Re: Is it possible to KEEP SOMEONE OUT of an Airtable base?

WilliamPorter · ‎Apr 07, 2020

Earlier today I responded to a question from a new user here, explaining how she could hide a field on a locked view and keep the field hidden from non-creator users by making it visible only on a personal view configured by the creator. I then had to add that this is security theater (I think that’s the phrase we use these days) because in truth, any user with editor or commenter privileges can simply duplicate the locked view as a new personal view, which they can then configure to their heart’s content–including making visible the fields that the base creator wanted hidden.

After posting my response, I began to feel uneasy, so I looked into this a little more deeply than I have before, and I’m a bit disappointed by what I’ve found. I’m praying someone here tells me that I didn’t look deep enough–that there are better answers to my concerns. But at the moment it appears that base creators have only a very limited, casual sort of control over who gets into their bases.

.

Nightmares

Consider this scenario. I develop a base for a law firm. I’m the creator, my contact at the law firm is the Owner, and the half dozen users in the firm are editors, because, well, because they need to be able to edit the data in the base. And let’s say that the base contains info that the law firm regards as sensitive: perhaps info about their clients, or data for a lawsuit they are working on; etc.

Now, one of the employees at the law firm is let go. Naturally, the firm’s manager (the base Owner) emails me and I remove that person’s sharing privileges. But the person calls somebody still working at the office and that person (whether maliciously or stupidly) shares the base with the ex-employee. The ex-employee is back in, thanks to a decision by somebody who perhaps should not have the authority to make that decision.

Or somebody on the other side of the lawsuit sweet talks one of the firm’s employees and they agree (again, doesn’t matter whether this is malice or mistake) to share the base with somebody who shouldn’t be allowed to view what’s in the base at all. And if these security breaches are committed by somebody with editor privileges, the person who should not have access but now does will actually be able to do things like edit records, delete records, etc.

I use the example of a law firm because most of my development work has been for law firms. But I don’t think I’ve ever developed a base for any client where the client didn’t care about controlling access.

And what if the security breach is committed by somebody with only read-only privileges? Well, even somebody with read-only privileges has the ability to share the base. Okay, fine, maybe I’m willing to live with that. The problem is, if I’m not happy about that, even as base creator there’s not a thing I can do about it.

Wow, just wow.

.

Living in the real world

Now systems like FileMaker, AppMaker, Caspio, Servoy and nearly all SQL app front ends, give developers the ability to restrict access to the databases to specific users and only those users. (I don’t understand the security models for Coda or SmartSheet well enough to comment on them.) If developers wish to authorize admin users to control access, too, they can do that. But who gets into the solution is always restricted to somebody who is, in theory at least, a responsible user. With Airtable on the other hand, granting access to the base is the prerogative of any and all users, regardless of their privileges.

Of course, I’m aware that users are always the biggest weakness in any security system. There’s always the chance that an authorized user might share his or her credentials with somebody who’s NOT supposed to have access. But doing so would be hard to do by accident. In those other systems there’s no “Share” button that invites the user to give some stranger access to the base. Since my users all log in using their email addresses, anybody who logs in using somebody else’s email address will be aware that they’re doing something fraudulent (even if they don’t realize how serious it could be). And in at least some of those systems, it’s possible to do various other things to minimize the risk of unauthorized access: require two-factor authentication to an authorized user’s mobile phone or email perhaps; and/or track IP address from which user is connecting and even restrict users on that basis.

.

My three wishes

I know that Airtable is designed to be like the friendly and convenient corner store, not like an Amazon.com distribution center that uses metal detectors and employs armed security guards. I love that about Airtable.

Still, at a minimum, I wish that any (or all) of the following were possible:

Creator should have option to hide the share button for all non-creator users
If creators aren’t given ability to decide who can share/not share the base, then read-only users absolutely should NOT have this ability. When I think “read only” I don’t think “read and make a copy for all your friends”.
Finally, there should be a privileges level just below Editors called perhaps “End Users”. End Users should be allowed to edit data in records but NOT edit locked views, that is, for End Users, the “create private view” button would disappear.

I gather that some greater degree of control MIGHT be achievable if I gave access to bases strictly on a view-by-view basis using links that are embedded in a web page, but for me, that dramatically limits Airtable’s appeal and potential usefulness.

Somebody is going to read this and think, “My my, he’s not a very trusting person!” Guilty as charged, your honor.

Please tell me what I’m missing!

