Organization roles
Understand how organization roles work in Retool RBAC, including available scopes and plan differences.
Organization roles contain permission scopes that control access to organization-wide settings in Retool, such as managing billing, configuring SSO, editing the query library, or viewing audit logs. Assigning an organization role to a group gives every member of that group the ability to access or modify those settings without requiring full admin access.
Organization roles are available on the Business and Enterprise plans.
Available scopes
The permission scopes available to an organization role depend on your plan:
- Business: Scopes for non-sensitive settings: query library access, draft app management, theme editing, Assist access, user visibility, and account details.
- Enterprise: All Business scopes, plus admin granularity: an expanded set of scopes for sensitive administrative settings like SSO, billing, IAM credentials, audit logs, Spaces, and source control.
For the full list of scopes organized by category, see the Admin permissions reference.
Default organization roles
Retool automatically creates a default organization role for each built-in group:
| Group | Default organization role |
|---|---|
| Admins | All organization permission scopes |
| Editors | Query library (edit), view users, manage account details, unpublished releases, drafts |
| Viewers | Query library (view), view users, manage account details |
Default roles cannot be edited or deleted.
Next steps
- Create an organization role: Step-by-step instructions for creating and assigning org roles.
- Admin permissions reference: Complete list of available scopes by plan.