Configure permission groups
Learn how to restrict access to apps and resources.
You can manage permission groups in the Permissions settings for your organization. You can use built-in permission groups or create your own custom groups.
Default groups
The default groups and permissions differ depending on the plan your organization uses. All pricing plans have Admin and All Users groups. Business and Enterprise plan users have more granular control over groups, and can create their own custom groups.
- Free and Team plans
- Business and Enterprise plans
The following built-in permission groups cannot be modified or removed, and the access levels cannot be changed.
| Group | Apps | Workflows | Agents | Resources |
|---|---|---|---|---|
| All Users | Edit | Edit | Edit | Own |
| Admin | Own | Own | Own | Own |
The following built-in permission groups cannot be modified or removed. These are preconfigured with default permission levels, which can be updated by an admin.
| Group | Apps | Workflows | Agents | Resources |
|---|---|---|---|---|
| All Users | None | None | None | None |
| Viewer | Use | Use | Use | Use |
| Editor | Edit | Edit | Edit | Own |
| Admin | Own | Own | Own | Own |
For organizations created before Retool version 3.259.0, the All Users group had Edit access to apps and workflows, and Use access to resources. Read more in the changelog entry.
Create a custom group
| Custom permission groups Availability | |||
|---|---|---|---|
| Cloud | Generally Available | ||
| Self-hosted Edge 3.33 or later | Generally Available | ||
| Self-hosted Stable 3.33 or later | Generally Available | ||
Click Add new members to add users to the group. You can search the list of users and select multiple users to add. Click Select all to select all users currently visible, then click Add to group.
To remove a user:
- Hover the cursor over the specified user.
- Click the ••• button to open the contextual menu.
- Select Remove from group.
Configure permission groups for a user
You can configure the permission group membership for individual users from the Users organization settings. This page lists all enabled users in your Retool organization and the permission groups to which they're a member. You can search and filter users with different criteria, such as name or last active.
Select a user from the list to display their details. The Permissions section lists the groups they belong to, along with the apps, resources, and workflows they can access.
Click Groups to modify group membership. You can add groups to the list by entering the group name. The groups list autocompletes and also presents a dropdown menu of lists to select.
Configure access rules for a permission group
Permission groups use access rules that determine the apps, resources configuration, and workflows that members can access. Access rules can also apply to folders in which these are organized.
Select the Apps, Resources, Workflows, or Agents tab to configure their respective access rules. The Select type option enables you to define specific access by configuring access individually, or apply Use all, Edit all, or Own all.
Folder permissions are inherited. Giving a user Edit access to a folder will also give that user Edit access to all of the items within that folder.
Control access to resource environments
| Per-environment permissions Availability | |||
|---|---|---|---|
| Cloud | Generally Available | ||
| Self-hosted Edge 3.312 or later | Generally Available | ||
| Self-hosted Stable 3.330 or later | Generally Available | ||
Admins for organizations on the Business or Enterprise plan can configure different access levels to resource environments in the Permissions tab. This is useful if you need to restrict access to production data but still want to allow access to other environments, such as staged data.
Access to resources and their environments are controlled by the Select access type option. To configure different access for a resource's environments, you must first set this to Define specific resource access. Once set, select a resource and click ▶︎ to reveal per-environment access control. You can then change the individual permissions for that resource's environments.
Configure per-environment access for a resource.