Role-Based Access Control (RBAC)
Forward Enterprise supports Role-Based Access Control (RBAC), enabling organizations to manage user permissions with precision and align access with job responsibilities. This ensures that users only have access to the data and actions necessary for their role, improving both security and operational efficiency.
The following roles are available:
- Org Admin: An Org Admin has full access to the platform and all its settings, including network creation and user account management.
- Network Admin: A Network Admin has full access to all Forward applications for the network and can configure the network, including its collection settings.
- Network Operator: A Network Operator has full access to all Forward applications for the network, but they cannot configure network settings or trigger Snapshot collection.
- Workspace Operator: Assigned automatically to a Network Operator who creates a workspace network while credential copying is enabled. Has all Network Operator capabilities plus the ability to trigger snapshot collection, copy and delete sources, view credentials, proxies, and jump servers, and edit or delete snapshots and networks. Cannot add or edit devices or credentials, or upload or invalidate snapshots. See Workspace Network RBAC for details.
- Read-only: A Read-only user has only view (read) access to the network. They cannot create new data, nor change any settings.
- Limited Read-only: Limited Read-only users are restricted Read-only users, with no access to sensitive data such as the configuration and state files of the network devices, nor to any application that could expose them (NQE, Inventory+, and Security applications).
Settings
| Functionality | Limited Read-Only | Read-Only | Network Operator | Workspace Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|---|
| Personal | ||||||
| Personal - Preferences | Yes | Yes | Yes | Yes | Yes | Yes |
| Personal - Account | Yes | Yes | Yes | Yes | Yes | Yes |
| Personal - Notifications | Yes | Yes | Yes | Yes | Yes | Yes |
| Accounts | ||||||
| Accounts - User accounts (includes accounts creation/editing/deleting) | No | No | No | No | No | Yes |
| Accounts - Login (includes 2FA) | No | No | No | No | No | Yes |
| Accounts - Login Notice | No | No | No | No | No | Yes |
| Accounts - TACACS | No | No | No | No | No | Yes |
| Accounts - SSO | No | No | No | No | No | Yes |
| System | ||||||
| System - General (includes session mgmt, password strength, experimental features) | No | No | No | No | No | Yes |
| System - Software Update | No | No | No | No | No | Yes |
| System - Backup / Restore | No | No | No | No | No | Yes |
| System - Database Import / Export | No | No | No | No | No | Yes |
| System - Integrations | No | No | No | No | No | Yes |
| System - License Key | No | No | No | No | No | Yes |
| System - Licensed Devices | No | No | No | No | No | Yes |
| System - Notification Settings | No | No | No | No | No | Yes |
| System - SMTP Settings | No | No | No | No | No | Yes |
| System - System Overview | No | No | No | No | No | Yes |
| System - Webhooks | No | No | No | No | No | Yes |
Network
| Functionality | Limited Read-Only | Read-Only | Network Operator | Workspace Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|---|
| Devices | ||||||
| Devices - View | Yes | Yes | Yes | Yes | Yes | Yes |
| Devices - Edit | No | No | No | No | Yes | Yes |
| Virtualization (NSX, ESX) | ||||||
| Virtualization (NSX, ESX) - View | Yes | Yes | Yes | Yes | Yes | Yes |
| Virtualization (NSX, ESX) - Edit | No | No | No | No | Yes | Yes |
| Cloud Accounts | ||||||
| Cloud Accounts - View | Yes | Yes | Yes | Yes | Yes | Yes |
| Cloud Accounts - Edit | No | No | No | No | Yes | Yes |
| Cloud Account Proxy - View | No | No | No | Yes | Yes | Yes |
| Cloud Account Proxy - Edit | No | No | No | No | Yes | Yes |
| Access Credentials | ||||||
| Credentials - View | No | No | No | Yes | Yes | Yes |
| Credentials - Edit | No | No | No | No | Yes | Yes |
| Jump Servers - View | No | No | No | Yes | Yes | Yes |
| Jump Servers - Edit | No | No | No | No | Yes | Yes |
| Collection | ||||||
| Collection Schedule - View | No | No | No | Yes | Yes | Yes |
| Collection Schedule - Edit | No | No | No | Yes | Yes | Yes |
| Collection Triggering | No | No | No | Yes | Yes | Yes |
| Platform | ||||||
| Dashboard - View | Yes | Yes | Yes | Yes | Yes | Yes |
| NQE (create/edit/delete query) | No | Maybe* | Maybe** | Maybe** | Maybe** | Yes |
| NQE (run query, Verify checks) | No | Yes | Yes | Yes | Yes | Yes |
| Snapshots - Restore | No | No | Yes | Yes | Yes | Yes |
* By default, No, but permission can be granted for specific directories
** By default, Yes, but permission can be revoked for specific directories
Network Snapshots (Forward Apps)
| Functionality | Limited Read-Only | Read-Only | Network Operator | Workspace Operator | Network Admin | Org Admin |
|---|---|---|---|---|---|---|
| Search | ||||||
| Search | Yes | Yes | Yes | Yes | Yes | Yes |
| Search - Path Analysis | Yes | Yes | Yes | Yes | Yes | Yes |
| Search - View device configuration and state | No | Yes | Yes | Yes | Yes | Yes |
| Verify | ||||||
| Verify - View NQE checks | No | Yes | Yes | Yes | Yes | Yes |
| Verify - View other checks | Yes | Yes | Yes | Yes | Yes | Yes |
| Verify - Add/edit/delete checks | No | No | Yes | Yes | Yes | Yes |
| Security | ||||||
| Security Matrix - View | No | Yes | Yes | Yes | Yes | Yes |
| Security Matrix - Add/edit/delete | No | No | Yes | Yes | Yes | Yes |
| Security Blast Radius | No | Yes | Yes | Yes | Yes | Yes |
| Security Vulnerability | No | Yes | Yes | Yes | Yes | Yes |
| Security Exposure | No | Yes | Yes | Yes | Yes | Yes |
| Platform | ||||||
| Diffs | Yes | Yes | Yes | Yes | Yes | Yes |
| Inventory | No | Yes | Yes | Yes | Yes | Yes |
| Objects - View | Yes | Yes | Yes | Yes | Yes | Yes |
| Objects - Add/edit/delete | No | No | Yes | Yes | Yes | Yes |
Workspace Network RBAC
The Workspace network follows the role-based access control (RBAC) outlined for the parent network. The role assigned to the workspace creator depends on their role in the parent network and whether credential copying is enabled:
- Org Admin or Network Admin in the parent network — Always receives Network Admin on the workspace, regardless of the credential copying setting.
- Network Operator in the parent network, credential copying enabled — Elevated to Workspace Operator. This role sits between Network Operator and Network Admin. Workspace Operators can trigger and cancel collections, run connectivity tests, copy sources from the parent network, delete sources and snapshots, view credentials and jump servers (but not edit them), edit collection schedules, and edit snapshot and network metadata (name, note). They cannot add or edit devices, edit credentials, upload or invalidate snapshots, or modify network-level settings.
- Network Operator in the parent network, credential copying disabled — Elevated to Network Admin, since credentials must be provided manually and cannot be copied from the parent network.
Read-only and Limited Read-only users cannot create workspace networks.
The Workspace Operator role applies only to newly created workspace networks. Existing workspaces are not migrated — users who were previously elevated to Network Admin on an existing workspace retain that role.
Workspace Operator Permissions
The Workspace Operator role sits between Network Operator and Network Admin. The following table summarizes what you can and cannot do as a Workspace Operator:
| Action | Allowed |
|---|---|
| All Network Operator actions | Yes |
| Trigger snapshot collection and connectivity tests | Yes |
| Copy sources from parent network to workspace | Yes |
| Delete sources | Yes |
| View credentials, proxies, and jump servers | Yes |
| Edit and delete snapshots | Yes |
| Edit and delete networks | Yes |
| Assign roles to workspace network (up to Workspace Operator) | Yes |
| Add or edit devices | No |
| Edit credentials | No |
| Upload or invalidate snapshots | No |
Copying Sources Between Networks
The required roles for copying sources depend on the type of networks involved:
| Source Network | Target Network | Required Role in Source | Required Role in Target |
|---|---|---|---|
| Regular | Regular | Network Admin | Network Admin |
| Parent | Workspace | Network Operator or higher | Workspace Operator or higher |
As a Network Operator, you can no longer copy sources between two regular (non-workspace) networks. This operation now requires Network Admin in both the source and target networks.
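The workspace role elevation rules and the copy-sources requirements above can be modelled as a small authorization policy. The following is an added example (not Forward Enterprise code); it assumes a strict role ordering from Limited Read-only up to Org Admin, with Workspace Operator sitting between Network Operator and Network Admin as this page states, and denies any network-type pairing the table does not list.

```python
from enum import IntEnum


class Role(IntEnum):
    """Forward Enterprise roles, ordered from least to most privileged (assumed ordering)."""
    LIMITED_READ_ONLY = 0
    READ_ONLY = 1
    NETWORK_OPERATOR = 2
    WORKSPACE_OPERATOR = 3   # exists only on workspace networks
    NETWORK_ADMIN = 4
    ORG_ADMIN = 5


def workspace_creator_role(parent_role: Role, credential_copying: bool) -> Role:
    """Role a user receives on a workspace they create, given their parent-network role."""
    if parent_role >= Role.NETWORK_ADMIN:
        # Org Admin or Network Admin: always Network Admin, whatever the copying setting.
        return Role.NETWORK_ADMIN
    if parent_role == Role.NETWORK_OPERATOR:
        # Copying enabled: Workspace Operator. Disabled: Network Admin, because
        # credentials must be entered by hand on the workspace.
        return Role.WORKSPACE_OPERATOR if credential_copying else Role.NETWORK_ADMIN
    # Read-only and Limited Read-only users cannot create workspace networks.
    raise PermissionError(f"{parent_role.name} cannot create workspace networks")


# Minimum role in (source, target) required to copy sources, keyed by network types.
COPY_SOURCES_POLICY = {
    ("regular", "regular"): (Role.NETWORK_ADMIN, Role.NETWORK_ADMIN),
    ("parent", "workspace"): (Role.NETWORK_OPERATOR, Role.WORKSPACE_OPERATOR),
}


def can_copy_sources(src_type: str, dst_type: str, role_in_src: Role, role_in_dst: Role) -> bool:
    """Default-deny check: any pairing the policy table does not list is refused."""
    if (src_type, dst_type) not in COPY_SOURCES_POLICY:
        return False
    need_src, need_dst = COPY_SOURCES_POLICY[(src_type, dst_type)]
    return role_in_src >= need_src and role_in_dst >= need_dst


if __name__ == "__main__":
    # Constructed scenario: an operator creates a workspace with credential copying on,
    # then copies sources from the parent into it; the regular-to-regular copy is refused.
    ws_role = workspace_creator_role(Role.NETWORK_OPERATOR, credential_copying=True)
    print(ws_role.name)  # WORKSPACE_OPERATOR
    print(can_copy_sources("parent", "workspace", Role.NETWORK_OPERATOR, ws_role))  # True
    print(can_copy_sources("regular", "regular", Role.NETWORK_OPERATOR, Role.NETWORK_ADMIN))  # False
```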
For more details, visit the Workspace Networks page.