[16.0][ADD] security_visualizer

Author: kobros-tech

security_visualizer/README.rst

@@ -0,0 +1,295 @@
+====================================
+Permissions & Access Rule Visualizer
+====================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:d30227088b2ac95369cb4df9493b310d7b88fe6a848f15fd3307714a6417f71a
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--tools-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-tools/tree/16.0/security_visualizer
+    :alt: OCA/server-tools
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-tools-16-0/server-tools-16-0-security_visualizer
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-tools&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module provides a comprehensive security visualization and
+debugging tool for Odoo. It makes Odoo's complex security system
+(``ir.model.access`` and ``ir.rule``) understandable and debuggable.
+
+**Problem**
+
+Odoo's security system is powerful but notoriously difficult to
+understand and debug:
+
+- Access rules are invisible and complex
+- Debugging security is painful
+- Small mistakes cause major data leaks or access blocks
+- No clear way to answer "Why can't user X access record Y?"
+
+**Solution**
+
+This module provides:
+
+1. **Security Analyzer** - Detailed analysis of access decisions
+2. **Access Matrix** - Visual grid showing user × model × operation
+   permissions
+3. **Rule Explainer** - Step-by-step breakdown of security checks
+4. **Safe Simulation** - Test access as any user without risk
+5. **Multi-Company Analysis** - Understand company-specific security
+   rules
+6. **Role-Based Access** - Analyze access through user roles (requires
+   base_user_role module)
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+No configuration needed. After installation, access the module via:
+
+**Menu Location**: Settings > Technical > Security > Security Visualizer
+
+1. **Security Dashboard** - Main interactive visualizer
+2. **Quick Analyzer** - Simple wizard for quick analysis
+
+Access Control
+--------------
+
+By default, only users in the **Settings** group (``base.group_system``)
+can access this module.
+
+This ensures that sensitive security information is only visible to
+system administrators.
+
+Multi-Company Configuration
+---------------------------
+
+The multi-company analysis feature works automatically if your Odoo
+instance uses multiple companies:
+
+- **No additional configuration needed**
+- Analysis automatically detects models with ``company_id`` fields
+- Shows which companies each user belongs to
+- Identifies company-specific record rules
+
+Role-Based Access (Optional)
+----------------------------
+
+To use the role-based access analysis feature:
+
+1. **Install base_user_role module**:
+
+   .. code:: bash
+
+      # The module is typically available from OCA
+      # Add the OCA server-backend repository to your addons path
+
+2. **Assign roles to users**:
+
+   - Go to **Settings > Users & Companies > Roles**
+   - Create roles with appropriate groups
+   - Assign roles to users
+
+3. **Use the analyzer**:
+
+   - The Security Visualizer will automatically detect installed roles
+   - Analysis will include role information
+   - See which roles grant access to models
+
+If ``base_user_role`` is not installed:
+
+- The module works normally without role features
+- Role-related methods return appropriate status messages
+- All other features remain fully functional
+
+Usage
+=====
+
+Analyze Specific Access
+-----------------------
+
+1. Open **Security Visualizer** from **Settings > Technical > Security >
+   Security Dashboard**
+2. Select a **User** from the dropdown
+3. Select a **Model** (e.g., ``sale.order``)
+4. Choose an **Operation** (read, write, create, delete)
+5. Optionally enter a **Record ID** for specific record testing
+6. Click **Analyze Access**
+7. Review the detailed step-by-step explanation
+
+View Access Matrix
+------------------
+
+1. Open **Security Dashboard** from **Settings > Technical > Security**
+2. Click the **Access Matrix** tab
+3. Use the operation dropdown to filter by read/write/create/delete
+4. Green checkmark = access allowed, Red X = access denied
+5. Click any cell to see detailed analysis (coming in next version)
+
+Quick Analysis
+--------------
+
+1. Go to **Settings > Technical > Security > Quick Analyzer**
+2. Fill in the form (user, model, operation, optional record ID)
+3. Click **Analyze**
+4. View results in HTML summary and JSON format
+
+Understanding the Analysis
+--------------------------
+
+**Step 1: Model-Level Access (ACL)**
+
+Shows all ``ir.model.access`` rules that apply:
+
+- Which groups grant permission
+- Which specific CRUD operations are allowed
+- Whether the user has the required group membership
+
+**Step 2: Record Rules**
+
+Shows ``ir.rule`` domain filters:
+
+- **Global rules** (no groups): ALL must be satisfied - AND logic
+- **Group rules**: ANY can grant access - OR logic
+- Displays actual domain syntax for each rule
+
+**Step 3: Simulation Result**
+
+If a record ID is provided:
+
+- Tests actual access on that specific record
+- Safe, read-only simulation
+- Clear explanation of final verdict (Allowed/Denied/Conditional)
+
+Multi-Company Security Analysis
+-------------------------------
+
+**Analyze Company-Specific Access**
+
+1. Open **Security Visualizer**
+2. Use the multi-company analysis feature (via RPC methods)
+3. View which companies a user can access data from
+4. See company-related record rules
+
+The analysis shows:
+
+- User's assigned companies
+- Current active company
+- Models with company_id field
+- Company-specific record rules
+- Which companies grant access to records
+
+**Company Access Matrix**
+
+Generate a matrix showing:
+
+- User x Company x Model permissions
+- Which companies the user can access for each model
+- Company-specific rule counts
+
+Role-Based Access Analysis
+--------------------------
+
+**Prerequisites**
+
+This feature requires the ``base_user_role`` module to be installed.
+
+**Analyze User Roles**
+
+1. Open **Security Visualizer**
+2. Select a user
+3. View their assigned roles
+4. See which groups each role grants
+5. Distinguish between role-based and direct group assignments
+
+The analysis shows:
+
+- All roles assigned to the user
+- Groups granted by each role
+- Groups assigned directly (not through roles)
+- Total effective groups
+
+**Model Access with Roles**
+
+When analyzing model access:
+
+- See which roles grant access to the model
+- Understand access through role hierarchy
+- Identify if access is via role or direct group
+
+**Enhanced Explanations**
+
+Access decisions now include:
+
+- Step 0: User Roles (if roles are assigned)
+- Which specific roles grant the required permission
+- Whether access is role-based or direct
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-tools/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-tools/issues/new?body=module:%20security_visualizer%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Kobros-Tech
+
+Contributors
+------------
+
+- Mohamed Alkobrosli mohamed@kobros-tech.com
+  (`Kobros-Tech <https://kobros-tech.com/>`__)
+
+Other credits
+-------------
+
+**Development**
+
+This module was developed by **Kobros-Tech** (https://kobros-tech.com/)
+to address the common challenge of understanding and debugging Odoo's
+security system.
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-tools <https://github.com/OCA/server-tools/tree/16.0/security_visualizer>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

