baton-retool

baton-retool is a connector for Retool built using the Baton SDK. It connects directly to your primary Retool Postgres database and syncs data about users, groups, organizations, pages, and resources. It can also create Retool user accounts and enable/disable them via the Retool REST API.

Check out Baton to learn more the project in general.

Capabilities

Capability	Status
Sync (users, groups, organizations, pages, resources)	Yes
Provisioning (Grant/Revoke)	Yes — group membership and page access
Account Creation	Yes — via the Retool REST API
Account Enable/Disable	Yes — enable_user / disable_user actions via the Retool REST API
Account Deletion	No — Retool's REST API has no hard delete (see note below)
Event Feeds	No

Note on deprovisioning: Retool's REST API has no hard delete — its DELETE /users/{id} endpoint only deactivates the account. The connector therefore models deprovisioning as the reversible disable_user action (blocks sign-in, keeps group memberships) with enable_user to reactivate, instead of an account Delete that would misrepresent a deactivation as a removal. Account provisioning requires the retool-api-base-url and retool-api-token settings; sync and group/page provisioning need only the connection-string.

Getting Started

Setup

1. While connected to the Retool database, create a new user for the connector to connect to Postgres as. Be sure to create and save the secure password for this user:

CREATE USER baton WITH PASSWORD 'secure-password';

2. Grant your new role the privileges required by the connector for inspecting retool privileges.

GRANT SELECT ("id", "name", "organizationId", "universalAccess", "universalResourceAccess", "universalQueryLibraryAccess",
              "userListAccess", "auditLogAccess", "unpublishedReleaseAccess") ON groups TO baton;
GRANT SELECT, INSERT, UPDATE ("id", "accessLevel"), DELETE ON group_pages TO baton;
GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") ON group_folder_defaults TO baton;
GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") on group_resources TO baton;
GRANT SELECT, INSERT, UPDATE ("id", "accessLevel") on group_resource_folder_defaults TO baton;
GRANT SELECT ("id", "name") ON organizations TO baton;
GRANT SELECT ("id", "name", "organizationId", "folderId", "photoUrl", "description", "deletedAt") ON pages TO baton;
GRANT SELECT ("id", "name", "organizationId", "type", "displayName", "environmentId", "resourceFolderId") ON resources TO baton;
GRANT SELECT ("id", "sid", "email", "firstName", "lastName", "profilePhotoUrl", "userName", "enabled", "lastLoggedIn", "organizationId") ON users TO baton;
GRANT SELECT, INSERT, UPDATE, DELETE ("id", "userId", "groupId", "isAdmin", "updatedAt") ON user_groups TO baton;
GRANT USAGE, SELECT ON SEQUENCE user_groups_id_seq TO baton;
GRANT DELETE ON user_groups TO baton;

3. Run the connector with the proper connection string. For example if you created a new baton user with the password baton, it may look like this:

BATON_CONNECTION_STRING="user=baton password=baton host=localhost port=5432 dbname=hammerhead_production" baton-retool

4. (Optional) To enable account provisioning/deprovisioning, create a Retool API token (Settings → API) with the users:read and users:write scopes, then also set the REST configuration. Both fields are required together; omit them for sync-only deployments.

BATON_CONNECTION_STRING="user=baton password=baton host=localhost port=5432 dbname=hammerhead_production" \
BATON_RETOOL_API_BASE_URL="https://your-org.retool.com" \
BATON_RETOOL_API_TOKEN="retool_xxxxxxxx" \
baton-retool --provisioning

Configuration

Flag	Env Var	Required	Description
--connection-string	BATON_CONNECTION_STRING	Yes	Postgres DSN for the Retool database
--retool-api-base-url	BATON_RETOOL_API_BASE_URL	No*	Retool REST base URL (e.g. https://your-org.retool.com) — required for account provisioning
--retool-api-token	BATON_RETOOL_API_TOKEN	No*	Retool API token (users:read + users:write) — required for account provisioning
--skip-pages	BATON_SKIP_PAGES	No	Skip syncing pages
--skip-resources	BATON_SKIP_RESOURCES	No	Skip syncing resources
--skip-disabled-users	BATON_SKIP_DISABLED_USERS	No	Skip syncing disabled users

* retool-api-base-url and retool-api-token are required together (both or neither).

brew

brew install conductorone/baton/baton conductorone/baton/baton-retool
baton-retool
baton resources

docker

docker run --rm -v $(pwd):/out -e BATON_CONNECTION_STRING="user=baton password=baton host=localhost port=5432 dbname=hammerhead_production" ghcr.io/conductorone/baton-retool:latest -f "/out/sync.c1z"
docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources

source

go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-retool/cmd/baton-retool@main

BATON_CONNECTION_STRING="user=baton password=baton host=localhost port=5432 dbname=hammerhead_production" baton-retool
baton resources

Data Model

baton-retool pulls down information about the following Retool resources:

• Users
• Groups
• Organizations
• Pages
• Resources

Contributing, Support, and Issues

We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a Github Issue!

See CONTRIBUTING.md for more details.

baton-retool Command Line Usage

baton-retool

Usage:
  baton-retool [flags]
  baton-retool [command]

Available Commands:
  capabilities       Get connector capabilities
  completion         Generate the autocompletion script for the specified shell
  help               Help about any command

Flags:
      --client-id string             The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
      --client-secret string         The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
      --connection-string string     required: The connection string for connecting to retool database ($BATON_CONNECTION_STRING)
  -f, --file string                  The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
  -h, --help                         help for baton-retool
      --log-format string            The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
      --log-level string             The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
  -p, --provisioning                 This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
      --retool-api-base-url string   Base URL of the Retool REST API, e.g. https://<org>.retool.com. Required only for account provisioning/deprovisioning. ($BATON_RETOOL_API_BASE_URL)
      --retool-api-token string      Retool API token with users:read + users:write. Required only for account provisioning/deprovisioning. ($BATON_RETOOL_API_TOKEN)
      --skip-disabled-users          Skip syncing disabled users ($BATON_SKIP_DISABLED_USERS)
      --skip-full-sync               This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
      --skip-pages                   Skip syncing pages ($BATON_SKIP_PAGES)
      --skip-resources               Skip syncing resources ($BATON_SKIP_RESOURCES)
      --ticketing                    This must be set to enable ticketing support ($BATON_TICKETING)
  -v, --version                      version for baton-retool

Use "baton-retool [command] --help" for more information about a command.