Advanced User Permissions

It looks like a big solution to a smaller problem. My main goal is to prevent users from changing my data. That said I can take API key leaking, if it would be possible to set a base to “read only”. Right now this seems not to be the case, so the proxy is a plus for security.

On the other hand I do not know if Thunkable also uses the REST API internally. Because it is a no-code platform I use blocks but do not know what’s behind the curtains. When using the Web APIs I am aware of the 5 requests/second limit, but I don’t know if this limit may apply also to the internal functions (blocks). This is a reason for me to have a closer look at caching proxies, not for security but for availability reasons.

Anyone who discovers your API key has access to not only every part of your base, but also every part of every base in your entire account.

Another option for “read-only” access is to create a new Airtable account and give that account read-only access to only that specific base. Then use that user’s API key to access the Rest API from your app. If that API key is compromised, no data can be changed and no other bases are compromised. Read only users are free.

For full access via the Rest API, I also recommend a proxy to store the key. That will allow you to change the api key if you ever need to.

1 Like
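The key-holding proxy suggested above, combined with the read-only and caching goals from the earlier post, as an added example that is not part of the original thread. The base ID, table name, cache lifetime and the injected `fetch` callable are assumptions made for illustration; the endpoint shape and Bearer header follow Airtable's REST API.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

AIRTABLE_API = "https://api.airtable.com/v0"
ALLOWED = {("appEXAMPLEBASE", "Posts")}  # constructed base/table allowlist
CACHE_TTL = 30.0                         # seconds; assumed value

def urllib_fetch(url, headers):
    """Real upstream call; returns (status, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class ReadOnlyProxy:
    """Holds the API key server-side; the app only ever talks to this proxy."""

    def __init__(self, api_key, fetch=urllib_fetch, now=None):
        import time
        self.api_key = api_key          # never sent to the client
        self.fetch = fetch              # callable(url, headers) -> (status, body)
        self.now = now or time.monotonic
        self.cache = {}                 # (base, table) -> (timestamp, body)

    def handle(self, method, base_id, table):
        # Enforce read-only here, even if the key itself has write access.
        if method.upper() != "GET":
            return 405, "read-only proxy: method not allowed"
        # Expose only named tables; the key may reach every base in the account.
        if (base_id, table) not in ALLOWED:
            return 403, "base/table not exposed"
        hit = self.cache.get((base_id, table))
        if hit and self.now() - hit[0] < CACHE_TTL:
            return 200, hit[1]          # served locally, no upstream request
        url = f"{AIRTABLE_API}/{base_id}/{quote(table, safe='')}"
        status, body = self.fetch(url, {"Authorization": f"Bearer {self.api_key}"})
        if status == 200:
            self.cache[(base_id, table)] = (self.now(), body)
        return status, body
```

Because the key lives only in the proxy's configuration, rotating it means changing one server-side value rather than shipping a new app build.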

Hi @kuovonne, that sounds like a great idea. I am on the free plan, how can I create a new account? I entered “create new account” in airtable’s help pages, but got no result that helped me further.

You will need a different email address for the new account. After you set up the new email address, add that email address as a base collaborator then follow the instructions in the email that is sent. (You may need to log out of your existing account first.)

1 Like

Airtable is a wonderful platform but it moves SLOW. Like, glacially slow. I wanted to move my company to working with it but when I saw that there are so many requests that were addressed in very knowledgeable and lengthy ways by the company’s representatives it seems like most of them got stuck in this phase. Of writing essays.

This request is more than 4 years old. 4 years. And how much changed with the user permissions? NOTHING.

I love the new automations and the button field which is really awesome but without the ability to control who can see and edit what it is useless.

Get it together Airtable. User permissions are not that hard. Give your customers clarity. They deserve it. And please, stop with the essays. Learn to write concisely - it is frustrating to read so much just to acknowledge that you will do nothing about it.

To sum up… Find a way to move faster in crucial features or Monday will eat you up.

2 Likes

Welcome to the Airtable community! @Oren_Menashe

I’m not sure which “essays” by company representatives you are referring to. Almost all of the posts in this thread and in the community at large are written by other Airtable users on their own time, not Airtable employees.

Although Airtable does not yet have the advanced user permissions that you and many others would like, I wouldn’t say that Airtable has done nothing in four years. Airtable has released table and field level permissions. Airtable allows shared views and protecting shared views via password or domain. Airtable also just released syncing between bases, which has huge implications for base design and user permissions.

1 Like

Thank you for your reply kuovonne.

My apologies. I wasn’t aware of that. These are great improvements.

The view permissions for a specific field is crucial to our work. Do you have it on your roadmap? And if so, when should it be released?

If you’re looking for an example for a lengthy essay, just look at the “Solved” post at the top of this page.
The “Solved” tag is far from the truth.

Anyway, thanks again and keep up the good work!

@Oren_Menashe

I do not work for Airtable and Airtable tends to keep quiet about its roadmap. I have no more idea of when view permissions will be released than you.

If you need users to be able to edit a record but not view a specific field in the record, I suggest you check out the third party tools Stacker and/or MiniExtensions.

1 Like

Oren, in all forms of technology, pointing to a forum thread that’s nearly four years old is pretty much irrelevant. A lot was said back then that is certainly untruthful today. We know more about workarounds, and we have vastly different features that we can draw upon.

Whenever looking for answers in a technical climate, it’s best to start reading from the bottom because that’s where the most recent and accurate information will be. Blogs, for example are reverse chronological because the pace of change, knowledge, and understanding makes earlier posts obsolete.

The concept of “user permissions” and “view permissions” are very different ideas that need finer points, but regardless, Airtable is probably not the right platform if this feature is crucial to your work because I don’t see it happening soon. Best to move to something that handles these use cases.

Perhaps, but I think you actually mean field-level user permissions. If so, this statement could not be further from the truth. I would love to learn how you conclude that field-level security and permissions are akin to “easy”. Please feel free to write a lengthy essay so that I and the Airtable dev team can understand the secret to effortless field-level permissions design.

1 Like

Another alternative involves updating records through forms and automations. You can create a button that opens an update record form targeting the record of choice. Then use automations to take the input from that form and update the record.

It’s more work than the three sentences above may make it sound, but it allows you to give a view-only link to someone and restrict exactly what they can see and edit.

Also, don’t take Bill’s attitude too personally. Although he is right, the sarcasm at the end of the post might be a bit much :slight_smile:

1 Like

Yes, there’s always an edginess when digging for clear requirements and I am known for being a little blunt. :wink: However, I wasn’t attempting sarcasm in this case - I was simply recognizing that Oren had reflected on and complained about the earlier comments that were unhelpful and invited him to provide some thoughts that are detailed and contained substance.

1 Like

Is it possible to do collaborator-field based dynamic permission? i.e. to let only the assigned collaborator see or edit the line.

Nope, you can’t do that @Ohad_Shavit

1 Like

Thanks Jarvis. Is there any alternative?

In Airtable, you can probably use a workaround that uses Airtable sync. It might take a few trial-and-errors to get it working the way you like, but it’s the cheaper route: Re-Linking data or two way sync?

The more expensive but hassle-free route would be to use https://stacker.app/ (so far this is the only 3rd party utility which allows you to do what you’re looking for in the most plug-and-play way)

It’s been over a year now since you posted this and yet it seems like it still isn’t possible to do very simple things with permissions. For example, why isn’t it possible to restrict collaborators to a single view? We use Airtable as an editorial calendar and we want our writers to only be able to see the posts we have assigned to them - we don’t want them to see the whole calendar. As far as I can tell this isn’t possible with Airtable as it is now. We are forced to share everything with everyone.

6 Likes

Hi Katherine,

Lack of security is a concerning topic: it seems that advanced permissions is such an important request that you guys should prioritize this soon no? Can you give us a hard deadline here if possible?

In my case I want to have a massive base that links all sorts of KPIs for the entire company as well as strategic projects and OKRs showing how things relate. The problem is that this requires (1) certain tables of this base to be visible only to some users, (2) specific permissions on who can view/edit certain fields and (3) data protection (e.g. ensuring that a user won’t steal all of our info by downloading stuff, using copy and paste or print screens).

I know that this is not easy but this is not only a product-changing feature that brings Airtable to the next level but also apparently a must-need for so many people.

If you could, thus, give us a hard deadline we would appreciate because at this point given the lack of security of the tool I don’t know if I can trust it to build my company on top of it.

Thank you

1 Like

Hi @DiegoF, and welcome to the community!

I do want to apologize in advance for your message being the target of one of my wild rants. :wink: Do not take any of this personally.

Hard deadlines telegraphed to all competitors? Seriously? This is software we’re talking about here, dude! :wink:

No one - not even the developers - knows when something in the security category will be ready. Competitors would love this information as well, so you’re basically asking the company you want to bank on, to risk its existence to make you feel all warm and fuzzy about choosing Airtable. Not gonn’a happen.

As to the security features of Airtable, this aspect of the platform will never be complete, but I agree 100% - some level of improved permissions agility is needed now and more-so in the future. The vast community here has made these requirements clear.

However…

We must also consider why you are asking about these permissions features and the underlying objectives -

I get it - you don’t want to spend any more money on a visualization and dashboarding/reporting platform the likes of which is not Airtable or perhaps anything remotely like Airtable. This is a grand vision for a platform designed to collect and collaborate on data. But it’s not irrational - it’s just grand.

At the outset, Airtable’s reporting capabilities are near-flatlined [today], and you want it to get to the next level. I think your use case – while perfectly rational – is out of reach in a practical sense and not just because of the security constraints.

In my view, data science use cases require viz-ready(i) data and Airtable is not the most agile aggregation platform to make that happen. So, even if you had advanced user permissions, the pathway to analytics would still be like hiking Angels Landing in a 30-knot crosswind.

Another aspect of this use case is the general fitness-of-purpose of Airtable itself. To create your grand vision you must test a number of deeper requirements to see if they fit the spirit of the platform. I’m not suggesting it wouldn’t be ideal for a single platform to be the perfect data collection and management tool with a higher purpose for running your business at an analytics level. Your vision may be grand, but it’s also ideal.

The trouble is, this use case has a lot of devils in the details and the permissions model deficiencies pale in comparison. There’s nothing about Airtable that evokes comfort about a “massive base”. :slight_smile: But let’s say you can squeeze everything into a base that you need to effectively craft KPIs and other metrics needed to operate a moderately complex business. You still need aggregations. Airtable has rollups, but these are rudimentary and weak; you need a far different level of aggregation technology the likes of ElasticSearch.

Overall, the vision is smart, but I get the sense that your expectations don’t really fit well without aggregation into something more suitable for revealing KPIs and analytics about a business.

I also hate to toss cold water on anything without at least offering an alternative strategy, so here’s one.

Executive Base + Custom Apps

  • Imagine a base for business analytics (only).
  • In that base, there might be a few tables that describe the analytics a collection of custom apps might render. It may also describe target users and reports/notifications that are processed with actions.
  • The executive base holds no critical or sensitive data about the analytics.
  • The custom apps describe the security context based on each user’s identity (this is very secure and difficult to breach).
  • Any user could be shared into this “executive” base but only users you designate through the underlying custom apps would be able to see each KPI/metric/conversation/report.
  • The custom apps are responsible for aggregating the data from many other bases/tables.
  • The custom apps are also responsible for rendering KPIs, metrics, and data visuals using Vega and perhaps D3.
  • The custom apps are able to provide conversations between authenticated users keeping sensitive data and discussions well sequestered.

This vision is well within reach of Airtable today. It may not be financially practical for every business using Airtable, but it is ready and quite easily implemented (i.e., no technical showstoppers).

(i) viz-ready: data that has been aggregated to a level where rendering is the last step.

2 Likes

This is a really tough requirement. Currently every collaborator in an Airtable base can instantly and quietly copy all the data in the base. Airtable could change this to make it harder to copy a base.

However, preventing people from printing screens is unrealistic, and Airtable could not prevent it.

1 Like

We also really need some more nuanced user permission levels. It’s a big risk to our data if the admin does not have the ability to lock certain records. At the very least, having an editor level permission minus “delete” ability would be an improvement.