Fine grained permissions in retool

Did you ever find yourself having a component you only wanted admins to see? We did. It happened quite a lot actually. We needed admins to see some parts of an app or be able to assign tasks to users who were part of a group. Initially we'd hard code this into dropdown lists or window objects but as the team grew it quickly went out of date and caused mistakes.

Out of the box retool allows you to setup permissions groups and place users into them. These groups can then limit access to applications: However they only restrict or allow access to an entire app rather than component by component visibility (which is usually business specific).

Consider an app for a sales team which consists of sales leads. You have a SalesTeam group and an admin group. The app allows admins to manage sales agents and looks as follows:

Sales Dashboard

Let's consider the following fine grained permission use cases:

Permission Type 1: A component only I can see

Sales Agents can only see details of a lead that's assigned to them (make the middle box hidden if the current user is not the assignee):

{{ !=}}

Permission Type 2: A component only a group can access

Admins should be able to see an "assign to agent" container (make the third box hidden if the current user is in the admin group):

 {{!_.some(current_user.groups, {name: "admin"})}}

Alex from Retool actually came up with this one ^

Permission Type 3: A dropdown that can only contains members of a specific group

Admins should be able to see a dropdown of Sales Agents to select from by leveraging the pre existing retool permission group. This is actually quite a bit more difficult, since retool doesn't let you examine who is in a specific group (window.get_users_in_group("SalesAgents")). For this query we need to first install the retool postgres database as a resource:

Add Retool Postgres as Resource

Then we can write the following query to get emails:

SELECT FROM user_groups
JOIN   users         ON = user_groups."userId"
JOIN   groups        ON = user_groups."groupId"
WHERE = 'admin';

Populate it in the dropdown as follows:

Dropdown options

Thanks to Alex from Retool for some advice while trying to get fine grained permissions working for our team. I think having a built in function to get the list of emails of a specific retool group inside retool itself would be would be a great help to others as well, since this use case of "assigning" tasks to someone based on an existing permissions group has come up at least 3 times for us.