Allow fine-grained permissions
I'd like to be able to generate multiple API keys for myself, but be able to control the permissions for each of these keys.
For example:
I do some subcontracting to a company and do timesheets for them each month. I then invoice them each month with those timesheet numbers as each line item on the invoice. I'm currently modifying their timesheeting system (which I wrote anyway) so that it'll generate the invoice for me in Xero. It would be nice to be able to PUT an invoice but not allow anyone else in the company to do any GETs if they managed to pull the key out of the app/database.
You can now set more fine-grained permissions for your app using scopes in OAuth 2.0.
-
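The status update above says scopes now do this. As an added example (not code from Xero or from the original poster), the block below sketches what scope enforcement looks like on the API side: one key per integration, a policy table that maps each HTTP verb and resource to a required scope, and read and write kept as separate scopes so the original poster's timesheet app can PUT an invoice while a leaked copy of the same key cannot GET anything. It also adds a client-IP allow-list as a second dimension. All scope names, resource paths, key names and IP addresses are constructed for the example and are not Xero's real scope catalogue.

```python
"""Illustrative API-key scope enforcement (added example, not Xero's code).

Models the request in this thread: one key per integration, each limited to
specific resources and HTTP verbs, so a key that can PUT invoices cannot GET
them. Scope names and resource paths are assumptions for this example.
"""
from dataclasses import dataclass

# Policy table: the scope each (verb, resource) pair requires. Read and write
# are deliberately separate scopes, so granting write does not imply read.
SCOPE_POLICY = {
    ("GET", "invoices"): "invoices.read",
    ("PUT", "invoices"): "invoices.write",
    ("POST", "invoices"): "invoices.write",
    ("GET", "banktransactions"): "banktransactions.read",
    ("GET", "employees"): "payroll.employees.read",
    ("GET", "leaveapplications"): "payroll.leave.read",
}


@dataclass(frozen=True)
class ApiKey:
    """A per-integration key: an identifier, its granted scopes, and an
    optional client-IP allow-list (empty means no IP restriction)."""
    key_id: str
    scopes: frozenset
    allowed_ips: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(key: ApiKey, method: str, resource: str, client_ip: str = "") -> Decision:
    """Decide whether `key` may perform `method` on `resource`.

    Deny-by-default: a verb/resource pair absent from the policy table is
    refused even if the key has broad scopes, and the IP and scope checks
    both have to pass.
    """
    needed = SCOPE_POLICY.get((method.upper(), resource.strip("/").lower()))
    if needed is None:
        return Decision(False, "no policy for this verb/resource; denied by default")
    if key.allowed_ips and client_ip not in key.allowed_ips:
        return Decision(False, f"client ip {client_ip or '?'} not on key allow-list")
    if needed not in key.scopes:
        return Decision(False, f"key {key.key_id} lacks scope {needed}")
    return Decision(True, f"scope {needed} granted")


def audit_line(key: ApiKey, method: str, resource: str, client_ip: str, d: Decision) -> str:
    """One structured log line per decision, so denied attempts made with a
    leaked key are visible to whoever reviews the logs."""
    verdict = "ALLOW" if d.allowed else "DENY"
    return f"{verdict} key={key.key_id} ip={client_ip or '-'} {method.upper()} /{resource} reason={d.reason!r}"


# Constructed keys for two integrations of the kind described in the thread.
INVOICE_PUSH_KEY = ApiKey("timesheet-app", frozenset({"invoices.write"}))
LEAVE_SYNC_KEY = ApiKey(
    "leave-calendar",
    frozenset({"payroll.employees.read", "payroll.leave.read"}),
    allowed_ips=frozenset({"10.0.0.5"}),
)


def demo() -> list:
    """Run a few representative requests and return the audit lines."""
    cases = [
        (INVOICE_PUSH_KEY, "PUT", "Invoices", "203.0.113.7"),          # intended use
        (INVOICE_PUSH_KEY, "GET", "Invoices", "203.0.113.7"),          # leaked key tries to read
        (LEAVE_SYNC_KEY, "GET", "LeaveApplications", "10.0.0.5"),      # sync from the intranet host
        (LEAVE_SYNC_KEY, "GET", "LeaveApplications", "198.51.100.9"),  # same key, wrong host
        (LEAVE_SYNC_KEY, "GET", "BankTransactions", "10.0.0.5"),       # out of scope
    ]
    return [audit_line(k, m, r, ip, authorize(k, m, r, ip)) for k, m, r, ip in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design choice worth noting is the separation of read and write scopes: many APIs treat write as implying read, which is exactly what the original poster wants to avoid. Logging every denial with the key identifier is what turns a leaked key into a detectable event rather than a silent data read.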
Joshua Ting commented
I have been waiting for finer permission controls for quite some time now. The integration I am doing is pulling the leave data from Xero. We planned to use the API but found that it is tied to the Payroll permission, which means the sensitive information will be exposed to the application. Therefore, currently, we have to manually export leave in Xero as an .xlsx file and then manually import it into the application.
-
Brendan Lester commented
I'm not sure how separate the Xero and WorkFlowMax systems are, but I need this for WFM. I fully agree with the comments below regarding unwarranted, elevated access. This is a significant barrier to the development & promotion of 3rd party software & Xero services in return.
-
Eden Hudgens commented
Allowing any service that uses Xero’s API full access to everything that a human user can access is a major security risk.
It may even fall afoul of the GDPR and other similar privacy and data sharing regulations where it is stipulated that only data necessary for the performance of a task is shared with the performer of that task.
With this in mind, please expedite plans to provide the ability for Xero users to create separate API sign-in credentials each with its own set of fine-grained permissions including write-only access to bank statements.
-
Ian Fiddler commented
I want to allow invoice only users to get a Xero organization when logging in via the API using oauth.
-
Jonathan commented
This would be really awesome, since we could have more control over API access on a specific application. I.e. we might want 3rd parties to access some reporting and a few other queries in read only (GET) and not be able to see all Bank Transactions, for example, or do a PUT ...
-
Anonymous commented
Hi Xero.
This really needs to be implemented. We need to allow our staff on "Invoice Only" permission statuses to have access between our externally integrated software and Xero. Currently, Xero does not allow this and it is something that seems so minor to implement.
I do not see why this would not be a current option. Can you please advise, as my business (as well as others) will be hamstrung by not having this ability.
-
Anonymous commented
This would be great, we have similar requirements as previous comments. Please implement.
-
Ross commented
I think it would be beneficial to have more granular control than just by endpoint.
For example, the Invoices endpoint should be limited based on the InvoiceTypes, or the Payments by PaymentType. For any application which is only interested in Sales Invoices (and Payments Received), there's no need for it to be allowed to see my invoices to suppliers.
-
Peter Sawyer commented
I could really do with this, I have built a private application that will periodically (hourly during business hours) grab any new Leave Applications then create Exchange Appointments in a shared calendar which is rendered in our intranet application, plus also available in Outlook through public folders.
So for each call I need to get "Employees", "Leave Types", then "Leave Applications". I would like to be able to limit these calls from specific IP addresses, plus fine-grained endpoint authorisation, and also authorise by verb, i.e. only GET.
Thanks in advance
Peter -
Adam Law commented
I have a situation where I would like to create draft invoices with the API such that a "DRAFT INVOICES"-only user is able to view the draft using the usual web portal for that user. I don't think that this can presently be done with the API ... if it can, it would be great to hear from you. Otherwise I have to provide the user with full invoices access.
-
Mikel Lindsaar commented
This would be very useful, especially as the API opens up. Some sites that I use with Xero for example have no right to look at my bank balances or invoices... but others might need this access.