The information below represents a mix of questions that many Enterprise admins, users, or IT administrators may have related to Airtable's general practices as well as the technical context surrounding more in-depth topics such as integrations.
NOTELet us know if you have any feedback on this article or feel anything is missing by using this form.
Enterprise License Agreement (ELA) - All workspaces created by users at an organization are upgraded to Enterprise plan levels automatically. This is only true for users in your organization who have an account under the domain in your license agreement.
Flexible License Agreement (FLA) - Only certain workspaces at the organization are upgraded to Enterprise. An “Admin” or “Upgrader” user type are both able to elevate a particular workspace they own to the Enterprise level on an individual basis.
Federation - Joining workspaces into a company account.
Single sign-on (SSO) - Technical solution that IT teams use to control access to 3rd party services
Admin panel - The admin panel allows specific people at your organization to oversee and control various aspects of your Airtable Enterprise account. The main areas of focus are user management, security settings, and workspace or base management. You can start learning more about the admin panel here.
Admin - Individuals with Airtable Admin privileges are able to interact with the enterprise support panel. This means that they are able to manage users and user groups as well as workspaces and bases. Admins can also download various reports to better understand the ways in which their organization's users are interacting with Airtable. Additionally, admins are able to define certain company-wide policies in order to restrict or allow access to Airtable. An admin can also be a collaborator in Airtable workspaces and bases.
User/Collaborator - Folks in this category will have various roles and permissions in their organization. Our support article about permissions is handy if you are looking to learn more about the various actions that each collaborator type is able to perform in Airtable. If you don't know who your Airtable admin is, then it's a good idea to reach out internally to find out who is, as they may be able to troubleshoot various issues within your organization.
Upgrader - This user type only exists on FLA plans (covered in the section below). A user with upgrader permissions is able to convert an existing external workspace to an Enterprise (internal) workspace.
User type FAQs
Why don’t “Upgrader” user types exist for ELA license types?
For ELA license types, all workspaces created by enterprise users are automatically placed on the Enterprise plan. This is not true for FLA licenses, where users can have a mixture of workspaces on various Airtable plan types.
For FLA, what is the difference between “admins,” “upgraders,” and “collaborators”?
Everyone on your account is considered a collaborator. Some collaborators can be designated as admins and upgraders. Only upgraders will have the ability to upgrade a workspace (through the workspace settings dialog). Only admins have access to the admin panel, where they can add or remove collaborators, designate upgraders, manage security controls and more. Note: Admins are not automatically considered upgraders, but an admin can designate themselves to be an upgrader through the admin panel.
What is the difference between deactivating and removing a user?
Deactivating a user prevents them from being able to log in to Airtable in the future. Removing a user only removes their existing workspace and/or base privileges, but the user could log back into Airtable and create new workspaces and bases.
How do I remove an "Upgrader"?
"Upgrader" user types only exist on FLA plans. For more info on how to manage upgraders, please check out this support article.
Admin panel FAQs
Can I programmatically change multiple email addresses?
Yes, this section of our Enterprise Airtable API documentation will help. This can be especially useful if your company is migrating to a different domain.
As an admin, how do I remove a non-federated (external) user on an ELA Enterprise plan
There are 2 ways to remove external users from ELA plans (e.g., \firstname.lastname@example.org is a workspace or base collaborator and doesn't appear in the Users list in the admin panel):
- Checking all of the workspaces and bases owned by users in your organization and manually removing the user(s). This process can be tedious depending upon the number of workspaces and bases that your organization has.
- Programmatically checking and removing using the Enterprise API
When a previously active user deletes their account, will that deletion or history show up in the admin panel?
This information will not show up in the admin panel.
Can I quickly filter for users who have not enabled 2FA?
You can use advanced filters in the user management tab to filter for 2FA, specific account creation dates, emails, names, and more.
What will it look like when an account is deactivated? Do they receive an alert?
When an account is deactivated, the user will see a message in the sign in dialogue that says “That account has been deactivated. Please contact your organization administrator.” Users are not notified of deactivation.
What happens to a workspace when its owner is deactivated in Admin panel?
