app-odoo/app_sample/security/app_security.xml

<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <data noupdate="1">
        <!-- Create new App security category, 创建应用 -->
        <record model="ir.module.category" id="app_module_category_1">
            <field name="name">App...</field>
            <field name="description">Helps you manage your ...</field>
            <field name="sequence">8</field>
        </record>
        <!-- Cretate new App security group, 权限组 -->
        <!-- User group, 普通用记 -->
        <record id="group_app_user" model="res.groups">
            <field name="name">App User</field>
            <field name="category_id" ref="app_module_category_1"/>
            <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
            <field name="comment">The user will be able to ...</field>
        </record>

        <!-- Admin group，管理员，可以配置 -->
        <record id="group_app_admin" model="res.groups">
            <field name="name">App Admin</field>
            <field name="category_id" ref="app_module_category_1"/>
            <field name="implied_ids" eval="[(4, ref('group_app_user'))]"/>
            <field name="comment">The user will be able to config ...</field>
        </record>

        <!-- Auto set erp admin full access，group_erp_manager自动有完整权限 -->
        <record id="base.group_erp_manager" model="res.groups">
            <field name="implied_ids" eval="[(4, ref('group_app_admin'))]"/>
        </record>

        <!-- IR Rules, user can only see my record，记录集权限，用户只能见到自已的记录 -->
<!--        <record id="rule_user" model="ir.rule">-->
<!--            <field name="name">Users are allowed to access their own record</field>-->
<!--            <field name="model_id" ref="model_app_order"/>-->
<!--            <field name="domain_force">['|', ('partner_id', 'in', [user.partner_id.id]), ('user_id.id', '=', user.id)]</field>-->
<!--            <field name="groups" eval="[(4, ref('base.group_user'))]"/>-->
<!--        </record>-->
        <!--End -->
    </data>
</odoo>