diff --git a/server_environment/README.rst b/server_environment/README.rst
index 5517d0e..d512efb 100644
--- a/server_environment/README.rst
+++ b/server_environment/README.rst
@@ -18,7 +18,8 @@ an environment variable with a fallback on default values in the database.
 
 The configuration read from the files are visible under the Configuration
 menu.  If you are not in the 'dev' environment you will not be able to
-see the values contained in keys named '*passw*'.
+see the values contained in the defined secret keys
+(by default : '*passw*', '*key*', '*secret*' and '*token*').
 
 Installation
 ============
diff --git a/server_environment/__manifest__.py b/server_environment/__manifest__.py
index 15a7510..065af45 100644
--- a/server_environment/__manifest__.py
+++ b/server_environment/__manifest__.py
@@ -31,6 +31,7 @@
     "license": "GPL-3 or any later version",
     "category": "Tools",
     "data": [
+        'security/res_groups.xml',
         'serv_config.xml',
     ],
     'installable': True,
diff --git a/server_environment/security/res_groups.xml b/server_environment/security/res_groups.xml
new file mode 100644
index 0000000..1297fbf
--- /dev/null
+++ b/server_environment/security/res_groups.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+
+<odoo>
+
+    <record model="res.groups" id="has_server_configuration_access">
+        <field name="name">View Server Environment Configuration</field>
+        <field name="users" eval="[(4, ref('base.user_root'))]"/>
+    </record>
+
+</odoo>
diff --git a/server_environment/serv_config.py b/server_environment/serv_config.py
index 4af4061..e695b99 100644
--- a/server_environment/serv_config.py
+++ b/server_environment/serv_config.py
@@ -24,7 +24,7 @@ import configparser
 from lxml import etree
 from itertools import chain
 
-from odoo import api, fields, models
+from odoo import api, models, fields
 from odoo.tools.config import config as system_base_config
 
 from .system_info import get_server_environment
@@ -283,11 +283,24 @@ class ServerConfiguration(models.TransientModel):
             res['fields'] = xfields
         return res
 
+    @api.model
+    def _is_secret(self, key):
+        """
+        This method is intended to be inherited to defined which keywords
+        should be secret.
+        :return: list of secret keywords
+        """
+        secret_keys = ['passw', 'key', 'secret', 'token']
+        return any(secret_key in key for secret_key in secret_keys)
+
     @api.model
     def default_get(self, fields_list):
         res = {}
+        if not self.env.user.has_group(
+                'server_environment.has_server_configuration_access'):
+            return res
         for key in self._conf_defaults:
-            if 'passw' in key and not self.show_passwords:
+            if not self.show_passwords and self._is_secret(key=key):
                 res[key] = '**********'
             else:
                 res[key] = self._conf_defaults[key]()