Granular Access Permissions: "Per Team, Per View"


#1

Requests for more granular access permissions have been beaten to death, but I recently shared this detailed use case/request with a member of Airtable support, so I’d like to post it here, as well – both for reference and to learn whether or not the community has discovered workarounds.


USE CASE
As a short-term vacation rental company, our primary AirTable Base stores the following types of data:

PROPERTIES (Table 1)

  • Property Detail (address, footage, etc.)

RENTALS (Table 2)

  • Rental Terms
  • Net Sales
  • Net Profits
  • Sales Team Member Commissions
  • AirTable Admin Formula Fields

As for our company structure, we’re made up of multiple departments (like most companies). Each department demands specific levels of access to certain types of data (also, like most companies). For example, here are 2 departments and the level of access they each require to the data types listed above:

SALES TEAM

  • EDIT: Property Detail
  • COMMENT: Rental Terms
  • VIEW: Net Sales
  • NO ACCESS: Net Profits, Sales Commissions, AirTable Admin Formula Fields

RENTAL TEAM

  • EDIT: Rental Terms
  • COMMENT: Property Detail
  • NO ACCESS: Net Sales, Net Profits, Sales Commissions, AirTable Admin Formula Fields

PROBLEM
You may notice a similarity between the needs of the Sales Team and Rental Team: both sets of users require at least 2 permission types for data stored within the same Table. The current Airtable permission settings do not allow us to mimic this access structure.

We need granular access permission sets that can be applied “per user, per view”, as opposed to the current “per user, per base”. We’re not so much interested in restricting access to the records of our base, but more interested in restricting access to the columns/fields, and limiting which users can read and/or edit the content within these fields. It’s not enough to blanket each staff member with the binary option of “READ Everything inside the Base” or “EDIT Everything inside the Base”. There are too many nuances in between.

At the same time, “per user, per view” permissions are complicated to maintain, and perhaps too granular. Which leads me to my proposed compromise…


PATHS TO A SOLUTION
Certainly this is far easier said than done, but the most holistic, usable, and obvious solution (imo) would result from the addition of:

TEAMS

  • defined as groups of users who share identical access permissions for the data stored within a given Base
  • any given Team is unique to a single Base (i.e. the Base A “sales team” may be different than the Base B “sales team”)
  • all users must be on 1, and only 1, Team

TEAM VIEWS

  • users with EDIT permissions are now limited to creating (a) Personal Views or (b) Team Views
  • if a user creates a Team View, the access permissions for the new View will default to “VIEW” for all users on their Team, and “HIDDEN” for all other Teams (the Base Creator can later extend access to this View via the Team Panel).
  • thus, by definition, Team Views are Views which are HIDDEN from all but 1 Team
  • when sharing Team Views, login is required to access the share link (ensuring that users from other Teams cannot access); public share links are not allowed

TEAM ADMIN PANEL

  • accessed only by Base “Creators”, each Base has one “Team Panel” interface, but the settings within the panel will change respective of the “Team” that is selected from a Team dropdown (located within the panel)
  • the Team Panel lists all Views that exist within the base (regardless of which Team is selected), grouped by Table (see attached images)
  • adjacent to each View name is an access permission dropdown, which “Creators” use to assign the following access permissions to the selected Team: EDIT, VIEW, COMMENT, HIDDEN

To illustrate, here’s a very crude rendering of the Team Admin Panel:


ADDITIONAL CONSIDERATIONS

Since Views are merely groupings of “Fields”, these additions would ultimately allow a clever Base Creator to assign granular permissions on a “per user, per field” level, if they so choose.

Consider a single user, John, who has the following access:

  • VIEW access to View A
  • EDIT access to View B

These permissions are better thought of like so:

  • VIEW access to all Fields of View A
  • EDIT access to all Fields of View B

Since John’s highest level of access is EDIT, he can add new Personal or Team View to the Base. If John were to create View C, he would have all Fields of View A and View B at his disposal in creating his new View C, but his ability to EDIT field data will be limited to the Fields of View B.


#2

Great feedback. Please add your voice to Advanced User Permissions.


#3

Great feedback. Ties in nicely with the Advanced User Permissions post.


#4

Just realised I basically copied the above reply. In any case, it deserves two mentions.


#5

effectively handed a well-developed feature idea on a silver platter. Pretty please team Airtable! I second this feature 100%.:pray::pray::pray: This is especially useful for teams collaborating with external contractors on project basis!