<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright 2026 Nexa Systems Inc.
License OPL-1 (Odoo Proprietary License v1.0)
Part of the Fusion Plating product family.
-->
<odoo>
<!-- ================================================================== -->
<!-- NEW RESTRICTED GROUPS -->
<!-- -->
<!-- CGP data is sensitive. Not every plating manager should see -->
<!-- Personnel Security Assessments or security incidents, so two new -->
<!-- groups sit above the core Fusion Plating privilege. Admin must -->
<!-- grant them explicitly; no users are assigned by default. -->
<!-- ================================================================== -->
<!--
    CGP Officer: the day-to-day CGP compliance operator.
    Listed under the core Fusion Plating privilege. It implies the Fusion
    Plating manager group, so granting CGP Officer also grants everything
    the manager group carries. Review both when auditing who holds this role.
    No users are linked here; membership is assigned by an administrator.
-->
<record id="group_fusion_plating_cgp_officer" model="res.groups">
    <field name="name">CGP Officer</field>
    <field name="sequence">50</field>
    <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
    <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_manager'))]"/>
</record>
<!--
    CGP Designated Official: the person legally accountable per the PSPC
    registration. It implies CGP Officer (the unprefixed ref resolves inside
    this module), and through it whatever CGP Officer implies. Every record
    rule bound to CGP Officer therefore also applies to members of this group.
    NOTE(review): nothing in this file grants the Designated Official more
    than the Officer; confirm any extra rights are defined elsewhere.
-->
<record id="group_fusion_plating_cgp_designated_official" model="res.groups">
    <field name="name">CGP Designated Official</field>
    <field name="sequence">60</field>
    <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
    <field name="implied_ids" eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
</record>
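<!-- ================================================================== -->
<!-- RECORD RULES -->
<!-- -->
<!-- Defense-in-depth on top of ir.model.access.csv. PSA and Security -->
<!-- Incident records should never be visible outside the CGP Officer -->
<!-- group even if someone accidentally widens ACL. -->
<!-- -->
<!-- Odoo record rules are default-allow, not default-deny: a user who -->
<!-- matches no group rule on a model is filtered by global rules only. -->
<!-- A permissive rule bound to CGP Officer alone restricts nobody else, -->
<!-- so each model gets a pair of rules: -->
<!-- 1. a deny rule (always-false domain) bound to the base internal, -->
<!-- portal and public groups, which covers every user type; -->
<!-- 2. an allow rule (always-true domain) bound to CGP Officer. -->
<!-- Group rules are OR-ed across all of a user's groups, so officers -->
<!-- (and groups implying CGP Officer) match the allow rule and keep -->
<!-- full access, while everyone else matches only the deny rule. -->
<!-- Caveat: record rules are bypassed by the superuser and by code -->
<!-- running under sudo(), so server-side code must not sudo() when -->
<!-- reading these models on behalf of an ordinary user. -->
<!-- ================================================================== -->
<!-- PSA: deny for every user type unless another group rule grants access -->
<record id="fp_cgp_psa_deny_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP PSA — deny outside CGP Officer</field>
    <field name="model_id" ref="model_fusion_plating_cgp_psa"/>
    <field name="groups"
           eval="[(4, ref('base.group_user')),
                  (4, ref('base.group_portal')),
                  (4, ref('base.group_public'))]"/>
    <field name="domain_force">[(0, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
<!-- PSA: only visible to CGP Officer (and groups that imply it) -->
<record id="fp_cgp_psa_officer_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP PSA — CGP Officer full access</field>
    <field name="model_id" ref="model_fusion_plating_cgp_psa"/>
    <field name="groups"
           eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
    <field name="domain_force">[(1, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
<!-- Security Incident: deny for every user type unless another group rule grants access -->
<record id="fp_cgp_incident_deny_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP Security Incident — deny outside CGP Officer</field>
    <field name="model_id" ref="model_fusion_plating_cgp_security_incident"/>
    <field name="groups"
           eval="[(4, ref('base.group_user')),
                  (4, ref('base.group_portal')),
                  (4, ref('base.group_public'))]"/>
    <field name="domain_force">[(0, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
<!-- Security Incident: only visible to CGP Officer (and groups that imply it) -->
<record id="fp_cgp_incident_officer_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP Security Incident — CGP Officer full access</field>
    <field name="model_id" ref="model_fusion_plating_cgp_security_incident"/>
    <field name="groups"
           eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
    <field name="domain_force">[(1, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>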
<!-- ================================================================== -->
<!-- Multi-company isolation on CGP Registration -->
<!-- -->
<!-- Global rule (no groups bound): it is AND-ed with every other rule -->
<!-- and applies to all users except the superuser. A registration is -->
<!-- reachable when its company is one of the user's companies, or -->
<!-- when it has no company at all. -->
<!-- NOTE(review): the company_id = False branch exposes company-less -->
<!-- registrations to every company; confirm company_id is required on -->
<!-- the model if shared registrations are not intended. -->
<!-- ================================================================== -->
<record id="fp_cgp_registration_company_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP Registration — multi-company</field>
    <field name="model_id" ref="model_fusion_plating_cgp_registration"/>
    <field name="global" eval="True"/>
    <field name="domain_force">['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]</field>
</record>
</odoo>