Configure group roles and permissions
Create reusable permission sets for role-based access control.
Roles and permissions availability

| Deployment | Availability |
|---|---|
| Cloud-hosted | Public beta |
| Self-hosted (3.267 Edge) | Public beta |
| Self-hosted (3.196 Stable and later) | |
You can create roles with granular permissions, which allow groups to manage certain organization settings. This is useful for organizations that want a role-based access control approach with more fine-grained access, without needing to grant users full admin privileges.
Role-based permissions offer much greater access control than existing permission groups. Once you configure the necessary roles to control access, you can apply them to any number of groups. Retool will eventually transition to role-based access controls as the method with which you manage permissions.
To enable this feature, navigate to Settings > Beta and enable Permissions v2.
Permission groups vs. role-based permissions
Retool currently supports permission groups that allow organizations to control access on a per-group basis. Permission groups are not reusable, so if you need to apply the same access controls to multiple groups, you must configure each group separately.
Role-based permissions also allow for an elevated level of access to certain settings that would normally be available only to admins. For example, a Design team may need access to your organization's branding settings to ensure the Retool organization follows branding styles and guidelines. To do this, an admin can either:
- Add the Design team members to the admin group. This grants them access to the branding settings but also gives the team access to all other admin-level settings.
- Create a role that has the Manage branding permission enabled and apply it to the Design team's group. The team can then configure branding settings but is restricted from accessing any other settings.
Only organization admins can configure roles and their permissions.
Create a role
Create roles that have only the minimum permissions needed. You can create and assign multiple roles to groups so that members receive a combination of their permissions.
A role contains a set of permissions that grant access to specific organization settings, such as Manage Spaces. You create each role and select which permissions are applicable. Once completed, you then select the groups to which the role applies. Each user within the group then inherits the role permissions.
To get started, sign in to your Retool organization and navigate to Settings > Roles & Permissions. Then, click Create Role to create a new custom role.
You define the name and description for each role, and select which permissions to set. You can search through permissions or filter them by type, such as User management and Configuration. Each permission controls access to a specific settings page within your organization. For example, enabling the Manage branding permission allows access to the Manage branding settings page.
Toggle the permissions that should apply to the role. The Permissions preview pane displays a summary of the role's permissions as you make changes.
Click Save changes once you complete the changes to your role. You can return to the role at any time to make further changes, if needed.
Assign the role to groups
You can assign roles to groups from either the Roles & Permissions or Groups page.
- Assign groups to a role: The Assignment tab contains a list of groups to which the role is assigned. Click + Add group assignment to select which groups are assigned the role. You can also click > to expand a group and view a complete list of its members.
- Assign roles to a group: The Groups settings page is where you manage all groups for your organization. To change roles for a group, select the group and click Modify role assignments.
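Because a group can hold several roles and its members inherit the combined permissions, it helps to review what each assignment actually grants. The following is an added example, not Retool code or a Retool export format: it models roles, groups and members as constructed Python dictionaries and flags groups whose combined roles exceed a review baseline. The role names, group names, users and the `EXPECTED` baseline are hypothetical, and it assumes a user in several groups receives the union of those groups' permissions.

```python
# Added example with constructed data; not a Retool API or export format.
ROLES = {  # hypothetical role name -> permissions (names taken from the page)
    "Brand manager": {"Manage branding"},
    "Space manager": {"Manage Spaces"},
}
GROUP_ROLES = {"Design": ["Brand manager"],
               "Platform": ["Brand manager", "Space manager"]}
GROUP_MEMBERS = {"Design": ["dana", "eli"], "Platform": ["eli", "pat"]}
# Hypothetical review baseline: what each group is expected to need.
EXPECTED = {"Design": {"Manage branding"}, "Platform": {"Manage Spaces"}}


def group_permissions(group):
    """Union of the permissions of every role assigned to the group."""
    perms = set()
    for role in GROUP_ROLES.get(group, []):
        if role not in ROLES:
            raise KeyError(f"group {group!r} references unknown role {role!r}")
        perms |= ROLES[role]
    return perms


def user_permissions(user):
    """Assumption: a user inherits from every group they are a member of."""
    perms = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            perms |= group_permissions(group)
    return perms


def excess_by_group():
    """Permissions each group holds beyond its expected baseline."""
    findings = {}
    for group in GROUP_ROLES:
        extra = group_permissions(group) - EXPECTED.get(group, set())
        if extra:
            findings[group] = extra
    return findings


if __name__ == "__main__":
    for group, extra in sorted(excess_by_group().items()):
        print(f"{group}: exceeds baseline with {sorted(extra)}")
    for user in ("dana", "eli", "pat"):
        print(user, sorted(user_permissions(user)))
```

Here the Platform group is flagged because its second role adds Manage branding, which its baseline does not call for.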