Skip to content

Users & Permissions

HEMMS uses Odoo's standard security model: every user belongs to one or more groups, groups grant ACLs (table-level read/write/create/unlink), and record rules further filter what each group can see at the row level. This page covers the groups HEMMS adds, how to assign them, and a recommended mapping of hospital roles to Odoo groups.

Odoo's security model in 60 seconds

Concept What it does Where it lives
Group (res.groups) A named bundle of permissions ir.model.data → XML records
ACL (ir.model.access) Per-model CRUD permissions for a group security/ir.model.access.csv
Record rule (ir.rule) A domain filter applied to a group for one model security/*.xml

ACLs and record rules combine with AND: a user must pass both the ACL and every applicable record rule to access a row. A group with no record rule on a model gets unfiltered access (subject to its ACL).

The relevant Odoo / OCA groups

These are the foundation groups that HEMMS builds on. They are not defined by HEMMS — they ship with Odoo or the OCA maintenance module.

Group XML ID Display name Typical hospital role
base.group_user Internal User Any staff with a login
maintenance.group_equipment_manager Maintenance / Equipment Manager BME technician or BME manager
base.group_system Administration / Settings IT admin, DPO

base.group_user is the floor — every logged-in HEMMS user has it. maintenance.group_equipment_manager is the BME role; it implies base.group_user and unlocks maintenance request creation, equipment editing, etc. base.group_system is full Odoo admin and should be tightly scoped (1–2 people).

HEMMS-specific groups

These are defined in the addons/roots/roots_hemms_*/security/ folders.

roots_hemms_asset_inspection — annual ปจป. workflow

Defined in hemms_security_groups.xml.

Group XML ID Display name Permissions
roots_hemms_asset_inspection.group_hemms_asset_officer Asset Officer Implies maintenance.group_equipment_manager. Can create, manage, submit, and print annual asset inspection reports across all departments.
roots_hemms_asset_inspection.group_hemms_inspection_committee Inspection Committee Member Implies base.group_user. Can view all inspection records and edit condition/damage/notes on lines of in-progress inspections. Cannot create inspections.

roots_hemms_ha_report — HA Thailand annual PM report (Q5)

The Q5 HA report module does not define a new group. Instead it ships a department-scoped record rule (ha_report_security.xml) attached to base.group_user: a non-manager sees only HA reports for departments they are a member of (department_id.member_ids.user_id includes them) or which they authored.

Members of maintenance.group_equipment_manager are not subject to this rule, so BME managers see all reports across all departments.

roots_hemms_mass_import — uploader-scoped record rule (Q6)

Same pattern: no new group, just a record rule attached to base.group_user that filters hemms.import.batch to rows the user created or committed. Managers see all batches.

roots_hemms_service_contracts — manager-only writes (Q3)

The ACL gives base.group_user read-only access and grants full CRUD only to maintenance.group_equipment_manager. That means any logged-in staff member can see service contracts, but only BME managers can create or edit them.

Assigning groups to users

  1. Go to Settings → Users & Companies → Users.
  2. Open or create the user.
  3. Under the Access Rights tab, scroll to the Maintenance section:
    • Tick Maintenance = Administrator to grant maintenance.group_equipment_manager.
    • Tick Asset Officer or Inspection Committee Member as needed.
  4. Under Administration, set to Settings to grant base.group_system (admin / DPO only).
  5. Save. The user's effective permissions update on their next login.

Use developer mode to see XML IDs

With developer mode on, hovering over a group field shows the XML ID (base.group_system etc.) — invaluable when matching the table above to the UI checkboxes.

This is the mapping Trinity Roots ships by default. Adjust per customer.

Hospital role Groups Notes
Ward Nurse base.group_user only Can raise a maintenance request, see equipment in their ward, view PM schedule. Cannot edit equipment master data or close requests.
BME Technician base.group_user + maintenance.group_equipment_manager Can move requests through the workflow, log spare parts, update equipment condition. Limited by record rules on inspections (sees own dept).
BME Manager base.group_user + maintenance.group_equipment_manager + roots_hemms_asset_inspection.group_hemms_asset_officer Full BME ops: edit service contracts, sign off inspections, print HA reports across all departments.
Inspection Committee Member base.group_user + roots_hemms_asset_inspection.group_hemms_inspection_committee Reviews and signs off inspection lines but cannot create inspections. Typically a clinical lead, not BME.
Admin / DPO base.group_user + maintenance.group_equipment_manager + base.group_system Full system admin — installs modules, manages users, runs backup/restore. Should be 1–2 people per hospital.
Vendor / External technician base.group_portal (Odoo portal user) Read-only portal access to their own service contracts and assigned requests. Not a full internal user — does not consume a paid Enterprise seat.

Record rules in action — a worked example

A BME technician (Tha) belongs to the Cardiology department. She has maintenance.group_equipment_manager and nothing else.

Action Resolution
Open Maintenance → Requests ACL says she can read maintenance.request. No HEMMS rule filters it further. She sees all requests.
Open HA Report → Annual Reports ACL says she can read hemms.ha.report. The Q5 rule on base.group_user filters to her department only + reports she authored. She sees Cardiology + her authored reports.
Open Mass Import → Batches ACL says she can read. The Q6 rule filters to batches she uploaded or committed. She sees only her own batches.
Sign a service contract as the customer signer ACL allows read; she is not in the manager group so she cannot edit. She uses the signature workflow which is a separate flow on top of sign_oca.

Promote her to maintenance.group_equipment_manager only changes ACLs; record rules on base.group_user still apply because she is still a base user. To bypass the dept-scoped HA report rule, she needs the manager group — which she already has. Manager status removes the dept filter for HA reports because the rule is scoped to base.group_user not the manager group; Odoo evaluates rules as OR across a user's groups for the same model, and the manager group has no rule.

Auditing who has what

In developer mode, Settings → Technical → Security → Groups lists every group with its members. Cross-reference against your HR roster annually as part of the DPO review.

For a per-user permission audit:

  1. Open the user.
  2. Click the Access Rights tab.
  3. Every checked group is a permission this user has. Print or export.