Manage access to objects
Customize workspace members' access to objects.
Set object permissions to control which actions members, teams, and automations can take on objects and their records.
Note: See the Sharing and permissions article to learn more about managing access across Attio features.
Who can manage access to objects?
Only workspace admins and members with Full access to the object can manage object permissions. If you need help managing permissions and don't have access, contact a workspace admin or Full access member.
Access controls for objects vary by Attio plan:
Free: Managing workspace, team, and member access is not available. Automations access is configurable.
Plus: Customize workspace-wide access. Managing team and member access is not available. Automations access is configurable.
Pro and Enterprise: Manage access for the workspace, teams, individual members, and automations.
Object access levels
There are three access levels to choose from when setting object permissions:
Full access: Can manage object settings including permissions and attributes, and can view and update record data for the object.
Read and write: Can view and update record data for the object.
Read only: Can view all record data for the object, but cannot update it.
The table below shows which actions are available for each access level.
Legend:
✅ Yes = This access level can take this action.
❌ No = This access level cannot take this action.
| Action | Read only | Read and write | Full access | Notes |
|---|---|---|---|---|
| Manage object permissions | ❌ No | ❌ No | ✅ Yes | |
| Manage object name, icon, and record labels | ❌ No | ❌ No | ✅ Yes | |
| Create, edit, and archive object attributes | ❌ No | ❌ No | ✅ Yes | |
| Configure record pages | ❌ No | ❌ No | ✅ Yes | |
| Create record templates | ❌ No | ❌ No | ✅ Yes | |
| Delete custom objects and deactivate standard objects | ❌ No | ❌ No | ✅ Yes | |
| Create, merge, and delete records | ❌ No | ✅ Yes | ✅ Yes | Admins must have full or read and write access to create, merge, or delete records. |
| Update object attribute values | ❌ No | ✅ Yes | ✅ Yes | Write access to objects on both sides of the relationship is required to update relationship attributes. |
| Export object views | ✅ Yes | ✅ Yes | ✅ Yes | Exception for Enterprise accounts that have disabled non-admin exports |
| See the object, including its records and attributes | ✅ Yes | ✅ Yes | ✅ Yes | |
| View object attribute values | ✅ Yes | ✅ Yes | ✅ Yes | |
| View, create, link, and delete record activities | ✅ Yes | ✅ Yes | ✅ Yes | |
| Manage all records page views | ✅ Yes | ✅ Yes | ✅ Yes | Includes creating, editing, reordering, favoriting, and deleting views. |
| Create lists, add records of the object to lists, and update list entries | ✅ Yes | ✅ Yes | ✅ Yes | |
| View, create, edit, and delete notes and tasks on records of the object | ✅ Yes | ✅ Yes | ✅ Yes | |
| View, upload or delete files on records of the object | ✅ Yes | ✅ Yes | ✅ Yes | |
| Comment on records | ✅ Yes | ✅ Yes | ✅ Yes | |
| Enroll records in sequences | ✅ Yes | ✅ Yes | ✅ Yes | |
| Sync emails and calendar events | ✅ Yes | ✅ Yes | ✅ Yes | Includes automatic record creation of people and companies |
Note: See Understanding Attio’s data model for an explanation of objects, records, and attributes and how they relate.
Access priority rules
When workspace, team, member, or workflow access settings differ, the more specific setting takes priority:
Workspace access sets the default for all members.
Team access overrides the workspace default.
Member access overrides team and workspace settings.
Workflow access is independent of other settings; workflows have Read only access to objects by default, unless explicitly added.
Note: Members can belong to multiple teams. If team permissions differ and no member-specific setting is in place, the most permissive access level from any of the member's teams is applied. For example, if one team grants Read only access and another grants Read and write access, a member on both teams will have Read and write access unless a member access setting overrides it.
As a best practice, set the workspace access level that fits the majority of members, then add team or member settings for exceptions, and add all workflows that should have access.
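The priority rules above, modelled as an added example (this is not Attio's code or API; the policy dictionary layout, the function names, and the member, team and workflow names are assumptions made for illustration). Besides resolving effective access, it flags team limits that the most-permissive rule outvotes, which is the case to review when a restrictive team setting was meant to hold.

```python
from enum import IntEnum

class Access(IntEnum):
    # Ordered so that max() picks the most permissive level.
    READ_ONLY = 1
    READ_WRITE = 2
    FULL = 3

def member_access(policy, member, teams):
    """Member setting wins, then the most permissive team setting, then the workspace default."""
    if member in policy.get("members", {}):
        return policy["members"][member]
    team_levels = [policy["teams"][t] for t in teams if t in policy.get("teams", {})]
    return max(team_levels) if team_levels else policy["workspace"]

def workflow_access(policy, workflow):
    """Workflows ignore workspace/team/member settings: Read only unless explicitly added."""
    return policy.get("workflows", {}).get(workflow, Access.READ_ONLY)

def shadowed_team_limits(policy, memberships):
    """List (member, team, team_level, effective) where a team's lower level is
    outvoted by a more permissive team and no member setting pins the result."""
    findings = []
    for member, teams in sorted(memberships.items()):
        if member in policy.get("members", {}):
            continue  # a member setting overrides every team level
        effective = member_access(policy, member, teams)
        for team in teams:
            level = policy.get("teams", {}).get(team)
            if level is not None and level < effective:
                findings.append((member, team, level, effective))
    return findings

# Constructed sample mirroring Examples 3 and 4 on this page (member and workflow names are made up).
POLICY = {
    "workspace": Access.READ_WRITE,
    "teams": {"Executive": Access.FULL, "Sales": Access.READ_ONLY},
    "members": {"dana": Access.READ_ONLY},
    "workflows": {"deal-enrichment": Access.READ_WRITE},
}
MEMBERSHIPS = {"alex": ["Executive", "Sales"], "dana": ["Executive", "Sales"], "sam": []}

if __name__ == "__main__":
    for name, teams in MEMBERSHIPS.items():
        print(name, member_access(POLICY, name, teams).name)
    print(shadowed_team_limits(POLICY, MEMBERSHIPS))
```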
Admin access to objects
Workspace, team, and member access settings apply to admins as well. Admins with Read only access to an object cannot create, update, merge, or delete its records. However, admins can always grant themselves Full access or Read and write access to any object through the object's Permissions tab in Workspace settings.
To ensure admins can create and update records across all objects, you can either:
Create an Admins team and give it Full access or Read and write access on each object, or
Assign each individual admin Full access or Read and write member access.
Configure object access
By default, workspace access is set to Read and write for all objects, so all members can view and update records unless access is customized.
Workflow automations have Read only access to objects by default and must be explicitly granted Read and write access. Only admins and members with Full access to the object can grant Read and write access to a workflow.
Admins and members with Full access to the object can update object access from two places:
The object’s settings page in Workspace settings
The Share menu on the all records page
Configure object access in Workspace settings
Follow these steps to manage access to objects from Workspace settings:
Click your workspace name in the top-left corner.
Select Workspace settings from the dropdown.
In the left sidebar, click Objects.
Select the object, then the Permissions tab.
Workspace access: Set the workspace default with the dropdown to the right of Workspace access. Workspace access applies to all members, but does not apply to automations.
Teams: Click + Add to add a team, then use the dropdown to customize access for all team members.
Individual members: Click + Add to add a member, then use the dropdown to customize access for the member.
Automations: Click + Add to add a workflow automation, then use the dropdown to customize access for the workflow.
Configure object access from the all records page
Follow these steps to manage access to objects from the all records page:
1. Open the all records page under Records in the sidebar, then click Share.
2. To update the workspace-wide default access setting, use the dropdown next to Workspace access.
3. To set team or individual member access (available on Pro and Enterprise plans), add teams or members and choose their access from the dropdown next to the name, then click Add.
4. To give a workflow access, search for and select the workflow, choose the access level, and click Add.
Object permissions examples
Real-world use cases
These examples illustrate common ways to configure object permissions for real-world scenarios.
Example 1:
The Sales team and workspace admins should be able to create, update, and delete Deals records, but no one else. Admins should also be able to manage permissions for Deals. Set the following:
Workspace access to Read only
Sales team access to Read and write
Sales managers’ member access to Full access
Example 2:
No members should be able to update Users and Workspaces records, because they are updated automatically by integrations. Set workspace access to Read only.
Resolving conflicting access levels
These examples show how workspace, team, and member settings are applied when they conflict.
Example 3:
Workspace access is set to Read and write, Executive team is set to Full access, and Sales team is set to Read only. No member access is set. A member on both the Executive and Sales teams will have Full access, since the more permissive team level is applied.
Example 4:
Workspace access is set to Read and write, Executives team is set to Full access, and Sales team is set to Read only. Member access for a person on both teams is set to Read only. The person will have Read only access, since the member access setting overrides workspace and team access.