Hi @Sion, this approach won't work as the data type you are passing will constantly be string literals and BQ will treat it as strings. Parameterized queries are only at filter level and BQ does not allow it on any other parts of the query. Check that limitation here.
You might want to go down the route of establishing an API connection with BQ but I wouldn't recommend that. Doing this kind of dynamic query and putting the controls to the user wouldn't be wise. Your example query does not have any filters (probs for simplicity on the example) but that would essentially pull all time data of that table. You might be able to do that in BQ console but I don't think retool can support 100k+ rows of data.
What I would do is identify what common queries/data requests they have, what their needs are, and create different apps per department. This way, you can limit of access to data they actually don't need access to (ex. Project A members not gaining access to Project B data).