Permissions quickstart
Understand how Retool permissions work and what you can configure on your plan.
Retool's permission system controls who can access and modify your apps, resources, workflows, and agents, as well as which organization settings users can change. Permissions are configured from Settings, primarily from Groups, Users, and Roles & Permissions.
How permissions work
All users in a Retool organization belong to one or more groups. Groups are the core unit of access control. You configure what a group can access, and every member inherits those permissions automatically.
There are two ways to grant access through groups:
- Configure access directly on a group from its Apps, Resources, Workflows, or Agents tab. You choose whether the group can Use, Edit, or Own each object.
- Create a role with specific permissions and assign that role to a group. All members inherit those permissions. Roles are reusable and apply to multiple groups at once.
Both approaches can coexist. Permissions are always additive: if a user belongs to multiple groups, they have the combined permissions of all their groups.
What you can configure on your plan
The permissions features available to you depend on your Retool plan.
Free and Team plans
On Free and Team plans, permissions are fixed. Every organization has two groups:
| Group | Apps | Workflows | Agents | Resources |
|---|---|---|---|---|
| All Users | Edit | Edit | Edit | Own |
| Admin | Own | Own | Own | Own |
You cannot modify these access levels, add custom groups, or manage which groups users belong to. All members are automatically in All Users. To adjust who has admin access, invite users and promote them to Admin from Users.
Business plans
Business plans add the ability to customize access across your organization.
- More default groups: Adds Viewer (Use access to all objects) and Editor (Edit access to apps, workflows, and agents; Own access to resources) groups. Admins can adjust the default access levels for all four built-in groups.
- Custom groups: Create groups for specific teams or roles and configure exactly what each group can access. Assign users to multiple groups as needed.
- Organization roles: Create roles with non-sensitive organization setting scopes, such as managing the query library, viewing draft apps, managing themes, or using Retool Assist, and assign them to groups or directly to users.
- Per-environment resource access: Configure different access levels for each resource environment (production, staging, development) within a group.
- API management: Manage group and user permissions programmatically via the Retool API.
Enterprise plans
Enterprise plans add the most granular control.
- Object roles: Create roles that grant Use, Edit, or Own access to apps, resources, workflows, and agents, either universally across all objects or scoped to specific objects and folders.
- Full organization role scopes: Includes all Business scopes plus sensitive admin functions: SSO configuration, billing, IAM credentials, audit logs, Spaces, source control, and more.
- Admin granularity: Use roles to split administrative responsibilities across multiple users without granting full admin access.
- Multipage app permissions: Configure access at the page level within a single app for more precise control over what different users can see and do.
- Seat types: Assign seat types (builder, internal user, or external user) to users, each with different default access and billing implications.
Where to configure permissions
Navigate to Settings to find all permission controls. The table below shows where each task lives.
| Task | Where |
|---|---|
| Invite users | Users |
| Add users to groups | Users (user detail) or Groups (group detail) |
| View all permissions for a user | Users (user detail > Object permissions or Organization permissions) |
| Create a custom group | Groups |
| Configure group access to objects | Groups (group detail > Apps, Resources, Workflows, or Agents) |
| Assign an organization role directly to a user | Users (user detail > Organization permissions) |
| Create or assign an organization role | Roles & Permissions |
| Create or assign an object role (Enterprise) | Roles & Permissions |
Next steps
Explore the following guides to go deeper on any area of permissions.
- Groups: Create and manage groups, configure direct access to objects.
- Users: Invite users and manage their permissions from the Users page.
- Role-based access control: Understand how roles, grants, and groups interact.