Give user 'use' access to application but block access to resource configurations


We want to have an external user that can access and use an app we have created, but are unable to have the user run the app's resource queries without exposing the resource configuration.

The user should have the following permissions:

  • Use the app but not be able to edit it
  • Run the app with full functionality, including running the application's underlying resource queries when appropriately triggered, but not be able to view these queries
  • No access to the resource details and configurations

We set the user workspace homepage to redirect to the app, and tried a couple configurations of permissions to try to get this behavior:

  1. Gave only 'use' permission for the app
    a. This led to the user having access to the app but not being able to run any of the queries when using it.
    b. We checked the console and each resource query resulted in 404s (screenshot below)
  2. Gave 'use' permission for the app as well as 'use' permission for relevant resources for the queries
    a. This fixed the 404 issue and the app was fully functional.
    b. However, the user could press ⌘K to find the resource and view key details that cannot be exposed to them (screenshot below).

We are wondering how we can make the user have full app functionality but not expose the resource to them, as otherwise we cannot use Retool for this use-case.

1 Like

i recently had the same issue for one of my users.. For me it would make sense to have on option to run whole app without exposing the resource section.

Hey @PadenM @PadenM Can you share what Retool version you are on? Just tried that setup on our cloud offering (v 3.22) and a user with app Use and resource Use permissions is not able to see the resource setup screen.