Requests for more granular access permissions have been beaten to death, but I recently shared this detailed use case/request with a member of Airtable support, so I’d like to post it here, as well – both for reference and to learn whether or not the community has discovered workarounds.
As a short-term vacation rental company, our primary AirTable Base stores the following types of data:
PROPERTIES (Table 1)
- Property Detail (address, footage, etc.)
RENTALS (Table 2)
- Rental Terms
- Net Sales
- Net Profits
- Sales Team Member Commissions
- AirTable Admin Formula Fields
As for our company structure, we’re made up of multiple departments (like most companies). Each department demands specific levels of access to certain types of data (also, like most companies). For example, here are 2 departments and the level of access they each require to the data types listed above:
- EDIT: Property Detail
- COMMENT: Rental Terms
- VIEW: Net Sales
- NO ACCESS: Net Profits, Sales Commissions, AirTable Admin Formula Fields
- EDIT: Rental Terms
- COMMENT: Property Detail
- NO ACCESS: Net Sales, Net Profits, Sales Commissions, AirTable Admin Formula Fields
You may notice a similarity between the needs of the Sales Team and Rental Team: both sets of users require at least 2 permission types for data stored within the same Table. The current Airtable permission settings do not allow us to mimic this access structure.
We need granular access permission sets that can be applied “per user, per view”, as opposed to the current “per user, per base”. We’re not so much interested in restricting access to the records of our base, but more interested in restricting access to the columns/fields, and limiting which users can read and/or edit the content within these fields. It’s not enough to blanket each staff member with the binary option of “READ Everything inside the Base” or “EDIT Everything inside the Base”. There are too many nuances in between.
At the same time, “per user, per view” permissions are complicated to maintain, and perhaps too granular. Which leads me to my proposed compromise…
PATHS TO A SOLUTION
Certainly this is far easier said than done, but the most holistic, usable, and obvious solution (imo) would result from the addition of:
- defined as groups of users who share identical access permissions for the data stored within a given Base
- any given Team is unique to a single Base (i.e. the Base A “sales team” may be different than the Base B “sales team”)
- all users must be on 1, and only 1, Team
- users with EDIT permissions are now limited to creating (a) Personal Views or (b) Team Views
- if a user creates a Team View, the access permissions for the new View will default to “VIEW” for all users on their Team, and “HIDDEN” for all other Teams (the Base Creator can later extend access to this View via the Team Panel).
- thus, by definition, Team Views are Views which are HIDDEN from all but 1 Team
- when sharing Team Views, login is required to access the share link (ensuring that users from other Teams cannot access); public share links are not allowed
TEAM ADMIN PANEL
- accessed only by Base “Creators”, each Base has one “Team Panel” interface, but the settings within the panel will change respective of the “Team” that is selected from a Team dropdown (located within the panel)
- the Team Panel lists all Views that exist within the base (regardless of which Team is selected), grouped by Table (see attached images)
- adjacent to each View name is an access permission dropdown, which “Creators” use to assign the following access permissions to the selected Team: EDIT, VIEW, COMMENT, HIDDEN
To illustrate, here’s a very crude rendering of the Team Admin Panel:
Since Views are merely groupings of “Fields”, these additions would ultimately allow a clever Base Creator to assign granular permissions on a “per user, per field” level, if they so choose.
Consider a single user, John, who has the following access:
- VIEW access to View A
- EDIT access to View B
These permissions are better thought of like so:
- VIEW access to all Fields of View A
- EDIT access to all Fields of View B
Since John’s highest level of access is EDIT, he can add new Personal or Team View to the Base. If John were to create View C, he would have all Fields of View A and View B at his disposal in creating his new View C, but his ability to EDIT field data will be limited to the Fields of View B.