OpenERP has two kinds of security restrictions that can be assigned to a user group:
Record Rules are filters applied on Create, Read, Write, Unlink operations, and allow per-document access-control, once access right are already granted. Users will only be able to perform an operation on a given document if the document matches at least one of the record rules. The default policy is ALLOW, so if no rule exists for a given model, all documents of that model may be accessed by users who have the necessary access rights.
Access Rights are Create, Read, Write, Unlink, yes/no flags (similar to Unix FS permissions), and allow per-model access control. They state whether members of this group may perform a Create, Read, Update, and Delete operation on any document of a certain document model (e.g. a project task). The default policy is DENY, so by default any operation will be refused if the user does not explicitly have the right to perform it via one of her groups' access rights.
Both Access Rights and Record Rules may also be defined globally without assigning them to a specific group, in which case they apply to everyone. There is one pitfall for Record Rules: global rules may NOT be relaxed by other rules (on purpose!), so use with care.
In your case it looks like you should define one extra Record Rule on the Project User group that explicitly restricts access on Project, Project Tasks and Phase to your own tasks. You need to create a new entry in the Security Rules menu with these parameters:
object/model: project.task
name: See own tasks only
domain: ['|',('user_id','=',False),('user_id','=',user.id)]
(means: your own tasks and unassigned ones)
apply for read: [x]
apply for write: [x]
apply for create: [x]
apply for delete: [x]
groups: Project / User
object/model: project.project
name: See own project only
domain: ['|',('user_id','=',False),('user_id','=',user.id)]
(means: your own project and unassigned ones)
apply for read: [x]
apply for write: [x]
apply for create: [x]
apply for delete: [x]
groups: Project / User
object/model: project.phase
name: See own phase only
domain: ['|',('user_id','=',False),('user_id','=',user.id)]
(means: your own phase and unassigned ones)
apply for read: [x]
apply for write: [x]
apply for create: [x]
apply for delete: [x]
groups: Project / User
The domain of a record rule is a standard OpenERP domain that is evaluated on the records on which you are trying to perform the operation, and can refer to a user variable that contains the current user's data (technically, a browse_record on the current user). Look for search() in
Note: Have a look at the existing Record Rules to see what they're doing first, and be sure to read the explanations on the Record Rule form when you are adding yours. And remember that if you do something wrong with Access Rights and Record Rules, you can always fix the mess with the admin account, as these security restrictions do not apply to the admin (similarly to the root user on Unix).
