Role-Based Access Control (RBAC)
M3 Forge uses role-based access control to manage what each user can do across your workspace. Every user is assigned a single role, and that role determines the set of permissions they have.
Available Roles
M3 Forge provides six predefined system roles. System roles cannot be modified or deleted.
Administrator
Full system access. Administrators have a wildcard permission (*) that grants every operation on every resource. Use this role for workspace owners and platform operators.
Capabilities:
- All permissions across every resource
- User management (invite, remove, change roles, impersonate)
- System settings configuration
- API key and credential management
- Role creation and management
Editor
The primary role for active contributors who build and iterate on workflows, DAGs, and related resources.
Capabilities:
- Create, edit, delete, and execute workflows
- Manage DAGs and query plans
- Create and manage credentials (except delete)
- Read gateways and test connectivity
- Create and manage API keys
- Create and update RAG indexes
- Read annotator configs, deployments, storage, events, and roles
Member
Read-only access to the workspace. Members can view all resources but cannot create, modify, or execute anything. This is the default role assigned to new users.
Capabilities:
- View workflows, DAGs, jobs, and query plans
- View deployments, gateways, events, and storage
- View annotator configs and RAG indexes
- View roles
- List credentials (without reading values)
Workflow Editor
Focused role for users who manage workflows and DAGs without access to credentials or system settings.
Capabilities:
- Full workflow management (create, edit, delete, execute, activate, deactivate)
- Full DAG management
- Full query plan management (create, edit, delete, execute)
- View and manage jobs (read, cancel, retry)
- Read gateways and test connectivity
- Read events, storage, and roles
Deployment Editor
Manages deployments and gateway infrastructure without access to workflows or credentials.
Capabilities:
- Full deployment management (create, edit, delete)
- Full gateway management (create, edit, delete, test)
- Read workflows and jobs
- Read roles
Document Editor
Manages knowledge base resources including RAG indexes, storage, and annotator configurations.
Capabilities:
- Full RAG index management (create, edit, delete)
- Full annotator config management (create, edit, delete)
- Read and update storage
- Read workflows and roles
Permissions Matrix
Detailed breakdown of permissions by role. Admin has all permissions via wildcard and is omitted for brevity.
Workflows
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create workflows | ✓ | | ✓ | | |
| View workflows | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit workflows | ✓ | | ✓ | | |
| Delete workflows | ✓ | | ✓ | | |
| Execute workflows | ✓ | | ✓ | | |
| Activate / Deactivate | ✓ | | ✓ | | |
Jobs
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| View jobs | ✓ | ✓ | ✓ | ✓ | |
| Cancel jobs | ✓ | | ✓ | | |
| Retry jobs | ✓ | | ✓ | | |
DAGs
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create DAGs | ✓ | | ✓ | | |
| View DAGs | ✓ | ✓ | ✓ | | |
| Edit DAGs | ✓ | | ✓ | | |
| Delete DAGs | ✓ | | ✓ | | |
Query Plans
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create query plans | ✓ | | ✓ | | |
| View query plans | ✓ | ✓ | ✓ | | |
| Edit query plans | ✓ | | ✓ | | |
| Delete query plans | ✓ | | ✓ | | |
| Execute query plans | ✓ | | ✓ | | |
Deployments
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create deployments | | | | ✓ | |
| View deployments | ✓ | ✓ | | ✓ | |
| Edit deployments | | | | ✓ | |
| Delete deployments | | | | ✓ | |
Gateways
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create gateways | | | | ✓ | |
| View gateways | ✓ | ✓ | ✓ | ✓ | |
| Edit gateways | | | | ✓ | |
| Delete gateways | | | | ✓ | |
| Test gateways | ✓ | | ✓ | ✓ | |
RAG Indexes
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create indexes | ✓ | | | | ✓ |
| View indexes | ✓ | ✓ | | | ✓ |
| Edit indexes | ✓ | | | | ✓ |
| Delete indexes | | | | | ✓ |
Storage
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| View storage | ✓ | ✓ | ✓ | | ✓ |
| Update storage | | | | | ✓ |
| List storage | ✓ | ✓ | ✓ | | ✓ |
Annotator Configs
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create configs | | | | | ✓ |
| View configs | ✓ | ✓ | | | ✓ |
| Edit configs | | | | | ✓ |
| Delete configs | | | | | ✓ |
| List configs | ✓ | ✓ | | | ✓ |
Credentials
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create credentials | ✓ | | | | |
| View credentials | ✓ | | | | |
| Edit credentials | ✓ | | | | |
| List credentials | ✓ | ✓ | | | |
API Keys
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| Create API keys | ✓ | | | | |
| View API keys | ✓ | | | | |
| Delete API keys | ✓ | | | | |
| List API keys | ✓ | | | | |
Events
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| View events | ✓ | ✓ | ✓ | | |
| List events | ✓ | ✓ | ✓ | | |
Roles
| Permission | Editor | Member | Workflow Editor | Deployment Editor | Document Editor |
|---|---|---|---|---|---|
| View roles | ✓ | ✓ | ✓ | ✓ | ✓ |
| List roles | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage roles | | | | | |
Only Administrators can manage roles (create, edit, delete custom roles) and manage users (invite, remove, change roles).
Managing User Roles
Administrators can update any user’s role from the Members settings page.
Navigate to Members
From the sidebar, go to Settings and select the Members tab.
Select a User
Click the edit icon next to the user whose role you want to change.
Choose New Role
Select a role from the dropdown. The change takes effect immediately.
If the user is currently logged in, they may need to refresh to see updated permissions.
Default Role
New users are assigned the Member role by default. Self-hosted deployments can override this with the DEFAULT_USER_ROLE environment variable:
```bash
# Set default role for new users (defaults to global:admin for self-hosted)
DEFAULT_USER_ROLE=global:member
```
Valid values: global:admin, global:editor, global:member, global:workflow-editor, global:deployment-editor, global:document-editor.
Custom Roles
For access patterns that don’t fit the built-in roles, administrators can create custom roles with specific permission combinations.
Navigate to Roles
From the sidebar, go to Settings and select the Roles tab.
Create Role
Click Create Role and provide a name and description.
Configure Permissions
Select individual scopes grouped by resource. Scopes follow the resource:operation format (e.g., workflow:create, deployment:delete).
Save
The custom role becomes available for assignment immediately.
SSO Role Mapping
When users authenticate via SSO, their provider-assigned roles are mapped to M3 Forge roles:
| SSO Role | M3 Forge Role |
|---|---|
| owner | Administrator |
| admin | Administrator |
| editor | Editor |
| member | Editor |
| (no role) | Member |
SSO users assigned the member role in the identity provider are mapped to Editor (active contributor), not the read-only Member role. Users without any SSO role assignment receive the read-only Member role.
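To make the scope model and the SSO mapping concrete, here is an added example (not M3 Forge's own code) that encodes a subset of the permissions matrix as resource:operation scopes, resolves the Administrator wildcard, applies the SSO role mapping, and audits a role for scopes on a resource it should not touch. Only workflow:create and deployment:delete appear on the page; the other scope names, and the handling of unrecognized provider roles, are assumptions.

```python
# Added example, not M3 Forge's own code. Only workflow:create and
# deployment:delete appear on the page; the other scope names are assumed.
from typing import Dict, FrozenSet, List, Optional

# Subset of the permissions matrix, keyed by the DEFAULT_USER_ROLE values.
ROLE_SCOPES: Dict[str, FrozenSet[str]] = {
    "global:admin": frozenset({"*"}),  # wildcard: every operation on every resource
    "global:editor": frozenset({
        "workflow:create", "workflow:read", "workflow:update", "workflow:delete",
        "workflow:execute", "credential:create", "credential:read",
        "credential:update", "credential:list", "apikey:create", "gateway:read",
    }),
    "global:member": frozenset({"workflow:read", "credential:list", "gateway:read"}),
    "global:workflow-editor": frozenset({
        "workflow:create", "workflow:read", "workflow:update", "workflow:delete",
        "workflow:execute", "job:cancel", "job:retry", "gateway:read",
    }),
}

# Provider role -> M3 Forge role, as in the SSO Role Mapping table.
SSO_ROLE_MAP = {"owner": "global:admin", "admin": "global:admin",
                "editor": "global:editor", "member": "global:editor"}


def resolve_sso_role(provider_role: Optional[str]) -> str:
    """No provider role -> read-only Member. Treating an unrecognized
    provider role the same way is an assumption, not documented on the page."""
    if provider_role is None:
        return "global:member"
    return SSO_ROLE_MAP.get(provider_role, "global:member")


def has_permission(role: str, scope: str) -> bool:
    """True if the role holds the exact scope or the Administrator wildcard."""
    scopes = ROLE_SCOPES.get(role, frozenset())  # unknown role -> no access
    return "*" in scopes or scope in scopes


def audit_separation(role: str, resource: str) -> List[str]:
    """Scopes on `resource` this role holds; an empty list means the boundary holds."""
    return sorted(s for s in ROLE_SCOPES.get(role, frozenset())
                  if s == "*" or s.startswith(resource + ":"))
```

Running audit_separation over each specialized role and the resources it should not reach is a quick way to verify the separation-of-duties boundaries this page describes before assigning the roles.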
Best Practices
Principle of Least Privilege
Assign users the minimum role required for their responsibilities:
- Start new users with Member (read-only)
- Promote to a specialized editor role (Workflow, Deployment, or Document) based on their function
- Grant Editor for broad contributor access
- Reserve Administrator for platform operators
Specialized Roles for Separation of Duties
Use the specialized editor roles to enforce boundaries:
- Workflow Editor for pipeline developers who don’t need credential access
- Deployment Editor for release engineers managing infrastructure
- Document Editor for knowledge base curators managing RAG indexes
This prevents accidental modification of resources outside a user’s domain.
Next Steps
- Configure HMAC authentication for API request signing
- Set up data retention policies for compliance
- Manage users and invitations from the admin panel