User Access Audit & Permission Report
The complete access audit toolkit for Odoo 19
A single dashboard for Odoo administrators and consultants to audit user permissions, spot over-privileged accounts, and generate compliance reports — without touching a line of code. Automatically calculates a numeric risk score for every user based on their actual group memberships, flags critical accounts with colour-coded badges, compares two users side-by-side, reports on group membership, model access rules, and menu restrictions, and exports everything to a colour-coded Excel workbook or a formatted QWeb PDF — all read-only, safe to walk a client through live.
Audit every user, group, and access rule in one place
Automated risk scoring, side-by-side user comparison, group and model access reports, and one-click export — everything an Odoo administrator needs for a complete access review.
Risk Scoring Engine
Automatically calculates a numeric score (0–100+) for every user based on their group memberships. Four colour-coded levels — Low, Medium, High, and Critical — with transparent point breakdowns and per-factor remediation guidance.
User Access Dashboard
A searchable, filterable list of all internal users with risk badge, score, admin flags, group count, and company access. Open any user to see their full risk breakdown table with factor-by-factor explanations and recommendations.
Compare & Report
Compare any two users side-by-side to instantly see which groups and companies one has that the other doesn't. Audit all groups, model access rules, and menu restrictions from dedicated report views.
Export & Report
Download a multi-sheet colour-coded Excel workbook or print a structured QWeb PDF report. Both include risk-level sections and summary counts — ready to share with management, auditors, or clients.
Four levels, fully transparent thresholds
Every user receives a numeric score calculated from their actual group memberships. Special conditions — inactive users with privileges, external users with internal groups, and sensitive model delete access — carry additional weight.
no sensitive groups
worth reviewing
review and document
required
Scored factors include: Settings Admin (+40 pts), Accounting Manager (+35 pts), User Management (+35 pts), Technical Features (+25 pts), HR Manager (+25 pts), Multi-Company (+20 pts), Inventory Admin (+20 pts). Special penalties: external user with internal groups (+60 pts), sensitive model delete access (+30 pts), inactive user with privileges (+30 pts).
See it in action
User Access Summary — risk badges, scores, and admin flags for every internal user
Per-User Risk Breakdown — factor-by-factor score table with remediation guidance
Compare Users Wizard — side-by-side group and company access diff
Group Membership Report — member counts, risk classification, and inactive member detection
Model Access Rules — browse all ir.model.access records with CRUD permission profiles
Menu Access Report — unrestricted vs group-gated menus across the full hierarchy
Excel Export — multi-sheet .xlsx with colour-coded risk rows, ready for management
PDF Audit Report — structured QWeb report with Critical / High / Medium sections and risk summary boxes
Visibility, safety, and a report your clients can act on
Odoo's built-in access control is powerful, but there is no single view that shows you which users are over-privileged, why, and what to do about it. User Access Audit fills that gap without modifying anything in your database.
Instant Visibility
See every user's risk level, score, and contributing factors in a single list view. Filter by risk level, admin type, or any specific access flag without needing technical knowledge.
Non-Destructive by Design
The module never modifies users, group memberships, access rules, or any core Odoo data. Administrators can optionally assign a custom risk level to any group to match their organisation's security policy — the only write operation the module performs.
Exportable Evidence
Export to a colour-coded Excel workbook or print a formal QWeb PDF. Both formats include risk-level sections and summary counts — ready for management sign-off and compliance documentation.
Install, open, and start auditing
No configuration required. Install the module, open the Access Audit menu, and the risk scores are ready on first load.
Install the Module
Copy atliis_user_access_audit into your Odoo addons path, update the app list, and
install User Access Audit & Permission Report. A post-install hook computes
risk scores for all existing users automatically.
The module depends only on base and web — no extra modules required.
Risk factors for Accounting, Inventory, HR, Sales, Purchase, MRP, and Project activate
automatically if those apps are installed.
