Permissions quickstart
Learn about the fundamental concepts of permissions and access control.
You can configure user permissions to restrict access to apps, resources, and workflows. You add users to permission groups that use access rules which determine what members can access.
Permission groups
A permission group is a list of users by which to restrict access. You add users to one or more groups and then configure the group's level of access. This applies the same permissions to all group members.
The Members tab lists all group members. You can use the default permission groups or create custom groups with more granular control.
Default permission groups
The default groups and permissions differ depending on the plan your organization uses. All pricing plans have Admin and All Users groups. Business and Enterprise plan users have more granular control over groups, and can create their own custom groups.
- Free and Team plans
- Business and Enterprise plans
The following built-in permission groups cannot be modified or removed, and the access levels cannot be changed.
| Group | Apps | Resources | Workflows |
|---|---|---|---|
| All Users | Edit | Own | Edit |
| Admin | Own | Own | Own |
The following built-in permission groups cannot be modified or removed. These are preconfigured with default permission levels, which can be updated by an admin.
| Group | Apps | Resources | Workflows |
|---|---|---|---|
| All Users | None | None | None |
| Viewer | Use | Use | Use |
| Editor | Edit | Own | Edit |
| Admin | Own | Own | Own |
For organizations created before Retool version 3.259.0, the All Users group had Edit access to apps and workflows, and Use access to resources. Read more in the changelog entry.
Custom permission groups
Custom permission groups are limited to Business and Enterprise plans.
You can create additional permission groups and configure them with the granularity of access you require.
You can also designate group members as group admins to add or remove members for only that group. Group admins can view all users in your Retool organization but can only modify group membership.
Access rules
Retool applies access rules hierarchically. Access rules for folders do not apply to individual apps and workflows that have different rules.
There are three access rules in Retool: Use, Edit, and Own. These access rules are functionally similar across apps, resources, and workflows, but there are some slight differences. You can also apply access rules to all apps, workflows, or resources with Use all, Edit all, or Own all.
You can configure the following custom group access rules in the Apps, Resources, and Workflows tabs.
| Access | Apps | Workflows | Resources |
|---|---|---|---|
| Use | View and interact with the app. | View and run the workflow. | Run queries in apps and workflows. |
| Edit | Make changes to an existing app. | Make changes to an existing workflow. | Run and write queries with the resource. |
| Own | Rename, move, export, delete, and manage permissions of an existing app. | Rename, move, export, and delete an existing workflow. | Run and write queries, and edit the resource configuration. |
From the Resources tab, you can also configure resource permissions per environment. This is useful when access should differ by environment—for example, if production data is sensitive, you can give developers Edit access to only a resource's dev environment. By default, environment permissions inherit access levels from the resource.
Folder access rules
You can also configure access rules for app, resource, and workflow folders. These access rules set different permissions and are inherited by their contents.
| Access | App folders | Workflow folders | Resource folders |
|---|---|---|---|
| Use | View and interact with all apps in the folder. | View and run workflows in the folder. | Write queries in apps and workflows in the folder. |
| Edit | Create new apps and make changes to existing apps in the folder. | Create new workflows and make changes to existing workflows in the folder. | Write and edit queries against resources in the folder. |
| Own | Rename, move, export, and delete apps in the folder. | Rename, move, export, and delete workflows in the folder. | Create, rename, move, and edit resources in the folder. |
For a user to move an object to a different folder, they must have Own access to an object and either Edit or Own access on the folder.
Inheritance
Once configured, all new apps either created in or moved to the folder inherit its permissions.
Subfolders inherit the permissions of their parent folder. Users with Edit access to a folder are permitted to create subfolders within it.
Additional access rules
Permission groups also have additional access rules for other aspects of Retool. These include:
- Query Library: Whether users are restricted from accessing the Query Library, can edit queries, or use queries in apps.
- Settings page visibility: Whether users can view the Users settings and audit logs.
- Release versions: Whether users can access unpublished releases of an app.
You can only configure these additional access rules for custom groups.