Security access in Odoo is configured through security groups: permissions are given to groups and then groups are assigned to users. Each functional area has base security groups provided by a central application.
When addon modules extend an existing application, they should add permissions to the corresponding groups, as shown in the Adding security access to models recipe later.
When addon modules add a new functional area not yet covered by an existing central application, they should add the corresponding security groups. Usually, we should have at least user and manager roles.
Taking the Library example we introduced in Chapter 4, Creating Odoo Addon Modules, it doesn't fit neatly in any of the Odoo core apps, so we add security groups for it.