This is done using a CSV file named security/ir.model.access.csv:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_todo_task_group_user,todo.task.user,model_todo_task,base.group_user,1,1,1,1
The filename corresponds to the model to load the data into, and the first line of the file has the column names. These are the columns provided by the CSV file:
id: It is the record external identifier (also known as XML ID). It should be unique in our module.
name: This is a description title. It is only informative and it’s best if it’s kept unique. Official modules usually use a dot-separated string with the model name and the group. Following this convention, we used todo.task.user.
model_id: This is the external identifier for the model we are giving access to. Models have XML IDs automatically generated by the ORM: for todo.task, the identifier is model_todo_task.
group_id: This identifies the security group to give permissions to. The most important ones are provided by the base module. The Employee group is such a case and has the identifier base.group_user.
The last four perm fields flag which kinds of access are granted: read, write, create, or unlink (delete).
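The column rules above can be checked before the module is installed. The following is an added example, not code from the original text or from Odoo: a small linter for the contents of ir.model.access.csv. The function name lint_access_csv and the second and third sample rows are constructed for illustration, and the empty-group check and the strict 0/1 check are review conventions assumed here, not rules stated above.

```python
import csv
import io

EXPECTED = ["id", "name", "model_id:id", "group_id:id",
            "perm_read", "perm_write", "perm_create", "perm_unlink"]

# Constructed sample: the first data row is the page's, the other two are
# made up to trigger findings.
SAMPLE = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_todo_task_group_user,todo.task.user,model_todo_task,base.group_user,1,1,1,1
access_todo_task_group_user,todo.task.user,model_todo_task,base.group_user,1,0,0,0
access_todo_task_all,todo.task.all,model_todo_task,,1,1,1,x
"""


def lint_access_csv(text):
    """Return (line_number, message) findings for ir.model.access.csv content."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED:
        return [(1, "unexpected header: %r" % (reader.fieldnames,))]
    findings, seen = [], {"id": {}, "name": {}}
    for row in reader:
        line = reader.line_num
        if None in row or None in row.values():
            findings.append((line, "wrong number of columns"))
            continue
        # id should be unique in the module; name is best kept unique.
        for col in ("id", "name"):
            first = seen[col].setdefault(row[col], line)
            if first != line:
                findings.append((line, "duplicate %s %r (first on line %d)"
                                 % (col, row[col], first)))
        # ORM-generated model identifiers look like model_todo_task; a module
        # prefix before a dot is allowed for models defined elsewhere.
        if not row["model_id:id"].rpartition(".")[2].startswith("model_"):
            findings.append((line, "model_id:id does not look like model_<name>"))
        # Assumed review rule: every grant should name a security group.
        if not row["group_id:id"].strip():
            findings.append((line, "empty group_id:id, grant is not tied to a group"))
        # This linter only accepts the 0/1 flag form used on the page.
        for perm in EXPECTED[4:]:
            if row[perm] not in ("0", "1"):
                findings.append((line, "%s is %r, expected 0 or 1" % (perm, row[perm])))
    return findings


if __name__ == "__main__":
    for line, message in lint_access_csv(SAMPLE):
        print("line %d: %s" % (line, message))
```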