Controlling Access & Permissions

Updated 11 July 2026

Decide exactly which Odoo apps, data types, and fields each AI key can reach – and from which locations.

Overview

Giving an AI tool an API key does not mean it can see your entire Odoo system. You layer three types of control on top of the linked Odoo user’s normal permissions:

Together, these let you safely let AI read customer names without touching payroll, or update products without deleting invoices.

How It Works

When AI makes a request, Odoo checks rules in this order:

If any check fails, the request is blocked and recorded as an error in the audit log.

App Access and Model Access are configured on each API key form, under their own tabs.

Step-by-Step Guide

Restrict by Odoo App
Restrict by Data Type (Model)
Restrict by IP Address

Fields Table – App Access

Fields Table – Model Access

Fields Table – IP Rules (on API Key)

Field Explanations

Odoo App / Module

Groups data by the Odoo app that owns it. Restricting to “Sales” means AI can work with sales-related data but not accounting or HR – even if the user could normally see those apps.

Module Name

The internal identifier for the app. You usually do not need to change this – it fills in automatically when you pick an app.

Model

A specific kind of record in Odoo – customers, products, invoices, etc. Use this for precise control when app-level access is too broad.

Allow Read / Create / Write / Delete

Four separate switches. For read-only AI assistants, enable only Read. For automation that creates leads, enable Read and Create but leave Delete off.

Field Allowlist

Comma-separated list of field names. If empty, all fields the user can normally see are allowed. If filled, AI can only touch those fields – great for hiding salary or cost data.

Domain Filter

A condition that limits which records count. Example: only show orders in “Draft” state. Ask your Odoo partner if you need help writing filters.

IP Allowlist

Extra network security. Useful when your AI tool runs from a fixed office IP or VPN. One address or CIDR range per line.

IP Denylist

Checked before the allowlist. Block a suspicious IP immediately without changing allowlist rules.

Tips

Common Mistakes

Image