[ADD] hr_employee_bank_restrict: Restrict bank account visibility in employee contacts

Add visibility restriction for bank accounts field in partner contacts linked
to employees via work_contact_id. Only users with account.group_account_user
or account.group_account_manager can view bank accounts in employee contacts.

Users with billing-only access (account.group_invoice) cannot view this data.

MT-14341 @moduon

Author: EmilioPascual

hr_employee_bank_restrict/README.rst

@@ -0,0 +1,144 @@
+======================
+Employee bank restrict
+======================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:fcad4c62a0566610c4344fe2465e1456fb33f4c7fce25d0ae0bf90cafe928a15
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Alpha-red.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Alpha
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fhr-lightgray.png?logo=github
+    :target: https://github.com/OCA/hr/tree/18.0/hr_employee_bank_restrict
+    :alt: OCA/hr
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/hr-18-0/hr-18-0-hr_employee_bank_restrict
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/hr&target_branch=18.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+Restrict visibility of bank accounts in contacts related to employees.
+
+This module hides bank account information in partner contacts that are
+linked to employees, only allowing users with accounting full access
+(group_account_user or group_account_manager) to view this sensitive
+data.
+
+Regular contacts (not related to employees) show bank accounts to all
+users as usual.
+
+.. IMPORTANT::
+   This is an alpha version, the data model and design can change at any time without warning.
+   Only for development or testing purpose, do not use in production.
+   `More details on development status <https://odoo-community.org/page/development-status>`_
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Use Cases / Context
+===================
+
+This module was developed to protect sensitive banking information of
+employees.
+
+In organizations where payroll or expense reimbursement is managed,
+employees need to provide their bank account details. These contacts are
+linked to employee records via the "Work Contact" field. It's common
+practice to restrict access to this sensitive data to only users who
+truly need it for payment processing.
+
+It will be useful for you if:
+
+- You manage employee payroll or expense reimbursements in Odoo.
+- You want to restrict access to employee bank account data.
+- You need to comply with data protection regulations (like GDPR).
+
+Usage
+=====
+
+To use this module, you need to:
+
+1. Install the module in your Odoo database.
+
+2. Ensure employees have their "Work Contact" field properly linked:
+
+   - Go to the "Employees" app.
+   - Select an employee.
+   - In the "Work Contact" field, verify the contact is set.
+
+3. Verify the restriction works:
+
+   - As a user with accounting rights (Accounting User or Accounting
+     Manager), open a contact linked to an employee. The bank accounts
+     section should be visible.
+
+   - As a user without accounting rights (like Billing or Internal
+     User), open a contact linked to an employee. The bank accounts
+     section should be hidden.
+
+4. For regular contacts (not related to employees), bank accounts are
+   always visible to all users.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/hr/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/hr/issues/new?body=module:%20hr_employee_bank_restrict%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Moduon
+
+Contributors
+------------
+
+- Emilio Pascual (`Moduon <https://www.moduon.team/>`__)
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-EmilioPascual| image:: https://github.com/EmilioPascual.png?size=40px
+    :target: https://github.com/EmilioPascual
+    :alt: EmilioPascual
+.. |maintainer-rafaelbn| image:: https://github.com/rafaelbn.png?size=40px
+    :target: https://github.com/rafaelbn
+    :alt: rafaelbn
+
+Current `maintainers <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-EmilioPascual| |maintainer-rafaelbn| 
+
+This module is part of the `OCA/hr <https://github.com/OCA/hr/tree/18.0/hr_employee_bank_restrict>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

hr_employee_bank_restrict/__init__.py

@@ -0,0 +1 @@
+from . import models

hr_employee_bank_restrict/__manifest__.py

@@ -0,0 +1,22 @@
+# Copyright 2026 Moduon Team S.L.
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl-3.0)
+
+{
+    "name": "Employee bank restrict",
+    "summary": "Restrict employee bank account in employee partner",
+    "version": "18.0.1.0.0",
+    "development_status": "Alpha",
+    "category": "Human Resources/Employees",
+    "website": "https://github.com/OCA/hr",
+    "author": "Moduon, Odoo Community Association (OCA)",
+    "maintainers": ["EmilioPascual", "rafaelbn"],
+    "license": "LGPL-3",
+    "application": False,
+    "installable": True,
+    "depends": [
+        "hr", "account",
+    ],
+    "data": [
+        "views/res_partner_views.xml",
+    ],
+}

