Configure permission controls
Learn how to restrict access to apps and resources.
Permission groups are not available on the Free and Team plans.
Organization admins can use permission groups to restrict users from accessing certain apps, workflows, or connected resources.
App owners and admins can also use direct sharing to share apps with users, independent of permission groups.
Permission groups cannot be used to control access to Retool Database.
Permission levels
There are three permission levels for apps, resources, and workflows: Use, Edit, and Own.
| Permission | Apps | Resources | Workflows |
|---|---|---|---|
| Use | Interact with apps only. | Access only resources for app and workflows queries. | Run workflows only. |
| Edit | Build, edit, and delete apps. | View resource configuration and write queries for it. | Build, edit, and delete workflows. |
| Own | Build, edit, delete, rename, move, and export apps. Create, edit, delete, and rename app folders. | Create, edit, delete, rename, and move resources. Create, edit, delete, and rename resource folders. | Build, edit, delete, rename, move, and export workflows. Create, edit, delete, and rename workflow folders. |
Manage permission groups
You can manage permission groups in the Permissions settings for your organization. You can use built-in permission groups or create your own custom groups.
Default groups
The following built-in permission groups cannot be modified or removed. These are preconfigured with default permission levels.
| Group | Apps | Resources | Workflows |
|---|---|---|---|
| All Users | Edit | Own | Edit |
| Viewer | Use | Use | Use |
| Editor | Edit | Own | Edit |
| Admin | Own | Own | Own |
Create a custom group
Click Add new members to add users to the group. You can search the list of users and select multiple users to add. Click Select all to select all users currently visible, then click Add to group.
To remove a user:
- Hover the cursor over the specified user.
- Click the ••• button to open the contextual menu.
- Select Remove from group.
Configure permission groups for a user
You can configure the permission group membership for individual users from the Users organization settings. This page lists all enabled users in your Retool organization and the permission groups to which they're a member. You can search and filter users with different criteria, such as name or last active.
Select a user from the list to display their details. The Permissions section lists the groups they belong to, along with the apps, resources, and workflows they can access.
Click Groups to modify group membership. You can add groups to the list by entering the group name. The groups list autocompletes and also presents a dropdown menu of lists to select.
Configure access rules for a permission group
Permission groups uses access rules that determine the apps, resources configuration, and workflows to which members can access. Access rules can also apply to folders in which these are organized.
Select the Apps, Resources, or Workflows tab to configure their respective access rules. The Select type option enables you to define specific access by configuring access individually, or apply Use all, Edit all, or Own all. Note that permission groups are not currently supported for Retool Database.
Directly share apps with users and groups
When Allow app owners to manage permissions in Settings > Advanced is enabled, app owners can directly share apps with individual users and groups.
Once enabled, app owners can use the Share modal to share an app with any member of their organization. They can set the access level—Use, Edit, or Own—for the given user or group. Admins can also invite users to their organization and give them direct access without creating a new permission group. App owners can only share with existing users in their organization.
In the Share modal, app owners can view all users who have access granted through direct sharing. Admins can view all users with access, including those granted access through permission groups.
Hide or disable components for users and groups
The current_user object contains metadata about the currently logged-in user. This includes groups, which contains an of permission groups. You can use this data to restrict access to certain components.
You can include conditional checks that dynamically change the behavior of apps based on the user's group membership. For example, you could disable a button for members of a group named Marketing. To do this, you would set the Disabled value in the Inspector to {{current_user.groups.map(group => group.name).includes('Marketing')}}
Restrict access to certain data
You can also restrict access to database records by referencing current_user in queries. current_user.email uniquely identifies the email address of the user running the query.
For example, you could restrict access to an employees table that contains a manager field, populated with the manager’s email address, by referencing current_user.email:
SELECT
*
FROM
employees
WHERE
manager = {{current_user.email}};
You can also reference current_user within a resource's configuration. For example, you can always include current_user.email in the request body. Retool organizations integrated with OpenID SSO providers also provide identification using current_user.metadata.idToken. This provides greater flexibility for restricting access.
See the Row-level security page for information on limiting access to database records.