User permission for environment


I made multiple environments for multiple databases.
Each database work for difference region service.
I need to set user permission for environment.
Is there any way?


Hey @starter! Permissions for environments isn't available just yet, but this is actually quite highly requested so we'll be working on implementing this in the future. I'll be sure to post in this thread with any updates :blush:

Thank you for your reply.
I hope that update release soon.

Any workarounds?

@nitzanav hey! No workarounds as of yet, but we're definitely working on this. It's a bit of a large lift so it's taking some time. Will keep this thread updated as soon as we have news :crossed_fingers:

1 Like

Seems that I can hide a container using JS code like this:
{{ retoolContext.environment === 'production' && !current_user.groups.find(group => == 'production_users') }}

I have a proposal for a workaround, can you confirm that it can work and is secured?

  1. We will set the "Hidden" field of a container, using this code. Will it be secured? I guess not, I guess that the hidden field is evaluated on the browser, right?
  2. I can add a transformer for each query, and this should solve the security issue that I mentioned above. Right?

@nitzanav, that's great! Are the users in the production_users group blocked from editing apps? And if users change the environment themselves (using either the app's dropdown or the _environment query params), is that okay with you?


  1. production_users is actually not a real name of a group, more like "support" users, those should be viewers, without permissions to edit applications, and should be able to manage production data. While other viewers can manage only QA data (for example, the QA team).
  2. as long as the backend is protected, I don't think that modifying the URL is something that we should care about.
  3. and It is ok that they will see that there is production environment in the dropdown. We can display a message to the user that they are not permitted to manage production data. They best would be to remove "production" environment from the dropdown, if it's possible. But I guess it is not.
1 Like

@victoria I want to ask regarding the safety of the transformer JS code. Is query transformer code executed on the browser or on the server?
same question regarding "Javascript query" code.

Browser! All of an app’s JS is sandboxed in an iframe in the browser so it can't touch `document` and requests are sent from `null` origins.

Is there any hope to have this feature soon?
Or, is there a workaround?

We're a heavily regulated company and environment permissions are a blocking issue for us, on multiple levels. We must limit the development team members to only those who are cleared to see production data and we basically can't work with any freelancers.

Please help :pray:

Here's an idea: is there a check we can do in the Injected JS area, or there is no application context loaded at that time?

For example, to have this …
if ( {{ retoolContext.environment === 'production' && !current_user.groups.find(group => == 'production_users') }} ) { redirectToHome(); }

Hello! Just wanted to share that environment based permissions are going to be on the back burner for a bit while we prioritize work on Retool’s Source Control.

In the meantime, there’s a workaround for on-prem orgs. You can run multiple instances, where each instance represents one environment. You can then set permissions differently for each of these environments.

Let me know if anyone has any questions I can help answer, and please do continue to write in with your +1s and use cases for this feature!

Thank you all for your patience and understanding here.

Hi @victoria !

Do you have some estimated timeframe when environment based permissions and source control will be available?

Hey @heynoway!

Not at the moment :frowning: The team has decided to prioritize work on other features this for now. If this changes, I'll definitely update this thread!

Thank you for all your patience here, wish I had better news for you.

Hi @victoria, wanted to check in here as it's been a few months. Is there any update on a timeline for permissions by environment? Our team needs to be able to use tools in environments other than prod and rather than deploy multiple instances of retool and manage said instances, we'd prefer to grant users the ability to toggle to envs they have perms for.

1 Like

Hi Angela! Thank you for checking in here—I asked the team assigned to this feature and it seems like it's not on our current roadmap for the next quarter. We're still prioritizing other features (like Source Control!), but please do continue leaving your feedback and use cases here for us to take into consideration as we plan and iterate on our plan.

I want to chime in here and see that it makes sense for us to give certain people only use access to apps, but then they absoluetly should be able to select environment. This is because we have testers who need to set up a test environment for testing and self manage this in retool. But right now, if we only give then use on apps, they dont see the environment selector.

And if we give them edit on apps, but not use on resources, they see staging, but its disabled because of some message that dont make sense.

I can give users edit app permission and use resource permission. And tell them not to edit :stuck_out_tongue: But its not optimal

Being able to set permissions on environments would make the permissions work I need to do much much easier.

+1 for this feature please.