Users & Permissions¶
HEMMS uses Odoo's standard security model: every user belongs to one or more groups, groups grant ACLs (table-level read/write/create/unlink), and record rules further filter what each group can see at the row level. This page covers the groups HEMMS adds, how to assign them, and a recommended mapping of hospital roles to Odoo groups.
Odoo's security model in 60 seconds¶
| Concept | What it does | Where it lives |
|---|---|---|
Group (res.groups) | A named bundle of permissions | ir.model.data → XML records |
ACL (ir.model.access) | Per-model CRUD permissions for a group | security/ir.model.access.csv |
Record rule (ir.rule) | A domain filter applied to a group for one model | security/*.xml |
ACLs and record rules combine with AND: a user must pass both the ACL and every applicable record rule to access a row. A group with no record rule on a model gets unfiltered access (subject to its ACL).
The relevant Odoo / OCA groups¶
These are the foundation groups that HEMMS builds on. They are not defined by HEMMS — they ship with Odoo or the OCA maintenance module.
| Group XML ID | Display name | Typical hospital role |
|---|---|---|
base.group_user | Internal User | Any staff with a login |
maintenance.group_equipment_manager | Maintenance / Equipment Manager | BME technician or BME manager |
base.group_system | Administration / Settings | IT admin, DPO |
base.group_user is the floor — every logged-in HEMMS user has it. maintenance.group_equipment_manager is the BME role; it implies base.group_user and unlocks maintenance request creation, equipment editing, etc. base.group_system is full Odoo admin and should be tightly scoped (1–2 people).
HEMMS-specific groups¶
These are defined in the addons/roots/roots_hemms_*/security/ folders.
roots_hemms_asset_inspection — annual ปจป. workflow¶
Defined in hemms_security_groups.xml.
| Group XML ID | Display name | Permissions |
|---|---|---|
roots_hemms_asset_inspection.group_hemms_asset_officer | Asset Officer | Implies maintenance.group_equipment_manager. Can create, manage, submit, and print annual asset inspection reports across all departments. |
roots_hemms_asset_inspection.group_hemms_inspection_committee | Inspection Committee Member | Implies base.group_user. Can view all inspection records and edit condition/damage/notes on lines of in-progress inspections. Cannot create inspections. |
roots_hemms_ha_report — HA Thailand annual PM report (Q5)¶
The Q5 HA report module does not define a new group. Instead it ships a department-scoped record rule (ha_report_security.xml) attached to base.group_user: a non-manager sees only HA reports for departments they are a member of (department_id.member_ids.user_id includes them) or which they authored.
Members of maintenance.group_equipment_manager are not subject to this rule, so BME managers see all reports across all departments.
roots_hemms_mass_import — uploader-scoped record rule (Q6)¶
Same pattern: no new group, just a record rule attached to base.group_user that filters hemms.import.batch to rows the user created or committed. Managers see all batches.
roots_hemms_service_contracts — manager-only writes (Q3)¶
The ACL gives base.group_user read-only access and grants full CRUD only to maintenance.group_equipment_manager. That means any logged-in staff member can see service contracts, but only BME managers can create or edit them.
Assigning groups to users¶
- Go to Settings → Users & Companies → Users.
- Open or create the user.
- Under the Access Rights tab, scroll to the Maintenance section:
- Tick Maintenance = Administrator to grant
maintenance.group_equipment_manager. - Tick Asset Officer or Inspection Committee Member as needed.
- Tick Maintenance = Administrator to grant
- Under Administration, set to Settings to grant
base.group_system(admin / DPO only). - Save. The user's effective permissions update on their next login.
Use developer mode to see XML IDs
With developer mode on, hovering over a group field shows the XML ID (base.group_system etc.) — invaluable when matching the table above to the UI checkboxes.
Recommended role mapping for a hospital deployment¶
This is the mapping Trinity Roots ships by default. Adjust per customer.
| Hospital role | Groups | Notes |
|---|---|---|
| Ward Nurse | base.group_user only | Can raise a maintenance request, see equipment in their ward, view PM schedule. Cannot edit equipment master data or close requests. |
| BME Technician | base.group_user + maintenance.group_equipment_manager | Can move requests through the workflow, log spare parts, update equipment condition. Limited by record rules on inspections (sees own dept). |
| BME Manager | base.group_user + maintenance.group_equipment_manager + roots_hemms_asset_inspection.group_hemms_asset_officer | Full BME ops: edit service contracts, sign off inspections, print HA reports across all departments. |
| Inspection Committee Member | base.group_user + roots_hemms_asset_inspection.group_hemms_inspection_committee | Reviews and signs off inspection lines but cannot create inspections. Typically a clinical lead, not BME. |
| Admin / DPO | base.group_user + maintenance.group_equipment_manager + base.group_system | Full system admin — installs modules, manages users, runs backup/restore. Should be 1–2 people per hospital. |
| Vendor / External technician | base.group_portal (Odoo portal user) | Read-only portal access to their own service contracts and assigned requests. Not a full internal user — does not consume a paid Enterprise seat. |
Record rules in action — a worked example¶
A BME technician (Tha) belongs to the Cardiology department. She has maintenance.group_equipment_manager and nothing else.
| Action | Resolution |
|---|---|
| Open Maintenance → Requests | ACL says she can read maintenance.request. No HEMMS rule filters it further. She sees all requests. |
| Open HA Report → Annual Reports | ACL says she can read hemms.ha.report. The Q5 rule on base.group_user filters to her department only + reports she authored. She sees Cardiology + her authored reports. |
| Open Mass Import → Batches | ACL says she can read. The Q6 rule filters to batches she uploaded or committed. She sees only her own batches. |
| Sign a service contract as the customer signer | ACL allows read; she is not in the manager group so she cannot edit. She uses the signature workflow which is a separate flow on top of sign_oca. |
Promote her to maintenance.group_equipment_manager only changes ACLs; record rules on base.group_user still apply because she is still a base user. To bypass the dept-scoped HA report rule, she needs the manager group — which she already has. Manager status removes the dept filter for HA reports because the rule is scoped to base.group_user not the manager group; Odoo evaluates rules as OR across a user's groups for the same model, and the manager group has no rule.
Auditing who has what¶
In developer mode, Settings → Technical → Security → Groups lists every group with its members. Cross-reference against your HR roster annually as part of the DPO review.
For a per-user permission audit:
- Open the user.
- Click the Access Rights tab.
- Every checked group is a permission this user has. Print or export.
Related pages¶
- Multi-company / Multi-hospital Setup — branch-level scoping is orthogonal to group-level scoping
- For DPO / Compliance — audit trail access
- Architecture — why HEMMS adds so few groups (we layer on Odoo / OCA rather than re-defining the security model)