[Bug] Permission Overflow

Issue:
Directly granting individual permission to a user inside an app will add the user to the 'full access list' in all other apps as well. On all apps, the user will be shown as 'GRANTED THROUGH' - 'Direct share'.

'full access list' = click 'share' button within an app, on the lower right corner of the modal, click 'view full access list'

I'm on Self Host Retool Version: 3.75.0

Thank you for reporting this @zelterNN!

I will test out the steps you outlined to reproduce this and file a bug report :sweat_smile:

Will let you know if I have any questions to get the repro up to show our engineering team :saluting_face:


Hello @zelterNN,

After some research, I have details to help explain what is going on and to help you get to the permission controls you want :sweat_smile:

So Retool has some 'fun' quirks to permissions, because there are two systems of permissions at play.

One system is the 'group' system, which is interfering with the other system. The other system is the 'direct share' system, which I imagine you are trying to use for individual permission for a single user of a single app.

When you share an app the user becomes a part of the "All Users" group for your organization, automatically.

This is why the new user is in the 'full access list', as that list includes them and all members of the current "All Users" group, which has access to all apps.

This can cause some confusion, as by default, the "All Users" group will have permission access to all apps in the org. This is a point of contention as this is unintuitive and there are arguments for and against having the default permissions be wide vs narrow.

It sounds like you do not want new users added to your org to have unlimited access. You can limit this by editing the "All Users" permission group.

This way, when you share a single app, the user is added by default to the "All Users" group, but this group will have its permissions limited and will not give the user access to all other apps. The 'direct share' system will give them access only to the specific app that was shared :sweat_smile:

To change the permissions of the "All User" group, go to "Settings"->"Permissions" and click the three dots on the far right side of the group row.

Then, at the top where it has "Select Access Type" you can toggle out of the default and select "Define specific app access", and from there use the check box toggles to set up the permissions you want for all users (i.e. all users in this group).

I apologize for the confusion, we are continually looking to improve our docs and the sharing instructions to better explain this and help users to navigate the permission controls to set things up properly and understand the default behavior in Retool :saluting_face:

Hi @Jack_T

Thanks for looking into this.

I think my scenario is pretty close to what you describe, but in my case I occasionally configure the ad-hoc permission for already established Retool users instead of a new user in the direct share.

If I understand correctly, all established users will be at least in the 'All User' group. When I configure the app in the direct share, not all users in the 'All User' group will appear in the 'full access list', but only those that have been configured in the current app or any app through this method currently (the part in issue).

So, I assume, you have a hidden 'direct share' group?

Anyway, this issue is only about the presentation of the 'full access list'. The actual permission of an app functions correctly. It creates some confusion for the app admin, because when the app admin wants to see who actually has access to the app, they will see users they didn't configure, and there's basically no way for them to remove those users from the list. :joy:

Of course no problem!

Ok it sounds like you have a good handle on the permission options :sweat_smile:

Yes all established users will be at least in the 'All User' group.

For direct share, once I changed and limited the accessibility options for 'All User' group, the members of said group no longer appeared in the Access List.

Any user that is in a group with permissions for the app will show up in the 'full access list'.

If the 'All User' group does not have access to all apps/the current app, then only users added with 'direct share' should appear in the 'access list'. I believe the term 'full' means the user has use, edit and own permissions for the current app.

I totally understand how this would be confusing for the app admin :joy: but a name showing up means a user does have access to the app. This can be changed by the org admin changing group permissions to limit user access.

Hope this helps!

That's a bit weird......

I can confirm under my 'All User' group, there's no permission configured for any app.

Just to align our understanding on 'View full access list': what I'm referring to is the lower right corner of the Share modal in an app. As you can see in my example, on the initial screen of the Share modal, no account has been configured with permission through direct share, but if I click 'View full access list', the next screen shows there are two users with permission GRANTED THROUGH 'Direct share'.

Similarly, if I add any established user on the Share modal, they will show on the 'View full access list' not only of the current app but also of all other apps as GRANTED THROUGH 'Direct share'.


Ok yes you have the 'All User' group configured to limit app access.

It looks like the 'Access List' reflects users that were given access via 'direct share'.

If those users did not receive a direct share, then I am confused and that might be a bug :sweat_smile:

I think you are correct that there is a hidden 'direct share' group for each app.