Open the Access Audit Menu
The Access Audit top-level menu is visible only to Settings Administrators
(base.group_system). It contains six sub-sections:
- User Access Summary — all internal users with risk scores and flags
- Compare Users — side-by-side access diff wizard
- Group Membership — all groups with member counts and risk classification
- Model Access Rules — all
ir.model.accessrecords with CRUD permissions - Menu Access — full menu hierarchy with group restriction status
- Export to Excel — available via the Action menu on User Access Summary
Review the Risk Dashboard
The User Access Summary list is colour-coded by risk level — red rows are High or Critical, orange rows are Medium. Use the built-in filters to isolate Critical users, Settings Admins, Accounting Managers, inactive users with privileges, or external users with internal groups.
Click any user to open their detail view. The Risk Breakdown table shows every contributing factor, its point value, a plain-English explanation, and a specific remediation recommendation.
Compare Any Two Users
Open Compare Users, select two internal users, and the wizard immediately shows which groups and companies are unique to each user, which are shared, and the difference counts. Useful for validating that two colleagues in the same role actually have matching access.
Audit Groups, Models, and Menus
Use Group Membership to review every Odoo group — direct member count, risk
level, and whether any inactive users are still members. Open any group to set a custom
Risk Override if the automatic classification does not reflect your
organisation's policy; a Reset to Auto button restores the default at any time. Use Model
Access Rules
to browse all ir.model.access records filtered by CRUD profile or global vs
group-specific. Use Menu Access to identify any top-level or mid-level menus
that are completely unrestricted.
Export Reports
Use the Export to Excel action from the Action dropdown on the User Access Summary list and choose which sheets to include — User Summary, High Risk & Critical, and/or Group Membership. Download the .xlsx file with risk rows colour-coded in red, orange, and yellow. The Group Membership sheet includes a Risk Override column so overridden groups are clearly marked. Use the Print PDF server action on the User Access Summary list to generate a formatted QWeb audit report with risk-level sections and summary boxes.
Use the Recompute All action in the Action menu to refresh risk scores after adding or removing users from groups.
Find exactly the accounts you need
Every audit view ships with targeted one-click filters so you can jump straight to the accounts that need attention.
Risk Level Filters
One-click filters for Critical, High, Medium, and Low — narrow the list instantly without building a custom search.
Admin Role Filters
Filter by Settings Admin, Accounting Manager, Technical Features, User Management, HR Manager, and Multi-Company access in one click.
Special Case Filters
Instantly surface inactive users with active privileges, external (portal/public) users carrying internal groups, and users with sensitive model delete access.
Group-By Options
Group results by risk level, user type, or default company to spot patterns across departments or subsidiaries without manual sorting.
Everything included in User Access Audit
Risk Scoring Engine
- Automated numeric risk score (0–100+) per user
- Four risk levels: Low, Medium, High, Critical
- Per-factor breakdown with points and recommendations
- Penalties for inactive, external, and sensitive-delete users
- Batch recompute via Action menu
User Access Dashboard
- Searchable list with colour-coded risk rows
- One-click filters for every risk level and admin role
- Group-by: risk level, user type, company
- User form with risk ribbon and groups tabs
- Risk breakdown table with per-factor explanation
User Comparison Wizard
- Side-by-side access diff for any two users
- Groups unique to each user and shared groups
- Company access diff with unique and shared tabs
- Diff count banner for group and company differences
Group Membership Report
- All groups with member count and risk classification
- Inactive member flag per group
- Detail form with members and implied groups tabs
- Filters: High Risk, empty groups, inactive members
- Per-group risk override — set a custom risk level without editing source code
Model & Menu Access
- Browse all
ir.model.accessrecords with CRUD columns - Filters: Full Access, Read Only, No Delete, Global
- Full menu hierarchy with restriction status
- Unrestricted vs group-gated menu filters
Export & Compatibility
- Multi-sheet colour-coded Excel (.xlsx) export
- QWeb PDF with risk sections and summary boxes
- Read-only — no writes to users, groups, or rules
- Odoo 19 Community & Enterprise, no extra dependencies
Common questions
Which Odoo versions are supported?
The module is designed for Odoo 19 Community and Enterprise, including Odoo.sh and on-premise deployments.
Who can access the Access Audit menu?
Only users with the Settings Administrator role
(base.group_system) can see the Access Audit menu. Regular users and portal users
cannot access any part of the module.
