OCA · AungKoKoLin1997 · Dec 5, 2025 · yostashiro · Dec 23, 2025
diff --git a/account_move_group_restriction/README.rst b/account_move_group_restriction/README.rst
@@ -0,0 +1,111 @@
+=========================================
+Account Move Restricted by Account Groups
+=========================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:933c2ca3272ccf0dd85bb6c838cee69ba99b8a2366f20cbb46fe18b36a1652ad
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Faccount--financial--tools-lightgray.png?logo=github
+    :target: https://github.com/OCA/account-financial-tools/tree/16.0/account_move_group_restriction
+    :alt: OCA/account-financial-tools
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/account-financial-tools-16-0/account-financial-tools-16-0-account_move_group_restriction
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/account-financial-tools&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module adds an Access Groups field on accounts. When set, only
+users in the selected groups can view journal entries and journal items
+that use those accounts.
+
+In standard Odoo, accounting users can generally access all journal
+entries and items. In some cases, even certain accounting managers
+should not see specific entries because they contain confidential
+information. This module fills that gap by enforcing account-based
+visibility rules.
+
+Note: The groups set on accounts are intended to be additional to the
+standard account.group_account_user, so users still keep basic
+accounting access. For this reason, the module also provides a default
+group, Accounting / View Restricted Accounts, which implies
+account.group_account_user.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Known issues / Roadmap
+======================
+
+If a journal entry includes lines on accounts restricted by different
+access groups, the entry is accessible to any user who belongs to at
+least one (not all) of those groups.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/account-financial-tools/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/account-financial-tools/issues/new?body=module:%20account_move_group_restriction%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Quartile
+
+Contributors
+------------
+
+-  `Quartile <https://www.quartile.co>`__:
+
+   -  Tatsuki Kanda
+   -  Aung Ko Ko Lin
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-kanda999| image:: https://github.com/kanda999.png?size=40px
+    :target: https://github.com/kanda999
+    :alt: kanda999
+.. |maintainer-aungkokolin1997| image:: https://github.com/aungkokolin1997.png?size=40px
+    :target: https://github.com/aungkokolin1997
+    :alt: aungkokolin1997
+
+Current `maintainers <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-kanda999| |maintainer-aungkokolin1997| 
+
+This module is part of the `OCA/account-financial-tools <https://github.com/OCA/account-financial-tools/tree/16.0/account_move_group_restriction>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/account_move_group_restriction/__init__.py b/account_move_group_restriction/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/account_move_group_restriction/__manifest__.py b/account_move_group_restriction/__manifest__.py
@@ -0,0 +1,20 @@
+# Copyright 2025 Quartile (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Account Move Restricted by Account Groups",
+    "summary": "Restrict visibility of journal entries by security groups on accounts.",
+    "version": "16.0.1.0.0",
+    "category": "Accounting",
+    "author": "Quartile, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/account-financial-tools",
+    "license": "AGPL-3",
+    "depends": ["account"],
+    "data": [
+        "security/account_move_group_restriction_security.xml",
+        "views/account_account_view.xml",
+    ],
+    "maintainers": ["kanda999", "aungkokolin1997"],
+    "installable": True,
+    "application": False,
+}
diff --git a/account_move_group_restriction/models/__init__.py b/account_move_group_restriction/models/__init__.py
@@ -0,0 +1,2 @@
+from . import account_account
+from . import account_move
diff --git a/account_move_group_restriction/models/account_account.py b/account_move_group_restriction/models/account_account.py
@@ -0,0 +1,22 @@
+# Copyright 2025 Quartile (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl)
+
+from odoo import fields, models
+
+
+class AccountAccount(models.Model):
+    _inherit = "account.account"
+
+    security_group_ids = fields.Many2many(
+        comodel_name="res.groups",
+        relation="account_account_res_groups_rel",
+        column1="account_id",
+        column2="group_id",
+        string="Access Groups",
+        help=(
+            "If set, only users belonging to at least one of these groups "
+            "will be able to see journal items and journal entries "
+            "posting on this account. "
+            "If left empty, the account is visible to all accounting users."
