Permissions - User Roles to Submit and Approve Quotes and Purchase Orders
It is really basic; the permission control is not flexible and does not give more options. How about giving multiple choice boxes for permissions? I want to create a user and give him permission to create and print quotations, and a purchase order permission to create and submit for approval, because I want to give the purchase approval permission to manager levels only.
Hi everyone, thanks for sharing your feedback on this idea. We appreciate you explaining how important more flexible user permissions are for your businesses. We understand having granular control over who can create, submit, and approve quotes and purchase orders could help many of you implement better internal controls and protect sensitive financial information.
This idea is now moving to In Discovery, which means our product team are reviewing the viability of the idea as part of wider development of the permissions/user role functionality in Xero. We'll keep you updated here as we learn more.
-
Janine Young
commented
This is a must. Three years later, is there any movement on this??
-
Campbell Green
commented
Granular Access Control – Secure, Zero Trust Permissions
Control-C’s new security model introduces a level of granularity never seen before in managing access to your Xero financial data. Traditionally, giving an employee access to run an Aged Payables or Aged Receivables report meant exposing your entire financial landscape – including sensitive areas like your Profit & Loss, balance sheet, bank transactions, and even other employees’ bonus information. Xero’s native user roles are fairly broad (e.g. standard user or advisor roles grant wide access). Not anymore. With Control-C’s Zero Trust-based security framework, you can now restrict access to just the specific data or reports your team members need – and nothing more. Want a staff member to run only the Aged Receivables report? You can grant that exact permission, without also giving away the rest of your accounting info. No more over-exposure or “all-or-nothing” access. For example, an accounts clerk can be set up to view and export customer invoices and aging reports, but cannot see the general ledger or payroll details. A junior bookkeeper could be limited to inputting bills and viewing the payables report, without any visibility of bank balances or management reports. You define roles at a fine-grained level – a stark contrast to Xero, where even a read-only user can see almost everything.
This precision access control is built from the ground up, aligning with modern Zero Trust security principles that assume no implicit trust – every access is explicitly granted and minimal. For accountants and compliance officers, this means better internal controls and cleaner audit trails. You can demonstrate that even within your organisation, sensitive financial data is only accessible on a strict need-to-know basis. For instance, an auditor or external accountant could be given a special “Auditor” role on Control-C: read-only access to relevant reports and the audit log, but nothing else. Meanwhile, your sales manager might have access to customer contact list backups (for business continuity) but not to any financials. These tailored permissions greatly reduce the risk of internal data leaks or unnecessary snooping.
For business owners, the benefit is peace of mind and professionalism. You no longer have to say, “I’ll give my assistant access to Xero, but I hope they don’t poke around the salaries or bank accounts.” Instead, you define their role on Control-C to exactly what they require (perhaps invoice creation and nothing else). It shows a commitment to confidentiality: employees see only what’s relevant to their job, which also reduces temptation and errors. And because the platform logs every access and download, you have a full audit trail of who viewed or exported data.
This Zero Trust security model is a unique selling point of Control-C’s platform. It effectively adds a new permission layer on top of Xero’s data, one that many businesses have long wished Xero itself had. By deploying it, you protect sensitive information by default while still empowering your team with the tools they need. The result is a more secure, compliant operation, where data access is precisely aligned with role and purpose – no more, no less.
If you would like to learn more visit Control-C.com or find us in the Xero App Store.
-
Sharee Keane
commented
This is a must for our business and makes things much harder without this function
-
Ivana Samra
commented
Hi there,
Therefore, from your response, you are sending me to a different section of Xero to share my frustration with others who also share the same frustration as I do: that your platform has an inability to supply your client base with a simple tool to enable quoting to be done by a member of staff who by no means needs to know any other function than simple quoting. Seriously, Xero! How old are you? Have you never been able to build something as simple as this request? What is wrong with your data back-end building staff; can't they construct this code? Maybe you need new and up-to-date IT coding staff. It's 2025 and still financial privacy is put at risk by your platform, as you seem to be too lazy to assist so many people who need this. Has Xero ever heard of privacy? It appears not! Not at all happy - seriously!
-
Frances Whittaker
commented
It would be extremely useful for us to select approvers or an approval limit by user to help us control costs and spending within the business
-
Country Contractors (Norfolk) Limited
commented
This is really needed, I am now having to quote outside of Xero as I do not want the quoting team seeing invoices for my whole business.
-
Marisa De Carlo
commented
This is critical for our small business to free up the MD from having to do all quotations while limiting access to financial data. How is this not a function yet?
-
katrina wu
commented
We want to add approvals for edit purchase orders
-
Robert Dickinson
commented
This would be great. Do you have any update on this??
-
John Paul Williams
commented
This would be an excellent function
-
Natalie Smith
commented
This would be really useful.
-
Matthew James Mifsud
commented
This is a critical function - just the ability to issue and send quotes via email and send them to invoice (to be approved) once the quote is confirmed.
-
Candyce Grew
commented
Would be great to have this function, please.
-
Maxine Bright
commented
We need to be able to set user permissions so that only managers can authorise purchase orders to be paid. At the very least we need to be able to set the system so that the same person who raises a purchase order cannot be the same person who authorises it. Also, it would be useful to be able to set different levels of authority, so managers of a department can only authorise purchase orders under $500 but executive managers can authorise purchase orders of more than $500, etc.
-
Jill Hartmann
commented
It would help immensely to be able to have our estimator view the quotes that they send and approve.
-
Amelia Kennedy
commented
Having the ability for a user to create both invoices and bills but choose whether they can approve neither/either/both is fundamental. Please add to roadmap asap!
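The three requests above (the original idea of separate create/print/submit/approve permissions per document type, Maxine Bright's segregation-of-duties rule and per-level approval limits, and Amelia Kennedy's create-but-not-approve split) describe one authorization policy. The following is an added example, not Xero's code or API and not from any commenter; the role names, user-to-role assignments, the $500 limit and the document statuses are assumptions chosen to walk through those scenarios.

```python
"""Submit/approve policy with per-role grants, approval limits and segregation of duties.

Added illustration only: not Xero's code or API. Roles, users, limits and the
draft -> submitted -> approved status flow are made-up assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset                          # (document_type, action) pairs this role may perform
    approval_limit: Optional[Decimal] = None   # None: no monetary cap on "approve"


@dataclass
class Document:
    doc_id: str
    doc_type: str                              # "quote", "purchase_order", "invoice" or "bill"
    amount: Decimal
    created_by: str
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    status: str = "draft"                      # draft -> submitted -> approved


# Assumed roles. Create, print, submit and approve are separate grants, and
# "approve" carries a per-role monetary cap.
ROLES = {
    "quoter": Role("quoter", frozenset({("quote", "create"), ("quote", "print")})),
    "requester": Role("requester", frozenset({("purchase_order", "create"),
                                             ("purchase_order", "submit")})),
    "dept_manager": Role("dept_manager",
                         frozenset({("purchase_order", "create"),
                                    ("purchase_order", "submit"),
                                    ("purchase_order", "approve")}),
                         approval_limit=Decimal("500")),
    "exec_manager": Role("exec_manager",
                         frozenset({("purchase_order", "approve"),
                                    ("invoice", "approve"),
                                    ("bill", "approve")})),
}

# Constructed user -> role assignments for the walkthrough.
USERS = {"alice": "quoter", "bob": "requester", "carol": "dept_manager", "dave": "exec_manager"}


def check(user: str, action: str, doc: Document) -> tuple[bool, str]:
    """Decide whether `user` may perform `action` on `doc`; deny by default."""
    role_name = USERS.get(user)
    if role_name is None:
        return False, "unknown user"
    role = ROLES[role_name]
    if (doc.doc_type, action) not in role.grants:
        return False, f"role {role.name} has no '{action}' grant on {doc.doc_type}"
    if action == "submit" and doc.status != "draft":
        return False, f"cannot submit a document in status '{doc.status}'"
    if action == "approve":
        if doc.status != "submitted":
            return False, f"cannot approve a document in status '{doc.status}'"
        # Segregation of duties: whoever raised or submitted the document may not
        # approve it, even if their role carries an approve grant.
        if user in (doc.created_by, doc.submitted_by):
            return False, "segregation of duties: creator/submitter cannot approve"
        if role.approval_limit is not None and doc.amount > role.approval_limit:
            return False, f"amount {doc.amount} exceeds {role.name} limit of {role.approval_limit}"
    return True, "ok"


def submit(user: str, doc: Document) -> Document:
    """Move a draft to 'submitted', recording the submitter for the later SoD check."""
    allowed, reason = check(user, "submit", doc)
    if not allowed:
        raise PermissionError(reason)
    doc.submitted_by, doc.status = user, "submitted"
    return doc


def approve(user: str, doc: Document) -> Document:
    """Move a submitted document to 'approved' if the policy allows it."""
    allowed, reason = check(user, "approve", doc)
    if not allowed:
        raise PermissionError(reason)
    doc.approved_by, doc.status = user, "approved"
    return doc


if __name__ == "__main__":
    small = submit("bob", Document("PO-1", "purchase_order", Decimal("350"), created_by="bob"))
    large = submit("bob", Document("PO-2", "purchase_order", Decimal("1200"), created_by="bob"))
    own = submit("carol", Document("PO-3", "purchase_order", Decimal("200"), created_by="carol"))
    for who, doc in [("alice", small), ("carol", small), ("carol", large),
                     ("dave", large), ("carol", own), ("dave", own)]:
        print(f"{who} approve {doc.doc_id} ({doc.amount}): {check(who, 'approve', doc)}")
```

Two design points worth keeping if you build this for real: the decision is deny-by-default (an unknown user or a missing grant never falls through to "ok"), and the segregation-of-duties check is evaluated on the document's recorded creator and submitter rather than on the role, so a manager who raises their own purchase order still cannot approve it.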
-
Damian Haremza
commented
Do we have an update on this? We require this in our business to allow employees to do quotes without being able to see invoices, payroll and other business-critical information.
-
Matthew James Mifsud
commented
The user role to just be able to issue/send quotations without access to anything else
-
Matthew James Mifsud
commented
This is an essential feature
the ability to just be able to issue/send quotations without access to anything else