Odoo-Modules/fusion_repairs/security/security.xml

<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <!-- ==================================================================== -->
    <!-- MODULE CATEGORY                                                      -->
    <!-- ==================================================================== -->
    <record id="module_category_fusion_repairs" model="ir.module.category">
        <field name="name">Fusion Repairs</field>
        <field name="sequence">47</field>
    </record>

    <!-- ==================================================================== -->
    <!-- FUSION REPAIRS PRIVILEGE (Odoo 19 res.groups.privilege pattern)      -->
    <!-- ==================================================================== -->
    <record id="res_groups_privilege_fusion_repairs" model="res.groups.privilege">
        <field name="name">Fusion Repairs</field>
        <field name="sequence">47</field>
        <field name="category_id" ref="module_category_fusion_repairs"/>
    </record>

    <!-- ==================================================================== -->
    <!-- GROUPS                                                               -->
    <!-- ==================================================================== -->
    <record id="group_fusion_repairs_user" model="res.groups">
        <field name="name">Repairs: User (CS Intake)</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_repairs"/>
        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
        <field name="comment">CS / front-office staff who take repair intake calls and view repairs.</field>
    </record>

    <record id="group_fusion_repairs_dispatcher" model="res.groups">
        <field name="name">Repairs: Dispatcher</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_repairs"/>
        <field name="implied_ids" eval="[(4, ref('group_fusion_repairs_user'))]"/>
        <field name="comment">Assigns technicians to repairs, reschedules visits, manages parts pre-pull picklists.</field>
    </record>

    <record id="group_fusion_repairs_manager" model="res.groups">
        <field name="name">Repairs: Manager</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_repairs"/>
        <field name="implied_ids" eval="[(4, ref('group_fusion_repairs_dispatcher'))]"/>
        <field name="comment">Configures intake templates, pricing, maintenance contracts, on-call rotation, variance overrides.</field>
    </record>

    <!-- ==================================================================== -->
    <!-- RECORD RULES                                                         -->
    <!-- ==================================================================== -->

    <!-- Multi-company isolation on repair.order -->
    <record id="rule_repair_order_company" model="ir.rule">
        <field name="name">Repair Order: Multi-Company</field>
        <field name="model_id" ref="repair.model_repair_order"/>
        <field name="domain_force">['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]</field>
        <field name="global" eval="True"/>
    </record>

    <!-- Field technicians (from fusion_tasks) see only repairs they're assigned to as technician on a linked task.
         Uses STORED fields (technician_id + additional_technician_ids) - not the computed all_technician_ids. -->
    <record id="rule_repair_order_technician_own" model="ir.rule">
        <field name="name">Repair Order: Technician sees own repairs</field>
        <field name="model_id" ref="repair.model_repair_order"/>
        <field name="domain_force">['|', ('x_fc_technician_task_ids.technician_id', '=', user.id), ('x_fc_technician_task_ids.additional_technician_ids', 'in', [user.id])]</field>
        <field name="groups" eval="[(4, ref('fusion_tasks.group_field_technician'))]"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>

    <!-- Intake answer access scoped to repair access -->
    <record id="rule_repair_intake_answer_company" model="ir.rule">
        <field name="name">Repair Intake Answer: Multi-Company</field>
        <field name="model_id" ref="model_fusion_repair_intake_answer"/>
        <field name="domain_force">['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]</field>
        <field name="global" eval="True"/>
    </record>

    <!-- Sales Rep Portal: sees only repair orders they submitted -->
    <record id="rule_repair_order_sales_rep_portal" model="ir.rule">
        <field name="name">Repair Order: Sales Rep Portal - Own Repairs</field>
        <field name="model_id" ref="repair.model_repair_order"/>
        <field name="domain_force">[('x_fc_intake_user_id', '=', user.id)]</field>
        <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>

</odoo>