Skip to main content

Permissions best practices

Role-based access control (RBAC) in Retool lets you define roles with specific permission scopes and assign them to groups. Following these practices helps you keep access predictable, auditable, and easy to maintain as your organization grows.

Use the principle of least privilege

Grant only the minimum permissions needed for users to perform their tasks. Create focused roles with specific permissions rather than broad roles with many permissions.

Example

Instead of creating a Settings Manager role with all configuration permissions, create separate roles like Environment Manager (environments only) and Theme Manager (themes only).

Create reusable roles

Design roles based on common job functions rather than individual users. This makes roles easier to maintain and apply consistently across your organization.

Example

Create roles like Analytics Viewer, Branding Editor, or User Manager that can be assigned to multiple groups.

Combine multiple roles

Assign multiple roles to a group when users need permissions from different areas. Users inherit the combined permissions of all roles assigned to their groups.

Example

A group might need both Analytics Viewer and Audit Log Reader roles to perform their duties.

Use descriptive names

Give roles clear, descriptive names that indicate their purpose. Include the permission level in the name when appropriate.

Example

Use Branding Manager instead of Design Team Role or Theme Editor instead of Role 1.

Organize objects into folders

Folder-based permissions are easier to manage than per-object grants. When you grant access to a folder, new objects added to the folder automatically inherit the permission.

Example

Create folders like Finance Reports or HR Tools and grant access at the folder level. Any new apps or workflows added to the folder are immediately accessible to the same groups without additional configuration.

Regularly audit role assignments

Periodically review which groups have which roles assigned. Remove role assignments that are no longer needed.