Permissions | Contacts - Private or limited access to certain contacts
It would be great if it were possible to make a contact private in order to limit the users who have access to a contact, especially when the contact contains private information that should not be accessible by all users.
-
Susan Appleton commented
For certain users we need to restrict their access to view invoice details for particular suppliers due to confidentiality issues. Adding a field to contact details seems to be the solution. We are evaluating other software suppliers, as a switch might be necessary if this can't be resolved.
-
Sabrina Pernas commented
Why would you have the Payroll admin option for each user if ANYONE with access to the report can then see the payroll of everyone? It makes no sense AT ALL.
-
Gareth Jones commented
Managers posting invoices can see directors' dividends - these need to be made confidential.
-
Ian Beardmore commented
This is causing us an issue with regard to staff being able to see other members of staff salary payments, as each member of staff is set up as a contact.
-
Sally Rowe commented
We really need our purchasing team to have access to only the contacts that they manage rather than all suppliers. Each member of the team works closely with specific suppliers, and some have similar names or departments within their own organisation that are classed as separate entities; therefore it is critical that our team can only contact and raise POs for their allocated suppliers, so that they don't raise them in error to the incorrect supplier. Please can you provide a timeline for when this could be implemented?
-
Lisa Clark commented
Does anyone know if this is in the pipeline at all? I have a client who is desperate for certain users not to be able to access transaction information on Contact records due to pay issues.
It would be so much easier if I could put all Employee & Director Contact records into a Private group that was password protected or that you could restrict access to.
-
Michelle Williams commented
This would be perfect if you could make a contact private. As an example, we require the admin roles to have access to bank transactions in order to complete the reconciliation and assigning of costs; however, this means that each can see the others' payments, even with no payroll access, and if/when they receive a bonus, which is not the same for each employee. Being able to hide this information would not only protect employees but maintain cohesion in the office.
-
Landon Brockman commented
I have clients that do not want to switch to Xero because we cannot hide private contacts or choose which bank accounts a user has access to.
-
Alicia Morgan commented
Has this been resolved?
-
Michael van Zwanenberg commented
This is a GDPR issue for UK users and needs to be fixed ASAP! XERO PLEASE LISTEN TO YOUR USER COMMENTS. Thanks.
-
Olivia Wilcox commented
I need a way of assigning a sales rep full access just to her customers and no access to any other contact.
-
M N Mollon & Partners Ltd commented
Please make it possible to restrict contacts' financial details and past salaries/bills/invoices.
-
Sheldon King commented
Please add the ability to restrict access to Contacts (or anywhere else that Xero stores Personally Identifiable Information) by User or by Role so that business users can meet their privacy obligations.
Xero does not readily support Australian users in complying with the Privacy Principles, and does not support businesses in being compliant with the European GDPR rules around data disclosure. It fails to allow businesses to apply the Principle of Least Privilege to user setup, which leads to the ready, inappropriate disclosure of Personally Identifiable Information.
This is because it is not possible to restrict access to Contact information on a per-user or per-role basis.
The example that has given rise to this request is a mental health practitioner's business, where their accountant can see all of their billed Contacts' information when working on their Xero instance, thereby creating a confidentiality issue and breaching their privacy.
This concern equally applies to law firms, medical practitioners, IT outsourcers, or indeed anyone else whose Contact list is sensitive (i.e. pretty much everyone). It means they cannot use Xero for Invoicing or Bills and still provide accountant access if they wish to maintain the privacy of their clients and creditors.
If you're still reading, here's some boring Privacy stuff that was included in the Xero Central report case I started only to be told "you have to policy and process your way out of this issue."
>>As part of our GDPR project, we worked with our product and security teams to identify and make any necessary changes/improvements to our product for GDPR compliance. We didn't identify the user role functionality as needing to be updated for GDPR and believe them to be compliant with GDPR and Australian privacy regulations, including the Privacy Act (1988) and Privacy Amendment (Notifiable Data Breaches) Act (2017).
The Australian Privacy Act is a tricky one because it basically is a list of gentle suggestions.
Nonetheless, Xero in its current form is sketchy around (amongst others) Principle 6 - use or disclosure of personal information. This states:
"6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) […]"
It also fails to adequately support businesses attempting to comply with Principle 11 - security of personal information:
"11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
from misuse, interference and loss; and
from unauthorised access, modification or disclosure"
The GDPR is more explicit:
Article 25, Section 2, Paragraph 1:
"The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
With Xero, we can't, if we want to both use Invoicing or Bills, complete contact information for the same, and provide access to an accounting professional.
-
Jarrad Ferris commented
Agreed. We have given our employee draft-only sales access because of this, but now we can't collaborate on invoices and quotes. There should be an option to give users access to specific invoices and quotes only, not the total sales in and out.
-
Debbie Haines commented
This is actually quite a major issue: not being able to keep staff records and salaries, and also Directors' payments, separate from limited users in Xero.
I am surprised this hasn't been kept under a section in the payroll area, only allowing those who can access payroll to see it, and also surprised Xero haven't dealt with this as an important issue.
-
John Hatzakis commented
This is something our organisation would benefit from
-
Ramila Jasmath commented
Make it possible to give a user access to a specific group in Contacts. They should only have access to add or amend contacts for a specific group, e.g. a sales rep adding contacts to a sales group and having access only to that group.
-
Lee Davenport commented
I agree; certain financial information contained within some contacts should not be viewable by other members of staff who are not privy to this information.
-
Shan Randhawa commented
The "Money out over the last 12 months" graph on the contact page is visible to users with limited permissions. This needs to be fixed ASAP. It should at least be something we can turn off, or give us the ability to mark certain contacts as confidential.
-
Rudi Heystek commented
Hi guys, this is a serious issue that needs to be resolved ASAP! We have been using Xero for about 3 years now and were shocked to find out today that a limited-rights user still has access to a salaried employee's contact and is able to view their monthly salary being paid via the "Money in and out over last 12 months" graphs under the contact.