Object permissions for Enterprise
The object permissions feature is currently rolling out to cloud instances. It is not yet available on self-hosted instances.
Retool now supports object roles—a new role type that grants groups Use, Edit, or Own access to specific apps, workflows, resources, and agents. Object roles are separate from organization roles, which control access to admin settings like billing and SSO.
When you create an object role, you set an access level for each object type and choose how the role applies:
- Universal access—The role applies to all current and future objects of that type across the organization.
- Individual access—Access is scoped to specific objects or folders, which you define when assigning the role to a group.
Object roles are assigned to groups from the Groups page. Once assigned, all members of the group inherit the role's permissions. You can view a group's or user's full object-level access from the Object permissions tab on their detail page in Settings.
Updates to organization roles
As part of this launch, organization roles have been updated to cleanly separate admin settings access from object-level access. The Create Role button on the Roles & Permissions page is now a dropdown where you choose between creating an object role or an organization role. A filter control on the roles list lets you view all roles, object roles only, or organization roles only.
To get started:
- Object roles—Understand how object roles work, including universal vs. individual access and folder inheritance.
- Create an object role—Step-by-step instructions for creating and managing object roles.
- Organization roles—Updated UI for managing organization roles, including a new role type selector and filter controls on the Roles & Permissions page.
- Assign roles to groups—Assign object or organization roles to groups.