hr_employee_bank_restrict/i18n/es.po

@@ -0,0 +1,28 @@
+# Translation of Odoo Server.
+# Copyright (C) 2026 Moduon Team SL
+# This file is distributed under the same license as the hr_employee_bank_restrict package.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 18.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-04-08 14:35+0000\n"
+"PO-Revision-Date: 2026-04-08 16:37+0200\n"
+"Last-Translator: Emilio Pascual <emilio@moduon.team>\n"
+"Language-Team: Spanish\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 3.6\n"
+
+#. module: hr_employee_bank_restrict
+#: model:ir.model.fields,field_description:hr_employee_bank_restrict.field_res_partner__can_view_bank_accounts
+#: model:ir.model.fields,field_description:hr_employee_bank_restrict.field_res_users__can_view_bank_accounts
+msgid "Can View Bank Accounts"
+msgstr "Puede Ver Cuentas Bancarias"
+
+#. module: hr_employee_bank_restrict
+#: model:ir.model,name:hr_employee_bank_restrict.model_res_partner
+msgid "Contact"
+msgstr "Contacto"

hr_employee_bank_restrict/i18n/hr_employee_bank_restrict.pot

@@ -0,0 +1,27 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* hr_employee_bank_restrict
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 18.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-04-08 14:35+0000\n"
+"PO-Revision-Date: 2026-04-08 14:35+0000\n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: hr_employee_bank_restrict
+#: model:ir.model.fields,field_description:hr_employee_bank_restrict.field_res_partner__can_view_bank_accounts
+#: model:ir.model.fields,field_description:hr_employee_bank_restrict.field_res_users__can_view_bank_accounts
+msgid "Can View Bank Accounts"
+msgstr ""
+
+#. module: hr_employee_bank_restrict
+#: model:ir.model,name:hr_employee_bank_restrict.model_res_partner
+msgid "Contact"
+msgstr ""

hr_employee_bank_restrict/models/__init__.py

@@ -0,0 +1 @@
+from . import res_partner

hr_employee_bank_restrict/models/res_partner.py

@@ -0,0 +1,53 @@
+# Copyright 2026 Moduon Team S.L.
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl-3.0)
+
+from odoo import api, fields, models
+
+
+class ResPartner(models.Model):
+    _inherit = "res.partner"
+
+    def _is_employee_contact(self):
+        """Check if the partner is related to an employee as work contact.
+
+        Returns:
+            bool: True if the partner is linked to an employee via work_contact_id.
+        """
+        self.ensure_one()
+        return (
+            self.env["hr.employee"]
+            .sudo()
+            .search_count([("work_contact_id", "=", self.id)])
+        )
+
+    def _check_can_view_bank_accounts(self):
+        """Check if the current user can view bank accounts in this partner.
+
+        Only users with accounting_full_access (group_account_user or
+        group_account_manager) can view bank accounts in contacts
+        related to employees. Regular contacts show bank accounts to all users.
+
+        Returns:
+            bool: True if the user can view bank accounts for this partner.
+        """
+        self.ensure_one()
+        if not self._is_employee_contact():
+            return True
+        user = self.env.user
+        if user.has_group("account.group_account_user"):
+            return True
+        if user.has_group("account.group_account_manager"):
+            return True
+        return False
+
+    can_view_bank_accounts = fields.Boolean(
+        string="Can View Bank Accounts",
+        compute="_compute_can_view_bank_accounts",
+        store=False,
+        compute_sudo=True,
+    )
+
+    def _compute_can_view_bank_accounts(self):
+        """Compute the can_view_bank_accounts field for partners."""
+        for partner in self:
+            partner.can_view_bank_accounts = partner._check_can_view_bank_accounts()

hr_employee_bank_restrict/pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"

hr_employee_bank_restrict/readme/CONTEXT.md

@@ -0,0 +1,11 @@
+This module was developed to protect sensitive banking information of employees.
+
+In organizations where payroll or expense reimbursement is managed, employees need to provide their bank account
+details. These contacts are linked to employee records via the "Work Contact" field. It's common
+practice to restrict access to this sensitive data to only users who truly need it for payment processing.
+
+It will be useful for you if:
+
+-   You manage employee payroll or expense reimbursements in Odoo.
+-   You want to restrict access to employee bank account data.
+-   You need to comply with data protection regulations (like GDPR).

hr_employee_bank_restrict/readme/CONTRIBUTORS.md

@@ -0,0 +1 @@
+-   Emilio Pascual ([Moduon](https://www.moduon.team/))