Role-Based Access Control (RBAC)
Forward Enterprise provides support for Role-Based Access Control (RBAC). The following roles are available for the Org Admin to assign when creating users:
- Org Admin: Admin user with full access to the platform and all its settings, including Network creation, and user account management.
- Network Admin: A Network Admin has full access to all Forward applications for the network and can configure the network, including its collection settings.
- Network Operator: A Network Operator has full access to all Forward applications for the network, but they cannot configure network settings or trigger Snapshot collection. An exception is made for Workspace Networks, where the Network Operator role is upgraded to Network Admin for the specific workspace network.
- Read-only: A Read-only user has only view (read) access to the network. They cannot create new data, nor change any settings.
- Limited Read-only: Limited Read-only users are restricted Read-only users, with no access to sensitive data like configuration and state files of the network devices, nor to any application that could expose them (NQE, Inventory+, and Security applications).
Settings
| Functionality | Limited Read-Only | Read-Only | Network Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|
| Personal | |||||
| Personal - Preferences | Yes | Yes | Yes | Yes | Yes |
| Personal - Account | Yes | Yes | Yes | Yes | Yes |
| Personal - Notifications | Yes | Yes | Yes | Yes | Yes |
| Accounts | |||||
| Accounts - User accounts (includes accounts creation/editing/deleting) | No | No | No | No | Yes |
| Accounts - Login (includes 2FA) | No | No | No | No | Yes |
| Accounts - Login Notice | No | No | No | No | Yes |
| Accounts - TACACS | No | No | No | No | Yes |
| Accounts - SSO | No | No | No | No | Yes |
| System | |||||
| System - General (includes session mgmt, password strength, experimental features) | No | No | No | No | Yes |
| System - Software Update | No | No | No | No | Yes |
| System - Backup / Restore | No | No | No | No | Yes |
| System - Database Import / Export | No | No | No | No | Yes |
| System - Integrations | No | No | No | No | Yes |
| System - License Key | No | No | No | No | Yes |
| System - Licensed Devices | No | No | No | No | Yes |
| System - Notification Settings | No | No | No | No | Yes |
| System - SMTP Settings | No | No | No | No | Yes |
| System - System Overview | No | No | No | No | Yes |
| System - Webhooks | No | No | No | No | Yes |
Network
| Functionality | Limited Read-Only | Read-Only | Network Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|
| Devices | |||||
| Devices - View | Yes | Yes | Yes | Yes | Yes |
| Devices - Edit | No | No | No | Yes | Yes |
| Virtualization (NSX, ESX) | |||||
| Virtualization (NSX, ESX) - View | Yes | Yes | Yes | Yes | Yes |
| Virtualization (NSX, ESX) - Edit | No | No | No | Yes | Yes |
| Cloud Accounts | |||||
| Cloud Accounts - View | Yes | Yes | Yes | Yes | Yes |
| Cloud Accounts - Edit | No | No | No | Yes | Yes |
| Cloud Account Proxy Settings | No | No | No | Yes | Yes |
| Access Credentials | |||||
| Credentials - View and Edit | No | No | No | Yes | Yes |
| Jump Servers - View and Edit | No | No | No | Yes | Yes |
| Collection | |||||
| Collection Schedule - View | No | No | No | Yes | Yes |
| Collection Schedule - Edit | No | No | No | Yes | Yes |
| Collection Triggering | No | No | No | Yes | Yes |
| Platform | |||||
| Dashboard - View | Yes | Yes | Yes | Yes | Yes |
| NQE (create/edit/delete query) | No | Maybe* | Maybe** | Maybe** | Yes |
| NQE (run query, Verify checks) | No | Yes | Yes | Yes | Yes |
| Snapshots - Restore | No | No | Yes | Yes | Yes |
* By default, No, but permission can be granted for specific directories
** By default, Yes, but permission can be revoked for specific directories
Network Snapshots (Forward Apps)
| Functionality | Limited Read-Only | Read-Only | Network Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|
| Search | |||||
| Search | Yes | Yes | Yes | Yes | Yes |
| Search - Path Analysis | Yes | Yes | Yes | Yes | Yes |
| Search - View device configuration and state | No | Yes | Yes | Yes | Yes |
| Verify | |||||
| Verify - View NQE checks | No | Yes | Yes | Yes | Yes |
| Verify - View other checks | Yes | Yes | Yes | Yes | Yes |
| Verify - Add/edit/delete checks | No | No | Yes | Yes | Yes |
| Security | |||||
| Security Matrix - View | No | Yes | Yes | Yes | Yes |
| Security Matrix - Add/edit/delete | No | No | Yes | Yes | Yes |
| Security Blast Radius | No | Yes | Yes | Yes | Yes |
| Security Vulnerability | No | Yes | Yes | Yes | Yes |
| Security Exposure | No | Yes | Yes | Yes | Yes |
| Platform | |||||
| Diffs | Yes | Yes | Yes | Yes | Yes |
| Inventory | No | Yes | Yes | Yes | Yes |
| Objects - View | Yes | Yes | Yes | Yes | Yes |
| Objects - Add/edit/delete | No | No | Yes | Yes | Yes |
Note: Workspace networks inherit the permissions configured for their parent network, except that a Network Operator is effectively promoted to a Network Admin for any Workspace Network that they create, for a period of time that can be configured by an Org Admin.
For more details, visit the Workspace Networks page.
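The two rules in this matrix that are not a plain role lookup are the per-directory NQE exceptions (footnotes * and **) and the Workspace Network promotion of a Network Operator. The following is an added illustration of how those rules compose when evaluating a single permission; it is not Forward Networks' code, and the `DirectoryPolicy` shape, function names, and exact-match directory handling are assumptions.

```python
from dataclasses import dataclass, field

# Default for "NQE (create/edit/delete query)" per the Platform table.
# Read-Only: No by default, grantable per directory (*).
# Network Operator / Network Admin: Yes by default, revocable per directory (**).
NQE_EDIT_DEFAULT = {
    "Limited Read-Only": False,
    "Read-Only": False,
    "Network Operator": True,
    "Network Admin": True,
    "Org Admin": True,
}
# Roles whose default can be changed for specific directories.
PER_DIRECTORY_OVERRIDABLE = {"Read-Only", "Network Operator", "Network Admin"}


@dataclass
class DirectoryPolicy:
    """Per-directory exceptions (assumed shape): directory -> set of role names."""
    granted: dict = field(default_factory=dict)
    revoked: dict = field(default_factory=dict)


def effective_role(role, on_workspace_network=False, created_workspace=False):
    """A Network Operator is treated as Network Admin on a Workspace Network they
    created, for the Org-Admin-configured period; callers pass created_workspace=False
    once that period has lapsed."""
    if role == "Network Operator" and on_workspace_network and created_workspace:
        return "Network Admin"
    return role


def can_edit_nqe_query(role, directory, policy, on_workspace_network=False, created_workspace=False):
    """Return True if the role may create/edit/delete NQE queries in `directory`.
    Assumption: grants/revocations match the directory exactly; the page does not
    describe inheritance to subdirectories, so none is modelled."""
    role = effective_role(role, on_workspace_network, created_workspace)
    if role not in NQE_EDIT_DEFAULT:
        raise ValueError(f"unknown role: {role!r}")  # fail closed on unknown input
    allowed = NQE_EDIT_DEFAULT[role]
    if role in PER_DIRECTORY_OVERRIDABLE:
        if role in policy.granted.get(directory, set()):
            allowed = True
        if role in policy.revoked.get(directory, set()):
            allowed = False  # an explicit revocation wins over a grant
    return allowed
```

Limited Read-Only and Org Admin are deliberately excluded from `PER_DIRECTORY_OVERRIDABLE`, so a stray grant or revocation for those roles has no effect, matching the fixed No/Yes in the table.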