@@ -28,8 +28,8 @@ should not have access to.
2828 Once complete, click :guilabel: `Save ` to save the changes, and implement the user as an
2929 administrator.
3030
31- Users
32- =====
31+ Manage user permissions
32+ =======================
3333
3434The access rights for :ref: `individual users <users/add-individual >` are set when the user is added
3535to the database, but they can be adjusted at any point in the user's profile.
@@ -52,6 +52,67 @@ The :guilabel:`Administration` field in the :guilabel:`Access Rights` tab has th
5252.. image :: access_rights/user-permissions-dropdown-menu.png
5353 :alt: The Sales apps drop-down menu to set the user's level of permissions.
5454
55+ Manage specific permissions
56+ ---------------------------
57+
58+ While access rights are typically assigned in bundles under specific roles, they can also be set as
59+ explicit permissions.
60+
61+ .. example ::
62+ For example, giving a user the :guilabel: `Administrator ` permission for **Timesheets **
63+ gives them full access to that app. That user, while holding full access, can *still * have their
64+ ability to manage *their own * timesheets restricted — such as in the case of a salaried payroll
65+ administrator who does not need to track time.
66+
67+ To manage specific permissions, :ref: `developer mode <developer-mode >` must be enabled.
68+
69+ After that, navigate to the :menuselection: `Settings ` app. Then click :guilabel: `Manage Users `,
70+ select a user, and go to the :guilabel: `Technical Access Rights ` tab. From here, :guilabel: `Groups `
71+ can be edited, and specific access rights can be managed across the various sections. If no changes
72+ are made to these groups, then their permissions will mirror the selections made in the
73+ :guilabel: `Access Rights ` tab.
74+
75+ - :guilabel: `Selected groups `: a list of detailed access rights, set by choices made in the
76+ :guilabel: `Access Rights ` tab.
77+ - :guilabel: `Groups added automatically `: *implied * permissions that are *inherited * with the
78+ explicit permissions already granted to the user. The values here will match the values listed
79+ under a given *Group *'s form located under the :menuselection: `Users & Companies --> Groups ` menu,
80+ in the :guilabel: `Inherited ` tab.
81+
82+ .. image :: access_rights/tech-access-rights.png
83+ :alt: The technical access rights tab opened up for a user profile.
84+
85+ .. example ::
86+ When the *Sales Administrator * permission set is assigned to a user, then the *Canned Responses
87+ Administrator * permissions are inherited automatically. These assignments are reflected across
88+ the values listed in the :guilabel: `Selected Groups ` and :guilabel: `Groups added automatically `
89+ tables, respectively.
90+
91+ To add a permission to this user profile, click :guilabel: `Add a line ` in the :guilabel: `Selected
92+ groups ` table, and then add permissions to this user profile. To remove a permission, click the
93+ :icon: `fa-times ` :guilabel: `(cancel) ` at the end of that permission's row.
94+
95+ .. warning ::
96+ Removing permissions from the :guilabel: `Selected Groups ` list can impact what permissions are
97+ listed in the :guilabel: `Groups added automatically ` list, since selected permission groups
98+ inform what permission groups are added automatically.
99+
100+ Clicking on the permission itself will open a group management form. Learn more about :ref: `managing
101+ groups <access-rights/groups>`.
102+
103+ Any permission in the :guilabel: `Groups added automatically ` section are implied or required by the
104+ permission shown in the :guilabel: `Selected groups ` section. These cannot be removed, but more users
105+ can be given these permissions by clicking on the permission itself, and then adding the user to
106+ that permission's group.
107+
108+ .. note ::
109+ - Any permission in green is already provided by another permission (for example, setting the
110+ :guilabel: `Website ` app's permission to :guilabel: `Editor and Designer ` will also give that
111+ user the :guilabel: `Restricted Editor ` permission).
112+ - Any permissions in red are conflicting and cannot be active at the same time.
113+ - Any permissions in *italics * is implied by a :guilabel: `Selected group ` (these are usually
114+ found in the :guilabel: `Groups added automatically `).
115+
55116.. _access-rights/groups :
56117
57118Create and modify groups
@@ -102,8 +163,8 @@ The group form contains multiple tabs for managing all elements of the group. In
102163- :guilabel: `Views ` tab: lists which views in Odoo the group has access to. Click :guilabel: `Add a
103164 line ` to add a view to the group.
104165- :guilabel: `Access Rights ` tab: lists the first level of rights (models) that this group has. The
105- :guilabel: `Name ` column represents the name for the current group's access to the model
106- selected in the :guilabel: `Model ` column.
166+ :guilabel: `Name ` column represents the name for the current group's access to the model selected
167+ in the :guilabel: `Model ` column.
107168
108169 To link a new access right to a group, click :guilabel: `Add a line `. Select the appropriate model
109170 from the :guilabel: `Model ` drop-down, then enter a name for the access right in the
@@ -125,9 +186,9 @@ The group form contains multiple tabs for managing all elements of the group. In
125186 .. image :: access_rights/name-field.png
126187 :alt: Name of access rights to a model.
127188
128- To find the model's technical name from the current view, first enter a placeholder text
129- in the :guilabel: `Name ` field, then click the :guilabel: `Model ` name, then the
130- :icon: ` fa-arrow-right ` : guilabel:(Internal link) ` icon.
189+ To find the model's technical name from the current view, first enter a placeholder text in the
190+ :guilabel: `Name ` field, then click the :guilabel: `Model ` name, then the :icon: ` fa-arrow-right `
191+ :guilabel: `(Internal link) ` icon.
131192
132193- :guilabel: `Record Rules `: lists the second layer of editing and visibility rights.
133194 :guilabel: `Record Rules ` overwrite, or refine, the group's access rights. Click :guilabel: `Add a
0 commit comments