- 24 Oct 2024
- 20 Minutes to read
- Print
- DarkLight
- PDF
Settings - Airtable admin panel
- Updated on 24 Oct 2024
- 20 Minutes to read
- Print
- DarkLight
- PDF
Enterprise Scale and Business plans | |
Platform(s) | Web/Browser, Mac app, and Windows app |
Related reading | |
Airtable terminology | Admin panel - A centralized set of tools to help admins manage their organization’s Enterprise account. It's a designated surface that includes ways for admins to view and manage users, groups, reports, bases, and more. It is not visible or available to non-admins. |
Admin panel settings overview
To access the admin panel settings:
Open your admin panel.
Click Settings.
What control and management options are available on the admin panel's settings page?
Security & compliance
Sharing & data
Integrations & development
Org customization
Security and compliance in the admin panel
Note
Review Configuring SSO in the admin panel for a deeper dive into the admin panel's SSO settings.
Security & compliance overview
As an admin, you can choose to make SSO either optional or required for each of your federated domains.
If you make SSO optional, collaborators can use SSO or log in with their email addresses and passwords. If a user does not have a password enabled, they can set one by visiting airtable.com/forgot.
If SSO is required, all users within that domain must use SSO to sign in to Airtable.
Note
If you make SSO required, all users within the organization’s verified domains will have to use SSO to log in to Airtable. Requiring SSO allows you to better manage access to Airtable and ensures that your users use the most suitable authentication method.
The Security & compliance section of the admin panel is made up the following sections:
Email domains and SSO configuration - This tool allows admins to verify domains, giving complete control over their associated user accounts.
Fixed Web Session length - Set how long users can stay signed into airtable.com.
Enable Change Events (available on Enterprise Scale) - Turn on/off change events logging and API access. This feature requires enablement; please contact your account manager for access.
Two-factor authentication (MFA)
NOTE
Contact our sales team if you are interested in learning more about enabling two-factor authentication.
The Enterprise two-factor authentication (a.k.a. multi-factor authentication) feature allows admins to disable two-factor authentication, enable it only for members, or require 2FA for everyone.
Sharing and data in the admin panel
Sharing & data overview
The "Sharing & data" section of the admin panel is made up the following sections:
Sharing
Invites - Control users' ability to invite other users outside your organization and domains.
Prevent organization-wide app interface sharing - Toggle ON/OFF user's ability to make interfaces accessible to the entire organization.
Share links - Control which users can access your organization’s shared base links or shared view links. Note that this setting will also affect the behavior of public interface pages.
Prevent public sharing of interface pages - This prevents the creation of share links for interface pages. Note that any existing publicly shared interface pages will still be accessible, since this option only prevents new publicly shared interface pages.
Restrict user group creation to admins - Toggle ON/OFF non-admin user's ability to create user groups.
Access
Synced view restrictions - Control which bases can receive synced data from Airtable bases.
File attachments - Control which attachment file types can be uploaded to Airtable bases in your organization.
Restricting access to specific IP ranges
Note
Restricting IP addresses is only available on Enterprise Org plans, and restricting individual IP addresses is unsupported.
This setting lets admins set IP range restrictions to prevent users from accessing Airtable unless they are logged into Airtable from an allowed device and/or network. Currently, only IPv4 protocol is supported.
Understanding invite settings
Invites settings
Prevent users from inviting other users outside of your organization’s domains or outside of your organization.
Unrestricted
Users can invite any user to organization content.
Restricted to your organization’s domains
Users can only invite other users with email domains matching their organization domains.
Restricted to org unit members
NOTE
This option is available for organizations on Enterprise Hub.
Users cannot invite non-member and non-org unit user groups to org unit resources. The following actions are also taken:
Non-member collaborators are removed from all org unit resources when the invite restriction is enabled for the first time.
Non-member collaborators are removed when workspaces, bases, and user groups are moved into the members-only org unit.
Org unit resources cannot be moved outside the org unit to bypass collaboration restrictions.
Org units previously using the "Autoclaim" membership capture type are updated to "Manual."
Super admins and org unit admins can add new members via the admin panel's "Global Users page" and the org unit's "Users" page.
