User permissions

Learn how to control how much access users have to your Retool apps and resources using Granular Permissions.


User-level permissions are only available on Business and Enterprise plans. All accounts on Free and Team plans have global Edit access by default and group attributes cannot be modified.

As a Retool admin, you can use Permission Groups to control which users have access to specific apps and resources. See Inviting users and authentication to learn how to invite users to Retool.

If you can't see Organization Settings > Permissions your account is not an admin and will not be able to perform the tasks described in this guide.

Managing users individually

The Users page displays all invited, suggested, enabled, and disabled users in your org.

You can search users by name or email, sort by name or when they were last active, and filter the list by user type.

Filtering users

While on the Users page, you can select the filter dropdown to select which users should be displayed. Please note that disabled users do not appear with the All users filter by default, and can only be viewed when the Disabled users filter is explicitly selected.

User list filterUser list filter

User list filter

Updating a specific user

On the Users page, you can also select any individual user. Once a user is selected, you'll see a modal that gives you more access and status details about the user.

When a user account is pending in the invited or suggested status, you'll have additional options to manage the pending state.

For invited users, the invite can be revoked, or resent. Invited users can also be added to permission groups which will determine their access when they first login.

For suggested users, the request can be declined or approved by admins. These users cannot be added to groups until approved.


Group membership

You cannot add suggested users to permission groups. Only approved invites and accepted users can be added to groups.

While in this user modal, you can also navigate to the Apps tab to show a list of folders and pages that the user is able to access, with the corresponding access level shown for each item. Items listed here represent access across all of a users groups.

Managing users at the group level

Within Retool, admins manage permissions by creating access groups. Every org has at least 4 default groups. These groups have the following special properties which cannot be changed:

  • All Users: every user within your organization will belong to this group, and the membership cannot be altered.
  • Viewer: a group with configurable membership where every member has "Use" access to all of Retool.
  • Editor: a group with configurable membership where every member has "Edit" access to all of Retool.
  • Admin: members of this group have "Own" access to all apps, folders, and resources, and can modify organization level settings.

From the groups page, you can see how many apps, resources, and members belong to each group. You can also quickly add members to a group by clicking on the users:

Group Admins

Admins can assign Group Admins to manage membership for any custom groups. They can grant any number of group members the Group Admin privileges to add new users or remove existing users. Group Admins will be able to see all users within an org, but are not able to modify any aspect of their group beyond membership (e.g. app and resource permissions).

Configuring group permissions

To configure a group, click its name or Edit to access the group detail page. Here, you can configure group membership, the apps, folders, and resources a group can access, and other additional settings.


Saving Changes

Within the group detail page, any changes you make will be in a draft state until Save changes is clicked. When you're finished editing, remember to click Save changes for your updates to take effect!

Managing group access to apps

For a Retool app, there are 3 tiers of access:

  • Use: open apps in end-user mode only with no editor access.
  • Edit: make changes to components, temporary states, transformers, and all queries that are for resources that the user has access to.
  • Own: all edit access, and the ability to delete apps permanently.

These can be set globally, for an entire folder with a folder default, or for specific pages. The checkbox selections cascade for folders, so it's easy to quickly add many apps to a group.

Managing group access to folders

Setting a permission for a folder will affect all new apps that are created or moved to that folder. For Own and Edit folder permissions, users will also have the ability to create new apps within that folder.


Folder Permissions

Clicking a folder's access level checkbox will update the permission of every app within it, and set the folder's permission to that access level. However, updating the folder's permission will not update the child apps, it will only affect new apps.

Managing resource permissions

Currently, resource permission can only be configured to be in one of two access levels: Own, or None. Users with Own access to a resource can edit that resource's configuration, and add it to apps that they can edit.


Resource Permission

If a user has Use access to an app, they can trigger all queries within that app, even if they do not explicitly have access to their resources.

Managing additional access

Groups can also have a configurable Workspace, Query library access, and access to the user list.

Managing component permissions

In the left panel of the editor, there is a current_user object that has metadata about the current user that is logged in, including their permission groups. You can disable buttons or hide components by using the current_user object in JS expressions within {{ }}.

For example, in a Hide when true field for a button, you could write {{ =>'Marketing')}} to hide that button for users in the Marketing permission group.

Did this page help you?