| Availability | Odoo Online, Odoo.sh, On Premise |
| Lines of code | 345 |
| Technical Name | sf_non_admin_user_manager |
| License | LGPL-3 |
| Website | https://squadfocus.com |
| Versions | 18.0 19.0 |
Non-Admin User Manager - Secure Delegated User Administration
"Empower your team leads and HR managers to create and manage users - without ever exposing Administrator or system-level access. This module adds a dedicated 'Users Settings' menu, hides system accounts (OdooBot & Administrator), blocks privilege escalation attempts, and enforces ORM-level record rules - all with zero configuration."
FEATURES
- Dedicated "Users Settings" Menu: A standalone top-level menu called "Users Settings" is added to the main navigation bar. It is visible only to members of the "User Manager (Limited)" group and system administrators - keeping it completely hidden from regular users.
- System Accounts Hidden (OdooBot & Administrator): The user list automatically filters out system accounts (User ID 1 and 2). Limited managers can only see and manage users with ID > 2 - OdooBot and the main Administrator account are completely invisible.
- Application-Level Access Assignment: Limited managers can create new users and assign application-level access rights (Sales, Purchase, Inventory, etc.) using the standard Odoo user form - no custom UI needed.
- Administration Category Hidden: The "Administration" category is automatically hidden from the access rights widget for non-technical users. Limited managers cannot see or accidentally assign Administration/Settings roles through the structured groups interface.
- Privilege Escalation Block: Even if someone attempts to assign Administration or Settings groups via developer mode, API calls, or direct ORM commands, the module intercepts all three Odoo group assignment formats (groups_id, sel_groups_*, in_group_*) and raises a UserError - completely blocking the attempt.
- ORM-Level Record Rule: A server-side record rule enforces the ID > 2 filter at the database level. Even if the domain filter is bypassed through an API or RPC call, the record rule ensures system accounts remain inaccessible.
- Delete Protection: Limited managers can create and edit users but cannot delete them (perm_unlink = False). This prevents accidental or intentional deletion of user accounts.
- Clean List View with Smart Columns: A custom list view displays user records with useful columns - ID, Full Name, Email/Login, Active toggle, Portal status, Company, and optional Language/Timezone fields. Inactive users are visually muted for easy identification.
HOW IT WORKS
Step 1: Install the module and assign the "User Manager (Limited)" group to the desired team leads, HR managers, or department heads via the standard Odoo user form.
Step 2: Limited managers will see a new "Users Settings" menu in their navigation bar. Clicking it opens the Users list - showing only non-system users (ID > 2).
Step 3: They can create new users, set login credentials, and assign application-level access rights (Sales User, Inventory Manager, etc.) - all through the familiar Odoo user form.
Step 4: The module silently enforces security - the Administration category is hidden, system groups cannot be assigned, system accounts are invisible, and user deletion is blocked. No action required from the administrator.
Go To: Main Menu → Users Settings
Only non-system users (ID > 2) are visible - OdooBot and Administrator are completely hidden from limited managers.
Create new users and assign application-level access rights (Sales, Inventory, Purchase) using the standard Odoo user form.
Searching for "Administrator" or "OdooBot" returns zero results - ORM-level record rules ensure system accounts are invisible even via search or API.
Limited managers cannot delete users - only create and edit. Deletion is blocked at the access control level for maximum safety.
USE CASES
- Multi-Branch Organizations: Allow branch managers to create and manage their own team's Odoo accounts without giving them access to the main Administrator account or system settings.
- HR Departments: Enable HR teams to onboard new employees into Odoo - setting up their login, assigning Sales/Inventory/Purchase access - without needing to involve the IT administrator.
- Outsourced IT Support: Give your external IT support team the ability to manage user accounts while ensuring they can never escalate their own privileges or access system-level settings.
- Compliance & Audit Requirements: Maintain strict separation of duties - the person managing user accounts should not have the same level of access as the system administrator.
- Small Teams with Shared Admin Responsibilities: In smaller teams where multiple people need to manage users, this module prevents any of them from accidentally or intentionally changing critical system configurations.
BENEFITS
- Zero Configuration: Install and start using immediately - just assign the "User Manager (Limited)" group to the desired users. No extra setup needed.
- Multi-Layer Security: Protection works at three levels - UI (hidden category), ORM (record rules), and Python (write/create guards) - making privilege escalation virtually impossible.
- Familiar User Interface: Reuses the standard Odoo user form (base.view_users_form) - no learning curve for your team. Everything looks and works like native Odoo.
- Lightweight & Dependency-Free: Depends only on 'base' and 'web' - no third-party modules required. Works on any standard Odoo 19.0 installation.
- Safe Delegation: Delegate user management to team leads without worry - they can manage day-to-day user operations while system integrity remains untouched.
- Comprehensive Protection: All three Odoo group assignment methods (groups_id, sel_groups_*, in_group_*) are intercepted - no backdoor remains open.
CONFIGURATION
Step 1: Install the module from the Apps menu.
Step 2: Go to Settings → Users & Companies → Users.
Step 3: Open the user you want to designate as a limited user manager.
Step 4: In the "Other" section or via Technical groups, assign the "User Manager (Limited)" group to this user.
Step 5: Done! The user will now see the "Users Settings" menu and can start managing users safely.
FREQUENTLY ASKED QUESTIONS
Q: Which users are hidden from limited managers?
A: Users with ID 1 (OdooBot) and ID 2 (Administrator) are hidden. These are the default system
accounts created during Odoo installation. All other users (ID > 2) are fully visible and manageable.
Q: Can a limited manager assign the Administrator role to themselves or others?
A: No. The module blocks assignment of both 'base.group_system' (Technical/Settings) and 'base.group_erp_manager' (Administration) groups. Any attempt - via UI, developer mode, or API - will result in a clear error message.
Q: Can limited managers delete user accounts?
A: No. The access control rules explicitly set perm_unlink to False. Limited managers can only create and edit users - deletion requires system administrator access.
Q: Does this module modify the standard Odoo user form?
A: No. The module reuses the standard Odoo user form (base.view_users_form) as-is. It only adds
a custom list view and hides the Administration category from the structured groups widget.
Q: Will the "Users Settings" menu appear for all users?
A: No. The menu is visible only to users who belong to either the "User Manager (Limited)" group
or the system administrator group (base.group_system). Regular users will not see it.
Q: What Odoo modules does this depend on?
A: Only 'base' and 'web' - both are core Odoo modules available in every installation. No third-party or enterprise dependencies.
Q: Does developer mode bypass the security restrictions?
A: No. Even with developer mode enabled, the Python-level guards in write() and create() methods
will block any attempt to assign Administration or Settings groups. The protection is enforced
at the server side, not just the UI.
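
An added example, not the module's own code: a stand-alone Python version of the server-side check described above, scanning a create()/write() values dictionary for the three group assignment formats the page names (groups_id, sel_groups_*, in_group_*). The group ids are constructed, the function names are hypothetical, and PermissionError stands in for Odoo's UserError so the block runs without Odoo installed.

```python
import re

# Constructed database ids standing in for base.group_erp_manager and
# base.group_system; real ids differ per database and must be looked up.
FORBIDDEN = {2, 3}

_SEL = re.compile(r"sel_groups_(\d+(?:_\d+)*)")
_IN = re.compile(r"in_group_(\d+)")


def granted_groups(vals):
    """Return every group id that a create()/write() vals dict would grant."""
    granted = set()
    for key, value in vals.items():
        if key == "groups_id":
            for cmd in value or []:
                if isinstance(cmd, int):          # bare id, treated as a link
                    granted.add(cmd)
                elif cmd[0] == 4:                 # (4, id): link one group
                    granted.add(cmd[1])
                elif cmd[0] == 6:                 # (6, 0, ids): replace the set
                    granted.update(cmd[2])
                elif cmd[0] not in (3, 5):        # 3 unlink / 5 clear only remove
                    # Fail closed on anything else instead of letting it through.
                    raise ValueError(f"unsupported groups_id command: {cmd!r}")
        elif _SEL.fullmatch(key):
            if value:                             # value is the selected group id
                granted.add(int(value))
        elif (m := _IN.fullmatch(key)):
            if value:                             # boolean checkbox for one group
                granted.add(int(m.group(1)))
    return granted


def check_vals(vals, forbidden=FORBIDDEN):
    """Raise PermissionError if vals would grant a forbidden group."""
    hit = granted_groups(vals) & set(forbidden)
    if hit:
        raise PermissionError(f"assignment of groups {sorted(hit)} is blocked")
    return True
```

The check belongs in the server-side create() and write() paths, since those are what RPC and API callers reach regardless of what the form hides.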