Preventing organization-wide app interface sharing
This setting allows admins to restrict users from making interfaces accessible to their entire organization.
Understanding share link settings
This setting allows admins to restrict who can access share links across your organization. Individual share link restrictions can also be set within the base UI. There are three options to choose from, each with separate options specific to them:
Public
Flexible
Private
Members only
Public
Share links are publicly accessible by default, but can individually be made private.
Private
Users outside of your organization’s domain can’t access shared links. End users will need an Airtable account and will be forced to log into Airtable so that we can verify that their login domain matches a domain associated with your organizations or additional domains configured in the email domain allowlist.
Email domain allowlist: If needed, add email domains that are exempt from this setting. Users with those email domains will be able to access share links.
Additional settings:
Allow unrestricted access to password-protected shares: Allow anyone to access share links that are password-protected.
Allow access to shared forms: Allow anyone to access shared forms.
Note
If any share link has email domain restrictions, is password-protected, or an admin has made share links private, then iCal integration links will not be able to sync because the iCal link is no longer able to authenticate.
Flexible
By default, share links are restricted to your organization's email domain. However, restrictions can be removed on individual share links. There are also some additional configuration options:
Email domain allowlist: If needed, add email domains that are exempt from this setting. Users with those email domains will be able to access share links.
Keep existing share links public: If you change this setting from Public to Flexible, you can optionally allow existing share links to remain public.
Members only
NOTE
The same "Additional settings" from "Private" are also available to "Members only".
Users who are not approved members of your org will be prevented from accessing share links.
Restrict user group creation to admins only
The next option under the Sharing category focuses on user groups. Toggling this option on means that only admins can create user groups so that users without admin privileges will be unable to create or modify user groups.
Restricting file attachments
There are 3 restriction options that admins can choose from:
Unrestricted: No restrictions. All file types are allowed to be uploaded.
Restricted: Files, regardless of their type, cannot be uploaded to any attachment fields in bases that are part of the organization's workspace(s).
Custom allow: Specific file types can be set as allowed for upload in attachment fields. Admins can choose to allow one or more of the following options:
Image - audio - video - PDF - Other: Create a custom, comma-separated, list of allowed file types that your organization can upload to Airtable attachment fields. You can find more information about common MIME types here.
Synced view restrictions
This setting gives admins control over synced shared views with other bases. Admins can choose between:
Unrestricted: Any base, within or outside your organization, can receive synced data from syncable share view links within your organization.
Restricted: Users are only to set up syncs between existing bases within your organization. Bases outside your organization aren't able to receive syncs.
The share view configuration defaults to restricting syncs within your organization but can be disabled on a share-view-by-share-view basis. Admins can also decide who can disable restrictions for views and can choose from no one, creators, and admins or admins only.
With this setting enabled—and because individual share views are controlled separately—existing syncs outside your organization will continue to function.
Off: This option is the most restrictive and prevents all shared views from syncing to any destination base.
This list includes all synced tables that can sync data from your organization, regardless of whether a sync is active. Admins can also select "Review share links" to view, sort, filter, and download share links enabling sync outside their organization. The three columns are calculated as follows
Total syncs: The total number of synced tables created from this shared view (internal and external).
Syncs to Airtable: The total number of synced tables created based on the shared view inside the Airtable corporate account—data that is likely being shared with Airtable. These tables are sometimes created during onboarding and service engagements or used to share information related to joint account planning between the customer and Airtable.
Other outside syncs: The total number of synced tables created—based on this shared view—that aren't part of your organization or part of the Airtable corporate account. Admins may want to keep some of the included data within their organization. If so, shared view links should be turned off but keep in mind that some desirable external syncs can be counted in this number, including:
Syncs with external consultants or vendors.
Syncs with other organizations under the same corporate entity (e.g., Division A and B, both of which are in Omnicorp Inc.)
The "Restricted" option prevents bases outside your organization from being sync targets by default.
Note
Please keep in mind that when syncs are not restricted, users will be able to sync data into bases that are not part of the organization.
Managing how users are added to org units
NOTE
This feature is only available for admins on the Enterprise plan with Enterprise Hub enabled. Airtable’s org unit membership setting allows admins to determine how users become members of org units.
