By default, security in Odoo works as follows: when an app is installed, every user has almost full access and sees all corresponding menu items. The Role Policy app changes this approach: a user only has the access rights that have explicitly been granted. On installation, all security groups are removed from users, actions, menu items and views.
The Role Policy app allows you to create roles through the Odoo UI or in a spreadsheet. Roles can easily be imported and exported; you can even delete lines through the import of a role. As soon as a role has been configured, export it and adapt it to start defining your new role.
Menu items can be specified per role, allowing you to indicate, for instance, that a user only has access to Sales Invoices, but not to Supplier Invoices. View modifier rules allow you to set fields required / invisible / removed / read-only per role. You can also hide a complete view. Suppose you have a role that needs to create customers, but does not necessarily know the VAT number. Create a role which does not have the VAT number as a mandatory field, and create a second role that will validate the customer data and, while doing so, will see the VAT number as a required field.
A sales user should be able to post sales invoices, but is not allowed to create other account moves on the spot? No problem with the Role Policy App; view type attributes such as create, edit, delete, duplicate, import, export_xlsx become role-based!
Model methods can be created by developers and allow you to define per role who is allowed to post entries, for instance.
You only want certain roles to be able to print a sales order? Simply add the reporting action Sales Quotation / Order to the roles allowed to print it. A role that is not assigned to a reporting action will not be able to print reports.
You can also use xpath expressions for more complex rules.