I. Intro
Version requirements: Lark mobile version 7.37 or above. No version requirements for the desktop app and web version.
Notice: This article applies to the new version of advanced permissions for Base. For more information on the new version of advanced permissions, see Overview of new advanced permissions in Base.
In Base's advanced permissions, a role functions as a permission group. You can customize a role's editing and viewing permissions, and then assign members to that role to grant them the corresponding permissions.
In the new version of advanced permissions, the "default role" has been removed and replaced with "system roles". The system roles are aligned with the collaborator permissions used in Docs (such as can edit, can view, can manage).
II. Description
The collaborator panel in this article refers to the panel that opens when you click Share in the upper-right corner of the base, and then click the profile photo section on the right side of Invite Collaborators. In the collaborator panel, you can add collaborators or modify their permissions including, manage, edit, and view.
250px|700px|reset
250px|700px|reset
Role description
Roles in the new version of advanced permissions are divided into two categories: System roles and Custom.
250px|700px|reset
System roles
After turning on advanced permissions, the four system roles, Owner, Administrator, Editor, and Viewer can be found in the upper-left corner. These roles cannot be added, renamed, or deleted.
- Owner: The owner of the base, who has the highest permission level (that is, the manage permissions for all tables and the edit permissions for dashboards). The permissions of this role cannot be modified, and members cannot be added or removed.
- Administrator: Also has the highest permission level for the base (that is, the manage permissions for all tables and the edit permissions for dashboards). The permissions of this role cannot be modified. Adding or removing members is supported. Members who are assigned manage permission in the collaborator panel are automatically added to the Administrator role.
- Editor: The Table permissions of this role can be set to Can manage, Can edit, View only, and No access. Permissions for editing or viewing records, fields, and views can also be configured. Dashboard permissions can be set to View only and No access. Adding or removing members to this role is supported. Members who are assigned edit permission in the collaborator panel are automatically added to this role.
250px|700px|reset
250px|700px|reset
- Viewer: The Table permissions of this role can only be set to View only and No access. Permissions for editing or viewing records, fields, and views can also be configured. Dashboard permissions can be set to View only and No access. Adding or removing members to this role is supported. Members who are assigned view permission in the collaborator panel are automatically added to this role.
250px|700px|reset
250px|700px|reset
Members in Editor and Viewer roles can be quickly reassigned between these two roles. For example, to reassign a member from viewer to editor:
Click Viewer and click the profile photo section on the right to enter the Members assigned to this role page. Click the Switch to another system role icon on the right of a member > Editor.
250px|700px|reset
Custom roles
Custom roles are permission groups that can be customized. These roles can be added, renamed, and deleted as needed.
- Click Add Role to add a new custom role, configure it, and add members.
- Hover over a custom role and click the ··· icon that appears to rename or delete the role.
250px|700px|reset
Members in a custom role can be quickly reassigned to another. Quickly reassigning between system roles and custom roles is not supported. For example, to reassign a member from one custom role to another:
Click a custom role and click the profile photo section on the right to enter the Members assigned to this role page. Click the Change to other custom roles icon on the right side of a member and select a custom role.
250px|700px|reset
Custom roles take precedence over system roles. For example, in the collaborator panel, if user A's permission is set to Can manage, they will be added to the Administrator system role. However, if user A is later added to a custom role, their effective permissions will follow those defined by the custom role.
Note: Users assigned to a custom role can also be added to the Administrator role, but not Editor or Viewer roles.
Set whether to allow sharing authorization
After turning on advanced permissions, you can set Only Custom Roles Can Access or Grant Access Through Sharing.
- Only Custom Roles Can Access: Recommended for managing sensitive data. This option only allows members in custom roles and those with manage permission to access the base. Users with the sharing link or collaborators who are assigned view or edit permission through the sharing panel cannot access the base.
- Note: After this option is selected, Editor and Viewer roles will no longer have access to the base. Owner and Administrator roles are not affected.
- Grant Access Through Sharing: Recommended for managing public data. This option allows you to share the base by adding collaborators in the sharing panel or using the sharing links to assign manage, view, and edit permissions.
- Note: After turning on advanced permissions, Only Custom Roles Can Access is selected by default. If you don't make any changes, you can still go back to the old version of advanced permission. If you switch to Grant Access Through Sharing and save the settings, you will no longer be able to switch back to the old version.
250px|700px|reset
The relationship between roles and document collaborators
The roles in the new version of advanced permissions are related to document collaborators in the following ways:
- Members added to system roles and custom roles are added as document collaborators.
- Members added through the collaborator panel will appear in the system roles of advanced permissions according to the permissions granted:
- Members granted manage permission through the collaborator panel are automatically added to the Administrator role.
- Members granted edit permission through the collaborator panel are automatically added to the Editor role.
- Members granted view permission through the collaborator panel are automatically added to the Viewer role.
- Note: If Only Custom Roles Can Access is selected (Grant Access Through Sharing is not selected), then Editor and Viewer roles will be disabled. In this case, even if members are added to the collaborator panel, they will not be able to access the base.
- If you remove a member in the collaborator panel, the advanced permission role of this member will become invalid and they won't be able to access the base.
- If the base contains sub-pages, adding or removing members from system roles will only affect collaborators of the current page only.
Changes to default roles in the new system
If you have previously turned on advanced permissions and used a default role in your base, the new role system works as follows:
- If the default role has permission to access base: The default role will be converted into a custom role, while retaining the same role name, permissions, and members.
- This is equivalent to Grant Access Through Sharing being selected. When new collaborators are added through sharing links or other methods, they will not automatically be placed in the new custom role. Instead, they will be assigned to one of the system roles—Administrator, Editor, or Viewer—based on the permission they're granted.
- If the default role has no permission to access base: The members in the default role will be added to the Viewer role and won't have permission to access the base.
- This is equivalent to Only Custom Roles Can Access being selected. When new collaborators are added and granted edit or view permission through sharing links or other methods, they will be assigned as Editor or Viewer, but won't be able to access the base. If the new collaborator is granted manage permission, they will be able to access the base.
III. Related