Skip to main content

Role-based access control (RBAC)

Role-based access control (RBAC) lets organization admins define roles with specific permission scopes and assign those roles to groups. Every member of a group inherits the permissions of all roles assigned to that group.

This approach offers several advantages:

  • Principle of least privilege: Grant only the minimum permissions needed.
  • Reusable roles: Define a role once and apply it to multiple groups.
  • Simplified management: Update a role's permissions and all assigned groups inherit the changes immediately.
  • Clear audit trail: Track who has access to what through role assignments.

Organization roles

Organization roles contain scopes that control access to organization-wide settings, such as managing billing, configuring SSO, editing the query library, or viewing audit logs. These roles also let you delegate administrative responsibilities to non-admin users without granting full admin access using admin granularity.

Available on Business and Enterprise plans. The available scopes differ by plan:

  • Business: Non-sensitive settings: query library, draft apps, themes, Assist, user visibility.
  • Enterprise: All Business scopes plus admin granularity: SSO, billing, IAM credentials, audit logs, Spaces, source control, and more.

For a deep dive, see Organization roles.

Role grants

A role grant links a role to a group. When you assign a role to a group, every member of that group receives the permissions defined by that role. If a user belongs to multiple groups, their permissions are additive: they inherit the combined permissions of all roles across all their groups.

Default roles and groups

Retool automatically creates default roles and groups for every organization. These cannot be edited, reassigned, or deleted.

Default groupOrganization role
AdminsAll organization permission scopes
EditorsQuery library (edit), view users, manage account details, unpublished releases, drafts
ViewersQuery library (view), view users, manage account details

Next steps