If you want to override the permissions in Odoo 16, check below tip and hope it helps.

Requirement : restrict all users to access purchase orders.

In order to do this, we need to setup a ir.model.access.csv in the security folder in our c
ustom extension module directory.

First find the model that is responsible for purchase orders which is purchase_order in settings > technical then find the access rights listed. Now we have to restrict each of these groups that can access to Purchase Model

In order to find the correct access rights group for Inventory/User, we can click on the Inventory/User and it will have a internal link arrow, click on it and it will land on the page Model > Purchase Order > User . From this page , click technical > view metadata - you will see the XL id as stock.group_stock_user
Now we have to find the base permission for this and then override in our own custom csv permission file.

for that, we need to extend the base level permissions of purchase order in our custom permission csv.

In oddo, 80 % of the time we are searching for code blocks in the source code, so here, we want to search the string part

model_purchase_order,stock.group_stock_user

The above string is part of the csv permission file, because we know there should be a string somewhere in source code that has the line above, we need to find it and override it.

so search using VSCode and we will find as below

we found the file odoo/addons/purchase_stock/security/ir.model.access.csv

Now we know that, the module name is purchase_stock and groups is stock.group_stock_user

So in our custom csv permission file, we shall add a line

purchase_stock.access_purchase_order_stock_worker,access_purchase_order_inventory,purchase.model_purchase_order,stock.group_stock_user,0,0,0,0

compare that to the original line in the base csv

access_purchase_order_stock_worker,purchase.order,model_purchase_order,stock.group_stock_user,1,0,0,0

so we have added
id: module.access_purchase_order_stock_worker
name: access_purchase_order_inventory
model: module.modelname
group: stock.group_stock_user
permission : 0,0,0,0 ( restrict everything )

general explanation of CSV file as below:

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
custom_extension.access_product_root_type, access_custom_extension_product_root_type,custom_extension.model_product_root_type,base.group_system,1,1,1,0

ID : this should be unique and a good nomenclature is to put
nameofmodule.access_nameofmodel that you need to set access to

name : this can be same as ID

model_id : this should be the modulename.model_nameofthemodel

group_id: this is xml id of the group, the xml id can get from the view metadata in Technical

the last numbers are for read, write, create and delete.

note : the group and the name of model may not have any relationship each other