Fields with the groups attribute are specially handled to check whether the user belongs to any of the security groups indicated in the attribute, and if not, removes it from UI views and ORM operations for the user.

Note that this security is not superficial. The field is not only hidden in the user interface, but is also made unavailable to the user in the other ORM operations, such as read and write. This is also true for the XML-RPC or JSON-RPC calls.

Be careful when using these fields in business logic, or on change UI events (@api.onchange methods); they can raise errors for users with no access to the field. One workaround for this is to use privilege elevation, such as the sudo() model method or the compute_sudo field attribute for computed fields.

The groups value is a string containing a comma-separated list of valid XML IDs for security groups. The simplest way to find the XML ID for a particular group is to navigate to its form, at Settings | Users | Groups, and then access the View Metadata option from the debug menu, as shown in the following screenshot: