Permissions revoked, user still has access

Hi there!

We're preparing to roll out to a larger user base, and during permission testing we've encountered inconsistent application/page permission behavior.

Expected Behavior:

Application and page permissions should reflect the current group configuration immediately (or within a documented propagation window). When a user is granted access to a page, they should be be able to access only that page. When that access is removed, it should be removed consistently.

Observed Behavior:

During testing we observed several unexpected behaviors:

  • A role configured to allow access to only specific pages did not behave correctly until the group was deleted, recreated, and users were re-added.
  • When creating a new group that granted access to only a single page, the user unexpectedly retained access to multiple additional pages.
  • We verified that the user had no other groups granting application access and was only a member of the All Users group, which has no application, page, or resource permissions.
  • Even after removing the user from the group, or deleting the group entirely, the user continued to have access to pages they should no longer have access to.
  • Browser cache was cleared, incognito sessions were tested, and different browsers were used with the same results.

Questions:

  • Is there a synchronization or propagation step required, or is there an expected time delay before permission changes take effect?
  • Are there any known issues with permission evaluation or caching that could explain this behavior?

We've experienced another permission-related anomaly previously (forum post here) that unexpectedly resolved itself without any identifiable configuration changes, which is concerning as there may be an underlying sync or permission evaluation issue. Access governance is a primary benefit to using Retool, so we're hoping to gain confidence in this before deployment.

Thanks for any help!

Thanks for reaching out, @S00! I see that you've submitted a breakage report, as well. In your testing, is this largely scoped to page-level permissions in classic apps? Thanks for being so thorough, as well! I'll dig into this Jay and hopefully have an answer for you soon. :folded_hands:

Thanks, @Darren! From what we've observed, it appears to affect application-level and page-level permissions in classic apps.