Australian businesses lost at least $2.03 billion to scams in 2024, according to the ACCC's Targeting Scams Report. For finance teams using Xero, Xero user permissions are one of the simplest controls you can tighten before a payment error, supplier impersonation scam or internal access problem becomes expensive.
Most guides explain what each role does. This guide goes further. It shows CFOs, finance managers and bookkeepers how to treat Xero permissions as a finance control, not just an admin setting.
In this article:
- What Xero user permissions control
- Why Xero user permissions matter for payment risk
- The Xero user roles finance teams should understand
- How to set Xero user permissions using least privilege
- Xero access review checklist for Australian SMBs
- Related Reading
- Conclusion
What Xero user permissions control
Xero user permissions determine what each person can see, edit, approve and administer inside your Xero organisation. That includes access to invoices, bills, contacts, bank accounts, reports, payroll, settings and connected features.
Xero's own guide to user roles and permissions in Xero Business edition is the authoritative reference for the exact permission options. It explains the available roles and what each one can access.
For a finance team, the bigger question is not only "what does this permission do?" It is "what could go wrong if the wrong person has this permission?"
That distinction matters. A permission that looks harmless in isolation can become risky when combined with other access. For example, a user who can create suppliers, edit supplier details, enter bills and prepare payments may have more practical control over cash outflow than the business owner realises.

Xero permissions typically affect four broad areas:
- Visibility. Whether a person can view financial information, reports, contacts, payroll or bank data.
- Transaction changes. Whether they can create, edit, approve, void or delete invoices, bills and other records.
- Sensitive records. Whether they can access payroll, supplier information, bank account settings or organisation settings.
- Administration. Whether they can invite users, change roles, manage subscriptions or alter connected apps.
The safest setup is rarely "give everyone standard access and trust them." A better approach is to match each person's access to the work they actually do, then review that access before it drifts.
Why Xero user permissions matter for payment risk
Xero user permissions matter because payment fraud often starts with ordinary-looking changes. A supplier bank account is updated. A new contact is created. A bill is entered. A payment file is prepared. Each step can look routine until the money leaves the account.
The ACCC's Targeting Scams Report 2024 reported at least $2.03 billion in scam losses across Australia in 2024. The ASD's 2023 to 2024 cyber threat reporting also highlighted business email compromise and cybercrime losses as ongoing risks for Australian organisations.
For an SMB finance team, the lesson is practical. Strong login security matters, but it is not enough. MFA helps stop unauthorised logins, while permissions and review processes help reduce what any single user can do after they are inside the system.
This is where Xero access control becomes a finance control.
A weak permission setup can allow:
- Supplier bank detail changes without independent review. This is a common pathway for payment redirection fraud.
- Bills created and approved by the same person. That removes a basic segregation of duties check.
- Payroll data exposed to people who do not need it. Payroll access carries privacy and fraud risk.
- Former employees, bookkeepers or contractors staying active. Dormant access is easy to forget and difficult to justify later.
- Shared logins. If multiple people use one account, your audit trail becomes far less useful.
These risks connect directly to other finance controls. If your team is already reviewing suspicious payment patterns or investigating supplier bank detail changes in Xero, user access should be part of the same control environment.
The Xero user roles finance teams should understand
Xero user permissions are managed through roles and feature-specific access. The names can vary depending on your Xero plan and enabled modules, so always check the current Xero settings before changing anything.
The main role concepts finance teams should understand are:
| Xero access area | Typical use | Risk level | Finance control recommendation |
|---|---|---:|---|
| Subscriber or administrator-style access | Owner, director or senior finance lead | High | Keep tightly controlled and avoid shared accounts |
| Adviser access | External accountant or senior finance adviser | Medium to high | Use when needed, then review after the engagement or reporting period |
| Standard access | Internal finance users who process records | Medium to high | Limit sensitive functions that are not required for the role |
| Read only access | Reporting users, owners, advisors or auditors | Low | Useful where visibility is needed without edit rights |
| Invoice only access | Sales, admin or operations staff | Medium | Keep focused on customer invoicing, not supplier or bank controls |
| Payroll access | Payroll manager or authorised finance lead | High | Restrict to named users and review frequently |
| Bank account or payment-related access | CFO, finance manager or owner | High | Separate setup, review and payment release where possible |
The key is to avoid thinking of each user role as a status symbol. Broader access does not mean someone is more trusted or senior. It simply means the business has accepted more operational risk for that account.
The permission combinations to avoid
Some access combinations deserve special attention because they concentrate too much control in one person.
Supplier setup plus bank detail changes. A person who can create suppliers and alter bank details can redirect payments if there is no independent verification.
Bill creation plus approval plus payment preparation. This removes the natural handoff between accounts payable, review and payment release.
Payroll access plus bank reconciliation. Payroll changes and reconciliation should not sit with one unchecked account unless the team is too small to separate duties. If separation is impossible, add owner review.
Administrator access for external advisors. Accountants and bookkeepers need access to do their work, but permanent broad access should still be reviewed.
Former staff left active. Offboarding is one of the most overlooked Xero security settings. Access should be removed on the person's last working day, not weeks later when someone remembers.

If your team is small, you may not be able to separate every duty perfectly. That is normal. The goal is to recognise where access is concentrated, then add compensating controls such as owner approval, audit trail checks or supplier change verification.
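The combinations above can be checked mechanically once a team has written down who holds which permission. The script below is an added example, not code from the article or from Xero: the permission names are a simplified model of the access the article describes (they are not Xero's own setting names), the users are constructed, and the suggested compensating control for each combination is taken from the article's own advice.

```python
"""Flag high-risk Xero permission combinations across a list of users.

Added example. Permission names are a simplified model (not Xero's own
settings) and the sample users are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class XeroUser:
    name: str
    email: str
    permissions: Set[str]
    external: bool = False             # external accountant, bookkeeper or contractor
    active: bool = True                # login still enabled in Xero
    left_date: Optional[str] = None    # last working day, if the person has left


# Combinations that concentrate too much control in one person, each paired
# with the compensating control the article recommends when duties cannot
# be fully separated.
TOXIC_COMBINATIONS = [
    ("supplier setup plus bank detail changes",
     {"create_supplier", "edit_supplier_bank"},
     "verify every bank detail change by phone using a known number"),
    ("bill creation plus approval plus payment preparation",
     {"create_bill", "approve_bill", "prepare_payment"},
     "second-person review of supplier, amount and bank details before release"),
    ("payroll plus bank reconciliation",
     {"payroll", "bank_reconciliation"},
     "owner review of payroll changes and reconciliation"),
]

# Administrator-style permissions that should not sit permanently with an
# external advisor (assumed names for the model).
ADMIN_PERMISSIONS = {"administer_users", "organisation_settings", "manage_subscription"}


def toxic_combinations(user: XeroUser) -> List[str]:
    """Return the labels of every toxic combination the user fully holds."""
    return [label for label, needed, _ in TOXIC_COMBINATIONS if needed <= user.permissions]


def review_user(user: XeroUser) -> List[str]:
    """All findings for one user: toxic combinations, external admin, stale access."""
    findings = toxic_combinations(user)
    if user.external and user.permissions & ADMIN_PERMISSIONS:
        findings.append("administrator-level access held by an external advisor")
    if user.left_date and user.active:
        findings.append(f"left on {user.left_date} but login still active")
    return findings


def review_users(users: List[XeroUser]) -> Dict[str, List[str]]:
    """Map each user's email to their findings, omitting users with none."""
    result = {}
    for user in users:
        findings = review_user(user)
        if findings:
            result[user.email] = findings
    return result


# Constructed sample team: an AP clerk, a finance manager who does everything,
# an external accountant with admin rights, and a bookkeeper who has left.
SAMPLE_USERS = [
    XeroUser("Priya Nair", "priya@example.com.au",
             {"create_bill", "attach_documents", "prepare_payment"}),
    XeroUser("Tom Lee", "tom@example.com.au",
             {"create_supplier", "edit_supplier_bank", "create_bill",
              "approve_bill", "prepare_payment"}),
    XeroUser("Sam Quinn", "sam@bookkeeping.example",
             {"reports", "approve_bill", "administer_users"}, external=True),
    XeroUser("Kim Ward", "kim@example.com.au",
             {"create_bill"}, active=True, left_date="2025-01-31"),
]

if __name__ == "__main__":
    controls = {label: control for label, _, control in TOXIC_COMBINATIONS}
    for email, findings in review_users(SAMPLE_USERS).items():
        for finding in findings:
            hint = controls.get(finding, "review and document the access decision")
            print(f"{email}: {finding} -> {hint}")
```

Priya's record produces no finding because she can create and prepare but not approve; Tom's record trips two combinations at once, which is the pattern the article warns about in a small team where one person "does the whole flow".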
How to set Xero user permissions using least privilege
The safest way to set Xero user permissions is to use least privilege. That means each person receives the minimum access they need to perform their current role, with no extra permissions kept "just in case."
Xero's help article on how to add a new user to your organisation covers the mechanical steps. Finance leaders should add a decision process before the invite is sent.
Step 1: Start with the job, not the person
List the actual tasks the person needs to perform in Xero.
For example, an accounts payable clerk may need to enter supplier bills, attach supporting documents and prepare a weekly payment run for review. They may not need to change supplier bank details, access payroll or administer users.
A sales administrator may need invoice-only access for customer billing. They probably do not need supplier, payroll or bank account access.
An external accountant may need adviser access during BAS, EOFY or management reporting work. They may not need permanent broad access outside that period.
Step 2: Identify sensitive access separately
Treat these permissions as high-risk and approve them deliberately:
- Payroll access
- Bank account administration
- Supplier contact changes
- Bill approval and payment preparation
- User administration
- Connected app access
- Organisation settings
Do not bundle these permissions into a role because it is faster. Record why the person needs the access and who approved it.
Step 3: Separate create, approve and pay where possible
Payment risk rises when the same person can manage the whole flow from supplier setup to payment release.
For a small Australian SMB, a practical model might look like this:
- One person enters the supplier bill and attaches the invoice.
- A second person reviews the supplier, amount and bank details.
- A senior finance person or owner approves the payment batch before funds are released.
- Supplier bank detail changes are verified by phone using a known number, not a number from the change request email.
This does not require enterprise software or a large team. It requires a clear rule that risky changes do not approve themselves.
Step 4: Avoid shared logins
Shared logins weaken both security and accountability. If three people use the same Xero account, the audit trail can no longer reliably show who made a change.
Every user should have their own login with MFA enabled. If a contractor, casual staff member or external advisor needs access, give them named access and remove it when the work ends.
Step 5: Document the permission decision
Keep a simple access register outside Xero. A spreadsheet is fine if it is maintained.
Include:
- User name and email
- Role or permission level
- Business reason for access
- Sensitive permissions granted
- Date approved
- Approver
- Last review date
- Removal date, if applicable
This creates evidence for auditors, insurers and directors. More importantly, it forces the team to make access decisions deliberately.
Xero access review checklist for Australian SMBs
A quarterly access review is one of the highest-value controls a finance team can run. It is simple, low cost and often finds stale permissions that nobody intended to keep.
Use this checklist each quarter, and immediately after staff departures, role changes or a change of accountant or bookkeeper.

1. Confirm every active user is still current
Export or review the active user list in Xero. Remove anyone who has left the business, finished a project or no longer supports your account.
Pay particular attention to former bookkeepers, outsourced finance staff, contractors and directors who are no longer involved day to day.
2. Review administrator and subscriber access
Administrator-style permissions should be held by a very small group. If the subscriber or senior access holder is no longer the right person, update it through the proper Xero process rather than letting ownership drift.
This matters during business sales, staff turnover, accountant changes and founder transitions.
3. Check payroll permissions
Payroll access should only sit with people who manage payroll or have a clear oversight role.
Ask:
- Does this person still need payroll access?
- Can they change employee bank details?
- Is there independent review of payroll changes?
- Are payroll reports visible to people who do not need them?
4. Check supplier and payment permissions
Review who can create suppliers, edit contact details, enter bills, approve bills and prepare payment files.
These are the permissions most closely linked to supplier impersonation and payment redirection risk. If a single person has all of them, document the reason and add a second-person review.
This is also a good time to revisit your process for segregation of duties in a small finance team. Even a three-person team can create basic separation if the handoffs are clear.
5. Review connected apps and integrations
Xero permissions are not only about human users. Connected apps can access data through the Xero API.
Review apps that are no longer used, apps installed by former staff and tools with more access than they need. Remove anything you cannot explain.
6. Save evidence of the review
Record the review date, reviewer, findings and actions taken. If nothing changed, record that too.
This evidence can help during cyber insurance renewal, external audit, board reporting or an incident investigation. It also builds the habit that access is reviewed, not assumed.
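The six checks above can be run over the access register from Step 5, cross-checked against the active user list from Xero and the connected app list. The script below is an added example, not code from the article or from Xero: the register CSV uses the columns the article recommends, the active user emails and connected apps are constructed, and the 90-day review threshold (quarterly) and 180-day unused-app threshold are assumptions.

```python
"""Quarterly Xero access review over an access register kept outside Xero.

Added example. The register, the active user list and the connected apps
are constructed; the day thresholds are assumptions.
"""
import csv
import io
from datetime import date
from typing import List, Optional, Set, Tuple

REVIEW_DAYS = 90        # quarterly review cadence (assumption)
APP_UNUSED_DAYS = 180   # an app idle this long is worth removing (assumption)

# Constructed register using the article's recommended columns.
# "sensitive" is ';'-separated and blank when no sensitive access was granted.
REGISTER_CSV = """name,email,role,reason,sensitive,approved,approver,last_review,removal
Priya Nair,priya@example.com.au,Standard,Accounts payable processing,create_bill;prepare_payment,2025-02-03,J. Owner,2025-09-01,
Tom Lee,tom@example.com.au,Standard,Finance manager,approve_bill;edit_supplier_bank,2024-11-12,,2024-11-12,
Sam Quinn,sam@bookkeeping.example,Adviser,EOFY work,organisation_settings,2025-06-10,J. Owner,2025-06-10,2025-08-31
"""

# Constructed: emails currently active in Xero, as copied from the user list.
ACTIVE_IN_XERO = {
    "priya@example.com.au", "tom@example.com.au",
    "sam@bookkeeping.example", "accounts@example.com.au",
}

# Constructed: connected apps with who installed them and last use date.
CONNECTED_APPS = [
    {"app": "Expense capture tool", "installed_by": "priya@example.com.au", "last_used": "2025-08-20"},
    {"app": "Old reporting add-on", "installed_by": "former@example.com.au", "last_used": "2024-12-01"},
]


def parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_access(register_csv: str, active_emails: Set[str], apps: List[dict],
                  today: date) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for everything the quarterly review should act on."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(register_csv)))
    registered = {row["email"] for row in rows}

    # Check 1: every active Xero user must be explained by a register entry.
    for email in sorted(active_emails - registered):
        findings.append((email, "active in Xero but not in the access register"))

    for row in rows:
        email = row["email"]
        removal = parse_date(row["removal"])
        last_review = parse_date(row["last_review"])
        # Offboarding missed: removal date has passed but the login is still active.
        if removal and removal <= today and email in active_emails:
            findings.append((email, f"removal date {removal} passed but user still active"))
        # Review cadence: anything older than a quarter is stale.
        if last_review is None or (today - last_review).days > REVIEW_DAYS:
            findings.append((email, f"last review older than {REVIEW_DAYS} days"))
        # Checks 3 and 4: sensitive access must carry a reason and an approver.
        if row["sensitive"] and not (row["approver"] and row["reason"]):
            findings.append((email, "sensitive permissions without recorded approver or reason"))
        # Register says present, Xero says gone: close the record properly.
        if email not in active_emails and not removal:
            findings.append((email, "in register but not active in Xero; record a removal date"))

    # Check 5: connected apps installed by departed users or no longer used.
    for app in apps:
        if app["installed_by"] not in active_emails:
            findings.append((app["app"], "installed by a user who is no longer active"))
        if (today - parse_date(app["last_used"])).days > APP_UNUSED_DAYS:
            findings.append((app["app"], f"not used for over {APP_UNUSED_DAYS} days"))
    return findings


def run_review(today_iso: str = "2025-09-30") -> List[Tuple[str, str]]:
    """Run the review over the constructed inputs as at the given date."""
    return review_access(REGISTER_CSV, ACTIVE_IN_XERO, CONNECTED_APPS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Check 6: the printed list, with the review date, is the evidence to file.
    for subject, finding in run_review():
        print(f"{subject}: {finding}")
```

The unregistered "accounts@" login is the kind of generic mailbox that usually turns out to be a shared login; the review surfaces it because nobody recorded a named owner for it, which is exactly the gap Step 4 and Step 5 are meant to close.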
Related Reading
- Detect Supplier Bank Changes in Xero
- Segregation of Duties When You Only Have 3 People in Finance
- Using Xero's Audit Trail to Investigate Suspicious Transactions
Conclusion
Xero user permissions are not only a setup task. They are part of how your finance team protects supplier payments, payroll data and financial records.
Start with least privilege. Give each person the access they need, avoid risky permission combinations, remove stale users quickly and review sensitive access every quarter.
For Australian SMBs using Xero, that small routine can reduce real payment risk. OutflowGuard helps finance teams monitor supplier bank detail changes and other high-risk Xero activity, so permissions, alerts and approvals work together instead of relying on memory alone.