Permissions
Control form access with role-based and user-based permissions for viewing, submitting, and managing forms
What This Feature Does
Permissions control who can access, fill out, and manage your forms. You can restrict forms to specific roles, individual users, or make them available to everyone on your team. Permissions ensure sensitive forms reach only authorized personnel and that data collection is properly controlled.
Permission Levels
Forms have three main permission areas:
| Permission | What It Controls |
|---|---|
| View | Who can see the form exists |
| Submit | Who can fill out and submit the form |
| Manage | Who can edit, configure, and delete the form |
Form Access Settings
Accessing Permission Settings
- Navigate to "Forms" in the left sidebar
- Select the form you want to configure
- Click "Settings" tab
- Find the "Permissions" section
Default Permissions
By default, new forms are:
- Viewable by all team members
- Submittable by all team members
- Manageable by the creator and administrators
Role-Based Permissions
Restrict form access based on user roles in your team.
Available Roles
Roles are defined by your team's configuration and typically include:
- Owner
- Admin
- Manager
- Member
- Custom roles (configured by admin)
See Roles and Permissions for more on team roles.
Setting Role-Based Access
- In form permissions settings, find "Role Access"
- Click "Configure Roles"
- For each permission level, select allowed roles:
- Who can view: Select one or more roles
- Who can submit: Select one or more roles
- Who can manage: Select one or more roles
- Save your settings
Example: Manager-Only Form
To restrict a form to managers and above:
- View: Managers, Admins, Owners
- Submit: Managers, Admins, Owners
- Manage: Admins, Owners
Example: Everyone Views, Managers Submit
To let everyone see but restrict who can submit:
- View: All roles
- Submit: Managers, Admins, Owners
- Manage: Admins, Owners
User-Based Permissions
Assign access to specific individual users.
Adding Individual Users
- In form permissions settings, find "User Access"
- Click "Add Users"
- Search and select specific users
- Choose their permission level:
- View only
- View and Submit
- Full access (view, submit, manage)
- Save your settings
Combining Role and User Permissions
You can use both:
- Roles define baseline access
- Individual users get additional access
Example:
- Role access: Managers can view and submit
- User access: Add specific workers who also need access
Removing User Access
- In user access list, find the user
- Click "Remove" or the trash icon
- User loses individual access
- They may still have access via role permissions
Submission Visibility
Control who can see submitted data.
Submission View Settings
| Setting | Who Can See Submissions |
|---|---|
| All | Anyone with form access |
| Submitter Only | Only the person who submitted |
| Assigned Users | Submitter + assigned reviewers |
| Managers+ | Managers, Admins, Owners only |
Configuring Submission Visibility
- In form settings, find "Submission Visibility"
- Select the visibility level
- Save your settings
Use Cases
All submissions visible (default):
- Team reports
- Shared checklists
- Collaborative forms
Submitter only:
- Confidential feedback
- Personal requests
- Private evaluations
Assigned users:
- Review workflows
- Approval processes
- Manager oversight
Form-Level Restrictions
Published vs Draft
- Draft forms: Only manageable users can see
- Published forms: Visible per permission settings
Archive/Inactive Forms
- Archived forms are hidden from regular users
- Admins can still access archived forms
- Unarchive to make available again
Time-Based Access
Some forms can be restricted by date:
- Available from: Form becomes accessible
- Available until: Form access ends
- After end date, form shows as unavailable
Permission Inheritance
Team-Level Settings
Some permissions are set at the team level:
- Who can create new forms
- Default permissions for new forms
- Maximum permission restrictions
Contact your team administrator for team-level settings.
Form Overrides
Individual forms can have stricter permissions than team defaults, but cannot be more permissive than team settings allow.
Secrets Management
Secure storage for sensitive credentials used in Workflows.
What Secrets Are For
Secrets securely store:
- API keys for webhooks
- Authentication tokens
- Third-party service credentials
- Sensitive configuration values
Secret Scopes
| Scope | Availability |
|---|---|
| Local | Available only to this form |
| Global | Available to all forms in the account |
Creating Secrets
- Navigate to form settings
- Find "Secrets" section
- Click "Add Secret"
- Configure:
- Name: Use UPPERCASE_WITH_UNDERSCORES format
- Value: The secret value (hidden after saving)
- Scope: Local or Global
- Save the secret
Using Secrets
Reference secrets in workflows:
- In webhook headers:
{{secrets.MY_API_KEY}} - In webhook URLs:
https://api.example.com?key={{secrets.API_KEY}}
Secret Security
- Secret values are encrypted using Supabase Vault
- Values are never displayed after creation
- Only users with manage permission can add/edit secrets
- Secrets are not included in exports or logs
Common Permission Scenarios
Safety Inspection Form
Goal: All workers submit, supervisors review
Configuration:
- View: All roles
- Submit: All roles
- Manage: Supervisors, Admins
- Submission visibility: Managers+
Confidential HR Form
Goal: Employees submit, only HR sees responses
Configuration:
- View: All roles
- Submit: All roles
- Manage: HR role only
- Submission visibility: Submitter only + HR role
Manager Approval Form
Goal: Workers submit requests, managers approve
Configuration:
- View: All roles
- Submit: Workers, Supervisors
- Manage: Admins
- Submission visibility: Assigned users (for approval workflow)
Restricted Admin Form
Goal: Only specific admins can access
Configuration:
- View: None (use user-based)
- Submit: None
- Manage: None
- User access: Add specific admin users only
Troubleshooting
If users can't see the form
- Check their role has view permission
- Verify they're not in a restricted user group
- Check if the form is published (not draft)
- Verify form isn't archived
If users can't submit
- Check their role has submit permission
- Verify the form accepts submissions
- Check time-based restrictions
- Ensure they're logged in
If users can see submissions they shouldn't
- Review submission visibility settings
- Check role-based access configuration
- Verify individual user permissions
If secrets aren't working in workflows
- Verify secret name is correct (case-sensitive)
- Check the secret scope (local vs global)
- Ensure syntax is correct:
{{secrets.NAME}} - Verify you have permission to access secrets
If permissions changes aren't applying
- Refresh the page
- Ask users to log out and back in
- Check for conflicting role/user permissions
- Contact admin for team-level restrictions
Best Practices
- Principle of least privilege: Give minimum necessary access
- Use roles over users: Easier to maintain as team changes
- Document your permissions: Note why restrictions exist
- Test with different roles: Verify access works as expected
- Review regularly: Audit permissions periodically
- Protect sensitive forms: Use appropriate restrictions
- Communicate changes: Let users know about access changes
Permission Checklist
When setting up a new form, consider:
- [ ] Who needs to view this form?
- [ ] Who should be able to submit?
- [ ] Who can manage and edit the form?
- [ ] Should submissions be visible to everyone?
- [ ] Are there time restrictions needed?
- [ ] Do workflows need secrets configured?
- [ ] Have you tested with different user roles?
What's Next
After configuring permissions, you may want to:
- Set up Workflows with secure webhook credentials
- Learn about Submissions management
- Review Views for data access
- Check Form Builder for form configuration
- Review Roles and Permissions for team settings