XPM Permissions by Member Role
This article explains which StructureGram member levels can perform each Xero Practice Manager (XPM) workflow, so you can pick the right role when inviting people who will work with XPM data.
This is about StructureGram's roles, not Xero's. For Xero-side requirements (which Xero account you need, which OAuth scopes to grant), see Connecting to Xero Practice Manager.
Quick Reference
| Workflow | Tenancy Admin | Member - Group Admin | Member - Edit | Member - View / Granted Only / Guest |
|---|---|---|---|---|
| See XPM features at all | Yes | Yes | Yes | No |
| Pull from XPM (sync) | Yes | Yes | Yes | No |
| Link a Group to XPM | Yes | Yes | Yes | No |
| Save reconciliation decisions | Yes | Yes | Yes | No |
| Run reconciliation (preview + apply) | Yes | Yes | No | No |
| Push from an entity page | Yes | Yes | No | No |
| Delete an entity from XPM | Yes | Yes | No | No |
| Unlink a Group from XPM | Yes | Yes | No | No |
| Delete an entity locally in StructureGram | Yes | Yes | Yes | No |
The pattern: edit-level capabilities (pull, link, save decisions, local edits and deletes) are available to anyone with an editor baseline. Manage-level capabilities (the reconciliation flow, entity-page push, remote delete, unlink) require Group Admin or Tenancy Admin.
Why Some Workflows Need Higher Permissions
XPM workflows split cleanly into two groups by risk profile:
Pull-shaped workflows — bring data from XPM into StructureGram. These can't damage anything in XPM, so anyone with editor access can run them.
Push and reconciliation workflows — make changes in XPM, including creating clients, updating fields, and deleting clients. These can affect data your team or your client may rely on, so they're limited to Group Admin and Tenancy Admin roles.
Why You Might Restrict Push and Delete
Many practices treat Xero Practice Manager as their source of truth for client data. In that setup, XPM is the system staff trust to be correct — the place billing, compliance, and reporting all reference back to.
When XPM is your source of truth, you typically want StructureGram to be:
- Easy to draft and experiment in. Junior staff, paraplanners, and intermediates should feel free to build diagrams, model scenarios, and explore client structures without worrying about damaging real client data.
- Hard to push back from. Changes that flow into XPM should be deliberate, reviewed, and made by senior staff who understand the downstream impact.
The role split is designed around this:
- Member - Edit can pull the latest XPM data into StructureGram any time, edit and reshape inside StructureGram (including deleting entities locally), and build diagrams freely. Nothing they do affects XPM directly.
- Member - Group Admin and Tenancy Admin are the people who can deliberately push back to XPM via reconciliation or direct entity-page push.
This pattern has practical benefits:
- Mistakes stay local. A staff member who creates a duplicate, mis-types a name, or restructures a diagram for a hypothetical scenario can't accidentally damage the XPM record. Pulling fresh from XPM restores the canonical view.
- Reconciliation becomes a clear, owned step. Pushing data back to XPM is a conscious decision by a senior reviewer who can confirm it's the right move and explain why.
- Audit trails are cleaner. When XPM changes flow through a small number of specific people, you can attribute every remote change to a named decision.
- Trainees can experiment safely. New staff can build practice diagrams and explore restructure scenarios on real client data without a senior having to review every interaction.
For broader guidance on choosing roles and team structures for your firm, see Setting Up Roles, Teams, and Access Patterns.
What Each Role Can Do
Tenancy Admin
Full access to all XPM workflows. Can also manage tenancy-wide integration settings (connect, disconnect, choose the active Xero organisation).
Member - Group Admin
Full access to all XPM workflows within the Groups they have access to. Cannot manage tenancy-wide integration settings — that's reserved for Tenancy Admin.
Use this role for senior advisors, partners, or anyone who needs to actively manage XPM-linked client data including pushing changes back to XPM and resolving reconciliation differences.
Member - Edit
Can use XPM workflows for read-shaped operations:
- Pull from XPM — sync clients, relationships, and group membership into StructureGram.
- Link a Group to XPM — establish the initial connection between a StructureGram Group and an XPM group.
- Save reconciliation decisions — review and annotate differences flagged in the diff (but cannot run the diff or apply the resolved decisions).
- Edit and delete entities locally in StructureGram — full ability to make changes inside StructureGram.
Cannot:
- Run reconciliation preview or apply — the diff-and-apply flow, where most push and delete activity actually happens, is gated above this level.
- Push individual entities from an entity page to XPM.
- Delete an entity from XPM — even if the local entity is deleted in StructureGram, the corresponding XPM client is not removed.
- Unlink a Group from XPM.
Tip: This is the right role for staff who need to keep StructureGram up to date by pulling the latest XPM data, but who shouldn't be making changes that propagate back to XPM.
Member - View, Member - Granted Only, External Guest
XPM features are not visible to these roles. The integration UI is hidden from them entirely.
Local Delete vs Remote Delete
A common point of confusion: deleting an entity locally in StructureGram is not the same as removing the client from XPM.
- Local delete (available to Member - Edit and above): removes the entity from StructureGram only. The XPM client and its data remain in Xero Practice Manager.
- Remote delete from XPM (available to Member - Group Admin and Tenancy Admin only): removes the entity from both StructureGram and the XPM client list.
If you need to remove a client from XPM and you're a Member - Edit, ask a Group Admin or Tenancy Admin to perform the delete from the entity page or via reconciliation.
Worked Examples
"I'm setting up a new staff member who'll keep our XPM-linked Groups synced. What role do they need?" Member - Edit is enough. They can pull from XPM whenever XPM data changes and edit StructureGram entities locally. If they later need to push changes back to XPM or run reconciliation, you can lift them to Member - Group Admin.
"Our client wants their XPM client list cleaned up by removing duplicate clients. Which role can do that from StructureGram?" Member - Group Admin or Tenancy Admin. Deleting clients from XPM via StructureGram requires Group Admin or higher.
"A Member - Edit user reported a stale relationship in StructureGram that they fixed locally. Does that fix flow back to XPM?" No. Member - Edit can change StructureGram data, but those changes aren't pushed to XPM. A Group Admin or Tenancy Admin needs to run reconciliation (or use the push workflow) to propagate the change back.
"What's the smallest role that can run reconciliation to resolve all differences between StructureGram and XPM?" Member - Group Admin. The reconciliation preview and apply are both gated at the Manage level.
Edge Cases
- The reconciliation review list is partly accessible. Member - Edit users can see and annotate reconciliation decisions when they're presented as part of a pull review (this is how policy-flagged items surface during sync). What they can't do is launch the full diff preview or apply the resolved actions.
- MFA is required for all XPM actions regardless of role. See Connecting to Xero Practice Manager for the MFA setup steps.
- Restricted Groups still apply. Even a Tenancy Admin can lose XPM access to a specific Group if that Group is restricted and they haven't been granted explicit access to it.