Skip to main content

Set up object permissions

This tutorial walks you through setting up object permissions for a team in your Retool organization. You'll create a custom group, define an object role with specific access scopes, and assign that role to the group, both as universal access and as individual access scoped to specific objects.

The object permissions feature is currently rolling out to cloud instances. It is not yet available on self-hosted instances.

Scenario: Your organization has a Data Engineering team. You want them to have Edit access to all resources (so they can work with any data source) but only Use access to apps (so they can run apps but not modify them). You also want to scope their workflow access to a specific folder.

Prerequisites

  • Retool Enterprise plan
  • Organization admin access
  • Object Permissions enabled (available from Retool 3.380)

1. Create a group

First, create a group for your Data Engineering team.

  1. Navigate to Settings > Groups.
  2. Click Create group.
  3. Enter Data Engineering as the group name.
  4. Click Create.

The new group appears in your groups list. It has no members and no permissions yet.

2. Add members to the group

  1. Select the Data Engineering group.
  2. Click Add new members.
  3. Search for and select the users on your data engineering team.
  4. Click Add to group.

You can also add pending invites. Users who haven't accepted yet will automatically inherit the group's permissions when they join.

3. Create an object role

Now define an object role with the scopes your data engineering team needs.

  1. Navigate to Settings > Roles & Permissions.
  2. Click the Create Role dropdown and select Create object role.
  3. Enter Data Engineer Access as the name and Edit access to all resources, Use access to all apps as the description.
  4. Click Next.
  5. Set the access level for each object type this role includes:
    • Resources: Edit
    • Apps: Use
  6. Leave Universal on for both Resources and Apps so the role applies to all current and future objects of those types.
  7. Click Create.

Your role is now created. It grants Edit access to every resource in the organization and Use access to every app.

4. Assign the role with universal access

Assign the role to your group so all members inherit the permissions.

  1. Navigate to Settings > Groups and select Data Engineering.
  2. Go to the Object Permissions tab.
  3. Click Add Role.
  4. Select Data Engineer Access.
  5. Click Save.

All current and future members of the Data Engineering group now have Edit access to all resources and Use access to all apps.

5. Create a role for workflow folder access

Your team needs Edit access to a specific workflow folder, but not to all workflows. Before scoping access to a folder, create an object role with workflow edit access that you can assign individually in the next step.

  1. Navigate to Settings > Roles & Permissions.
  2. Click the Create Role dropdown and select Create object role.
  3. Enter Data Engineering Workflows as the name and Edit access for specific workflow folders as the description.
  4. Click Next.
  5. Set Workflows to Edit.
  6. Turn Universal off for Workflows. This makes the role assignable to specific workflows or folders rather than every workflow in the organization.
  7. Click Create.

6. Add individual access for a specific workflow folder

Assign the new role to your group, scoped to the Data Pipelines folder. Because the role was created with Universal off for workflows, you select the folder when you assign it.

  1. Navigate to Settings > Groups and select Data Engineering.
  2. Go to the Object Permissions tab.
  3. Click Add object.
  4. Select the Data Engineering Workflows role.
  5. Browse to and select the Data Pipelines folder.
  6. Click Save.

Granting access to a folder applies to all workflows within it, including workflows added later. If a workflow is moved out of the folder, it no longer inherits this permission.

7. Verify access

Check that the permissions are configured correctly.

  1. On the Object Permissions tab, switch to View by: Object to see everything the group can access organized by type.
  2. Switch to View by: Role to confirm the Data Engineer Access role is listed and which scopes it provides.
  3. To verify a specific user's effective permissions, go to Settings > Users, select a member of the Data Engineering group, and check their Object Permissions tab.

What you built

Your Data Engineering group now has:

ObjectAccess levelScope
All resourcesEditUniversal
All appsUseUniversal
Data Pipelines workflow folderEditIndividual

Members can connect to any resource and run queries, run any app as an end user, and build and edit workflows in the Data Pipelines folder, without any broader access to modify apps or manage the organization.

Next steps