Now that we have external apps , how can we improve the process of creating external users, considering this is currently only possible for admins?
It would be fantastic if this access control could be managed via API. However, it seems this feature is only available for Enterprise plans, even though external apps are also included in Business plans (which I am on).
Given that the cost for each external user is $10/month, we need an efficient way to send invites to our external users without doing it manually. The goal is to expand the scope of Retool, and manual processes can be tedious and time-consuming.
Idea: This new User Action query could contain an option called Create External User which simply requires an email that do not belong to the organization domain. That sends the invite as this documentation: Build custom product pages | Retool Docs
if a random person navigates to your domain who doesn't have an email belonging to your org, they default to an external-user.
if someone navigates to your domain who does have an org email or who has been approved to join and they:
DO NOT have write permissions for anything, they're labeled as an end-user
DO have write permissions and within the current billing period have created or edited an app, module or workflow, they're labeled as a standard-user
anybody who DOES have an org email or has write permissions and they:
HAVE NOT created or edited an app, module or workflow within the current billing period is labeled an end-user
HAVE created or edited something is a standard-user
a simple way to remember this is usually:
external-user = random or unknown person
end-user = co-workers who only view/read
standard-user = other devs who create/edit anything
There's no need to hack around with intercepting tokens from the frontend - users on the business plan have access to create API tokens for user invites and user attributes. Feel free to reference the docs for how to access - the scopes available to you on your plan will be visible in your specific API page under settings.
Hey @albert thanks for the information,
Maybe I'm doing it wrong, but I have grant all the scopes to my API and still get the message
{
"success": false,
"message": "API access is only available for enterprise customers"
}
Some of the endpoint works like the send invites which let me add new users as external users, but when I try to read from the users endpoint i get the error "API access is only available for enterprise customers"
Do you know why I cannot have access to all of the endpoints?
Thank you!
@albert hmm... the retool API docs show it's available only for Enterprise:
i guess i hadn't gotten far enough to verify the API behaves according to the docs yet. a month ago or so, i had scoped out APIv2 to see if building a terraform provider plugin was worth having to write Go code, but found it was missing way too many endpoints to be useful.
not to scope creep this topic here, but if the API is Enterprise-only, and startup credits cap us at Business plan, then we really have no way to:
create many environments
manage many users programmatically
provision default apps+resources+queries+workflows with per-environment overrides
Hey @albert I understand that most endpoints are for Enterprise, but then why I have the option to assign the scope of read / write in my business plan if however i cannot have access?
This is all clear, but how can you update a user's attributes with the API (business plan) if you don't know his user_id? Or is it just general adding / updating user_attributes and then via retool admin update a particular user?
Right on spot @LinoPino, not much sense in being able to send invites if endpoints like attributes or groups are not available. All of my users have groups and attributes so just sending them an (not personalised) invite is really not a solution
the user attribues endpoint is actually accessible. I just made a REST API Resource and used the /user_attribuesendpoint to test it. It's def not very clear, you kinda have to piece it all together from different places:
this says you only need the Users > Write permission on the API Token, so you do not need any permissions for Retool API > Read/Write to access User Attribues.
on the User Attribues page you can see a base req of Business or Enterprise, so unless otherwise stated features that have access to User Attribues should have the same or more strict requirements
Thanks @bobthebear, I'll give it a go. When I last looked into this I don't think the attributes section was available when generating a token. This seems positive