Users & Roles
Role-based access control (RBAC) with fine-grained permissions for user management, workflow editing, and system administration.
Overview
M3 Forge uses a role-based permission model to control who can perform which actions. Each user is assigned one or more roles within a workspace, and roles define specific permissions across the platform.
Built-In Roles
M3 Forge provides six predefined system roles. These roles cannot be modified or deleted.
| Role | Description | Typical Use Case |
|---|---|---|
| Administrator | Full access to all resources and operations (wildcard) | Platform operators, workspace owners |
| Editor | Create and modify workflows, DAGs, credentials, and related resources | Engineers, data scientists |
| Member | Read-only access to all resources | Stakeholders, auditors, new users |
| Workflow Editor | Full workflow and DAG management without credential access | Pipeline developers |
| Deployment Editor | Full deployment and gateway management | Release engineers, DevOps |
| Document Editor | Full RAG index, storage, and annotator config management | Knowledge base curators |
For a detailed breakdown of every permission by role, see RBAC Permissions.
Administrator
Capabilities:
- All permissions across every resource (wildcard *)
- User management (invite, remove, change roles, impersonate)
- System settings, API keys, credentials, role management
Use case: Primary workspace administrator with full control.
Editor
Capabilities:
- Create, edit, delete, and execute workflows
- Manage DAGs, query plans, and credentials
- Create and manage API keys
- Create and update RAG indexes
- Read gateways, deployments, events, annotator configs, and roles
Use case: Day-to-day contributors building and iterating on AI pipelines.
Member
Capabilities:
- View all resources (workflows, DAGs, jobs, deployments, storage, etc.)
- List credentials (without reading values)
Restrictions:
- Cannot create, modify, or execute any resource
Use case: Stakeholders, managers, and auditors who need visibility but not operational access. This is the default role for new users.
Workflow Editor
Capabilities:
- Full workflow and DAG management (create, edit, delete, execute)
- Full query plan management
- Manage jobs (read, cancel, retry)
- Read gateways and test connectivity
Restrictions:
- No credential access
- No deployment management
- No system settings
Use case: Pipeline developers who build workflows without needing credential or infrastructure access.
Deployment Editor
Capabilities:
- Full deployment management (create, edit, delete)
- Full gateway management (create, edit, delete, test)
- Read workflows, jobs, and roles
Restrictions:
- No workflow editing or execution
- No credential access
- No system settings
Use case: Release engineers who manage infrastructure without modifying pipeline logic.
Document Editor
Capabilities:
- Full RAG index management (create, edit, delete)
- Full annotator config management
- Read and update storage
- Read workflows and roles
Restrictions:
- No workflow editing or execution
- No credential or deployment access
Use case: Knowledge base curators who manage document indexes and annotation configurations.
Managing Users
Inviting Users
Navigate to Users
From workspace settings, go to Settings → Users.
Click Invite User
Select Invite User and provide:
- Email address — User’s email (they must accept invitation to join)
- Role — Select from Administrator, Editor, Member, Workflow Editor, Deployment Editor, Document Editor
- Custom message — Optional personalized invitation text
Send Invitation
User receives an email with an invitation link. Link expires after 7 days.
Users can belong to multiple workspaces with different roles in each workspace.
Accepting Invitations
When a user receives an invitation:
- Click the link in the email
- Sign in or create an account
- Accept the invitation to join the workspace
They immediately gain access with the assigned role.
Changing User Roles
To update a user’s role:
Select User
From the Users list, click the user whose role you want to change.
Choose New Role
Select a new role from the dropdown.
Confirm
The role change takes effect immediately. If the user is currently logged in, they may need to refresh to see updated permissions.
Changing an Administrator’s role requires at least one other Administrator to remain in the workspace.
Removing Users
To remove a user from the workspace:
- Click Remove next to the user’s name
- Confirm removal
- User loses access to this workspace immediately
Removing a user:
- Does not delete their account
- Does not affect their access to other workspaces
- Does not delete resources they created (workflows, prompts remain)
Suspending Users
Temporarily disable a user’s access:
- Click user in the list
- Select Suspend
- User cannot log in until unsuspended
Useful for:
- Employees on leave
- Contractors whose engagement ended
- Security incidents pending investigation
Custom Roles
For advanced permission requirements, create custom roles with specific permission combinations.
Custom roles are available in Enterprise deployments. Contact support to enable this feature.
Creating a Custom Role
Navigate to Roles
From workspace settings, go to Settings → Roles.
Click Create Role
Select New Custom Role and provide:
- Role name — Descriptive identifier (e.g., “Prompt Engineer”, “QA Tester”)
- Description — Brief summary of intended use
Configure Permissions
Select permissions from categories:
Workflows:
- workflows.view — View workflow definitions
- workflows.create — Create new workflows
- workflows.edit — Modify existing workflows
- workflows.delete — Delete workflows
- workflows.execute — Run workflows
Prompts:
- prompts.view — View prompt templates
- prompts.create — Create prompts
- prompts.edit — Modify prompts
- prompts.test — Execute prompt tests
- prompts.delete — Delete prompts
Agents:
- agents.view — View agent configurations
- agents.create — Create agents
- agents.edit — Modify agents
- agents.delete — Delete agents
Knowledge Bases:
- knowledge.view — View knowledge bases
- knowledge.upload — Upload documents
- knowledge.index — Configure indexing
- knowledge.delete — Delete documents
Monitoring:
- monitoring.view — View dashboards and logs
- monitoring.export — Export logs and metrics
Settings:
- settings.llm — Configure LLM connections
- settings.api_keys — Generate API keys
- settings.workspace — Modify workspace settings
Users:
- users.view — View user list
- users.invite — Invite new users
- users.remove — Remove users
- users.roles — Assign roles
Save
The custom role is available for assignment to users.
Example Custom Roles
Prompt Engineer:
Permissions:
- prompts.view, prompts.create, prompts.edit, prompts.test, prompts.delete
- workflows.view, workflows.execute
- monitoring.view
Use case: Team member focused on prompt development and testing
QA Tester:
Permissions:
- workflows.view, workflows.execute
- prompts.view
- agents.view
- monitoring.view, monitoring.export
Use case: Quality assurance testing workflows and documenting results
Pipeline Operator:
Permissions:
- workflows.view, workflows.execute
- monitoring.view
Use case: Operations team running production workflows without edit access
Role Assignment Best Practices
Principle of Least Privilege
Start users with minimal permissions and grant additional access as needed:
- New user joins → assigned Member role (read-only, default)
- User needs focused access → assign a specialized editor role (Workflow, Deployment, or Document Editor)
- User needs broad contributor access → upgrade to Editor
- User needs full system control → upgrade to Administrator
Avoid granting Administrator roles by default.
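The least-privilege progression above can be checked mechanically. The following is an added example, not M3 Forge's own code: a small evaluator that models the permission strings, the Administrator wildcard * and the three example custom roles from this page. The Member permission set and the "prompts.*"-style category wildcard are assumptions (the real role-to-permission matrix is on the RBAC Permissions page); the other roles are left out because the page describes them in prose rather than as permission identifiers.

```python
# Added example (not M3 Forge's own code). Models the permission strings, the
# Administrator wildcard "*" and the example custom roles from this page.
# The Member set and "namespace.*" wildcard support are assumptions.
from fnmatch import fnmatchcase

ROLES = {
    # Administrator holds the wildcard described on the page.
    "Administrator": {"*"},
    # Member is read-only; assumed to be the ".view" permission of each category.
    "Member": {
        "workflows.view", "prompts.view", "agents.view",
        "knowledge.view", "monitoring.view", "users.view",
    },
    # The three custom roles exactly as listed under "Example Custom Roles".
    "Prompt Engineer": {
        "prompts.view", "prompts.create", "prompts.edit", "prompts.test",
        "prompts.delete", "workflows.view", "workflows.execute", "monitoring.view",
    },
    "QA Tester": {
        "workflows.view", "workflows.execute", "prompts.view", "agents.view",
        "monitoring.view", "monitoring.export",
    },
    "Pipeline Operator": {"workflows.view", "workflows.execute", "monitoring.view"},
}


def permissions_for(roles):
    """Union of grants across a user's roles (a user may hold several)."""
    perms = set()
    for role in roles:
        if role not in ROLES:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLES[role]
    return perms


def is_allowed(roles, permission):
    """True if any grant matches. "*" matches everything; a "prompts.*" style
    grant (an assumption, not on the page) would match one category."""
    return any(fnmatchcase(permission, grant) for grant in permissions_for(roles))


def excess_permissions(roles, required):
    """Least-privilege check: grants beyond what a task needs. A wildcard is
    always reported because it covers far more than any concrete task."""
    return sorted(p for p in permissions_for(roles) if "*" in p or p not in required)


def minimal_role(required, allow_wildcard=True):
    """Smallest single role covering every required permission. Wildcard roles
    rank last, so Administrator is chosen only when nothing narrower fits;
    with allow_wildcard=False the result is None in that case, which signals
    that a custom role should be created instead of handing out Administrator."""
    best = None
    for name, grants in ROLES.items():
        wildcard = any("*" in g for g in grants)
        if wildcard and not allow_wildcard:
            continue
        if not all(is_allowed([name], p) for p in required):
            continue
        cost = float("inf") if wildcard else len(grants)
        if best is None or cost < best[1]:
            best = (name, cost)
    return best[0] if best else None


if __name__ == "__main__":
    print(is_allowed(["Member"], "workflows.edit"))                 # False
    print(minimal_role({"workflows.view", "workflows.execute"}))   # Pipeline Operator
    print(minimal_role({"settings.llm"}))                           # Administrator
    print(minimal_role({"knowledge.upload"}, allow_wildcard=False)) # None
```

Running minimal_role for a task that only Administrator can satisfy (settings.llm, as the Troubleshooting section notes) makes the escalation explicit; running it with allow_wildcard=False answers "which custom role should we create" without ever defaulting to Administrator.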
Specialized Roles for Separation of Duties
Use the specialized editor roles to enforce boundaries:
- Workflow Editor — Pipeline developers who don’t need credential access
- Deployment Editor — Release engineers managing infrastructure
- Document Editor — Knowledge base curators managing RAG indexes
Time-Limited Role Escalation
For temporary elevated access:
- Grant Administrator role to user
- Set calendar reminder to downgrade after task completes
- Downgrade to original role
Useful for onboarding new admins or temporary support access.
Role Ownership
Assign role management responsibility:
- Administrator — 1-2 platform operators
- Editor — Active contributors
- Workflow / Deployment / Document Editor — Domain specialists
- Member — Stakeholders and auditors
Single Sign-On (SSO)
M3 Forge supports SSO for centralized user authentication.
OAuth Providers
Connect with popular identity providers:
- Google Workspace — Authenticate with Google accounts
- GitHub — Authenticate with GitHub accounts
- Microsoft Entra ID — Authenticate with Microsoft accounts
Navigate to SSO Settings
From platform settings, go to Settings → Authentication → OAuth.
Add Provider
Click Add OAuth Provider and select provider type.
Configure
Provide:
- Client ID — From provider’s developer console
- Client Secret — From provider’s developer console
- Redirect URI — Displayed in M3 Forge (copy to provider config)
Test
Use Test Connection to verify configuration before enabling.
Enable
Toggle Enabled to activate OAuth login.
SAML Integration
For enterprise identity providers (Okta, OneLogin, Azure AD):
Navigate to SAML Settings
From platform settings, go to Settings → Authentication → SAML.
Add SAML Provider
Click Add SAML Provider.
Configure
Provide:
- Entity ID — Identity provider’s entity ID
- SSO URL — Identity provider’s SSO endpoint
- Certificate — X.509 certificate for signature validation
Attribute Mapping
Map SAML attributes to M3 Forge user fields:
- email → User email
- name → Display name
- groups → Workspace roles (optional)
Test
Use test user account to validate SAML flow.
Enable
Toggle Enabled to activate SAML login.
SAML configuration requires platform administrator access. Contact support for assistance with complex SAML setups.
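The attribute mapping step is where a provisioning bug silently becomes an over-privileged account, so it is worth seeing the edge cases handled. The following is an added example, not M3 Forge's own code: it turns the three SAML attributes named above (email, name, groups) into a workspace user record. The IdP group names, the group-to-role table and the shape of the attribute dictionary are constructed assumptions.

```python
# Added example (not M3 Forge's own code). Maps the SAML attributes named on
# this page (email, name, groups) to a workspace user. The group names and the
# group-to-role table are constructed assumptions.

GROUP_TO_ROLE = {
    "forge-admins": "Administrator",
    "forge-editors": "Editor",
    "forge-pipelines": "Workflow Editor",
    "forge-release": "Deployment Editor",
    "forge-knowledge": "Document Editor",
}
DEFAULT_ROLE = "Member"  # the page's default for new users: read-only


def as_list(value):
    """SAML multi-valued attributes arrive as a list, a single string, or not at all."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def map_saml_user(attrs, group_to_role=GROUP_TO_ROLE):
    """Build {email, name, roles, unmapped_groups} from a SAML attribute dict.
    Unknown groups grant nothing (they are reported, not guessed at); a user
    with no mapped group lands on Member, never on a broader role."""
    email = (attrs.get("email") or "").strip().lower()
    if "@" not in email:
        raise ValueError("SAML assertion carries no usable email attribute")
    groups = {g.strip().lower() for g in as_list(attrs.get("groups")) if g.strip()}
    roles = sorted({group_to_role[g] for g in groups if g in group_to_role})
    return {
        "email": email,
        "name": (attrs.get("name") or email).strip(),
        "roles": roles or [DEFAULT_ROLE],
        "unmapped_groups": sorted(g for g in groups if g not in group_to_role),
    }


if __name__ == "__main__":
    # Constructed assertion attributes, as a test IdP account might send them.
    print(map_saml_user({"email": "Dana@Example.com", "name": "Dana",
                         "groups": ["forge-editors", "forge-pipelines", "hr-all"]}))
```

Reporting unmapped_groups rather than discarding them is the useful part when validating the flow with a test account: a typo in the IdP group name shows up as an unexpected Member login instead of a silent failure.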
Audit Logging
All user actions are logged for security and compliance.
Logged Events
- User login/logout — Timestamps and IP addresses
- Role changes — Who changed whose role to what
- Resource creation/modification/deletion — Workflows, prompts, agents
- Settings changes — LLM connections, API keys
- Failed authentication attempts — Potential security issues
Viewing Audit Logs
Navigate to Settings → Audit Logs to view activity:
| Timestamp | User | Action | Resource | Details |
|---|---|---|---|---|
| 2026-03-19 14:32 | alice@example.com | workflow.create | fraud-detection-v2 | Created new workflow |
| 2026-03-19 14:15 | bob@example.com | user.role_change | charlie@example.com | Changed role from Viewer to Editor |
| 2026-03-19 13:58 | charlie@example.com | prompt.edit | extract-invoice | Modified prompt template |
Exporting Audit Logs
For compliance requirements, export logs as CSV or JSON:
- Apply filters (date range, user, action type)
- Click Export
- Choose format (CSV, JSON, PDF)
- Download file
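An exported log is only useful if someone actually reviews it. The following is an added example, not M3 Forge's own code: three review checks run over a JSON export whose records follow the Timestamp, User, Action, Resource and Details columns shown in the table above. The export itself is constructed; the action names workflow.create, user.role_change and prompt.edit come from the page, while auth.login_failed, the 5-failures-in-15-minutes threshold and the 7-day escalation age are assumptions chosen for the example.

```python
# Added example (not M3 Forge's own code). Review checks over an audit-log
# JSON export laid out like the table on this page. The export, the
# auth.login_failed action name and the thresholds are constructed assumptions.
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export (one JSON object per line). The first three rows mirror
# the page's table; the rest are invented to exercise the checks.
SAMPLE_EXPORT = """\
{"timestamp": "2026-03-19 13:58", "user": "charlie@example.com", "action": "prompt.edit", "resource": "extract-invoice", "details": "Modified prompt template"}
{"timestamp": "2026-03-19 14:15", "user": "bob@example.com", "action": "user.role_change", "resource": "charlie@example.com", "details": "Changed role from Viewer to Editor"}
{"timestamp": "2026-03-19 14:32", "user": "alice@example.com", "action": "workflow.create", "resource": "fraud-detection-v2", "details": "Created new workflow"}
{"timestamp": "2026-03-20 09:00", "user": "bob@example.com", "action": "user.role_change", "resource": "dave@example.com", "details": "Changed role from Member to Administrator"}
{"timestamp": "2026-03-22 11:00", "user": "alice@example.com", "action": "user.role_change", "resource": "erin@example.com", "details": "Changed role from Member to Administrator"}
{"timestamp": "2026-03-23 17:30", "user": "alice@example.com", "action": "user.role_change", "resource": "erin@example.com", "details": "Changed role from Administrator to Member"}
{"timestamp": "2026-03-24 08:01", "user": "mallory@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=203.0.113.7"}
{"timestamp": "2026-03-24 08:03", "user": "mallory@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=203.0.113.7"}
{"timestamp": "2026-03-24 08:06", "user": "mallory@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=203.0.113.7"}
{"timestamp": "2026-03-24 08:09", "user": "mallory@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=203.0.113.7"}
{"timestamp": "2026-03-24 08:12", "user": "mallory@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=203.0.113.7"}
{"timestamp": "2026-03-24 09:00", "user": "alice@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=198.51.100.4"}
{"timestamp": "2026-03-24 18:00", "user": "alice@example.com", "action": "auth.login_failed", "resource": "-", "details": "ip=198.51.100.4"}
"""

ROLE_CHANGE = re.compile(r"Changed role from (.+?) to (.+)$")


def parse_export(text):
    """Parse JSON-lines export into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M")
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def role_changes(events):
    """Yield (ts, actor, target, old_role, new_role) from user.role_change records."""
    for e in events:
        if e["action"] == "user.role_change":
            m = ROLE_CHANGE.search(e["details"])
            if m:
                yield e["ts"], e["user"], e["resource"], m.group(1), m.group(2)


def administrator_grants(events):
    """Every escalation to Administrator: each one deserves a second look."""
    return [(ts, actor, target) for ts, actor, target, _old, new in role_changes(events)
            if new == "Administrator"]


def stale_escalations(events, now, max_age=timedelta(days=7)):
    """Users still holding Administrator longer than max_age after the grant:
    the 'downgrade after the task completes' step that was forgotten."""
    latest = {}
    for ts, _actor, target, _old, new in role_changes(events):
        latest[target] = (ts, new)  # events are sorted, so the last change wins
    return sorted(t for t, (ts, role) in latest.items()
                  if role == "Administrator" and now - ts > max_age)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Users with at least `threshold` failed logins inside any `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "auth.login_failed":
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, stamps in per_user.items():
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print(administrator_grants(evs))
    print(stale_escalations(evs, now=datetime(2026, 3, 28, 12, 0)))
    print(failed_login_bursts(evs))
```

The stale-escalation check is the automated form of the "set a calendar reminder" advice in the Time-Limited Role Escalation section; the burst check surfaces the same condition that triggers the account lockout described under Troubleshooting, but from the export rather than from the user's complaint.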
Troubleshooting
User Cannot Modify Resources
Cause: User has Member role which is read-only.
Solution: Upgrade to the appropriate editor role (Editor, Workflow Editor, Deployment Editor, or Document Editor) depending on what they need to modify.
User Cannot Configure LLM Connections
Cause: Only Administrators have settings permissions.
Solution: Upgrade to Administrator role or have an Administrator configure connections.
Cannot Remove Last Administrator
Cause: Attempting to remove the only Administrator in workspace.
Solution: Assign Administrator role to another user first, then remove or downgrade the original.
SSO Login Failing
Cause: Misconfigured OAuth or SAML settings.
Solution: Verify client ID/secret and redirect URIs match provider configuration. Check audit logs for specific error messages.
Too Many Failed Login Attempts
Cause: Account locked due to repeated failed authentications.
Solution: Wait 15 minutes for automatic unlock, or contact workspace owner to manually unlock account.
Next Steps
- View the full RBAC permissions matrix for detailed scope breakdowns
- Configure workspaces for multi-tenant isolation
- Set up LLM connections for your team
- Generate API keys with appropriate scopes