Configure user permissions

Learn how to restrict access to apps and resources.

🚧

Granular access control with permission groups is only available on Business and Enterprise plans. All users in Retool organizations on the Free or Team plan have global Edit access.

Retool organization admins can use permission groups to control access to apps, workflows, and resources.

Configure permission groups for a user

You can configure the permission group membership for individual users from the Users organization settings. This page lists all enabled users in your Retool organization and the permission groups to which they're a member. You can search and filter users with different criteria, such as name or last active.

Select a user from the list to display their details. The Permissions section lists the groups to which the user is a member, along with the apps, resources, and workflows to which they have access.

Click Groups to modify group membership. You can add groups to the list by entering the group name. The groups list autocompletes and also presents a dropdown menu of lists to select.

Configure permission groups for multiple users

You can manage permission groups directly to more easily configure membership for multiple users. Navigate to the Permissions settings and select the group to manage.

Manage permission groups

Click Add new members to add users to the group. You can search the list of users and select multiple users to add. Click Select all to select all users currently visible, then click Add to group.

To remove a user:

  1. Hover the cursor over the specified user.
  2. Click the β€’β€’β€’ button to open the contextual menu.
  3. Select Remove from group.

Configure access rules for a permission group

Permission groups uses access rules which determine the apps, resources configuration, and workflows to which members can access. Access rules can also apply to folders in which these are organized.

Select the Apps, Resources, or Workflows tab to configure their respective access rules. The Select type option enables you to define specific access by configuring access individually, or apply Use all, Edit all, or Own all

Configure access rules

Hide or disable components for users and groups

The current_user object contains metadata about the currently logged-in user. This includes groups, which contains an of permission groups. You can use this data to restrict access to certain components.

You can include conditional checks that dynamically change the behavior of apps based on the user's group membership. For example, you could disable a button for members of a group named Marketing. To do this, you would set the Disabled value in the Inspector to {{current_user.groups.map(group => group.name).includes('Marketing')}}

Restrict access to certain data

You can also restrict access to database records by referencing current_user in queries. current_user.email uniquely identifies the email address of the user running the query.

For example, you could restrict access to an employees table that contains a manager field, populated with the manager’s email address, by referencing current_user.email:

SELECT
  *
FROM
  employees
WHERE
  manager = {{current_user.email}};

You can also reference current_user within a resource's configuration. For example, you can always include current_user.email in the request body. Retool organizations integrated with OpenID SSO providers also provide identification using current_user.metadata.idToken. This provides greater flexibility for restricting access.