Skip to Content

Access Pass

by
Odoo

79.00

v 16.0 Third Party
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 845
Technical Name no_access_pass
LicenseOPL-1
Websitehttps://www.oudayet.com
Versions 16.0 17.0 18.0 19.0
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 845
Technical Name no_access_pass
LicenseOPL-1
Websitehttps://www.oudayet.com
Versions 16.0 17.0 18.0 19.0

Access Pass

Time-limited privilege elevation, with the timer built in.

Odoo 16 $79 · OPL-1 SOC-Ready Audit Log
Access Pass grant form showing an Active elevation with green ribbon, statusbar, and live countdown
A grant in flight: green ribbon, live countdown, audit trail one tab away.

The pile-of-permissions problem

Without Access Pass A user needs admin rights for one afternoon. The admin grants them, then forgets. A month later the permission audit reveals six users with privileges they no longer need. Least-privilege has quietly drifted into most-privilege, with no record of who approved what.
With Access Pass The user requests an Access Pass, an authorized approver signs off, the cron activates the elevation when the window opens and revokes it when the window closes. Every step is logged immutably. Permissions return to the baseline automatically.

What you get

Elevation Profiles

Bundle security groups into reusable profiles — "Accounting Manager", "HR Admin", "Finance Closer". Each profile carries a risk level, a max duration, and an optional approver list.

Time-Limited Grants

Set a start datetime and an end datetime. The cron activates the grant when the window opens and revokes it when the window closes — no manual cleanup, no forgotten permissions.

Approval Workflow

Draft → Approved → Active → Expired or Revoked. Self-approval is blocked at the model level — the target user can never sign off on their own elevation.

Smart Revocation

Only the groups added by the grant are removed at expiry. Pre-existing groups are preserved. Groups still claimed by another active grant on the same user are protected.

Immutable Audit Log

Every action — request, approve, reject, activate, revoke, expire — is logged with timestamp, performer and notes. Records cannot be edited or deleted; only sudo() can create them.

5-Minute Cron

A scheduled action runs every five minutes to activate approved grants whose start has passed and to expire active grants whose end has passed. Configurable in Settings → Technical → Scheduled Actions.

Elevation Profile form with risk-level radio, max duration, approvers, and embedded security groups list
Profile: bundle the groups, set the risk, pin the approvers.
Grant request form in Draft state with Approve and Reject buttons in the header
Manager view of an inbound request — Approve or Reject in one click.

When you reach for it

End-of-month closing

Your accountant needs Manager rights for two days to close the books. Create a grant, set the window, get a sign-off, walk away. Permissions revert on Wednesday morning.

Vacation coverage

A team lead is on PTO for ten days. Their backup needs the same approver permissions for that exact window. One grant captures the duration; nothing leaks past the return date.

One-time data fix

A consultant needs Settings access for a 30-minute migration. Grant the elevation profile for one hour, audit logs the whole session, and the consultant loses access before they hang up.

Compliance audit

Your auditor asks who had elevated access in Q3 and why. The audit log answers in one screen: every grant, every approver, every reason — immutable, time-stamped, and exportable.

How it works

1
Define a profile

Open Access Pass → Configuration → Elevation Profiles. Bundle the security groups, set max duration, list approvers (optional).

2
Submit a grant

Pick the profile, the target user, the time window, and a reason if the profile demands one. The grant lands in Requested.

3
Cron does the rest

An approver signs off. The cron snapshots current groups, adds the new ones at start, and removes only what it added at end.

Grants list view with rows colored by state — green Active, yellow Approved, red Expired and Revoked, grey Rejected
Every state in one screen, color-decoded.
Grants kanban board grouped by state with swim lanes for Requested, Approved, Active, Expired, Revoked and Rejected
The same grants, told as a workflow.

Installation

Step 1 — install
# drop the addon into your addons_path
cp -r no_access_pass /opt/odoo/addons/
# restart odoo and update apps list
# then install Access Pass from the Apps menu
Step 2 — assign manager group
Settings → Users & Companies → Users
# tick the "Access Pass / Manager" group
# only managers can approve, activate or revoke grants

Works with

Any module's groups

Sales, Accounting, HR, Inventory, custom modules — if it ships a security group, you can elevate it.

Mail / Activities

Grants surface a chatter. Activity scheduling lets approvers track follow-ups.

Cron / Scheduler

Activation and expiration are stock ir.cron jobs — tweak the interval or trigger them on demand.

All editions

Community and Enterprise. Multi-company-aware via the standard groups model.

Honest scope

What it doesn't do
  • Record-rule level elevation — this module elevates security groups, not row-level domain rules.
  • External-system credential injection — nothing is sent outside Odoo.
  • Multi-step approval chains — one approver per grant.
Things to know

The 5-minute cron interval is a deliberate ceiling for activation latency. Need shorter? Lower the interval in Settings → Technical → Scheduled Actions. Activations take effect on the user's next login or by Odoo's own group-cache refresh, whichever comes first.

Audit trail you can show an auditor

The access.pass.audit model is append-only. write() and unlink() raise AccessError. Direct create() raises too — only sudo() from _log_audit() can write entries, so even a compromised manager account cannot rewrite history. Self-approval is blocked at the model level: env.user == user_id raises UserError on action_approve.

Immutable audit log with colored action badges, performer avatars, timestamps and notes

FAQ

What if a user already has one of the profile's groups?

Activation only adds the groups the user is missing. The grant tracks exactly which groups it added in granted_group_ids, and revocation removes only those.

Can I run two grants on the same user simultaneously?

Yes. When one expires, the smart-revocation logic checks the other active grant's profile and protects any group still claimed by it.

Can I shorten the 5-minute cron?

Yes — Settings → Technical → Scheduled Actions → Access Pass: Process Elevation Grants. You can also trigger it manually from the same screen.

What happens if I uninstall the module?

The grant and audit tables are dropped. Active grants will not auto-revoke, so revoke them before uninstalling, or rely on a manual cleanup of the affected users' groups afterwards.

Does it support multi-company?

Yes — security groups in Odoo are global, so a grant works across the user's entire scope. Profiles can be created per company through the standard res.groups model.

Technical details

Technical name
no_access_pass
Dependencies
base, web, mail (no Python deps)
Cron interval
5 minutes (configurable)
License
OPL-1
Editions
Community & Enterprise
© Naim OUDAYET — OPL-1 · oudayet.com 
Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author or have a question related to your purchase, please use the support page.