User Roles - Purchase order only access
We wish to let some of our users have access to purchase orders, raising & viewing etc.
Currently, if we give them access to purchase orders, it also lets them see supplier balances and also click into the supplier and therefore into the accounts, i.e. invoices etc.
We would like our staff to just see the purchase orders and raise purchase orders but not have access to anything else.
-
Arna H
commented
I would like to see more granular ability to allow access to users. It is different to the above; however, being able to choose items would mean we have better control over who can do and see what.
-
Haley King
commented
would like to request more granular user permissions for purchasing functions.
Specifically, I need to allow a user to:
Create and manage purchase orders
Access supplier/contact records for operational purposes
But restrict them from:
Viewing bills
Seeing any financial values (amounts, totals, pricing)
Accessing financial data within contact records
This would be particularly useful for operational or procurement staff who need to manage purchasing workflows without access to sensitive financial information.
Currently, permission levels require granting broader financial visibility than is appropriate for these roles.
A solution could include:
A “Purchasing Only (No Financials)” role, or
Toggle permissions to hide monetary values and bills while retaining operational access
This would greatly improve privacy and internal control for businesses.
-
Haley King
commented
**Title:** Purchase Order–Only User Access (No Bills Visibility)
**Request:**
We would like the ability to assign users access to purchase orders only, without any visibility of supplier bills or broader financial information.
**Use Case:**
In our business, operational staff (e.g. apprentices, site staff, or project team members) need to raise and manage purchase orders as part of their role. However, they should not have access to financial data such as supplier bills, costs, or payment details.
**Current Issue:**
At present, Xero user roles bundle purchase order access together with bills and supplier information. This means we cannot safely allow team members to create POs without also exposing sensitive financial data.
**Impact:**
* Limits our ability to delegate purchasing tasks
* Creates unnecessary risk by exposing financial information
* Forces us to rely on manual processes or external tools
**Suggested Solution:**
Introduce more granular permissions that allow:
* Create/edit/view purchase orders
* Without access to bills, payments, or full supplier financial data
**Benefit:**
This would allow businesses to safely involve operational staff in procurement workflows while maintaining appropriate financial controls.
-
Nivethitha Kannan
commented
Currently, we have asked our teams to generate PO using other software or give us manually. We request XERO Team to consider this request to avoid double or manual work.
Thanks :)
-
VDM Landgoed
commented
Yes please. This is the one reason why I can't use Xero. The other reason is you can't email purchase orders from mobile device. Please Xero get a move on with this so I can start.
-
Tom Shimell
commented
I agree, we want the team to be able to see what purchase orders have currently been ordered and input new ones but with no access to bills and other financial information surrounding bills and invoice totals etc.
-
David Barker
commented
Also, there should be an option to configure the inability to NOT see other purchase orders and their history.
-
Campbell Green
commented
Granular Access Control – Secure, Zero Trust Permissions
Control-C’s new security model introduces a level of granularity never seen before in managing access to your Xero financial data. Traditionally, giving an employee access to run an Aged Payables or Aged Receivables report meant exposing your entire financial landscape – including sensitive areas like your Profit & Loss, balance sheet, bank transactions, and even other employees’ bonus information. Xero’s native user roles are fairly broad (e.g. standard user or advisor roles grant wide access). Not anymore.
With Control-C’s Zero Trust-based security framework, you can now restrict access to just the specific data or reports your team members need – and nothing more. Want a staff member to run only the Aged Receivables report? You can grant that exact permission, without also giving away the rest of your accounting info. No more over-exposure or “all-or-nothing” access. For example, an accounts clerk can be set up to view and export customer invoices and aging reports, but cannot see the general ledger or payroll details. A junior bookkeeper could be limited to inputting bills and viewing the payables report, without any visibility of bank balances or management reports. You define roles at a fine-grained level – a stark contrast to Xero, where even a read-only user can see almost everything.
This precision access control is built from the ground up, aligning with modern Zero Trust security principles that assume no implicit trust – every access is explicitly granted and minimal. For accountants and compliance officers, this means better internal controls and cleaner audit trails. You can demonstrate that even within your organisation, sensitive financial data is only accessible on a strict need-to-know basis. For instance, an auditor or external accountant could be given a special “Auditor” role on Control-C: read-only access to relevant reports and the audit log, but nothing else. Meanwhile, your sales manager might have access to customer contact list backups (for business continuity) but not to any financials. These tailored permissions greatly reduce the risk of internal data leaks or unnecessary snooping.
For business owners, the benefit is peace of mind and professionalism. You no longer have to say, “I’ll give my assistant access to Xero, but I hope they don’t poke around the salaries or bank accounts.” Instead, you define their role on Control-C to exactly what they require (perhaps invoice creation and nothing else). It shows a commitment to confidentiality: employees see only what’s relevant to their job, which also reduces temptation and errors. And because the platform logs every access and download, you have a full audit trail of who viewed or exported data.
This Zero Trust security model is a unique selling point of Control-C’s platform. It effectively adds a new permission layer on top of Xero’s data, one that many businesses have long wished Xero itself had. By deploying it, you protect sensitive information by default while still empowering your team with the tools they need. The result is a more secure, compliant operation, where data access is precisely aligned with role and purpose – no more, no less.
If you would like to learn more visit Control-C.com or find us in the Xero App Store.
-
Gemma Spence
commented
Please add this feature!
-
Pauline Duggan
commented
I second Tim Jack's comment below!! Seems like Xero would have the infrastructure to include this easily in their package, not sure why it has not already been actioned!
-
Richard San Jose
commented
Require this at the earliest
-
Tim Jack
commented
Yes, more granularity is required. The main problem we have with the current IO role is that it allows the user to see a lot of info that we would rather keep hidden. Ideally, we would have a permission that was restricted to "raise draft purchases" and then have that user only able to see the draft purchases that they themselves have raised.
-
Jenny Paterson
commented
This is an essential feature. User roles must be broken down further. Employees see sales and purchase figures which is not good practice.
-
Sabera Kharodia
commented
Agree with purchase order access only, this is absolutely critical, we only want staff to raise a purchase order without having access to other financial information, Xero please prioritize this feature.
-
Ben Finn
commented
Yes, we are the same as very much do not want to see any element of the billing cycle. The P/O is to be raised on site level by a supervisor and approve at PM level. We do not want either of the operative because of Accounting Policy and Segregation of Duties.
-
Linda Capes
commented
This "Purchase order only access" is essential to ensure the smooth running of a business, without compromising the confidentiality of financial records.
-
Nicola Harrison
commented
We need this as an option as soon as possible. Our existing provider is ending the PO function by end Jan 2025 and we will have to go back to manual or find additional software which we really don't want to do. Especially when we have XERO has the function.
-
Helen Crowe
commented
This is essential to our growing business
-
Vanessa Leverett
commented
Why on earth have Xero not addressed this as issue yet......we will now have to use a manual system for our buyer which is not being proactive or streamlining our accounts process in any way.
-
Josie Baker
commented
I vote for this BIG TIME