security_visualizer/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2026 Kobros-Tech Ltd (http://kobros-tech.com).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import models

security_visualizer/__manifest__.py

@@ -0,0 +1,31 @@
+# Copyright 2026 Kobros-Tech Ltd (http://kobros-tech.com).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+{
+    "name": "Permissions & Access Rule Visualizer",
+    "version": "16.0.1.0.0",
+    "category": "Tools",
+    "summary": "Visualize and debug Odoo security rules and access permissions",
+    "author": "Kobros-Tech, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-tools",
+    "license": "AGPL-3",
+    "depends": [
+        "base",
+        "web",
+    ],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/security_visualizer_views.xml",
+        "views/security_visualizer_menus.xml",
+    ],
+    "assets": {
+        "web.assets_backend": [
+            "security_visualizer/static/src/components/access_matrix/*",
+            "security_visualizer/static/src/components/rule_explainer/*",
+            "security_visualizer/static/src/components/security_visualizer/*",
+        ],
+    },
+    "installable": True,
+    "application": True,
+    "auto_install": False,
+}

security_visualizer/models/__init__.py

@@ -0,0 +1,5 @@
+# Copyright 2026 Kobros-Tech Ltd (http://kobros-tech.com) (http://kobros-tech.com).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import security_analyzer
+from . import security_visualizer_analysis