Does this module modify any data?
The module is non-destructive by design. It computes and stores risk scores on user records but never modifies users, group memberships, access rules, or any other core Odoo data. The only write operation it exposes is the optional per-group risk override on the Group Membership report — administrators can set a custom risk level per group to match their organisation's security policy, and reset it to automatic at any time. Safe to use in production.
What are the risk scoring factors?
Seven group-based factors are scored automatically: Settings Admin (+40), Accounting Manager (+35), User Management (+35), Technical Features (+25), HR Manager (+25), Inventory Admin (+20), and Multi-Company (+20). Three special conditions add additional points: external (portal/public) user with internal groups (+60), user with delete access on sensitive models such as invoices, payments, and partners (+30), and inactive user with any privileges (+30).
Does it require extra dependencies?
The module depends only on base and web. The Excel export
uses openpyxl, which ships with Odoo 19 — no additional pip installs are needed.
Risk factors for Accounting, Inventory, HR, and other apps activate automatically if those
modules are installed.
How often are risk scores updated?
Risk scores are stored fields computed on install and on any individual user save. After bulk group changes (e.g. adding many users to a group), use the Recompute All action in the Action menu on the User Access Summary list to refresh all scores at once.
Can I use the Compare Users wizard on portal or public users?
The wizard filters for internal users only (base.group_user). Portal
and public users are excluded because comparing their access against internal users is not a
meaningful operation for this type of audit.
Can I customise the risk scoring thresholds or factors?
The scoring factors and thresholds are defined in const.py and can be
adjusted for your organisation's security policy by modifying the module source. Contact us
at helpdesk@atliis.com if you
need a customised version.
Change Log
Version-by-version record of new features, improvements, and fixes.
New
- Per-group risk override on Group Membership report — set Low, Medium, or High without editing source code
- Reset to Auto button clears any manual override and restores automatic classification
- Risk Override column added to the Group Membership sheet in the Excel export
Improved
- Export to Excel moved from top-level menu to the Action dropdown on User Access Summary — more contextual
- Override indicator alert shown in group form when a manual risk level is active
Fixed
- No changes
New
- Menu Access report — full menu hierarchy with unrestricted vs group-restricted filter
- Excel export sheet selection — choose which of the three sheets to include
- Sensitive model delete access flag and model name list in user form view
Improved
- Risk breakdown table renders as embedded HTML in the form view — no external pop-up
- Group risk classification extended to cover MRP, Project, and Purchase Manager
- Excel workbook now shows audit timestamp in the file name
Fixed
- Sensitive delete check no longer raises access error when account or stock modules are absent
- Group count now correctly includes all implied groups, not just direct memberships
New
- Model Access Rules report — browse all
ir.model.accessrecords with CRUD columns - Excel export wizard — multi-sheet .xlsx with colour-coded risk rows
- Recompute Selected and Recompute All server actions on User Access Summary
Improved
- User Access Summary default domain now excludes system and public users
- List view decorations (danger/warning) wired to High/Critical and Medium risk levels
Fixed
- Post-install hook correctly recomputes all audit fields on a fresh install
- Risk reasons field truncates gracefully when a user belongs to many scored groups
New
- QWeb PDF audit report with Critical / High / Medium sections and summary boxes
- Group Membership report with member count, risk level, and inactive member flag
- Compare Users wizard — side-by-side group and company access diff
Improved
- Risk ribbons (Critical/High/Medium) added to user detail form view
- Company Access tab added to user form showing all accessible companies
Fixed
- Company count correctly counts distinct companies, not multi-company group entries
Initial release for Odoo 19
- User Access Summary — filterable list with risk score, level, admin flags, group count, and active status
- Automated risk scoring engine with 7 group-based factors and 3 special conditions
- Risk Breakdown HTML table in user form — factor, points, explanation, recommendation
- Advanced search filters and group-by options for risk-driven analysis
- Access Audit menu restricted to Settings Administrators — all views read-only
Other modules you might like
Get in touch with us
| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Lines of code | 1719 |
| Technical Name |
atliis_user_access_audit |
| License | OPL-1 |
| Website | https://atliis.com |
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module