Docs

Permissions overview

Baserow’s permission system allows you to control who can view, edit, or manage your data, from simple workspace membership to granular role-based access control.

This guide covers how to understand Baserow’s permission system, compare free vs. paid role-based access control, and learn which approach fits your security needs.

Overview

Permissions determine what members can do within workspaces, databases, tables, and fields. As a workspace admin, you assign roles when inviting users to a workspace or creating teams, then adjust access as your needs evolve.

The right permission strategy depends on your plan, team size, and security requirements. This guide helps you understand your options and select the best approach.

Permission system comparison

Basic roles

Free and Premium plans offer two workspace-level roles, without granular, table-level restrictions:

Role	Capabilities	Best for
Admin	Can fully configure and edit: workspaces, applications, members, settings, billing, databases	Team leads, workspace owners
Member	Can fully create, edit, and delete and manage databases, tables, views; full data access	All team members

When you create a workspace, you are automatically assigned the Admin role. As an Admin, you can invite others to join as workspace members. A workspace member has broad permissions, giving them full access to all data within that workspace.

This is best for small teams (2-10 people), high-trust environments, projects where everyone needs similar access, and teams on limited budgets.

Role-based access control

Advanced and Enterprise plans add roles with granular permissions. To get granular control, such as restricting access to specific databases or tables, you will need the full Role-Based Access Control (RBAC) features. View pricing options.

Role	Access level	Typical users
Admin	Full control over workspace, members, and all data	Department heads, workspace managers
Builder	Create/modify databases, tables, fields, views	Application developers, power users
Editor	Add, edit, delete data; cannot modify structure	Data entry team, content managers
Commenter	View data and add comments; no editing	Reviewers, stakeholders, clients
Viewer	Read-only access to data	Reporting users, executives, observers
No Role	No default access; requires team or explicit grants	(Strategic use for security)
No Access	Explicitly blocked from accessing content	Suspended users, restricted members

This is best for medium to large teams (10+ people), organizations with sensitive data (HR, finance), client-facing workspaces with external collaborators, compliance-driven environments (HIPAA, GDPR, SOC 2), and departments with different access needs.

Learn more about role capabilities and role hierarchy.

How role-based access control works

Permission structure

With role-based permissions, you can assign roles at levels of specificity. Assign roles at workspace, database, and table levels.

Workspace Level (default baseline)
  ↓ can be overridden at
Database Level (project/department access)
  ↓ can be overridden at  
Table Level (granular control)

More specific roles override broader ones (table > database > workspace). Learn more about how role hierarchy works.

Example scenario: The Marketing team has an Editor role at the workspace level → Viewer role on the Finance database → Sarah (in Marketing) has Admin role on the Budgets table in the Finance database.

How individual and team permissions interact

In Baserow, you can assign roles to manage permissions in two ways:

To a team: This assigns a default set of permissions to a group of members. Learn how to create and manage teams.
To an individual member: This assigns permissions directly to a specific user.

When a workspace member belongs to a team but also has a different role assigned to them individually, the individual role always takes precedence.

An individual member’s assigned role will always override any role they inherit from a team.

This system provides flexibility. For example, you can set a general, view-only role for a Marketing team, but then grant a specific Marketing Manager in that team an Editor role. The manager will have full editor permissions, overriding the team’s view-only setting.

Getting started with permissions

Setting up permissions for a new workspace involves a few key planning steps. Following this process ensures your data is secure and collaborators have the correct level of access from day one.

How to set up permissions in a new workspace

Assess your plan’s capabilities: First, identify which roles are available on your plan.
Design your permission structure: Before inviting anyone, map out your data access strategy. Ask these questions:
- Who needs what level of access (e.g., read-only, editor, admin)?
- Which databases or tables contain sensitive data that needs to be restricted?
- Will you manage access by creating teams or by assigning roles to individual users?
Implement your design: With your plan in place, you can now configure your workspace.
- Start by inviting members to your workspace.
- Assign the appropriate roles to individuals or teams at the workspace, database, or table level.

Learn more about advanced role configuration strategies to implement your design.

Frequently asked questions

What’s the difference between “No Role” and “No Access”?

No Role – Member gets access through team memberships only (strategic choice)
No Access – Explicitly blocked from accessing content (restriction)

Learn more about using “No Role” strategically.

Can Free plan users control who sees specific tables?

No. Free and Premium plans don’t support granular permissions. All users with Member roles have full access to all workspace content. Upgrade to Advanced/Enterprise for table-level control.

How do I restrict client access to only their project data?

Use Advanced or Enterprise plans: Create a team for each client, assign the team a Viewer or Commenter role, and Grant access only to their specific database or tables. Learn more about client access strategies.

Are permissions the same on self-hosted and cloud versions?

Free/Premium roles work the same. Role-based access control requires a Cloud Advanced plan subscription or Self-hosted: Enterprise license. Learn about self-hosted licensing.

What happens when your plan expires?

If your Advanced plan or Enterprise license expires, role-based permissions deactivate immediately. All users automatically become Members (Builder equivalent) with full workspace access, teams lose role assignments, and you must manually restructure workspace access on the Free/Premium plan. Learn more about Baserow subscriptions.

What’s the difference between Free/Premium and Advanced plan permissions?

The Free and Premium plans offer workspace-level roles (Admin, Member, etc.), which are suitable for small, trusted teams. The Advanced and Enterprise plans add Role-Based Access Control (RBAC), allowing you to set granular permissions for specific databases and tables.

Should I use teams or assign roles individually?

Use teams when you need to grant the same level of access to a group of users (e.g., a “Sales” team that needs editor access to the “CRM” database). Assign roles individually for users with unique access needs or for high-level roles like Workspace Admin.

Understand the system:

Implement permissions:

Manage teams and members:

Billing and plans:

Free and Premium plans:

Advanced and Enterprise plans:

Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions; we’re ready to assist you.

Ask the Baserow community
Contact support for questions about Baserow or help with your account