User Access - Restrict Invoice only role to Customer list
There is a role setup for Invoices Only (Purchases). This is useful if you want to have a User process Accounts Payable Invoices, but without providing access to Sales Invoices.
However, if you login with this role, you can see 'All Contacts' as well as the list of all 'Customers' and the billing amounts outstanding. Surely this is inappropriate if the role is for Invoices Only (Purchases)?
The suggestion is that a user with the role 'Invoices Only (Purchases) can see Supplier contacts, but cannot view Customer contacts (which is really what most people would expect if this role is chosen).

-
Campbell Green commented
Granular Access Control – Secure, Zero Trust Permissions
Control-C’s new security model introduces a level of granularity never seen before in managing access to your Xero financial data. Traditionally, giving an employee access to run an Aged Payables or Aged Receivables report meant exposing your entire financial landscape – including sensitive areas like your Profit & Loss, balance sheet, bank transactions, and even other employees’ bonus information. Xero’s native user roles are fairly broad (e.g. standard user or advisor roles grant wide access). Not anymore.With Control-C’s Zero Trust-based security framework, you can now restrict access to just the specific data or reports your team members need – and nothing more. Want a staff member to run only the Aged Receivables report? You can grant that exact permission, without also giving away the rest of your accounting info. No more over-exposure or “all-or-nothing” access. For example, an accounts clerk can be set up to view and export customer invoices and aging reports, but cannot see the general ledger or payroll details. A junior bookkeeper could be limited to inputting bills and viewing the payables report, without any visibility of bank balances or management reports. You define roles at a fine-grained level – a stark contrast to Xero, where even a read-only user can see almost everything.
This precision access control is built from the ground up, aligning with modern Zero Trust security principles that assume no implicit trust – every access is explicitly granted and minimal. For accountants and compliance officers, this means better internal controls and cleaner audit trails. You can demonstrate that even within your organisation, sensitive financial data is only accessible on a strict need-to-know basis. For instance, an auditor or external accountant could be given a special “Auditor” role on Control-C: read-only access to relevant reports and the audit log, but nothing else. Meanwhile, your sales manager might have access to customer contact list backups (for business continuity) but not to any financials. These tailored permissions greatly reduce the risk of internal data leaks or unnecessary snooping.
For business owners, the benefit is peace of mind and professionalism. You no longer have to say, “I’ll give my assistant access to Xero, but I hope they don’t poke around the salaries or bank accounts.” Instead, you define their role on Control-C to exactly what they require (perhaps invoice creation and nothing else). It shows a commitment to confidentiality: employees see only what’s relevant to their job, which also reduces temptation and errors. And because the platform logs every access and download, you have a full audit trail of who viewed or exported data.
This Zero Trust security model is a unique selling point of Control-C’s platform. It effectively adds a new permission layer on top of Xero’s data, one that many businesses have long wished Xero itself had. By deploying it, you protect sensitive information by default while still empowering your team with the tools they need. The result is a more secure, compliant operation, where data access is precisely aligned with role and purpose – no more, no less.
If you would like to learn more visit Control-C.com or find us in the Xero App Store.
-
Melinda McAuley commented
I agree that "disguising" the contact name is not enough. An employee with Invoice only access would be able to see all the contacts and the transaction history relating to that contact, including those contacts we may have have disguised to make them less obvious as payroll payments. We would not be giving this employee Payroll access but effectively they can still see the net payment transactions. This is a significant confidentiality issue. I hope Xero will prioritise this - it's not just a "nice to have"- it is fundamental. We should be able to set up payroll contact cards and restrict access to them.
-
Louis Cocksey commented
This would be a great addition
-
Elijah Hayden commented
If this is something that is not developed then it could be the difference between using Xero for quoting or not. Its safe to say if this is developed then it would be fantastic for my mobile engineers to use!
-
Lisa Thompson commented
Agree with Sophie, basically I want data entry staff to input purchaser invoices with access to relevant contacts only
-
Paul Kimber commented
Xero users that need to process customer quotes/invoices and view customer accounts should NOT have any access to contacts derived from payroll (or any other contacts beyond customers)!!
The same for Xero users that need to be able to process supplier POs and bills. They need to be able to view vendor accounts but they should NOT have access to contacts derived from payroll (or any other contacts beyond vendors)!!
It is insane that there is no security feature (or locking feature) or role distinction existing in Xero to resolve this matter.
-
Paul Cheatle commented
The user roles are not clear and inadequate in this regard. Xero, it is so obvious to restrict access to contact lists relevant to function. Purchases=Suppliers vs Invoices=Customers.
Click to up vote please Xero community. This need solving.
-
Hannah Hatfield commented
I totally agree with Lorraine, we should be able to pick and choose who gets access to what areas of the system. Purchase Ledger and Sales Ledger are totally separate and we shouldn't have to give access to both of them for someone who only needs to see one or the other. Similarly, I have sales reps that need to be able to report on Sales, but to do that I have to give them full access across the whole system and I absolutely DO NOT want them to have access to the bank account information, or reporting on anything other than sales! This is a massive failing of Xero and one of the reasons I dislike it compared to Sage. Unfortunately for me, my CFO and accountants both prefer Xero so I am stuck with a system that lets me down again and again.
-
Lorraine Adams commented
Xero - Isn't it pretty obvious? Anything would be better than access to pretty much EVERYTHING, as things have stood since Xero was invented.
Sorry to be rude, but you do understand accounting right? & GDPR yeah?
Let me help - Purchase ledger clerk needs access to supplier contacts, bill processing, supplier reports, aged creditor reports, bills reports, purchase day book reports, bill production, quotes, purchase orders, bank supplier payments, refunds, credit notes and .........
Purchase ledger clerk DOESN'T NEED and NOR SHOULD SHOULD HAVE ACCESS to staff pay & personal information, the director's dividends & tax information, the companies balance sheet, staff bonuses, HMRC arrears (or otherwise), investments, how much the company spent on the last client event, or the christmas party, or the computers, Joe's redundancy payment (oh, did I let the cat out of the bag or should I call it something else in Xero so no one knows, HMRC won't mind....)..........do you really need me to go on?......
Perhaps some one else could be kind enough to waste some of their time explaining what the sales ledger clerk needs. or what the treasurer or in house accountant needs - which surprisingly is where the 'access all areas' should sit.
A waterfall access level approach with a tickbox list (just like staff access in MY XERO - (miss that - it was good and clear)....I've seen this before, oh yes, in SAGE. Works a treat. Easy. Clear. Transparent.
I have to give some staff access to EVERYTHING and freeze out others which not only causes causes offence, but also inconvenience to those that have to be disrupted in their own work to provide reports to other staff.
If the current reporting structure/platform can't be changed, why not build a suite of smaller reporting modules - task or job role specific??
It's stunning that this FLOOR exists in the first place, and beyond belief that in more than 10 years, and despite GDPR, and many many requests in the old & new voting system, NOTHING, EVER, has changed in this regard, or other items I've voted for..... -
Sophie Evans commented
Yes I would really like to be able to set up some users as invoice only (purchases) but restrict the contacts they're able to view. The fact they could see all the contacts is preventing me from doing that at the moment.