William

Jordan_Scott1 · ‎Sep 16, 2021

Hi all! Wanted to follow up and close the loop on this thread. I’m excited to share that Airtable now supports workspace sharing restrictions so that Enterprise admins and workspace owners and Pro workspace owners can restrict the addition of new collaborators to specific workspaces or bases. Enterprise admins and workspace owners can also toggle a setting to prevent future share link creation on a given workspace. Thank you so much for the transparent feedback on this topic, we really appreciate it!

See Solution in Thread

Bill_French · ‎Apr 09, 2020

Have you actually tested this assertion? I don’t believe that it is possible for a non-creator to share access to a base.

Indeed; access control in tools and systems that are in their mid-life stages are always likely to have advanced access control. Airtable is still an adolescent and especially the case with regard to access control and security.

Commentary and opinion from here down -

I suspect no one has commented on this because it requires a deep level of reading and thought just to get to the point where the reader could begin to discuss the merits and provide any sort of advice.

I’ll make it simple for ya’ - stick with FileMaker; it is 22 years old (140 Internet years), you know it, the access control is ideal for law firms, and It has a very good UI/UX - significantly better than Airtable. I am also a certified FileMaker developer from a previous life. :winking_face:

I jettisoned all clients and all work in FileMaker in 2012 because it wasn’t modernizing with open web standards. And I didn’t fill the database void left by FileMaker with Airtable - to the contrary. It’s a long story how I got here but that will soon come to light in a podcast I recorded with BuiltOnAir.

I digress - pretty much everything you say here is fully expected of good database management systems, and I think the latest advanced security features (in beta) cover these for the most part.

No one’s responding because they don’t have 2 hours to do your comments justice. :winking_face:

Zollie · ‎Apr 09, 2020

There’s nothing wrong with the conclusion that Airtable might not be the best application for storing sensitive data. But it’d be nice to see Airtable mature into a platform that could better handle this type of use case. Redefining permissions is definitely a good route if the new definitions are well thought out.

Granular control over permissions would be more flexible, especially for super users/developers. But without proper hierarchical design, there’s a risk of creating key functionality that intimidates new users. Thinking of applications (like Excel) that sometimes wander towards functionality that isn’t super user friendly.

WilliamPorter · ‎Apr 09, 2020

Well, sorry, but I don’t believe you are correct. :frowning:

Yes, I have tested it, repeatedly. And I just tested it once again. I used four different email accounts that I have (my work account, my personal domain account, a Gmail account and an Outlook.com account).

The work account is the creator.
From the work account, shared base with my personal domain account as Editor.
From there shared with my Gmail account as read-only.
From Gmail read-only account, shared with my Outlook.com account (at read-only level).

Note that not only can a read-only level account share the base with someone else, this lowliest level of privilege can also do things like email a record to, well, anybody.

It’s not inconceivable that my tests were faulty, but I was as careful as I could think to be. I used 4 different browsers to do this – in each new browser I made sure that I was NOT logged into Airtable and when accepting each new invite, I created a new test account in that browser. And to make extra-sure, I then shared the base with a fellow developer at the read-only level and asked him to try to share it with himself at one of his other email addresses. He was able to do so.

I’m pretty surprised.

.

Good advice and I thank you for trying to get me to see reason. But if I wanted to make things easy on myself I wouldn’t be here. :slightly_smiling_face:

William

WilliamPorter · ‎Apr 09, 2020

Zollie,

Thanks for responding.

I don’t think I’m asking for the moon here. I already have the moon and then some in FileMaker, where I can, as developer, control pretty much every aspect of a user’s access to every specific item in a solution. If I want to create a privilege set that will prevent certain users from accessing the solution from any IP address except the one I specify, I can do that. If I want to prevent users from editing the records of accounts that have the letter “Q” in them or from editing anything on a Tuesday, I can do that too. All that control was fascinating when I first learned it. But for the most part it’s overkill.

But I DO need to know that I am the only person who has the ability to share the base. The three wishes I described – which I have also now posted as a feature request – would get me a long way towards happiness and towards making Airtable a useful tool for some of my clients.

And if Airtable’s developers are hard at work preparing to give us more control over access and permissions, well, that would be fantastic. Airtable team: More all nighters, please!! :slightly_smiling_face:

William

Bill_French · ‎Apr 10, 2020

That seems like a reasonable test methodology. If this can be validated then Airtable should probably run similar tests and advise us accordingly. I have a sense that a few folks in this community like @cor, @Kasra, and @kuovonne can probably guide us a bit regarding your test results.

kuovonne · ‎Apr 11, 2020

I was able to successfully reproduce @WilliamPorterTech’s results.

