Groups
Bundle users into shared groups in Retool to grant roles and control access to apps, resources, workflows, and agents.
Groups let you bundle users together to grant shared roles and access. Instead of managing permissions per user, you assign roles and configure access once at the group level, and all members automatically inherit those permissions.
Navigate to Settings > Groups to create and manage groups for your organization.
Default groups
The default groups and permissions differ depending on the plan your organization uses. All pricing plans have Admin and All Users groups. Business and Enterprise plan users have more granular control over groups, and can create their own custom groups.
- Free and Team plans
- Business and Enterprise plans
The following built-in permission groups cannot be modified or removed, and the access levels cannot be changed.
| Group | Apps | Workflows | Agents | Resources |
|---|---|---|---|---|
| All Users | Edit | Edit | Edit | Own |
| Admin | Own | Own | Own | Own |
The following built-in permission groups cannot be modified or removed. These are preconfigured with default permission levels, which can be updated by an admin.
| Group | Apps | Workflows | Agents | Resources |
|---|---|---|---|---|
| All Users | None | None | None | None |
| Viewer | Use | Use | Use | Use |
| Editor | Edit | Edit | Edit | Own |
| Admin | Own | Own | Own | Own |
For organizations created before Retool version 3.259.0, the All Users group had Edit access to apps and workflows, and Use access to resources. Read more in the changelog entry.
Create a group
Only organization admins can create custom groups. Custom groups are available on Business and Enterprise plans.
- Navigate to Settings > Groups.
- Click Create group.
- Enter a name for the group.
- Click Create.
After creating the group, you can add members and configure roles and access from the group's detail page.
Manage group membership
Add users to a group
- Navigate to Settings > Groups and select a group.
- Click Add new members.
- Search for and select one or more users.
- Click Add to group.
You can also add pending user invites to a group. Invited users automatically inherit the group's permissions when they accept their invitation.
Designate group admins
Group admins can manage membership for their assigned group without requiring full organization admin access. Any group member can be designated as a group admin.
- Navigate to Settings > Groups and select a group.
- In the members list, hover over the user you want to promote.
- Click ••• and select Make group admin.
Protected groups (Admin, Editor, Viewer, and All Users) cannot have group admins.
Remove a user
- Navigate to Settings > Groups and select a group.
- Hover over the user you want to remove.
- Click ••• and select Remove from group.
Manage group membership from the Users page
You can also configure group membership for an individual user from Settings > Users.
- Navigate to Settings > Users and select a user.
- In the user's detail panel, click Groups.
- Type a group name or select from the dropdown to add the user to a group, or remove existing groups.
If your organization uses SAML with group claim syncing, group membership is managed by your identity provider and cannot be changed in Retool.
View and configure permissions
You can assign roles to a group from either the Groups page or the Roles & Permissions page.
For more information on creating roles, see Create an organization role.
Configure direct access
You can also grant a group access to specific objects directly, without using a role. Each group's detail page includes separate tabs for each object type:
- Apps: Grant access to specific apps or folders.
- Resources: Grant access to specific resources.
- Workflows: Grant access to specific workflows.
- Agents: Grant access to specific agents.
In each tab, use Select type to choose between applying access to all objects of that type or configuring access for individual objects.
Folder permissions are inherited. Granting a group access to a folder also grants that same access level to all objects within the folder, including objects added later.
Control access to resource environments
Admins on Business and Enterprise plans can configure different access levels for individual resource environments from the Resources tab. This is useful when you want to restrict access to production data while still allowing access to staging or development environments.
- Navigate to Settings > Groups and select a group.
- Go to the Resources tab.
- Set Select access type to Define specific resource access.
- Select a resource and click ▶︎ to expand its environment settings.
- Set the access level for each environment individually.