Limiting user permissions for Public App

Hi All,

I have three groups of end users.

  1. Full Editors - users that need to add/manipulate entries within the app (but not developers)
  2. Limited Editors - users with limited ability. Can only edit certain fields in the app
  3. Read Only - users who will on occasion refer to the contents within the app. View/read only.

I created access/user permission groups for the first two groups. We have used the "disable action button" feature to exclude certain buttons.

For the 3rd group (read only), I thought that I could publish a link (on Confluence for example) and folks who need to see the data could access the app via that link. The only way to do that seems to be via the "Public" link. However, the public link appears to give them free rein.

Is there a way to control access via the Public link? Or do I need to set up everyone within an access group?


Hi @Frank_B Thanks for reaching out! Public apps allow anyone with the link to access the app in Preview mode. Since it can be accessed by anyone, even if they don't have a Retool account, we recommend not using any sensitive data or exposing any dangerous actions in public apps. With public apps, we record no user info, so there is no supported way to restrict certain parts of the app based on the current user.

Typically, teams will add read only users as internal users in their Retool organization with viewer permissions.

Does that help answer your question? Let me know if further questions come up!

Thank you @Tess! I think where my confusion lies is the different tiers of access. The Retool permissions only control developer level access (which makes sense). When I say view only/read only, I mean the user can get into the app but what they can do within the app is restricted. We have created different screens/buttons. The ability to enter records and then edit/update those records. We need certain folks to USE the app - with the ability to add/edit records AND we need users who USE the app - but cannot add/edit records. And so this is where we are having confusion on how to execute this properly.

Hi @Frank_B thanks for this context! You should be able to implement ways to restrict access, but it's a bit manual to set up.

One solution might be to make certain parts of the app only work conditionally based on the current_user. Currently, you'd need to use JavaScript for this.

For example, you could hide an entire component based on whether the user is in a particular permission group:

Or, you could prevent a query from running based on the user permissions:

When I log into this app as a non-admin, I don't see the "Modify Data" button & I get an error when clicking on "Button":

You can find the current user properties in edit mode under State -> Globals
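
The group-based gating described in the reply above, as an added example that is not part of the original thread and not Retool's own code. The group names, the editable field list, the control names and the shape of the user object (a `groups` array of objects with a `name`) are assumptions made for illustration.

```javascript
// Added example. Group names, field names and the user-object shape are assumptions.
const FULL = "Full Editors";                // hypothetical permission group
const LIMITED = "Limited Editors";          // hypothetical permission group
const LIMITED_FIELDS = ["status", "notes"]; // hypothetical fields a Limited Editor may change

// Resolve the user's tier; anything unrecognised falls through to read-only.
function tierOf(user) {
  const names = new Set(((user && user.groups) || []).map((g) => g.name));
  if (names.has(FULL)) return "full";
  if (names.has(LIMITED)) return "limited";
  return "read";
}

// Decide whether a control should be hidden: true means hide it.
function isHidden(user, control) {
  const tier = tierOf(user);
  if (control === "addRecord") return tier !== "full";
  if (control === "editRecord") return tier === "read";
  return false; // plain display components stay visible
}

// Guard to evaluate before a write query runs.
// Fails closed: a single disallowed field rejects the whole update.
function guardUpdate(user, changes) {
  const tier = tierOf(user);
  const fields = Object.keys(changes);
  if (tier === "full") return { allowed: true, rejected: [] };
  if (tier === "read") return { allowed: false, rejected: fields };
  const rejected = fields.filter((f) => !LIMITED_FIELDS.includes(f));
  return { allowed: fields.length > 0 && rejected.length === 0, rejected };
}

// Constructed sample users, one per tier from the question.
const fullEditor = { email: "a@example.com", groups: [{ name: "Full Editors" }] };
const limitedEditor = { email: "b@example.com", groups: [{ name: "Limited Editors" }] };
const viewer = { email: "c@example.com", groups: [{ name: "All Users" }] };

console.log(isHidden(viewer, "addRecord"));
console.log(guardUpdate(limitedEditor, { status: "closed", owner: "x" }));
console.log(guardUpdate(fullEditor, { owner: "x" }));
```

Hiding a button only changes what the user sees, so the write query needs the same check as the control that triggers it.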