The User Access Management Problem
Managing user access in an ERP is tedious and error-prone. New employees need accounts with the right permissions. Departing employees need accounts deactivated. Role changes require permission updates. And nobody ever audits whether users have more access than they need — until a security incident forces the question. An AI admin agent handles all of this systematically.
What the Agent Automates
User Provisioning
When a new employee joins, the agent creates their ERP account with appropriate permissions based on their role:
| Role | Security Groups | Record Rules |
|---|---|---|
| Sales Representative | Sales/User, CRM/User | See own leads and orders only |
| Sales Manager | Sales/Manager, CRM/Manager | See team leads and orders |
| Accountant | Accounting/User, Invoicing/User | All financial records |
| Finance Director | Accounting/Manager, Invoicing/Manager | All financial + approval |
| Warehouse Staff | Inventory/User, Stock/User | Assigned warehouse only |
| HR Manager | HR/Manager, Attendance/Manager | All employee records |
| IT Admin | Administration/Settings | System configuration only |
The agent maps job title → role → security groups, creating accounts with the minimum necessary permissions.
Account Deactivation
When an employee leaves:
- Deactivate the user account (do not delete — audit trail preservation)
- Revoke all security group memberships
- Invalidate active sessions
- Reset or rotate any API keys
- Reassign open tasks, leads, and tickets to another user
- Generate a deactivation audit record
Permission Audit
The agent periodically reviews user permissions:
- Over-privileged users — Users with admin/system group who should not have it
- Unused permissions — Users with access to modules they have never used
- Separation of duties — Users who can both create and approve the same transactions
- Shared accounts — Multiple people using the same login (compliance violation)
- Stale accounts — Active accounts for users who have not logged in for 90+ days
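A sketch of three of these checks (over-privilege, separation of duties, stale accounts) run against the role table above. This is an added example, not DeployMonkey's or Odoo's own code. The record fields, the SOD_CONFLICTS pair and the sample users are assumptions, and groups are compared as directly assigned names without expanding implied groups.

```python
from datetime import date
# Role-to-group mapping copied from the provisioning table on this page.
ROLE_GROUPS = {
    "Sales Representative": {"Sales/User", "CRM/User"},
    "Sales Manager": {"Sales/Manager", "CRM/Manager"},
    "Accountant": {"Accounting/User", "Invoicing/User"},
    "Finance Director": {"Accounting/Manager", "Invoicing/Manager"},
    "Warehouse Staff": {"Inventory/User", "Stock/User"},
    "HR Manager": {"HR/Manager", "Attendance/Manager"},
    "IT Admin": {"Administration/Settings"},
}
ADMIN_GROUP = "Administration/Settings"
STALE_DAYS = 90  # "not logged in for 90+ days"
# Assumption (not from the page): holding both groups lets one user create and approve.
SOD_CONFLICTS = [({"Invoicing/User", "Accounting/Manager"}, "create and approve invoices")]

def audit_user(user, today):
    """Return the audit findings for one user record, in a fixed order."""
    groups = set(user["groups"])
    expected = ROLE_GROUPS.get(user["role"], set())
    findings = []
    if user["role"] not in ROLE_GROUPS:
        findings.append(f"unknown role: {user['role']}")
    for group in sorted(groups - expected):  # anything beyond the role's mapping
        kind = "over-privileged" if group == ADMIN_GROUP else "excess group"
        findings.append(f"{kind}: {group}")
    for pair, duty in SOD_CONFLICTS:
        if pair <= groups:
            findings.append(f"separation of duties: {duty}")
    last = user["last_login"]
    idle = (today - last).days if last else None
    if idle is None or idle >= STALE_DAYS:
        findings.append("stale account: " + ("never logged in" if idle is None else f"{idle} days idle"))
    return findings

def audit(users, today):
    """Audit active accounts only; return {login: findings} for users with findings."""
    report = {u["login"]: audit_user(u, today) for u in users if u["active"]}
    return {login: found for login, found in report.items() if found}

# Constructed sample records (hypothetical export of user data, not real accounts).
SAMPLE_USERS = [
    {"login": "alice", "role": "Sales Representative", "active": True, "groups": ["Sales/User", "CRM/User"], "last_login": date(2024, 5, 20)},
    {"login": "bob", "role": "Sales Representative", "active": True, "groups": ["Sales/User", "CRM/User", "Administration/Settings"], "last_login": date(2024, 5, 30)},
    {"login": "carol", "role": "Accountant", "active": True, "groups": ["Accounting/User", "Invoicing/User", "Accounting/Manager"], "last_login": date(2024, 5, 28)},
    {"login": "dave", "role": "Warehouse Staff", "active": True, "groups": ["Inventory/User", "Stock/User"], "last_login": date(2024, 2, 1)},
    {"login": "erin", "role": "Sales Manager", "active": False, "groups": ["Administration/Settings"], "last_login": None},
]
if __name__ == "__main__":
    print(audit(SAMPLE_USERS, date(2024, 6, 1)))
```

Deactivated accounts are skipped here because the deactivation steps above already strip their group memberships; a stricter audit would verify that as well.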
Role Change Processing
When someone changes roles (e.g., promoted from Sales Rep to Sales Manager):
- Add new security groups for the new role
- Remove groups from the old role that are no longer appropriate
- Update record rules (team scope instead of personal scope)
- Notify the user of their new access levels
Access Request Workflow
- User requests additional access through a form or chat
- Agent validates the request against role-based policies
- Standard requests are auto-approved with audit logging
- Elevated requests (admin, financial) are routed to a manager for approval
- Approved requests are applied automatically
Compliance and Audit
- Complete audit trail of all access changes (who, when, what)
- Quarterly access review reports for compliance teams
- SOX compliance support (separation of duties, approval chains)
- GDPR compliance (who can access personal data)
Implementation in Odoo
The agent works with Odoo's security model:
- res.users — User accounts with group memberships
- res.groups — Security groups with implied and inherited groups
- ir.rule — Record rules for data-level access control
- ir.model.access — Model-level CRUD permissions
Getting Started
Deploy Odoo on DeployMonkey and define your role-to-permission mapping. The AI agent creates user accounts with correct permissions, audits existing users for over-privilege, and processes access requests — all through the control panel. Start with a permission audit of your existing users to identify immediate security improvements.