What are the minimal role attributes required for odoo day-to-day use?


Most tutorials for setting up Odoo ERP create a superuser role for the web app user, which is odoo everywhere too, except in the documentation, where it says:

For the database management screen to be completely non-functional, the PostgreSQL user needs to be created with no-createdb and the database must be owned by a different PostgreSQL user.

Warning: the PostgreSQL user must not be a superuser

But I can't find what the minimal roles required are in order to fulfil the minimum rights principle for the day-to-day role, so excluding administration (updating, adding modules).


4
Laurenz Albe On

Any tutorial that recommends using a superuser is untrustworthy.

To create a role odoo that can create anything it wants in database mydb, you could connect to mydb and run:

/*
 * It would be better to create the role without password
 * and set it in a more secure fashion later.
 */
CREATE ROLE odoo LOGIN PASSWORD 'whatever';
GRANT CREATE ON DATABASE mydb TO odoo;
CREATE SCHEMA myapp AUTHORIZATION odoo;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER DATABASE mydb SET search_path = myapp, public;

The creation of a separate schema for your application objects is not absolutely necessary, but a good idea in my opinion.
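
A read-only audit of the resulting role against the constraints quoted from the documentation (not a superuser, no createdb, database owned by a different role). This is an added example, not part of the original answer; it assumes the names odoo, mydb and myapp used in the answer and is run while connected to mydb.

```sql
-- Added example: check the role from the answer against the documentation's
-- constraints. odoo, mydb and myapp are the names used in the answer.

-- 1. Role attributes. For a day-to-day application role only rolcanlogin
--    is needed; the documentation requires rolsuper and rolcreatedb to be false.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolcreatedb,
       rolcreaterole,
       rolreplication,
       rolbypassrls
FROM pg_roles
WHERE rolname = 'odoo';

-- 2. Database ownership. The documentation requires the database to be
--    owned by a different PostgreSQL user than the one Odoo connects as.
SELECT d.datname,
       pg_get_userbyid(d.datdba)           AS owner,
       pg_get_userbyid(d.datdba) <> 'odoo' AS owned_by_other_role
FROM pg_database AS d
WHERE d.datname = 'mydb';

-- 3. Effective privileges resulting from the GRANT, CREATE SCHEMA and
--    REVOKE statements in the answer. The REVOKE is meant to leave
--    can_create_in_public false for a role that does not own the schema.
SELECT has_database_privilege('odoo', 'mydb', 'CONNECT') AS can_connect,
       has_database_privilege('odoo', 'mydb', 'CREATE')  AS can_create_schema,
       has_schema_privilege('odoo', 'myapp', 'CREATE')   AS can_create_in_myapp,
       has_schema_privilege('odoo', 'public', 'CREATE')  AS can_create_in_public;

-- 4. Role memberships. Any row returned is a role whose privileges odoo
--    can obtain in addition to its own attributes and grants.
SELECT r.rolname AS member_of
FROM pg_auth_members AS m
JOIN pg_roles AS r ON r.oid = m.roleid
JOIN pg_roles AS u ON u.oid = m.member
WHERE u.rolname = 'odoo';
```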