Set up object permissions
Learn how to create a group, define an object role, and assign it to control access to apps, resources, workflows, and agents in Retool.
This tutorial walks you through setting up object permissions for a team in your Retool organization. You'll create a custom group, define an object role with specific access scopes, and assign that role to the group, both as universal access and as individual access scoped to specific objects.
The object permissions feature is currently rolling out to cloud instances. It is not yet available on self-hosted instances.
Scenario: Your organization has a Data Engineering team. You want them to have Edit access to all resources (so they can work with any data source) but only Use access to apps (so they can run apps but not modify them). You also want to scope their workflow access to a specific folder.
Prerequisites
- Retool Enterprise plan
- Organization admin access
- Object Permissions enabled (available from Retool 3.380)
1. Create a group
First, create a group for your Data Engineering team.
- Navigate to Settings > Groups.
- Click Create group.
- Enter
Data Engineeringas the group name. - Click Create.
The new group appears in your groups list. It has no members and no permissions yet.
2. Add members to the group
- Select the Data Engineering group.
- Click Add new members.
- Search for and select the users on your data engineering team.
- Click Add to group.
You can also add pending invites. Users who haven't accepted yet will automatically inherit the group's permissions when they join.
3. Create an object role
Now define an object role with the scopes your data engineering team needs.
- Navigate to Settings > Roles & Permissions.
- Click the Create Role dropdown and select Create object role.
- Enter
Data Engineer Accessas the name andEdit access to all resources, Use access to all appsas the description. - Click Next.
- Set the access level for each object type this role includes:
- Resources: Edit
- Apps: Use
- Leave Universal on for both Resources and Apps so the role applies to all current and future objects of those types.
- Click Create.
Your role is now created. It grants Edit access to every resource in the organization and Use access to every app.
4. Assign the role with universal access
Assign the role to your group so all members inherit the permissions.
- Navigate to Settings > Groups and select Data Engineering.
- Go to the Object Permissions tab.
- Click Add Role.
- Select Data Engineer Access.
- Click Save.
All current and future members of the Data Engineering group now have Edit access to all resources and Use access to all apps.
5. Create a role for workflow folder access
Your team needs Edit access to a specific workflow folder, but not to all workflows. Before scoping access to a folder, create an object role with workflow edit access that you can assign individually in the next step.
- Navigate to Settings > Roles & Permissions.
- Click the Create Role dropdown and select Create object role.
- Enter
Data Engineering Workflowsas the name andEdit access for specific workflow foldersas the description. - Click Next.
- Set Workflows to Edit.
- Turn Universal off for Workflows. This makes the role assignable to specific workflows or folders rather than every workflow in the organization.
- Click Create.
6. Add individual access for a specific workflow folder
Assign the new role to your group, scoped to the Data Pipelines folder. Because the role was created with Universal off for workflows, you select the folder when you assign it.
- Navigate to Settings > Groups and select Data Engineering.
- Go to the Object Permissions tab.
- Click Add object.
- Select the Data Engineering Workflows role.
- Browse to and select the
Data Pipelinesfolder. - Click Save.
Granting access to a folder applies to all workflows within it, including workflows added later. If a workflow is moved out of the folder, it no longer inherits this permission.
7. Verify access
Check that the permissions are configured correctly.
- On the Object Permissions tab, switch to View by: Object to see everything the group can access organized by type.
- Switch to View by: Role to confirm the
Data Engineer Accessrole is listed and which scopes it provides. - To verify a specific user's effective permissions, go to Settings > Users, select a member of the Data Engineering group, and check their Object Permissions tab.
What you built
Your Data Engineering group now has:
| Object | Access level | Scope |
|---|---|---|
| All resources | Edit | Universal |
| All apps | Use | Universal |
| Data Pipelines workflow folder | Edit | Individual |
Members can connect to any resource and run queries, run any app as an end user, and build and edit workflows in the Data Pipelines folder, without any broader access to modify apps or manage the organization.
Next steps
- Create an object role: Full reference for creating and managing object roles.
- Object roles concept guide: Understand universal vs. individual access and folder inheritance in depth.
- Admin permissions reference: Full list of available object permission scopes.
- Manage RBAC with the Retool API: Automate role and permission setup programmatically.