We are looking into building an app in ReTool where multiple organizations/businesses can log in. I would like that each business can only see the data in the database connected to their firm. I.e. upon log inn, Business A will see only their products in Table 1, but when Business B is logged inn, they will only see products for their business in Table 1 etc.
Is this possible to achieve in Retool? I have seen some previous discussion on using Retool for Saas platforms, but I couldn't quite figure out is Retool is a good choice for this or not.
Great question indeed. I wondered this myself and ended up with a solution that works for me. It all comes down how to separate the different tenantsâ data that is being served to your application.
I opted to use Supabase postgreSQL instead of Retool Database. The reason for this is that Supabase makes it possible to implement âRow Level Securityâ, which means that you can limit the visibility of the data using policies that you can set up in Supabase database.
However, instead of setting up RLS, I opted to go for the following setup:
I have an âorganizationsâ table which defines a UUID and a name for each of my customer organizations.
In addition, I have a âusersâ table that links the Retool users (sid and email address) to one of the organizations using a foreign key relationship.
Each of the tables in my database, e.g., âproductsâ has also a foreign key relationship to the âorganizationsâ table. Essentially each row in the table belongs to one organization or another.
When a user from an organization makes a request, I use postgreSQL functions to return the results. An example function could be âget_all_productsâ function, that requires the userâs sid and email address as input parameters from Retool. The tough part is to set up the database function properly. First, the function is responsible for making sure this user matches an entry in the âusersâ table, after which the function will use the organization_id of the found user to perform a âSELECT * FROM products WHERE organization_id = user_organization_idâ query.
The above setup makes it possible to save all product data of different tenant organizations in the same table, and the functions always make sure the query returns the data that the user is authorized to see. I never run plain SQL queries and I have decided to always rely on the carefully crafted functions. This way I can keep my Retool queries âcleanâ and hide away the complexity of making sure the query returns the proper data.
I have found the following setup works quite well, granted that you are extra careful with the functions or queries you make.
Best of luck and never forget to carefully test your implementation!
Just as an addendum here, it is possible to implement Row Level Security in Retool as well. Just an option while you explore what will work best for you!
This helps me a lot when starting to implement my own SaaS solution. 