Users are only eligible to be assigned to an org unit after an admin manually assigns them to one.
If your org unit is connected to user groups that manage its assignment, the org unit membership setting can only be changed once the user groups are disconnected.
This setting allows admins to manage how users are added to org units.
Visit your admin panel.
Click Settings, then Sharing & data.
Click the ˲ icon at the end of the “Org unit membership” row.
Click the pencil icon at the end of the “Org unit membership” row.
Select Admin review or Automatically add invited users.
If “Automatically add invited users” is selected, users may be assigned to org units once they are:
Invited to a workspace, base, interface, or user group that belongs to an org unit.
Collaborating on a workspace, base, or interface moved into an org unit.
A member of a user group that is moved into an org unit.
Click Save.
Integrations and development in the admin panel
Integrations & development overview
The "Integrations & development" section of admin panel is made up the following sections:
Integrations
Block integrations in automations and external source sync - Turn on/off the usage of automations and external source syncs that communicate with third-party services unless they're on the allowlist.
Block sync via emailed data and API - Turn on/off users from syncing data into Airtable through email attachments and API requests. API access also needs to be granted for API endpoint sync.
Show previews of Airtable links in Slack - Turn on/off previews of organization-owned base and workspace links to authenticated users in Slack.
Block Google Drive shortcut integration - Turn on/off users from automatically creating shortcuts to Airtable bases in Google Drive.
Development
Block API access to organization-owned bases and workspaces - Control who can use API via personal access tokens to access organization-owned bases and workspaces.
Block API access for third-party integrations - Turn on/off guests and external users from granting third-party services that aren't on the allowlist API access to organization-owned bases, workspaces, and interfaces. Additionally, prevent org members from authorizing third-party integrations that aren't on the allowlist.
Prevent development of custom code - Turn on/off users from developing custom extensions, writing scripts, and installing scripts from the marketplace unless the user is on the developer allowlist.
Extensions
Third-party extensions - Control which extensions created by third parties can be used in your organization. All third-party extensions are reviewed for security and functionality by Airtable
Blocking integrations in automations and external source sync
This setting allows organizations to prevent usage of automations or external source syncs that may communicate with external services (outside of Airtable).
An allowlist will appear if you turn the setting on. You can then allow or deny each integration based upon your organization’s security practices.
At the bottom of the allowlist, you can disable or enable all integrations.
Lastly, integrations that require additional configuration will appear below the allowlist. Currently, only the Jira Server / Data Center integration requires this additional configuration.
Preventing development of custom code
When this setting is turned on, users will not be able to interact with Airtable features that enable the deployment of custom code into your organization unless they are explicitly allowed. This includes the scripting extension, script templates, the Run a script action within automations, as well as custom extensions. To enable this functionality for your entire organization, keep this setting turned off.
If this setting is on, you can optionally add specific developers to an allowlist so that they can use these custom code features. To add a developer to the allowlist, enter their email address into the space provided, and click “Allow.”. Developers previously added to the allowlist can be removed by clicking "X" next to their email address.
Third-party extensions
Third-party extensions are built and submitted to the Marketplace by third parties and reviewed for security and functionality by Airtable. They do not include the partner extensions that Airtable has closely vetted. Within both categories, there are three options that allow admins to control which extensions can be used:
Allow all: Allows users to access and use all third-party extensions.
Deny those that access non-Airtable servers: Disallows third-party extensions that send data to non-Airtable web servers.
Deny all: Disallows all extensions.
Note
As of March 26, 2021 this setting will default to the “Deny those that access non‑Airtable servers” option. Admins can select one of the other options to opt-out of that default.
When an extension is disallowed in your organization, users will still be able to see all extensions in the Marketplace and click “Install,” but they will be met with an error message instructing them to contact their admin when they attempt to run the extension.
Block API access for all third-party integrations, unless explicitly allowed
This setting allows you to manage access to third-party integrations across your entire organization.
If this setting is "Off," org members can use third-party integrations.
If this setting is "On," org members cannot use third-party integrations unless they’re on the allowlist.
