Solved

Allow unrestricted access to shared forms

  • January 26, 2023
  • 3 replies
  • 55 views


We are looking to enable users outside our domain (parents of our students) to submit a form with an attachment. If we turn on the setting "Allow unrestricted access to shared forms" at the org level, what other impact might that have from a security perspective? We are using Airtable to manage very sensitive data about our students.

Thanks!

3 replies

Ben_Young1
  • Brainy
  • 520 replies
  • Answer
  • January 29, 2023

Hey @MichaelJS!

In the abstract, there are three things I keep in mind when it comes to security and shared Form views.

  1. Creating versus editing: Form views do not allow you to edit existing data within a base or table(s). They only facilitate the creation of new records. While it's technically possible for a malicious actor to spam the creation of new records, you could implement a few form design decisions that would discourage or impede someone's ability to spam record creation and buy you enough time to catch the "attack" before it resulted in the creation of additional dirty data.
  2. Linked records: If your form exposes a linked record field, someone filling out the form would be able to see the primary field values of all of the linked records in the related table. In my opinion, this is the biggest risk. However, it's only really an issue if your linked records' primary field contains any PII or otherwise sensitive data.
  3. Validation & Audits: There are a few nifty tricks that you can use to implement an automated validation and review process of submitted forms. This really just depends on your comfort level with Airtable as a whole, but it's definitely possible.

With those things in mind, you're not putting too much at risk if you do a bit of planning and document where the potential risks are for your specific usage.
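
The linked-record exposure described in point 2 can be checked before a form is shared. The following is an added example, not part of the original post or Airtable's own code: it walks a constructed schema (shaped like an Airtable base schema, with `multipleRecordLinks` fields and `primaryFieldId`) and reports which primary fields a shared form would reveal. The `FORM_FIELDS` list and the `PII_HINT` pattern are assumptions made for the illustration.

```python
import re

# Constructed sample shaped like an Airtable base schema: each table has a
# primaryFieldId, and linked record fields carry options.linkedTableId.
SCHEMA = {"tables": [
    {"id": "tblStudents", "name": "Students", "primaryFieldId": "fldS1",
     "fields": [{"id": "fldS1", "name": "Student full name", "type": "singleLineText"}]},
    {"id": "tblClasses", "name": "Classes", "primaryFieldId": "fldC1",
     "fields": [{"id": "fldC1", "name": "Class code", "type": "singleLineText"}]},
    {"id": "tblSlips", "name": "Permission slips", "primaryFieldId": "fldP1",
     "fields": [
         {"id": "fldP1", "name": "Submission ID", "type": "autoNumber"},
         {"id": "fldP2", "name": "Student", "type": "multipleRecordLinks",
          "options": {"linkedTableId": "tblStudents"}},
         {"id": "fldP3", "name": "Class", "type": "multipleRecordLinks",
          "options": {"linkedTableId": "tblClasses"}},
         {"id": "fldP4", "name": "Attachment", "type": "multipleAttachments"},
     ]},
]}

# Assumption: the fields placed on each shared form are listed by hand here.
FORM_FIELDS = {"Permission slips": ["Student", "Class", "Attachment"]}

# Hypothetical heuristic for primary-field names that suggest PII.
PII_HINT = re.compile(r"name|e-?mail|phone|address|birth|guardian", re.I)

def audit_form_links(schema, form_fields):
    """Return one finding per linked record field exposed on a shared form."""
    tables = {t["id"]: t for t in schema["tables"]}
    findings = []
    for table in schema["tables"]:
        on_form = set(form_fields.get(table["name"], []))
        for field in table["fields"]:
            if field["name"] not in on_form or field["type"] != "multipleRecordLinks":
                continue
            target = tables.get(field.get("options", {}).get("linkedTableId"))
            if target is None:
                continue  # link points outside the supplied schema
            primary = next(f["name"] for f in target["fields"]
                           if f["id"] == target["primaryFieldId"])
            findings.append({"form_table": table["name"], "field": field["name"],
                             "exposes": f'{target["name"]}.{primary}',
                             "review": bool(PII_HINT.search(primary))})
    return findings

if __name__ == "__main__":
    for finding in audit_form_links(SCHEMA, FORM_FIELDS):
        print(finding)
```

A finding with `review` set to true means the form's picker would list values from a primary field whose name suggests personal data, so that field is a candidate for removal from the form or for a non-identifying primary field in the linked table.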


  • Author
  • New Participant
  • 1 reply
  • January 30, 2023

Thanks, Ben. That's helpful. I'm looking into SSO as well, since the folks we want filling out the forms already have user accounts in our CRM.


ScottWorld
  • Genius
  • 9808 replies
  • October 10, 2025

You mentioned that you’re looking into SSO for your forms, but Airtable doesn’t offer SSO on their public-facing forms.

However, you can get SSO on public-facing forms with Fillout’s advanced forms for Airtable.

Fillout lets you create a login page for your form, which will give you these additional security options:

  1. You can restrict the logins by SSO.
  2. You can restrict the logins by email domain.
  3. You can restrict the logins by password.
  4. You can restrict logins based on a pre-approved list of email addresses that you have stored in your Airtable base.
  5. You can verify & confirm that the user is typing in a valid email address.
  6. You can limit form entries to one entry per person.

After the user logs in with their email address, that will let Fillout know who the user is and what the user’s email address is.

Then, you can use this email information to automatically prefill other fields on your form based on who logged into your form, and you can even use this email information to do other advanced tricks with Fillout.

For example, you could use Fillout’s filtering features to filter your linked record fields to only show the user the linked records that they are allowed to see, because those linked records are linked to their email address.

And Fillout offers lots of other advanced features for Airtable as well, such as the ability to:

I show how to use a few of the advanced features of Fillout on these 2 Airtable podcast episodes:

Hope this helps!

If you’d like to hire the best Airtable consultant to help you with anything Airtable-related, please feel free to contact me through my website: Airtable consultant — ScottWorld