When an owner of a workspace is deactivated, the workspace (and its contents) are unaffected. However, owners can only be deactivated if there is at least one other owner or no other collaborators in the workspace. If there are no other collaborators in the workspace, it will no longer be accessible. In this case, if the admin needs to access it, they’d need to reactivate the owner's account or assign another owner prior to deactivating the first owner.
Can I see active users/last seen from admin panel?
The field "Last Activity Time" displays when the user was last active. Activity is calculated any time a user is logged in and takes an action in a base. (Actions include: loading a base, adding content to a base, or editing content in a base.) Loading the workspace home page would not count as activity. If the user remains logged in for an extended period of time with no activity, the last activity time will not be updated. (Note: Activity is being tracked from November 2019 onward.)
When domain restricted share links settings are turned on, does it immediately apply to all share links, or only net new links?
All links are affected, regardless of when they were created.
Are forms included in domain restrictions?
Forms are included in domain restrictions unless you opt to exclude them. To do this, toggle the “Allow unrestricted access to shared forms” option.
Can I hold off on adding users to my enterprise account until SSO has been enabled, or bulk deactivate?
On ELA Enterprise plans, we support programmatic disabling/re-activating users via SCIM for Okta (and only Okta). For additional details and setup instructions, please read our support article.
Am I able to remove my own admin privileges?
No, you will need to have another admin remove your privileges. If there are no other admins on your account, then you will need to add another admin before you can be removed.
Can I require 2FA from the admin panel?
The admin panel allows you to see who does not have 2FA enabled, but it does not allow you to enforce 2FA. If you would like more control over user authentication, we recommend using SSO, which allows you to enforce 2FA.
Can I set up SSO with Airtable?
Yes. Read our support article here about how to set up SSO with Airtable.
External Service Overview
Airtable provides a suite of functionality designed to make it easier for users to connect Airtable to other applications in your technology stack. Many users today will shuffle CSV files back and forth between systems, or using copy and paste.
These Sync and Automation features can eliminate these tedious and manual processes. We leverage standard OAuth2.0 processes to receive authorization from the external service when supported by the external service. Each user is responsible for connecting their Airtable account to the external service. The user can only access data in that external service that they are authorized to access.
Depending on how your enterprise environment is configured, additional steps may be required to approve Airtable to connect to your enterprise systems. For example, Microsoft Teams generally requires pre-approval in your Microsoft Azure admin settings.
Depending on the type of integration, they can read or write data from the external service and you should refer to each integration’s dedicated support page to learn more about what the integration authorizes and allows.
Does Airtable encrypt all data?
Airtable encrypts all data in transit and at rest.
- To protect data in transit: Connections made to Airtable are secured using HTTPS using TLSv1.2.
- To protect data at-rest: Airtable encrypts all data using AES-256.
What data is Airtable storing?
We store a user’s access token which allows us to make authorized requests into the external service.
If the integration allows read access from data in the external service, we will store the information that the user requests us to store.
Does this integration support OAuth2.0?
If the other service supports OAuth2.0, yes, we aim to use this industry standard. You can review each integration in question to understand how the authentication works and what that integration supports.
Concerning user authentication between Airtable and the external service: is it using a general service account, or will each user have to authenticate using their own credentials?
Generally, we use OAuth2.0 when supported by the external service. This requires the user to login and use their credentials for the external service for authorization. This means that the integration will only be able to access the data that’s accessible to the user who connected the account. It will NOT have access to the entire organization’s data.
Will users be required to use SSO to authenticate with the external service?
How the external service chooses to manage authentication/authorization is outside of Airtable’s control. If the external service is using your SSO provider for authentication, then it should require the user to use SSO.
Does Airtable store any user credentials?
For OAuth2.0 based integrations, we store an access token that allows us to make authorized requests for the user. These tokens are encrypted in transit and at rest.
Can users review and manage their connected accounts and revoke authorization?
Yes. Users can review their connected accounts using the instructions in this support article.
Can our Enterprise Admins restrict what external services users are allowed to connect with?
Yes, under our Enterprise plan, your admins can restrict specific integrations until they are reviewed and approved.