Limiting who can 'duplicate' a base - Why can a 'Viewer' duplicate your base?

Long-time fan…yet… this one thing has always perplexed me…

Why can someone that ONLY has ‘view access’ to a base… can then go duplicate that entire base with all the records and then become the owner of it… all while having no audit trail of who did it.

I don’t know about you but I put lots of time building my Airtables… building out custom workflows, app dashboards, syncing tables from other bases, in-depth field descriptions, specific views and putting accurate information in there to collaborate, communicate and grow with others.

It is IP that an organization builds, putting countless hours into perfecting… yet anyone with ‘view’, ‘commenting’, ‘editing’ or ‘creator’ access can take that IP with no accountability.

Basically, I would like to significantly reduce who has access to 'duplicate a base’

  • Only the 'Owner" access should be able to duplicate the base: not the creator, editor, comment or view access.
  • Additionally add an audit trail to who duplicated the base.
  • Maybe even giving specific users ‘this person can duplicate or not’ but I think the owner simplification would be more than sufficient.

Without this option, it is such a security shortcoming that it limits the number of users I have using Airtable. And I want to tell everyone in the world about Airtable… Airtable has given me a way to organize my thoughts / systems that I didn’t know was possible.

I love the origin and root behind open source programs but please let me have the option to make it open source or not. That is like someone having access to your CRM and with one button, can duplicate all customer records and how they all interact with each other.

User Story

  • As an account admin I would like control of who can duplicate our base and it’s contents. if someone can duplicate, I want a record of who did it and when.

Resources I am aware of

  • Duplicating Bases - No mention on how to avoid this
  • Yes I know you can send over ‘views’ to people to mitigate this issue… you can send over forms so they can add records to it… grids / galleries with only the information they need to know.

I desperately hope I am wrong and this indeed is actually a possible feature that I have missed.

With appreciation and admiration for Airtable & it’s community,
Paul

3 Likes

Agree 1,000%. This is a major security hole in Airtable.

They can also download a CSV of all the data in every table, too.

3 Likes

Yess, great additional point! Thank you for adding your input on this too.

1 Like

I see users here requesting assistance for an Airtable problem and when they describe their use case it fills me with dread. Personal information, donations made, realtor client bases et al, and hanging over all of it is a security hole of monumental proportions. I think its coming up to six years we’ve been flagging this, and still no major effort from Airtable that I can see. Airtable may well have audit functionality operating behind the scenes, but that’s of cold comfort when a disgruntled employee walks out the door with critical information.

3 Likes

It’s quite terrifying, isn’t it?

3 Likes

There are different ways to share a base with view-only status.

If another Airtable user has view-only status as a workspace or a base collaborator, than they can duplicate any base they can access through their user account.

If you create a ‘shared base link’ instead for a specific base, then you can deselect “Allow viewers to copy the data in this base” . This allows anyone with the link (whether or not they have an AT account) to view the base, but it does not provide any option to duplicate the base. You can set password protections on that link, or restrict to an email domain for more security.

If you have employees you need to share multiple bases with, but do not want to give them the option of duplicating the entire base, then you’ll need to create/share private view links for each base they need access to.

Hope that helps.

2 Likes

Correctly put, it’s why I’m very skittish over sharing anything with external users.

Airtable really has very poor granular user permissions. One of the largest threads was about Advanced User Permissions, and the progress since 2016 has been really slow. I don’t buy their reasons either, given that similar products have shown various ways to do this nicely and effectively. They should REALLY be looking into this.

3 Likes

Agreed.

I also realized that a workspace collaborator with read-only permissions can still add other read-only collaborators to a workspace or a base.

1 Like