Security & Permissions

Overview

The Atlas Construction Management module implements a comprehensive security model with multiple user groups providing different levels of access. This ensures that users can only access and modify data appropriate to their role.

Important

Common Issue: Users cannot edit budget lines because they don’t have the correct security group. Budget lines require the Job Cost Manager role to edit. See Assigning Security Groups for instructions.

Security Groups

The module defines security groups across six functional areas:

  1. Job Costing

  2. Scheduling

  3. Progress Billing

  4. Change Orders

  5. Daily Logs

  6. Customer Selections

Each area has User, Manager, and/or Admin levels with increasing permissions.

Job Costing Security Groups

atlas_construction.group_job_cost_user

Read-only access to job costing data.

Permissions:

  • ✓ View projects and budgets

  • ✓ View job cost lines

  • ✓ View actual costs

  • ✓ View committed costs

  • ✗ Cannot create or edit budget lines

  • ✗ Cannot modify cost categories or phases

Record Rules:

  • Can only view budgets for projects they are following or assigned to

Typical Users:

  • Estimators (viewing historical costs)

  • Field supervisors (viewing budgets)

  • Accounting staff (read-only cost review)

atlas_construction.group_job_cost_manager

Full access to job costing within their projects.

Permissions:

  • ✓ Everything Job Cost User can do

  • ✓ Create job cost lines

  • ✓ Edit job cost lines

  • ✓ Delete job cost lines

  • ✓ Create and apply budget templates

  • ✓ Link purchase orders to cost lines

  • ✗ Cannot modify system-wide phases/categories

Record Rules:

  • Can create/edit budget lines for projects in their company

  • Full access to own company’s job costing data

Typical Users:

  • Project Managers (primary role)

  • Office managers

  • Construction coordinators

Warning

This is the role required to edit budget lines in the project form! If users cannot edit budgets, verify they have this role.

atlas_construction.group_job_cost_admin

System-wide administrative access.

Permissions:

  • ✓ Everything Job Cost Manager can do

  • ✓ Create/edit/delete cost categories

  • ✓ Create/edit/delete job phases

  • ✓ Manage budget templates

  • ✓ Configure module settings

  • ✓ Access all projects company-wide

Typical Users:

  • Construction executives

  • System administrators

  • Module administrators

Scheduling Security Groups

atlas_construction.group_scheduling_user

  • ✓ View project schedules

  • ✓ View Gantt charts

  • ✗ Cannot edit schedules

atlas_construction.group_scheduling_manager

  • ✓ Everything Scheduling User can do

  • ✓ Create and edit schedule tasks

  • ✓ Update task dependencies

  • ✓ Modify project timelines

Progress Billing Security Groups

atlas_construction.group_billing_user

  • ✓ View billing milestones

  • ✓ View milestone status

  • ✗ Cannot create invoices

atlas_construction.group_billing_manager

  • ✓ Everything Billing User can do

  • ✓ Create billing milestones

  • ✓ Mark milestones as ready to bill

  • ✓ Generate invoices from milestones

Change Order Security Groups

atlas_construction.group_change_order_user

  • ✓ View change orders

  • ✓ Create change order requests

  • ✓ Edit draft change orders

  • ✗ Cannot approve change orders

atlas_construction.group_change_order_manager

  • ✓ Everything Change Order User can do

  • ✓ Approve change orders

  • ✓ Reject change orders

  • ✓ Create sales orders from change orders

  • ✓ Update project budgets from approved COs

Daily Log Security Groups

atlas_construction.group_daily_log_user

  • ✓ Create daily logs

  • ✓ Upload photos

  • ✓ Record weather, delays, safety incidents

  • ✓ Edit own daily logs

  • ✗ Cannot edit other users’ logs

atlas_construction.group_daily_log_manager

  • ✓ Everything Daily Log User can do

  • ✓ Edit all daily logs

  • ✓ Delete daily logs

  • ✓ Approve/review logs

Customer Selections Security Groups

atlas_construction.group_selections_user

  • ✓ View customer selections

  • ✓ View selection options and pricing

  • ✗ Cannot modify selections

atlas_construction.group_selections_manager

  • ✓ Everything Selections User can do

  • ✓ Create selection categories

  • ✓ Manage selection options

  • ✓ Approve customer choices

  • ✓ Calculate budget impacts

Permission Matrix

Job Cost Lines (atlas.job.cost.line)

Security Group

Read

Create

Write

Delete

Job Cost User

Job Cost Manager

Job Cost Admin

Change Orders (atlas.change.order)

Security Group

Read

Create

Write

Delete

Change Order User

✓ (own)

Change Order Manager

✓ (all)

Billing Milestones (atlas.billing.milestone)

Security Group

Read

Create

Write

Delete

Billing User

Billing Manager

Daily Logs (atlas.daily.log)

Security Group

Read

Create

Write

Delete

Daily Log User

✓ (own)

Daily Log Manager

✓ (all)

Assigning Security Groups

Via User Form

  1. Navigate to Settings → Users & Companies → Users

  2. Select the user you want to configure

  3. Scroll to the Job Costing section (and other relevant sections)

  4. Select the appropriate role:

    • User - Read-only access

    • Manager - Full access (can edit budgets)

    • Admin - System configuration

  5. Repeat for other functional areas (Scheduling, Billing, etc.)

  6. Click Save

Figure: User security group assignment

Note

Users need to log out and log back in for security changes to take effect.

Via XML (Technical)

In a data file of this module or of a module that depends on it:

<record id="user_project_manager" model="res.users">
    <field name="name">John Smith</field>
    <field name="login">jsmith@example.com</field>
    <!-- A single groups_id field with one (4, id) link command per group;
         a repeated field of the same name overwrites the earlier one -->
    <field name="groups_id" eval="[
        (4, ref('atlas_construction.group_job_cost_manager')),
        (4, ref('atlas_construction.group_scheduling_manager')),
        (4, ref('atlas_construction.group_change_order_manager'))
    ]"/>
</record>

Record Rules

The module implements record rules to restrict data access based on user context.

Job Cost Line Rules

Users (job_cost_line_user_rule)

domain = [
    '|',
    ('project_id.user_id', '=', user.id),
    ('project_id.message_partner_ids', 'in', [user.partner_id.id])
]

  • Users can only view budget lines for projects they:

    • Own (are the project manager for)

    • Are following (in the project’s followers)

Managers (job_cost_line_manager_rule)

domain = [('project_id.company_id', '=', user.company_id.id)]

  • Managers can access all budget lines in their company
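
How the two job cost line rules above behave when evaluated, as an added example (not the module's code and not Odoo's domain engine): a small evaluator for prefix-notation domains, run over constructed records. It assumes Odoo's standard behaviour that rules attached to different groups held by the same user are combined with OR; the user, the records and all function names are hypothetical.

```python
# Added illustration, not Odoo's or the module's code. Sample data is constructed.
def get_path(record, path):
    """Follow a dotted field path such as 'project_id.user_id' through nested dicts."""
    for key in path.split("."):
        record = record[key]
    return record

def leaf_matches(record, leaf):
    field, op, operand = leaf
    actual = get_path(record, field)
    if op == "=":
        return actual == operand
    if op == "in":  # x2many fields hold a list: any element in the operand matches
        values = actual if isinstance(actual, list) else [actual]
        return any(v in operand for v in values)
    raise ValueError(f"unsupported operator: {op!r}")

def matches(record, domain):
    """Evaluate a prefix-notation domain; top-level terms are ANDed implicitly."""
    def parse(pos):
        token = domain[pos]
        if token in ("|", "&"):
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            return ((left or right) if token == "|" else (left and right)), pos
        return leaf_matches(record, token), pos + 1
    result, pos = True, 0
    while pos < len(domain):
        term, pos = parse(pos)
        result = result and term
    return result

def user_rule(user):  # job_cost_line_user_rule, as given on the page
    return ["|", ("project_id.user_id", "=", user["id"]),
            ("project_id.message_partner_ids", "in", [user["partner_id"]])]

def manager_rule(user):  # job_cost_line_manager_rule, as given on the page
    return [("project_id.company_id", "=", user["company_id"])]

ALICE = {"id": 7, "partner_id": 70, "company_id": 1}  # constructed user
LINES = {  # constructed job cost lines, keyed by a label
    "owned": {"project_id": {"user_id": 7, "message_partner_ids": [], "company_id": 1}},
    "followed": {"project_id": {"user_id": 9, "message_partner_ids": [70, 71], "company_id": 1}},
    "other": {"project_id": {"user_id": 9, "message_partner_ids": [71], "company_id": 1}},
    "foreign": {"project_id": {"user_id": 9, "message_partner_ids": [70], "company_id": 2}},
}

def visible_lines(user, rules):  # rules from different groups are ORed together
    return sorted(name for name, rec in LINES.items()
                  if any(matches(rec, rule(user)) for rule in rules))
```

With this constructed data the user rule returns the followed line in company 2, because that rule has no company clause. A user holding both groups therefore sees it, although the manager rule alone would not return it.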

Change Order Rules

Users (change_order_user_rule)

domain = [
    '|',
    ('project_id.user_id', '=', user.id),
    ('create_uid', '=', user.id)
]

  • Users can view change orders they created or for projects they manage

Managers (change_order_manager_rule)

domain = [('company_id', '=', user.company_id.id)]

  • Managers can view all change orders in their company

Portal Access

Portal users (customers) have limited read-only access:

Can View:

  • Their own project information

  • Billing milestones (read-only)

  • Change orders submitted to them

  • Customer selections (for their approval)

  • Daily log summaries

Cannot:

  • View detailed cost information

  • Edit any data

  • Create change orders (must request through PM)

Portal Security Groups

  • atlas_construction.group_construction_portal

    • Read-only access to assigned projects

    • View billing milestones

    • Approve selections

Common Permission Issues

Issue: Cannot Edit Budget Lines

Symptom:

Budget lines in the project form appear as text (not editable), or edit buttons are grayed out.

Cause:

User does not have the Job Cost Manager security group.

Solution:

  1. Verify the user has the group_job_cost_manager role

  2. Log out and log back in

  3. Clear browser cache

  4. Verify project is in user’s company

Issue: Cannot Approve Change Orders

Symptom:

“Approve” button is missing or grayed out on change orders.

Cause:

User needs Change Order Manager role.

Solution:

Assign group_change_order_manager to the user.

Issue: Cannot Create Invoices from Milestones

Symptom:

“Create Invoice” button is missing.

Cause:

User needs Billing Manager role.

Solution:

Assign group_billing_manager to the user.

Issue: Can Only See Some Projects

Symptom:

User cannot see all projects in their company.

Cause:

User has “User” level permissions (record rules restrict to followed projects).

Solution:

Either:

  • Upgrade to “Manager” role (see all company projects)

  • Add user as follower on specific projects

Best Practices

Principle of Least Privilege

  1. Start with User-level access

    • Give users minimal permissions initially

    • Upgrade to Manager only when needed

  2. Separate duties

    • Field users: Daily Log User

    • Project managers: Job Cost Manager + Change Order Manager

    • Accounting: Billing Manager

    • Executives: Admin roles

  3. Use project followers

    • Add team members as followers instead of giving company-wide access

    • Maintains visibility without excess permissions

Role Assignment Guidelines

Field Foreman:

  • Daily Log Manager

  • Job Cost User (view budgets)

Project Manager:

  • Job Cost Manager (edit budgets)

  • Scheduling Manager

  • Change Order Manager

  • Billing User

Project Coordinator:

  • Job Cost Manager

  • Selections Manager

  • Daily Log Manager

Construction Manager/Executive:

  • Job Cost Admin

  • Change Order Manager

  • Billing Manager

  • All other Admin roles

Accounting Staff:

  • Billing Manager

  • Job Cost User (view-only)

Security Audit

Regularly review:

  1. User access levels

    • Settings → Users → Review each user’s groups

    • Remove unnecessary permissions

  2. Portal access

    • Review which customers have portal access

    • Verify they can only see their projects

  3. Inactive users

    • Archive users who no longer need access

    • Remove from security groups before archiving

Tip

Create a spreadsheet mapping users to roles for easy reference and auditing.

Multi-Company Configuration

If using Odoo multi-company:

  1. Security groups are company-independent

    • Users have the same groups across all companies

    • Record rules enforce company restrictions

  2. Assign users to companies

    • Settings → Users → Allowed Companies

    • User can only access projects in their companies

  3. Shared templates

    • Budget templates can be company-specific or shared

    • Set company_id on template to restrict access

Technical Reference

Security Files

security/security.xml

Security group definitions and record rules

security/ir.model.access.csv

Model-level access rights (CRUD permissions)

Group External IDs

Use these IDs when referencing groups in code or data files:

  • atlas_construction.group_job_cost_user

  • atlas_construction.group_job_cost_manager

  • atlas_construction.group_job_cost_admin

  • atlas_construction.group_scheduling_user

  • atlas_construction.group_scheduling_manager

  • atlas_construction.group_billing_user

  • atlas_construction.group_billing_manager

  • atlas_construction.group_change_order_user

  • atlas_construction.group_change_order_manager

  • atlas_construction.group_daily_log_user

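  • atlas_construction.group_daily_log_manager

  • atlas_construction.group_selections_user

  • atlas_construction.group_selections_manager

  • atlas_construction.group_construction_portal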

Next Steps

  • configuration/settings - Configure module settings

  • Project Setup - Create your first project

  • user_guides/project_manager - Project manager user guide