Manage access to objects
Customize workspace members' access to objects.
Available on plus, pro and enterprise plans.
Admins and members with Full access to an object can configure its permissions.
Access controls vary by plan.
Set object permissions to control which actions members, teams, and automations can take on objects and their records.
Note: See the Sharing and permissions article to learn more about managing access across Attio features.
Who can manage access to objects?
Only workspace admins and members with Full access to the object can manage object permissions. If you don't have access and need help managing permissions, contact a workspace admin or Full access member.
Access controls for objects vary by Attio plan:
Free: Managing workspace, team, and member access is not available. Automations access is configurable.
Plus: Customize workspace-wide access. Managing team and member access is not available. Automations access is configurable.
Pro and Enterprise: Manage access for the workspace, teams, individual members, and automations.
Object access levels
There are three access levels to choose from when setting object permissions:
Full access: Can manage object settings including permissions and attributes, and can view and update record data for the object.
Read and write: Can view and update record data for the object.
Read only: Can view all record data for the object, but cannot update it.
The table below shows which actions are available for each access level.
Legend:
✅ Yes = This access level can take this action.
❌ No = This access level cannot take this action.
Action | Read only | Read and write | Full access | Notes |
|---|---|---|---|---|
Manage object permissions | ❌ No | ❌ No | ✅ Yes | |
Manage object name, icon, and record labels | ❌ No | ❌ No | ✅ Yes | |
Create, edit, and archive object attributes | ❌ No | ❌ No | ✅ Yes | |
Configure record pages | ❌ No | ❌ No | ✅ Yes | |
Create record templates | ❌ No | ❌ No | ✅ Yes | |
Delete custom objects and deactivate standard objects | ❌ No | ❌ No | ✅ Yes | |
Create, merge, and delete records | ❌ No | ✅ Yes | ✅ Yes | Admins must have full or read and write access to create, merge, or delete records. |
Update object attribute values | ❌ No | ✅ Yes | ✅ Yes | Write access to objects on both sides of the relationship is required to update relationship attributes. |
Export object views | ✅ Yes | ✅ Yes | ✅ Yes | Exception for Enterprise accounts that have disabled non-admin exports |
See the object, including its records and attributes | ✅ Yes | ✅ Yes | ✅ Yes | |
View object attribute values | ✅ Yes | ✅ Yes | ✅ Yes | |
View, create, link, and delete record activities | ✅ Yes | ✅ Yes | ✅ Yes | |
Manage all records page views | ✅ Yes | ✅ Yes | ✅ Yes | Includes creating, editing, reordering, favoriting, and deleting views. |
Create lists, add records of the object to lists, and update list entries | ✅ Yes | ✅ Yes | ✅ Yes | |
View, create, edit, and delete notes and tasks on records of the object | ✅ Yes | ✅ Yes | ✅ Yes | |
View, upload or delete files on records of the object | ✅ Yes | ✅ Yes | ✅ Yes | |
Comment on records | ✅ Yes | ✅ Yes | ✅ Yes | |
Enroll records in sequences | ✅ Yes | ✅ Yes | ✅ Yes | |
Sync emails and calendar events | ✅ Yes | ✅ Yes | ✅ Yes | Includes automatic record creation of people and companies |
Note: See Understanding Attio’s data model for an explanation of objects, records, and attributes and how they relate.
Access priority rules
As a best practice, set the workspace access setting to the lowest level of access anyone in the workspace should have. Then use team and member access settings to grant additional access to the people who need it.
A member's access is based on the most permissive setting that applies to them across the workspace access setting, any teams they're part of, and any member access settings. More specific settings can only grant additional access. They cannot reduce access below the workspace default. This means that Read only access settings for individual members or teams have no effect if workspace access is set to Read and write.
For example, if workspace access is set to Full access and a member is assigned Read only access, they will still have Full access. If workspace access is set to Read only and one of a member’s teams is assigned Read and write access, they will have Read and write access.
Admin access to objects
Workspace, team, and member access settings apply to admins as well. Admins with Read only access to an object cannot create, update, merge, or delete its records. However, admins can always grant themselves Full access or Read and write access to any object through the object's Permissions tab in Workspace settings.
To ensure admins can create and update records across all objects, you can either:
Create an Admins team and give it Full access or Read and write access on each object, or
Assign each individual admin Full access or Read and write member access.
Configure object access
By default, workspace access is set to Read and write for all objects, so all members can view and update records unless access is customized.
Workflow automations inherit the workspace access setting by default. Admins and members with Full access to the object can grant individual workflows additional access.
Admins and members with Full access to the object can update object access from two places:
The object’s settings page in Workspace settings
The Share menu on the all records page
Configure object access in Workspace settings
Follow these steps to manage access to objects from Workspace settings:
Click your workspace name in the top-left corner.
Select Workspace settings from the dropdown.
In the left sidebar, click Objects.
Select the object, then the Permissions tab.
Workspace access: Set the workspace default with the dropdown to the right of Workspace access. Workspace access applies to all members and is the default applied for workflows.
Teams: Click + Add to add a team, then use the dropdown to customize access for all team members.
Individual members: Click + Add to add a member, then use the dropdown to customize access for the member.
Automations: Click + Add to add a workflow automation, then use the dropdown to customize access for the workflow.
Configure object access from the all records page
Follow these steps to manage access to objects from the all records page:
Open the all records page under Records in the sidebar, then click Share.
To update the workspace-wide default access setting, use the dropdown next to Workspace access.
To set team or individual member access (available on Pro and Enterprise plans), add teams or members and choose their access from the dropdown next to the name, then click Add.
4. To give a workflow access, click the Automations tab. Search for and select the workflow, choose the access level, and click Add.
Object permissions examples
Real-world use cases
These examples show common ways to configure object permissions for different scenarios.
Example 1:
The Sales team and workspace admins should be able to create, update, and delete Deals records, but no one else. Admins should also be able to manage permissions for Deals. Set the following:
Workspace access to Read only
Sales team access to Read and write
Individual admins' access to Full access
Example 2:
No members should be able to update Users and Workspaces records, because they are updated automatically by integrations. Set workspace access to Read only.
Resolving conflicting access levels
These examples show how workspace, team, and member settings are applied when they conflict.
Example 3:
Workspace access is set to Read and write, Executive team is set to Full access, and Sales team is set to Read only. No member access is set. A member on both the Executive and Sales teams will have Full access, since the most permissive setting across all applicable settings is applied.
Example 4:
An admin wants to ensure one member only has Read only access while others in the workspace have Read and write. Setting workspace access to Read and write and adding Read only for that individual will not work. The member will still have Read and write access, because a member access setting cannot override a more permissive workspace default. Instead, the admin should set workspace access to Read only, then grant Read and write access individually to the members and teams who need it.