Note
In addition to this admin panel setting, you can also manage the third-party integrations already authorized by your users and service accounts:
AI settings
Enabling AI
When this setting is toggled off it will prevent AI from being used in all organization-owned workspaces.
To enable AI in the admin panel:
Navigate to the admin panel.
Click the Settings page.
Click the AI settings tab.
Toggle on the “Airtable AI” switch. If you cannot toggle on this setting, then you will need to talk with Airtable’s sales team to add Airtable AI to your Enterprise Scale or Business instance.
Once toggled on, admins can choose 1 or more AI platforms to allow at their organization. Toggle on or off the platform(s) that you want to allow under the “Status” column and then click Continue. Note that at least 1 AI platform must be enabled.
Note
Workspace owners can also choose to disable AI on the workspace settings page even if admins have enabled that workspace for AI in the admin panel settings.
Restricting AI access by workspace
When the Airtable AI setting is toggled on, you can choose to either:
Allow in all workspaces - (Default) This setting allows AI to be utilized across any workspace across the org you are managing.
Allow only in selected workspaces - Click the option to “Allow only in selected workspaces” and create an allowlist of Workspace IDs where the feature can be utilized. To add a new workspace to the allowlist:
1. Navigate to your organization’s admin panel and click on the Settings page.
2. Click the AI settings tab.
3. Click the option to “Allow only in selected workspaces”
4. Then, click the “Workspace allowlist” dropdown, enter a workspace ID, and click Allow.
Controlling AI platform and model developer usage
If you need to modify which AI platforms/models are used at your org:
Click on the setting next to the “AI platforms and model developers” section. This will either be Restricted or Allow all depending on your org’s current settings.
Next, you can change the setting to Allow all to enable all current, and any future, platforms/models for usage at your organization.
Alternatively, you can change the setting to Restricted. Then, under the “Platforms and model developers allowlist” section toggle on or off the different platforms/models under the “Status” column.
Lastly, click Save to save any changes you’ve made.
Controlling AI access to the internet
The “Internet access” setting allows you to control whether AI can access the internet
By default, this option is turned “On” meaning that it is available to all the workspaces where AI is enabled.
Admins can turn this setting off, which will prevent anyone in the org from allowing AI to access the internet.
Viewing AI credit usage
The “View AI credit usage” section can be used to see current usage levels across the organization.
Click the caret icon ⌄ next to “View AI credit usage” option.
This will reveal a usage bar:
Note
Click here for more information about how AI credits work in Airtable.
For Enterprise Scale admins, AI credit usage can also be found in the Reports page.
Org resources
The "Org customization" section of the “Org resources" tab allows admins to manage their organization’s logo, brand colors, and add a custom contact admin message. Learn more general information about organization branding in this article.
To manage your organization’s logo
Note
Be sure to upload a square image of your organization’s logo. The aspect ratio must be 1:1 (i.e. The width and the height must be the same).
The image should be at least 48x48 pixels in size, but can be larger.
Click the Settings tab on the left side of admin panel.
Under the “Org customization” section, click the → icon to the far right side of the "Organization logo” option. Note that org unit admins / admins not using Enterprise Hub will see an Edit button instead of the → icon.
Click Add logo if the org does not have a current logo added. If the org already has a logo in use, then click Edit to upload a new logo or Remove to disable the logo feature across the org you are managing.
Click Done to save any changes you have made.
To manage your organization's brand colors
Click the Settings tab on the left side of admin panel.
Under the “Org customization” section, click the → icon to the far right side of the "Brand colors” option. Note that org unit admins / admins not using Enterprise Hub will see an Edit button instead of the → icon.
If your organization has not already created a branded color set, then click Create a color set. For previously configured color sets, click the pencil icon to edit or the trash icon to remove the color set.
Name the color set and give the first color a name and a hexadecimal color code.
Each color will be represented by a hexadecimal color code. You can find more information about hexadecimal color codes on Wikipedia, and a tool to convert RGB color codes to hexadecimal codes at rgbtohex.net.