+        ),
+    )
diff --git a/account_move_group_restriction/models/account_move.py b/account_move_group_restriction/models/account_move.py
@@ -0,0 +1,31 @@
+# Copyright 2025 Quartile (https://www.quartile.co)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl)
+
+from odoo import Command, api, fields, models
+
+
+class AccountMove(models.Model):
+    _inherit = "account.move"
+
+    account_security_group_ids = fields.Many2many(
+        comodel_name="res.groups",
+        relation="account_move_res_groups_rel",
+        column1="move_id",
+        column2="group_id",
+        string="Account Access Groups",
+        compute="_compute_account_security_group_ids",
+        compute_sudo=True,
+        store=True,
+        help=(
+            "Union of the security groups configured on the accounts used "
+            "on this journal entry. Used by record rules to restrict access: "
+            "if any line uses a restricted account, the whole move becomes "
+            "visible only to users in at least one of these groups."
+        ),
+    )
+
+    @api.depends("line_ids.account_id.security_group_ids")
+    def _compute_account_security_group_ids(self):
+        for move in self:
+            groups = move.mapped("line_ids.account_id.security_group_ids")
+            move.account_security_group_ids = [Command.set(groups.ids)]
diff --git a/account_move_group_restriction/readme/CONTRIBUTORS.md b/account_move_group_restriction/readme/CONTRIBUTORS.md
@@ -0,0 +1,3 @@
+- [Quartile](https://www.quartile.co):
+  - Tatsuki Kanda
+  - Aung Ko Ko Lin
diff --git a/account_move_group_restriction/readme/DESCRIPTION.md b/account_move_group_restriction/readme/DESCRIPTION.md
@@ -0,0 +1,12 @@
+This module adds an Access Groups field on accounts. When set, only users in the
+selected groups can view journal entries and journal items that use those accounts.
+
+In standard Odoo, accounting users can generally access all journal entries and items.
+In some cases, even certain accounting managers should not see specific entries because
+they contain confidential information. This module fills that gap by enforcing
+account-based visibility rules.
+
+Note: The groups set on accounts are intended to be additional to the standard
+account.group_account_user, so users still keep basic accounting access. For this
+reason, the module also provides a default group, Accounting / View Restricted Accounts, 
+which implies account.group_account_user.
diff --git a/account_move_group_restriction/readme/ROADMAP.md b/account_move_group_restriction/readme/ROADMAP.md
@@ -0,0 +1,2 @@
+If a journal entry includes lines on accounts restricted by different access groups, the
+entry is accessible to any user who belongs to at least one (not all) of those groups.
diff --git a/account_move_group_restriction/security/account_move_group_restriction_security.xml b/account_move_group_restriction/security/account_move_group_restriction_security.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo>
+    <record id="group_restricted_account_management" model="res.groups">
+        <field name="name">Accounting / View Restricted Accounts</field>
+        <field name="category_id" ref="base.module_category_accounting_and_finance" />
+        <field
+            name="implied_ids"
+            eval="[Command.link(ref('account.group_account_user'))]"
+        />
+    </record>
+
+    <record id="account_move_line_account_group_rule" model="ir.rule">
+        <field name="name">Account Move Line by Account Group</field>
+        <field name="model_id" ref="account.model_account_move_line" />
+        <field name="domain_force">
+            ['|',
+                ('move_id.account_security_group_ids', '=', False),
+                ('move_id.account_security_group_ids', 'in', user.groups_id.ids)
+            ]
+        </field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="account_move_account_group_rule" model="ir.rule">
+        <field name="name">Account Move by Account Group</field>
+        <field name="model_id" ref="account.model_account_move" />
+        <field name="domain_force">
+            ['|',
+                ('account_security_group_ids', '=', False),
+                ('account_security_group_ids', 'in', user.groups_id.ids)
+            ]
+        </field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from . import account_account
		from . import account_move
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		If a journal entry includes lines on accounts restricted by different access groups, the
		entry is accessible to any user who belongs to at least one (not all) of those groups.