Configure permissions for Base Connect guests
Configuring Permissions for Base Connect Guest Users
Context:
After approving external users as guests through Base Connect, you need to configure their permissions to control what they can access in your Base instance. Guest permissions determine which modules they can view, which companies' jobs they can see, and whether they can participate in messaging. Properly configuring guest permissions ensures that external partners have appropriate access while maintaining security and data privacy.
Managing Guest Access
The Challenge:
Base Connect guests from external organizations need access to shared records, but you want to control exactly what they can see and do. Without proper permission configuration, guests might have too much access (security risk) or too little access (hindering collaboration). You need granular control over module access, job visibility, and communication capabilities while ensuring guests can only access records they're explicitly granted access to.
Base's Solution:
Base provides a comprehensive permission configuration system for Base Connect guests. You can configure read permissions for specific modules (Jobs, Invoices, Expenses, etc.), control job visibility by company, enable or disable chat/messaging capabilities, and use permission templates for consistent configuration. Guests are automatically restricted to read-only access, and permissions are scoped to records they're explicitly granted access to via watchers or collaborators.
Understanding Guest Permissions
Permission Restrictions:
Base Connect guests have specific limitations:
Read-Only Access: Guests can only have "Read" permissions—they cannot edit, create, or delete records
Scoped Access: Guests only see records they're explicitly granted access to (via watchers, collaborators, or job visibility settings)
Module-Specific: Permissions are configured per module (Jobs, Invoices, Companies, etc.)
Secure by Default: Guests start with minimal permissions that must be explicitly granted
Permission Levels Available:
For guests, only these permission levels are available:
Read: View records and data
Chat: Participate in messaging on shared records (if enabled)
Guests cannot have:
Edit: Cannot modify records
Admin: Cannot perform administrative actions
TableConfig: Cannot configure table views
Step-by-Step Guide: Configuring Guest Permissions
1. Navigate to Base Connect Settings:
Go to Companies → Find the connected company
Click on the company to open company details
Find the "Base Connect" or "Connection" section
Look for "Guest Permissions" or "Configure Guests"
2. Select the Guest User:
You'll see a list of approved guest users from the connected organization
Click on the guest user you want to configure permissions for
This opens the permission configuration interface
3. Configure Module Permissions:
For each module, configure read access:
Jobs:
Enable/disable read access to jobs
Control job visibility (see below)
Invoices:
Enable/disable read access to invoices
Guests can view invoices for jobs they have access to
Expenses:
Enable/disable read access to expenses
Guests can view expenses on jobs they have access to
Purchase Orders:
Enable/disable read access to purchase orders
Guests can view POs related to their accessible jobs
Quotes:
Enable/disable read access to quotes
Guests can view quotes for jobs they have access to
Companies:
Enable/disable read access to company information
Typically limited to the connected company
Projects:
Enable/disable read access to projects
Guests can view projects they're collaborators on
Contracts:
Enable/disable read access to contracts
Guests can view contracts they're collaborators on
4. Configure Job Visibility:
Control which companies' jobs guests can see:
All Companies: Guest can see jobs from all companies (if they have job read access)
Specific Companies: Restrict to specific companies only
Connected Company Only: Only see jobs for the connected company
Note: Even with job visibility enabled, guests must still be added as watchers or collaborators to specific jobs to see them.
5. Configure Chat Permissions:
Enable or disable messaging capabilities:
Enable Chat: Guest can participate in messaging on records they have access to
Disable Chat: Guest cannot send messages or use @mentions
6. Use Permission Templates (Optional):
If you've created permission templates, select one from the dropdown
The template's permissions are automatically applied
You can then adjust individual permissions as needed
Note: Base automatically filters templates to only include read permissions when applied to guests.
7. Save Permissions:
Click "Save Permissions" or "Update" to apply the configuration
Changes take effect immediately
The guest user's access is updated according to the new permissions
Permission Configuration Details
Module Permission Structure:
Each module's permissions are structured as:
```javascript
{
  module: {
    read: {
      feature: true/false  // e.g., jobs: true, invoices: true
    },
    chat: true/false       // If messaging is enabled for this module
  }
}
```
Default Guest Permissions:
When a guest is first approved, they typically receive:
Minimal Access: Only basic read permissions, if any
No Chat: Chat is typically disabled by default
Restricted Visibility: Job visibility is typically restricted
You must explicitly grant permissions for guests to access content.
Permission Inheritance:
Guest permissions work with:
Watchers: Guests must be added as watchers to specific records to see them
Collaborators: Guests can see records they're collaborators on
Job Visibility: Company-level job visibility settings further restrict access
Using Permission Templates
Applying Templates:
When configuring guest permissions:
1. Select a permission template from the "Apply Template" dropdown
2. Base automatically applies the template's permissions
3. Base filters out any non-read permissions (guests can only have read access)
4. Adjust individual permissions as needed
5. Save the configuration
Creating Guest-Specific Templates:
Consider creating templates specifically for Base Connect guests:
"Base Connect Guest - Full Read": Read access to all modules
"Base Connect Guest - Jobs Only": Read access only to jobs
"Base Connect Guest - Invoices Only": Read access only to invoices
"Base Connect Guest - Minimal": Minimal read access
See What are User Access Permission Templates? for more information.
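The template filtering and the access rules described under Permission Inheritance can be modelled together to check a planned guest configuration. This is an added example, not Base's own code or API: every function and field name is hypothetical, and it assumes the read feature key matches the module name, that chat is not carried over from a template, and that job visibility applies only to job records.

```javascript
// Simplified model of the guest rules on this page; not Base's implementation.
// Template step: keep only the read map of each module (edit/admin/etc. are dropped).
// Assumption: chat is not inherited from the template and is enabled separately.
function filterTemplateForGuest(template) {
  const out = {};
  for (const [module, perms] of Object.entries(template)) {
    out[module] = { read: { ...(perms.read || {}) }, chat: false };
  }
  return out;
}

// Returns the reasons a guest cannot see a record; an empty list means visible.
function explainGuestAccess(guest, record) {
  const reasons = [];
  const perms = guest.permissions[record.module];
  if (!perms || !perms.read || perms.read[record.module] !== true) {
    reasons.push(`no read permission for module "${record.module}"`);
  }
  const linked = record.watchers.includes(guest.id) ||
                 record.collaborators.includes(guest.id);
  if (!linked) reasons.push("guest is not a watcher or collaborator on this record");
  if (record.module === "jobs") {
    const v = guest.jobVisibility; // mode: "all" | "specific" | "connected"
    const allowed = v.mode === "all" ||
      (v.mode === "specific" && v.companies.includes(record.companyId)) ||
      (v.mode === "connected" && record.companyId === guest.connectedCompanyId);
    if (!allowed) reasons.push(`job visibility excludes company "${record.companyId}"`);
  }
  return reasons;
}

// Constructed sample data (not real Base records).
const template = {
  jobs: { read: { jobs: true }, edit: { jobs: true }, chat: true },
  invoices: { read: { invoices: true }, admin: { invoices: true } },
};
const guest = {
  id: "guest-1", connectedCompanyId: "acme",
  permissions: filterTemplateForGuest(template),
  jobVisibility: { mode: "connected", companies: [] },
};
const sharedJob = { module: "jobs", companyId: "acme", watchers: ["guest-1"], collaborators: [] };
const otherJob = { module: "jobs", companyId: "other", watchers: ["guest-1"], collaborators: [] };
const unwatched = { module: "invoices", companyId: "acme", watchers: [], collaborators: [] };

for (const r of [sharedJob, otherJob, unwatched]) console.log(explainGuestAccess(guest, r));
```

The reasons returned map onto the checks listed under Troubleshooting: module permission, watcher or collaborator status, and job visibility.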
Best Practices
Security First:
Principle of Least Privilege: Grant only the minimum permissions needed
Start Restrictive: Begin with minimal permissions and expand as needed
Regular Reviews: Periodically review guest permissions to ensure they're still appropriate
Remove When Done: Revoke guest access when projects or collaborations complete
Permission Organization:
Use Templates: Create and use permission templates for consistency
Document Permissions: Keep notes on why specific permissions were granted
Standardize: Use consistent permission sets for similar guest roles
Access Management:
Watchers Required: Remember that guests need to be added as watchers to see specific records
Job Visibility: Configure job visibility appropriately for each guest
Chat Control: Enable chat only when guests need to communicate on shared records
Collaboration Balance:
Enable Collaboration: Grant sufficient permissions for effective collaboration
Maintain Security: Don't grant more access than necessary
Monitor Usage: Keep an eye on how guests are using their access
Troubleshooting
Guest Can't See Expected Records:
If a guest can't see records they should have access to:
Check Permissions: Verify they have read permissions for the relevant module
Verify Watchers: Ensure the guest is added as a watcher to the specific record
Check Job Visibility: Verify job visibility settings allow access to the company
Review Collaborators: Check if the guest needs to be added as a collaborator
Connection Status: Ensure the Base Connect connection is still active
Guest Has Too Much Access:
If a guest can see more than they should:
Review Permissions: Check their module permissions
Check Job Visibility: Verify job visibility settings aren't too permissive
Review Watchers: Check which records they're watching
Reduce Permissions: Remove unnecessary permissions
Can't Configure Permissions:
If you can't configure guest permissions:
Check Role: Only Owners and Admins can configure guest permissions
Verify Connection: Ensure the Base Connect connection is active
Check Guest Status: Verify the guest has been approved
Try Individual Configuration: Try configuring permissions for one guest at a time
Related Features
Configuring Base Connect guest permissions works with several other features:
Request Internal Users or Approve External Users as Guests: Learn how to approve guests before configuring permissions
How to Connect an External Company: Understand the Base Connect connection process
What are User Access Permission Templates?: Learn how to create and use permission templates
User Access Control: Understand the broader permission system in Base
Summary
Configuring permissions for Base Connect guests is essential for enabling secure collaboration with external partners. By understanding the permission structure, using templates for consistency, and following security best practices, you can provide guests with appropriate access while maintaining data security. Remember that guests are restricted to read-only access and must be explicitly granted access to specific records through watchers or collaborators.
If you have questions about configuring guest permissions or encounter any issues, our support team is ready to help.