Three users, each on a different physical device.

UserA, the creator of the base, shared the base with UserB, with read-only permissions.
UserB duplicated the base and now had two copies of the base: one with read-only permissions, and one with owner permissions.
UserB shared both copies of the base with UserC. The version with read-only permissions was shareable only with read-only permissions, and the version with owner permissions was shareable with creator permissions.

UserC ended up with two copies of the base: one with read-only permissions, and one with creator permissions.

Ultimately there were two total bases with identical data:

The original base has UserA with owner permissions and UserB & UserC with read-only permissions.
The copy of the base has UserB with owner permissions and UserC with creator permissions. UserA has no knowledge of the existence of this copy of the base.
.

kuovonne · ‎Apr 11, 2020

Continuing my tests …

UserA was never notified that the base was shared or duplicated. The only way UserA could tell that UserC was added to the original base was by viewing the list of collaborators (either by viewing who the base was shared with or when picking a collaborator in a collaborator field).

UserB was able to unshare the original base from UserC. UserC no longer showed up in the list of collaborators.

The only evidence I found of UserB’s sharing and unsharing of the bases was in UserC’s email. There were no notifications sent to UserA or UserB.

It would be quite possible for UserB to share the original base with UserC, then minutes later decide it was a mistake and unshare the base, leaving no evidence in UserB’s email or in the base itself. However, in the few minutes when UserC had access to the base, UserC could duplicate the base. UserC never even had to check email. The shared base showed up automatically in Airtable for UserC.

Bill_French · ‎Apr 11, 2020

Okay, so this is going to sound odd, but I think this is by design despite the fact that it may be a poor (or incomplete) collaboration design.

Anyone who has the right to view a base apparently has the implicit ability to make a personal copy of that base and ultimately re-distribute that data as they desire. This action violates the spirit of the original owner’s intent because it makes it really easy for the data to move outside the original creator’s sphere of control.

The act of re-distributing the data (created by first copying) is different from re-sharing the original data because any changes to the re-distributed base does not impact the original creator’s base.

To answer the question that @WilliamPorterTech posited in this thread, the answer is yes. Sharing with read-only permissions seems to keep a read-only user from violating the ability to modify the original base or to transform the ability to grant others the ability to modify the original base. The only issue made evident in these tests by @kuovonne demonstrate that a read-only user is able to make a copy of the data and to then engage in nefarious actions to re-distribute that data.

But isn’t this the same approach more mature services like Google Docs allow notwithstanding the additional feature - allow read, but no ability to make a copy?

Even Google will not be able to prevent a copy/paste of a document shared without copy authorization. Ergo… no data is adequately defended from nefarious or untrustworthy members of a shared group.

Perhaps I haven’t considered all factors, but it appears you can keep someone out of a base. What you cannot do is prevent nefarious actors from using your content when you share your content. This is very different from claiming there is a deep security flaw.

Tell me what I’m missing.

kuovonne · ‎Apr 11, 2020

In my tests, Airtable acted as I expected it to. I was not trying to expose a security flaw. Rather, I was trying to re-create @WilliamPorterTech’s results.

As soon as you allow someone to view data, it is possible for that person to copy that data. If nothing else, the user can take a photo of the data.

However, from a security point of view, being able to copy small amounts of data at a time (a screen’s worth) is very different from being able to do bulk operations (copying an entire base). The former is a trickle; the latter is a flood. A dam can continue to function (or at least there is hope of patching it) if there are only a few trickles. However, a large flood can overwhelm the dam and cause widespread problems downstream.

Other aspects of society recognize that copying small amounts of data is different from wholesale copying. For example, one of the factors in determining if a copy of a copyrighted work falls under “fair use” is the amount of that is copied. Quoting a sentence from a novel is fair use and legal. Reprinting the entire novel is not. Copying a signature move in choreography can be a nod of recognition that needs no pre-approval; re-staging the entire dance without permission would be wrong.

Other software recognizes that it is important to put up barriers to copying, even when it isn’t possible to completely prevent it. For example, I can create a Word document and set permissions to prevent printing.

More granular permissions has been a long-standing request. The beta that Bill mentioned does a lot regarding more granular permissions, but there are still many use cases that are not covered.

In any case, there is no substitute for user training and granting access only to people you trust.