
Configure user permissions

Learn how to restrict access to apps and resources.

Available on: Business plan, Enterprise plan
Availability

Permission groups are not available on the Free and Team plans.

Retool organization admins can use permission groups to control access to apps, workflows, and configured resources. App owners and admins can also use direct sharing to share apps with users, independent of permission groups.

Permission groups cannot be used to control access to Retool Database.

Configure permission groups for a user

You can configure the permission group membership for individual users from the Users organization settings. This page lists all enabled users in your Retool organization and the permission groups of which they're a member. You can search and filter users with different criteria, such as name or last active.

Select a user from the list to display their details. The Permissions section lists the groups of which the user is a member, along with the apps, resources, and workflows to which they have access.

Click Groups to modify group membership. You can add groups to the list by entering the group name. The groups list autocompletes and also presents a dropdown menu of groups to select from.

Configure permission groups for multiple users

You can manage permission groups directly to more easily configure membership for multiple users. Navigate to the Permissions settings and select the group to manage.


Click Add new members to add users to the group. You can search the list of users and select multiple users to add. Click Select all to select all users currently visible, then click Add to group.

To remove a user:

  1. Hover the cursor over the specified user.
  2. Click the ••• button to open the contextual menu.
  3. Select Remove from group.

Configure access rules for a permission group

Permission groups use access rules that determine the apps, resource configurations, and workflows that members can access. Access rules can also apply to the folders in which these are organized.

Select the Apps, Resources, or Workflows tab to configure their respective access rules. The Select type option enables you to define specific access by configuring access individually, or apply Use all, Edit all, or Own all. Note that permission groups are not currently supported for Retool Database.


Directly share apps with users and groups

When Allow app owners to manage permissions in Settings > Advanced is enabled, app owners can directly share apps with individual users and groups.

Once enabled, app owners can use the Share modal to share an app with any member of their organization. They can set the access level—Use, Edit, or Own—for the given user or group. Admins can also invite users to their organization and give them direct access without creating a new permission group. App owners can only share with existing users in their organization.


In the Share modal, app owners can view all users who have access granted through direct sharing. Admins can view all users with access, including those granted access through permission groups.

Hide or disable components for users and groups

The current_user object contains metadata about the currently logged-in user. This includes groups, which contains an array of permission groups. You can use this data to restrict access to certain components.

You can include conditional checks that dynamically change the behavior of apps based on the user's group membership. For example, you could disable a button for members of a group named Marketing. To do this, you would set the Disabled value in the Inspector to {{current_user.groups.map(group => group.name).includes('Marketing')}}

Restrict access to certain data

You can also restrict access to database records by referencing current_user in queries. current_user.email uniquely identifies the email address of the user running the query.

For example, you could restrict access to an employees table that contains a manager field, populated with the manager’s email address, by referencing current_user.email:

SELECT
  *
FROM
  employees
WHERE
  manager = {{current_user.email}};

You can also reference current_user within a resource's configuration. For example, you can always include current_user.email in the request body. Retool organizations integrated with OpenID SSO providers also provide identification using current_user.metadata.idToken. This provides greater flexibility for restricting access.
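
The group check and the current_user.email filter described above, modelled in plain JavaScript as an added example (not Retool's code and not part of the original page): it evaluates the page's Marketing expression and an allow-list variant against constructed users, and applies the manager filter to constructed rows. The helper names, users, and rows are assumptions made for illustration.

```javascript
// Constructed sample data shaped like the current_user fields this page
// references (groups[].name and email). All names and addresses are made up.
const users = {
  marketer: { email: "mia@example.com", groups: [{ name: "Marketing" }] },
  manager: { email: "raj@example.com", groups: [{ name: "Finance" }] },
  noGroups: { email: "new@example.com", groups: [] },
};
const employees = [
  { name: "Ana", manager: "raj@example.com" },
  { name: "Ben", manager: "raj@example.com" },
  { name: "Cy", manager: "lee@example.com" },
];

// Hypothetical helper: group names for a user. A missing or non-array
// groups field is treated as "no groups" instead of throwing.
function groupNames(user) {
  const groups = user && Array.isArray(user.groups) ? user.groups : [];
  return groups.filter(Boolean).map((group) => group.name);
}

// Deny-list form, same logic as the page's Disabled expression.
function disabledForMarketing(user) {
  return groupNames(user).includes("Marketing");
}

// Allow-list form: disabled unless the user is in one of the allowed groups,
// so users with no groups (or a malformed object) end up disabled.
function disabledUnlessIn(user, allowed) {
  return !groupNames(user).some((name) => allowed.includes(name));
}

// In-memory model of: WHERE manager = {{current_user.email}}
// A missing or empty email matches no rows.
function visibleEmployees(user, rows) {
  if (!user || typeof user.email !== "string" || user.email === "") return [];
  return rows.filter((row) => row.manager === user.email);
}

for (const [label, user] of Object.entries(users)) {
  console.log(label, {
    denyList: disabledForMarketing(user),
    allowList: disabledUnlessIn(user, ["Finance"]),
    rows: visibleEmployees(user, employees).map((row) => row.name),
  });
}
```

With the deny-list form, a user who belongs to no groups keeps the component enabled; the allow-list form disables it for anyone outside the listed groups.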

See the Row-level security page for information on limiting access to database records.