EH HR Payroll for Odoo 17
Salary structures, sequenced rules, and payslips that compute gross, deductions, and net inside a sandboxed engine, on a workflow with a tamper-evident audit trail.
Why this module
EH HR Payroll for Odoo 17
Rules cannot reach the ORM
Salary rules are expressions evaluated with safe_eval against a curated context. Record proxies mediate every attribute access and name mangle their backing stores, so a rule cannot read the cursor, the record slot, or the internal category store. Four negative tests prove each escape attempt fails with a clean error.
Every change is on the chain
The payslip is an audited record. Create, write, and unlink emit rows into an append only, sha256 hash chained audit log whose appends are serialized by a Postgres advisory lock. verify_chain walks the chain and names the first tampered row, so an edited or deleted payslip history does not stay hidden.
Owns no engine of its own
Workflow, audit, and company scoping live in the platform mixins this module inherits, not in copies pasted here. Payroll stays focused on structures, rules, and slips, and country modules extend the same engine through documented hooks rather than forking it.
Day in the life
A monthly pay run, start to file
A payroll officer opens a pay run for the period, adds the employees, and computes every draft slip in one action. Each slip runs its structure rules in sequence: basic, housing allowance, a gross subtotal, a percentage tax on gross, and an employer contribution, with gross, total deductions, and net derived from the category kinds. The admin confirms the slips, the workflow records each transition on the hash chained audit trail, and the run exports a payment file of the net amounts for the confirmed slips. A recompute after a wage correction rebuilds the lines in place without duplicating them.
Edge cases
The cases most modules quietly ignore.
In the shipped code today, each one a place where a cheaper module silently does the wrong thing.
compute_payslip unlinks and rebuilds the lines each run and resyncs auto inputs, so recomputing a slip after a change never duplicates lines. A test asserts the line count is stable across repeated computes.
safe_eval permits single underscore names and only blocks double underscore at compile, so the proxies refuse any underscore prefixed access and name mangle their stores. Attempts to reach the ORM, the record slot, or the category store all raise rather than leak.
A constraint compiles every rule expression at save time, so a rule whose formula does not even parse is rejected on save with the offending code named, not discovered mid pay run.
The company aware mixin forces company_id on create and refuses writing a record into a company the user is not a member of, even under sudo, unless an explicit audited override context is set. The elevation is recorded with every affected id.
Paid and cancelled are final states. The workflow refuses any further transition out of a final state, and a confirmed slip can only be cancelled by an admin since by that point it may have reached the ledger.
When a transition opens an approval request, the real submitter is captured before the engine elevates to sudo, so a user who fired a gated transition cannot later approve their own request even if they hold an approver group.
Each line total is rounded with the company currency before category totals accumulate, so gross, deductions, and net are consistent with the slip currency rather than raw float arithmetic.
What is inside
Built to do the job, end to end.
- Salary structures and rules. Structures hold rules applied in sequence. Each rule has a category, a condition (always, numeric range, or Python), and an amount that is fixed, a percentage of a base, or a code expression, with a quantity expression and an appears on payslip flag for rules that feed later math without showing a line.
- The payslip engine. compute_payslip runs active rules in order, accumulating per category totals so later rules read categories.CODE and rules.CODE, writing one line per visible rule. Gross, total deductions, and net are derived from the basic, allowance, and deduction category kinds. A pay periods helper infers 52, 26, or 12 periods for annualisation hooks.
- Pay runs and payment file. A payslip batch groups slips for a period, computes them all in one action, and totals net. Export builds a payment file from the confirmed and paid slips. The base format is a generic CSV; a country localization overrides one render method to emit its own bank format.
- Extension points for localization. Documented hooks let country modules add safe rule helpers to the sandbox, feed auto inputs from loans, overtime, advances, or gratuity, read a real contract wage, and mark feeder sources processed once a slip is paid. The base module ships the engine and no statutory content.
- Workflow, audit, and access. Payslips inherit the platform workflow, audited, and company aware mixins. Transitions are group gated to HR officer and HR admin, every change lands on the hash chained audit log, and access rules give self service users read only visibility. A QWeb PDF payslip report is included.
Honest about the edges
What this does not do, so nothing surprises you.
- This is a payroll engine, not a country localization. The base module ships no statutory tax, social, or pension rules. PAYG, superannuation, PCB, and similar calculations come from separate country modules built on these hooks.
- The bank file export is a generic CSV by default. Real bank formats such as an AU ABA file are produced by a localization that overrides the render method, not by this module alone.
- No feeder modules ship here. Loan, overtime, advance, and gratuity auto inputs are extension points; the base returns nothing until a feeder module is installed.
- Salary rules are expressions, not statements, so multi line procedural logic is not supported. Conditional amounts use Python inline if and else expressions inside the sandbox.
- This module does not post payroll to the general ledger. Journal posting and reversal are handled by a separate accounting bridge.
- Requires the EH HR Platform base modules (eh_hr_core, eh_hr_compat, eh_hr_engine_workflow). It is not a standalone replacement for Odoo Community payroll on its own.
- Approval gating is available from the platform engine but payslip transitions are group gated rather than approval gated out of the box.
Odoo 17 payroll, salary structures Odoo, salary rules engine, payslip Odoo 17, pay run batch, bank file export payroll, multi company payroll, payroll audit trail, sandboxed salary rule, gross net payroll Odoo, HR payroll workflow, Odoo Community payroll, QWeb payslip report, hash chained audit log, ERP Heritage HR
Need this fitted to the way you work?
ERP Heritage delivers end to end Odoo work: Odoo Implementation, Customization and Development, Integration, Migration, Consultation, Support and Training. We help teams put this module into production, shape it to their process, and keep it running.
We work with businesses across Australia (Melbourne, Sydney, Brisbane, Perth, Adelaide, Canberra) and the Middle East (Dubai, Abu Dhabi, Riyadh, Jeddah, Doha, Kuwait City, Muscat). Start a conversation at erpheritage.com.au or email info@erpheritage.com.au.
Languages
Available in 19 languages
The interface ships translated out of the box. Switch language in Odoo and the fields, menus, and messages follow.
Please log in to comment on this module