Skip to main content

View the access list

The access list for an object shows every user and group that has access to it, what access level they have, and how they received that access. You can view the access list from the listing page for any app, resource, workflow, agent, or folder.

Only organization admins and users with Own access to the object can view its access list.

Open the access list

From the listing page for any app, resource, workflow, or agent, click the ••• menu next to the object and select View access list.

The access list for a workflow, opened from the ••• menu.

Users and Groups tabs

The access list has two tabs:

  • Users: Every individual user with access, including users who received access through group membership. The count shown reflects all users with any form of access.
  • Groups: Every group with access, and the access level that group holds.

The Users tab aggregates access from all sources. If a user has access both directly and through a group, all sources appear on that user's row.

Granted through column

The Granted through column shows how each user or group received access. A single user or group may have multiple sources.

SourceWhat it means
SharingAccess was granted directly via the Share modal or by configuring access on the group's detail page.
UniversalAccess comes from a universal role grant that applies to all objects of this type across the organization.
N groupsAccess is inherited through membership in one or more groups. Hover over the entry to see which groups.
InheritedAccess comes from a parent folder. Hover over the entry to see which folder.

Multiple sources can appear on the same row. For example, a user who is both directly shared and a member of a group with access shows "Sharing, 1 group."

Resource environments

For resources, the access list shows access per environment. If a group has different access levels across environments, for example, Use in the default environment and Own in staging, each appears as a separate entry with the environment label.

View the access list via API

You can also retrieve the access list for any object programmatically using the Retool API:

API endpoint
GET /api/v2/permissions/accessList/{objectType}/{objectId}

Supported objectType values: app, folder, resource, workflow, agent.

The response includes every user, group, and pending invite with access, their access level, and the sources that granted it (direct, universal, groups, or inherited). For full details, see Manage RBAC with the Retool API.