Access Rights and Model Access in Odoo

Access rights govern what users can do with a kind of record, and this is how a developer sets them.

When a developer defines a new model, a new kind of record, the question of who can do what with it has to be answered. Access rights answer it. This piece is about access rights and model access in Odoo.

Access rights on a model

Access rights, in Odoo, govern what users can do with a kind of record, that is, with a model. The basic things a user can do with records of a kind are reading them, creating them, changing them, and deleting them, and access rights govern, for a model, which users can do which of those. Access rights are, in essence, the model-level permissions: per kind of record, who can read, create, change, delete.

Why a new model needs access rights

When a developer defines a new model, it needs access rights. This is not optional housekeeping; it is part of the model being genuinely usable and secure. Without access rights set, access to the new kind of record is not governed: either the right people cannot use it, or access to it is not properly controlled. Setting the access rights for a new model is what makes it both usable (the people who should use it can) and secure (access to it is governed). A developer who defines a new model must set its access rights as part of completing it.

How access rights are set

Access rights for a model are set as part of a module's security definition, declaring, for the model, which users, by their groups, can read, create, change, and delete records of that kind. The developer defines those access rights so that each kind of user has, for the new model, the access their role genuinely warrants. This connects to security groups, which are how kinds of users are organised, and to the broader principle of access matching the role.

The principle: access matched to the role

The principle in setting a model's access rights is the same that governs access generally: a user's access to a kind of record should match what their role genuinely needs. Some users may need to read a kind of record but not change it; some may need full access; some may need none. The access rights should be set so each kind of user has, for the model, the access their role genuinely warrants, and no more. Setting access rights well means the access to the new kind of record genuinely reflects who should be able to do what with it.
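An added example, not from the original post or from Odoo's own code: a small Python check over the CSV file in which Odoo modules conventionally declare model access (security/ir.model.access.csv). It flags a model that has no row at all and a row whose empty group column grants more than read to every user. The module, model and group names and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample: a security/ir.model.access.csv for a hypothetical module
# "library" with models library.book and library.loan (all names are assumptions).
SAMPLE_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_book_user,library.book user,model_library_book,base.group_user,1,0,0,0
access_book_manager,library.book manager,model_library_book,library.group_manager,1,1,1,1
access_loan_all,library.loan everyone,model_library_loan,,1,1,1,1
"""

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


def load_acl(csv_text):
    """Return {model_ref: {group_ref or '': set of granted perms}}."""
    acl = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        model = row["model_id:id"].strip()
        group = (row.get("group_id:id") or "").strip()
        granted = {p for p in PERMS if (row.get(p) or "").strip() == "1"}
        acl.setdefault(model, {}).setdefault(group, set()).update(granted)
    return acl


def audit(csv_text, expected_models):
    """Return sorted findings as (model_ref, issue) tuples."""
    acl = load_acl(csv_text)
    findings = []
    for model in expected_models:
        if model not in acl:
            # No row at all: nothing grants ordinary users access to the model.
            findings.append((model, "no access rights declared"))
    for model, groups in acl.items():
        # An empty group column makes the row apply to every user.
        beyond_read = groups.get("", set()) - {"perm_read"}
        if beyond_read:
            findings.append((model, "all users: " + ",".join(sorted(beyond_read))))
    return sorted(findings)


if __name__ == "__main__":
    models = ["model_library_book", "model_library_loan", "model_library_fine"]
    for model, issue in audit(SAMPLE_CSV, models):
        print(f"{model}: {issue}")
```

Run against a module's real file, the list passed as `expected_models` should contain one `model_...` reference for each model the module defines.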

The takeaway

Access rights in Odoo govern, per kind of record, per model, what users can do: read, create, change, delete records of that kind. When a developer defines a new model, it needs access rights, which is part of the model being genuinely usable and secure, not optional. Access rights are set in a module's security definition, declaring, by users' groups, who can do what with the model. The principle is that a user's access to a kind of record should match what their role genuinely needs, and no more. For how we approach Odoo, see our ERP practice.
