Role-based access control (RBAC)
Understand how role-based access control (RBAC) works in Retool, including roles, role grants, and permission groups.
Role-based access control (RBAC) lets organization admins define roles with specific permission scopes and assign those roles to groups. Every member of a group inherits the permissions of all roles assigned to that group.
This approach offers several advantages:
- Principle of least privilege: Grant only the minimum permissions needed.
- Reusable roles: Define a role once and apply it to multiple groups.
- Simplified management: Update a role's permissions and all assigned groups inherit the changes immediately.
- Clear audit trail: Track who has access to what through role assignments.
Organization roles
Organization roles contain scopes that control access to organization-wide settings, such as managing billing, configuring SSO, editing the query library, or viewing audit logs. These roles also let you delegate administrative responsibilities to non-admin users without granting full admin access using admin granularity.
Available on Business and Enterprise plans. The available scopes differ by plan:
- Business: Non-sensitive settings: query library, draft apps, themes, Assist, user visibility.
- Enterprise: All Business scopes plus admin granularity: SSO, billing, IAM credentials, audit logs, Spaces, source control, and more.
For a deep dive, see Organization roles.
Role grants
A role grant links a role to a group. When you assign a role to a group, every member of that group receives the permissions defined by that role. If a user belongs to multiple groups, their permissions are additive: they inherit the combined permissions of all roles across all their groups.
Default roles and groups
Retool automatically creates default roles and groups for every organization. These cannot be edited, reassigned, or deleted.
| Default group | Organization role |
|---|---|
| Admins | All organization permission scopes |
| Editors | Query library (edit), view users, manage account details, unpublished releases, drafts |
| Viewers | Query library (view), view users, manage account details |
Next steps
- Organization roles: Scopes, plan availability, and default org role assignments.
- Create an organization role: Step-by-step instructions.
- Admin permissions reference: Complete list of organization permission scopes by plan.
- Permissions best practices: Guidance on structuring roles and access.