User roles
PLANA Business Cloud uses two layers of access control:
- Odoo groups — fine-grained per-feature permissions (e.g. "can post invoices")
- User roles (from OCA
base_user_role+ PLANA'splana_user_roles) — pre-defined bundles of groups for common job functions
You assign a user one or more roles; the roles expand to the underlying group memberships. This is much easier to manage than ticking individual group checkboxes.
The roles PLANA ships
| Role | Common job | Granted permissions |
|---|---|---|
| Manager | Owner, GM | Everything except technical / developer settings |
| Sales Lead | Sales manager | Full Sales app, full CRM, read Accounting receivables |
| Sales Rep | Account executive, BDR | Read / edit own opportunities + quotes, send for approval |
| Accountant | Bookkeeper, accountant | Full Accounting; can post journal entries, reconcile, run reports |
| Accounting Manager | Senior accountant | Accountant + configure chart of accounts, taxes, journals; close fiscal year |
| Adviser (read-only) | External accountant, auditor | Read Accounting + Sales + Purchase; no write |
| Warehouse Manager | Operations lead | Full Inventory, Purchase, can configure warehouses |
| Warehouse Operator | Picker, receiver | Validate stock pickings; read-only on Purchase / Sales |
| HR Manager | HR lead (Pro+ tier) | Full Employees, Time Off, Recruitment |
| HR Employee | Self-service user | Submit time-off requests, see own info |
| Project Manager | (Pro+ tier) | Full Project, Timesheets |
| Project Member | Team member on a project | Edit own tasks, log own timesheets |
A user can hold multiple roles — typical small-business owner holds Manager + Accountant so they can do everything.
Assigning a role
Settings → Users → click the user → Roles tab.
- Click Add a role → pick from the list
- Click Save
The user's effective permissions update on their next page load (they don't need to sign out).
Customising roles
The default roles are sensible but rigid. To customise:
| Need | How |
|---|---|
| Add a permission to all "Sales Reps" | Open the role → Add the underlying group → save |
| Create a new role | Configuration → Roles → Create → assign groups |
| Time-bound role | Set From / Until dates on the role assignment — useful for contractors |
Custom roles persist across upgrades. PLANA's role definitions update in place when we ship new groups.
Group-level overrides
For one-off permission tweaks that don't fit a role:
Settings → Users → click the user → Other Permissions tab.
You see every Odoo group and can tick / untick individually. This is additive on top of the user's roles — handy for "this person has the Sales Rep role but also needs to see Accounting reports".
Avoid sprawl: if you find yourself ticking the same boxes for many users, that's a sign to add a new role.
Multi-company
For multi-company tenants (Pro+ tier), roles can be company-scoped:
- A "Sales Rep" role on Company A doesn't grant access to Company B's records
- The Company selector in the top bar filters records by user's allowed companies
- Multi-company users select the active company; switches refresh the view
Inactive / archived users
When someone leaves the company:
- Settings → Users → click the user → Archive (don't delete)
- They're signed out immediately
- Their historical records (invoices created, sale orders signed, etc.) remain — archiving preserves audit trail
- If they return, Unarchive
Never delete a user — the audit trail relies on user records existing.
Permissions vs SSO
The roles described here are inside the tenant. They don't affect PLANA SSO directly.
- SSO: are you signed in? are you who you claim?
- Roles: what can you do once you're signed in?
A user with SSO access but no roles can sign in to the tenant but see almost nothing (just their profile). A user with roles but no SSO link can't sign in at all.
What admins can do that nobody else can
Some actions are restricted to the Manager + Settings access combo:
- Edit roles or create new ones
- Edit Odoo groups
- Install / uninstall modules
- Change company information
- Edit fiscal positions, journals, taxes
PLANA recommends one or two people per tenant hold this level.
Where to read more
- Single sign-on — the SSO layer above roles
- Subscription and tier — tier limits on number of users
- Getting started → First login — the new-user view