Odoo-Modules/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
gsinghpal 6c7e11db4d fix(plating-sec): move cross-module implied_ids out of fp_security_v2.xml
The previous commit (a53b0326) added implied_ids in fp_security_v2.xml
that referenced 5 xmlids from downstream modules (configurator/receiving/
invoicing/cgp). Since fusion_plating is the BASE module and loads first
at fresh install, those refs raised External-ID-not-found at install.

Fix: relocate the 5 cross-module implications into each downstream module's
own security file via additive (4, ref()) writes to the core group's
implied_ids. Odoo's XML data loader treats these as additive updates so
they stack cleanly across install + -u cycles.

Also: drop redundant <data noupdate="0"> wrapper in fp_security_v2.xml
to match sibling fp_security.xml's bare <odoo> shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 00:59:20 -04:00


<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright 2026 Nexa Systems Inc.
License OPL-1 (Odoo Proprietary License v1.0)
Part of the Fusion Plating product family.
-->
<odoo>
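<!-- ================================================================== -->
<!-- NEW RESTRICTED GROUPS -->
<!-- -->
<!-- CGP data is sensitive. Not every plating manager should see -->
<!-- Personnel Security Assessments or security incidents, so two new -->
<!-- groups sit above the core Fusion Plating privilege. Admin must -->
<!-- grant them explicitly; no users are assigned by default. -->
<!-- -->
<!-- NOTE(review): both groups are now labelled [DEPRECATED], and the -->
<!-- backward-compat records further down make group_fp_quality_manager -->
<!-- imply CGP Officer and group_fp_owner imply CGP Designated Official. -->
<!-- Members of those two core groups therefore receive CGP access -->
<!-- without an explicit grant. Confirm that this is intended. -->
<!-- ================================================================== -->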
<!-- CGP Officer: day-to-day CGP compliance operator.
     Displayed as "[DEPRECATED] CGP Officer". The group implies the core
     fusion_plating manager group, so every officer also holds manager
     rights. -->
<record id="group_fusion_plating_cgp_officer" model="res.groups">
    <field name="name">[DEPRECATED] CGP Officer</field>
    <field name="sequence">50</field>
    <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
    <!-- (4, id) links the manager group without replacing other implications. -->
    <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_manager'))]"/>
</record>
<!-- CGP Designated Official: legally accountable per PSPC registration.
     Displayed as "[DEPRECATED] CGP Designated Official". The group
     implies CGP Officer, and through it everything the officer group
     implies. -->
<record id="group_fusion_plating_cgp_designated_official" model="res.groups">
    <field name="name">[DEPRECATED] CGP Designated Official</field>
    <field name="sequence">60</field>
    <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
    <!-- Unqualified ref: resolves to the officer group defined in this module. -->
    <field name="implied_ids" eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
</record>
<!-- Backward compatibility: additive (4, id) writes onto two groups owned
     by the core fusion_plating module.
       group_fp_quality_manager implies the old CGP Officer group
       group_fp_owner implies the old CGP Designated Official group
     NOTE(review): once this module is installed, every member of those
     two core groups also belongs to the CGP groups and gets whatever the
     CGP ACLs and record rules grant. Confirm that scope is intended. -->
<record id="fusion_plating.group_fp_quality_manager" model="res.groups">
    <field name="implied_ids"
           eval="[(4, ref('fusion_plating_cgp.group_fusion_plating_cgp_officer'))]"/>
</record>
<record id="fusion_plating.group_fp_owner" model="res.groups">
    <field name="implied_ids"
           eval="[(4, ref('fusion_plating_cgp.group_fusion_plating_cgp_designated_official'))]"/>
</record>
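<!-- ================================================================== -->
<!-- RECORD RULES -->
<!-- -->
<!-- Defense-in-depth on top of ir.model.access.csv. PSA and Security -->
<!-- Incident records should never be visible outside the CGP Officer -->
<!-- group even if someone accidentally widens ACL. We bind a -->
<!-- permissive-for-officer rule and rely on the default-deny that -->
<!-- Odoo applies to models that have no unrestricted global rule and -->
<!-- no access lines for other groups. -->
<!-- -->
<!-- NOTE(review): the default-deny described here comes from ACLs -->
<!-- (ir.model.access), not from record rules. Record rules are -->
<!-- default-allow: a group-scoped rule constrains only members of that -->
<!-- group, so a user outside CGP Officer who gains an ACL line on -->
<!-- these models has no rule applied and can reach every record. To -->
<!-- keep the records hidden after an ACL mistake, pair each officer -->
<!-- rule with a restrictive rule on a broader group (for example -->
<!-- base.group_user with an always-false domain). Group rules are -->
<!-- OR-ed, so officers would keep full access. -->
<!-- ================================================================== -->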
<!-- PSA: allow-all rule for members of CGP Officer and of any group that
     implies it. The domain [(1, '=', 1)] matches every record and all
     four perm_* flags are set.
     NOTE(review): a group-scoped rule applies only to members of that
     group. It does not hide PSA records from other users, whose access
     depends on ir.model.access.csv alone. -->
<record id="fp_cgp_psa_officer_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP PSA — CGP Officer full access</field>
    <field name="model_id" ref="model_fusion_plating_cgp_psa"/>
    <field name="groups" eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
    <field name="domain_force">[(1, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
<!-- Security Incident: allow-all rule for members of CGP Officer and of
     any group that implies it. The domain [(1, '=', 1)] matches every
     record and all four perm_* flags are set.
     NOTE(review): a group-scoped rule applies only to members of that
     group. It does not hide incident records from other users, whose
     access depends on ir.model.access.csv alone. -->
<record id="fp_cgp_incident_officer_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP Security Incident — CGP Officer full access</field>
    <field name="model_id" ref="model_fusion_plating_cgp_security_incident"/>
    <field name="groups" eval="[(4, ref('group_fusion_plating_cgp_officer'))]"/>
    <field name="domain_force">[(1, '=', 1)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
<!-- ================================================================== -->
<!-- Multi-company isolation on CGP Registration -->
<!-- ================================================================== -->
<!-- Global rule: no groups are bound, so it applies regardless of group
     membership. A registration matches when its company_id is among the
     company_ids supplied to the rule, or when company_id is unset.
     Registrations without a company are therefore visible from every
     company. -->
<record id="fp_cgp_registration_company_rule" model="ir.rule">
    <field name="name">Fusion Plating: CGP Registration — multi-company</field>
    <field name="model_id" ref="model_fusion_plating_cgp_registration"/>
    <field name="global" eval="True"/>
    <field name="domain_force">['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]</field>
</record>
</odoo>