Permissions best practices
Best practices for structuring roles and managing access in Retool using role-based access control (RBAC).
Role-based access control (RBAC) in Retool lets you define roles with specific permission scopes and assign them to groups. Following these practices helps you keep access predictable, auditable, and easy to maintain as your organization grows.
Use the principle of least privilege
Grant only the minimum permissions needed for users to perform their tasks. Create focused roles with specific permissions rather than broad roles with many permissions.
Example
Instead of creating a Settings Manager role with all configuration permissions, create separate roles like Environment Manager (environments only) and Theme Manager (themes only).
Create reusable roles
Design roles based on common job functions rather than individual users. This makes roles easier to maintain and apply consistently across your organization.
Example
Create roles like Analytics Viewer, Branding Editor, or User Manager that can be assigned to multiple groups.
Combine multiple roles
Assign multiple roles to a group when users need permissions from different areas. Users inherit the combined permissions of all roles assigned to their groups.
Example
A group might need both Analytics Viewer and Audit Log Reader roles to perform their duties.
Use descriptive names
Give roles clear, descriptive names that indicate their purpose. Include the permission level in the name when appropriate.
Example
Use Branding Manager instead of Design Team Role or Theme Editor instead of Role 1.
Organize objects into folders
Folder-based permissions are easier to manage than per-object grants. When you grant access to a folder, new objects added to the folder automatically inherit the permission.
Example
Create folders like Finance Reports or HR Tools and grant access at the folder level. Any new apps or workflows added to the folder are immediately accessible to the same groups without additional configuration.
Regularly audit role assignments
Periodically review which groups have which roles assigned. Remove role assignments that are no longer needed.