If you like, you can also click on the circle showing the current color to open a menu where you can use a color wheel, a color dropper, or enter a RGB or HSL value to determine a color. We only recommend using the color wheel or dropper options when you do not have a hexadecimal code already determined. To change the menu’s coloring format (RGB, HSL, or hexadecimal) click the icon and enter the value of the format that your organization uses. Note that a color’s RGB or HSL values will be shown as a hexadecimal color code in the main color set menu.
Colors are automatically detected as being most accessible with white or dark text. If you’d like to manually override this, you can click Change, and select Dark or Light from the dropdown “Is this color dark or light?” The preview on the right can help with your decision.
Click + to add a new color, click on an existing color to edit that color, or remove it from the color set by clicking the trash icon.
A color set can have up to 30 colors.
Click and drag a color to reorder it relative to other colors in the set.
Click Save to make the new color set available for your organization. Click Done to update the color set when you are making updates to an existing color set. This will update the color set for your organization.
To manage your contact admin message
Click the Settings tab on the left side of admin panel.
Under the “Org customization” section, click the → icon to the far right side of the “Contact admin message” option.
A new window will open that allows you to preview and edit the Title, Message, and Contact method.
To save any changes you have made, click Done.
The "Apps & Components" section of the “Org resources" tab allows admins to manage who in their organization can create, modify, and delete managed apps and components. Learn more about this feature in this article.
Allowing or restricting managed apps and components across an organization
Click the Settings tab on the left side of the admin panel.
Then, click the Org settings tab.
Scroll down to find the “APPS & COMPONENTS” section.
Here you will find the “Restrict managed app & component creation in this organization” setting.
When toggled on, this setting will globally prevent components from being created and published across the organization. When the option is toggled off, all users across the organization can create and publish apps or components to the library.
Click the ← Back to Settings button near the top left corner of the page when you are finished updating any settings here.
Adding or removing specific users to or from the allowlist
To create an allowlist of users in your organization who can create and publish apps and components:
The “Restrict managed app & component creation in this organization” setting mentioned above must be toggled on to create the allowlist.
Click and expand the User allowlist option.
Enter a single email address of a user in your organization and then click the Allow button. To remove a user click the X next to the email address of a user you want to remove from the allowlist.
Click the ← Back to Settings button near the top left corner of the page when you are finished updating any settings here.
Preventing org unit admin edits (Enterprise Hub only)
Toggling on this setting will block individual “Org admins” from being able to make edits to the allowlist settings for their org unit in their admin panel. Only “Super admins” will be able to make edits.
Click the Settings tab on the left side of the admin panel.
Then, click the Org settings tab.
Scroll down to find the “APPS & COMPONENTS” section.
Toggle on the “Prevent org unit admin edits” setting.
Click the ← Back to Settings button near the top left corner of the page when you are finished updating any settings here.
Managing individual org unit access (Enterprise Hub only)
This section will allow you to see and modify the “Status” (i.e. Whether or not the org unit has allowlist restrictions turned on. You’ll also be able to modify the individual org unit’s allowlist from here.
General actions:
Search org units - Search for an org unit by name. This is helpful when you are managing multiple org units.
Doesn't match default - Checking this box will filter out any org units that are currently set up with an allowlist that matches the default allowlist settings.
↓ CSV - Clicking this button will generate a CSV file of the current settings listed in the table. The CSV will contain 3 rows of data: Org units (name), Restriction status, and Allowlist (the email addresses of any users who have access to manage apps and components for the corresponding org unit).
Apply default - This option allows admins to apply the default allowlist to all of the org units shown in the table. You can also select one or more org units by clicking the checkbox next to its name and apply the default allowlist to each org unit you’ve selected.
Individual org unit actions:
Status - Turn the restriction On or Off for an individual org unit.
Allowlist - When the restriction is on, click the pencil icon to edit the allowlist of users who can add or modify apps and components for that particular org unit.
… - The options available in this menu will change depending on the status for each org unit. If the org unit’s status is off, then you can click the icon and then click “Apply default” to turn the restriction status to On and apply the default allowlist. For previously enabled org units, this option will not be available unless you turn the org unit restrictions off first.
Click the ← Back to Settings button near the top left corner of the page when you are finished updating any settings here.