Access Rules are much more robust. Protected ranges in Google Sheets allow designating particular ranges to be editable by specific people. They do not protect data from viewing, because hidden data may be easily exposed, e.g. via exports. In Grist, both view and edit restrictions work robustly, protecting data at all levels and preventing the export of restricted data. As importantly, they work as dynamic rules expressed in business logic, and don’t require manual updates as data changes. For example, you can create a rule that allows access only to records whose “region” field matches the region associated with the logged-in user. This rule will then apply whenever records are added or changed, when adding new users, or when their associated region is changed. In Google Sheets, the protected range would need to be updated manually in all cases.

Regular document sharing (as configured by the document owner(s) via the “Manage Users” dialog) defines the first level of protection. It is always applied and enforced first. For users who pass this level, access rules can restrict them further. For example, suppose you’d like someone to have view-only access to your document but allow adding records to one table. In that case, you have to give them Editor access in the document-level sharing, and use rules to restrict their editing privileges to your needs. For another example, if you’d like to make a single cell from a single table publicly available, you’ll need to make your document publicly viewable, and create access rules that restrict the public from viewing anything except that one cell.

You don’t have to know how to code. The level of technical skills required is similar to writing Excel formulas. However, Access Rules are an advanced feature. It is important to put in the time to learn it because you’ll probably be using it for sensitive data, and will want to have confidence in your rules. We have detailed documentation and videos (including webinar recordings) where we explain when and how to use them. Note that we also have the Sprouts Program to help you build your solution, and we encourage you to reach out if you’d like expert help.

The SaaS service provided by Grist does not currently have compliance certifications. However, our self-managed product allows users to run an instance of Grist on premises under their own control, and can be used to meet compliance needs. When paired with Access Rules, this does allow configuring access for different roles in a way to address compliance requirements. Please reach out if you are interested in our self-managed options.

Yes, Grist offers several options for sharing data outside your team. First, to share any part of a document with a user, you have to share the document itself with them. Grist allows any document to be shared with two guests (users external to the team). You can also add any person to your team site, even if they are not part of your organization, and share as much or as little as you like with them. Another option is to make the document publicly accessible (aka link-shared), with either view-only or editing permission. This allows anyone to open your document, including users who are not signed-in. You can use Access Rules to restrict the access of such users to only the data and the operations needed.

You can create rules for any table and control the permissions to read data, update existing records, create new records, and delete records. In addition, you can create rules for any subsets of columns, controlling the permissions to view or update values in those columns. There are also some special rules, such as permission to modify the document’s structure. In all cases, the rules may include a condition, written as a formula, for when it applies. Conditions may use the user’s info, document-level access, or some information about the user stored in the document. Conditions may also access information about the request. E.g., some use cases rely on access rules that grant additional permissions to requests with certain values in the URL (called link-keys).

Access Rules support the “View As” feature that allows you to preview your document as the particular user it is shared with or a specific role (e.g., Viewer or Editor). It is important to test your rules by using this preview feature to ensure they limit access in the way you expect.

Yes! Access Rules work at the data level of your document. A user accessing the data via the API will have the same rules applied to them as if they were accessing it via the browser.