Admin granularity
Use Admin granularity to delegate organizational settings to non-admin users without granting full administrator access.
| Admin granularity Availability | |||
|---|---|---|---|
| Cloud | Generally Available | ||
| Self-hosted Edge 3.300 or later | Generally Available | ||
| Self-hosted Stable 3.300 or later | Generally Available | ||
Admin granularity is an Enterprise plan feature of role-based access control (RBAC) that gives organization admins fine-grained control over which organizational settings non-admin users can manage. Rather than choosing between granting full admin access or no access at all, you can create roles that delegate specific settings—such as SSO configuration, or billing management—to the teams that need them.
How admin granularity works
Retool's RBAC system lets organization admins create roles that grant access to organization settings. Admin granularity extends this by unlocking the full set of 30 permission scopes, which includes sensitive administrative capabilities like IAM credentials, SSO, and billing.
- Admins on the Business plan are limited to creating and assigning roles for non-critical permissions—things like query library access, themes, and audit log visibility.
- Admins on the Enterprise plan can create and assign roles for the remaining permissions that map to critical, or business-sensitive settings to delegate settings to non-admin users without granting full administrator access.
When a user's group is assigned a role, they can access only the settings pages or permissions access that the role grants—nothing more.
Permissions are additive: if a user belongs to multiple groups with different roles, they inherit the combined set of permissions from all their groups.
When to use admin granularity
Admin granularity is most useful when your organization has teams that own specific parts of your Retool configuration but shouldn't have unrestricted admin access. Common scenarios include:
- IT or identity teams that manage SSO and user provisioning but don't need access to billing or app settings.
- Platform or DevOps teams that configure environments, config variables, and IAM credentials without requiring full admin rights.
- Finance teams that need to view and manage billing independently.
- Design teams that manage branding and themes without touching infrastructure settings.
In each case, you can create a focused role with only the relevant permissions and assign it to the appropriate group. This follows the principle of least privilege—granting only what's needed for a user to do their job.
Manage admin granularity
You can manage admin granularity through the following pages under Settings > User management:
- Groups: Control access to apps, resources, workflows, and agents. Use groups to determine what your users can build and use in Retool.
- Roles & Permissions: Control access to organization settings. Use roles to determine which teams can configure Retool itself.
These settings pages are independent. A user can be in a group that has access to certain apps while also having a role that grants access to specific settings pages.