Manage roles and permission levels

Roles

This feature is only available to the Admin permission level.

Roles can be created (1) in the Roles tab of your project settings:‌

To manage a role's permissions, click on it (2):

If your project was created before February 2021, please visit this page to learn how to enable this feature.

The above screenshot shows your role's details page. This is where you'll be managing all permissions which should apply to all the users assigned to this role.‌

Permissions are displayed in 2 sections:‌

Smart Action permissions
Collection permissions

Smart Action permissions

This section lets you to easily manage your Smart Action permissioins (for this role only). Click Show more (1) to display all permissions, or Edit permissions (2) to directly edit its Smart Action permissions.‌

Trigger: Allow users assigned to this role to trigger this Smart Action

Approval workflow permissions

You must be on a Forest Admin Pro plan to have access to this feature.

If you are using our approval workflow feature, your approval permissions are also managed within roles.‌

The following options become available if you are on the Pro plan or above:‌

Require approval: Unlike Trigger, the Smart Action will not be executed unless manually approved
Approve: Allow users assigned to this role to approve a trigger request
Self Approve: Allow users assigned to this role to approve their own trigger request

Conditional permissions

In addition to the Pro plan, this feature requires a minimum agent version to be installed.

Your processes likely depend on your data: for instance, a $1,000 refund is more sensitive than a $10 refund. You probably want to authorize your operators to trigger $10 refunds, but not $1,000 or more. This is now possible within the permissions page:

To achieve this, go to the permissions edit page and click on the filter icon:

Permission changes may take up to 15 minutes to apply.

That's it! Your operators may now refund without approval for an amount up to $1,000, but any refund of a higher amount will require an approval.

The same feature is available for Trigger and Approve permissions: use the corresponding filter icons to input the conditions you want.

Collection permissions

Collection permissions allow you to enable/disable the following collection-specific permissions:‌

Read (list): access to the collection's Table View data. Note that the collection must also be shown in the layout to be displayed.
Read (details): access to the Details View (and Summary View) data of any record of this collection.
Create: create a record of this collection (N.B: the "Duplicate" action is also managed by this permission)
Update: update a record of this collection
Delete: delete a record of this collection
Export: export the list of records of this collection

Default permissions

Default permissions allow you to choose default permissions for each newly created Collection or Smart Action.

Here is the initial configuration for a new role:

Smart Actions:

Permission

Value

Trigger

Require approval

Approve

Self approve

Collections:

Permission

Value

Read (list)

Read (details)

Create

Update

Delete

Export

For projects with high security standards, although this involves more frequent manual activation, it is advisable to reduce these default permissions, at least for your production environment. Il will avoid excessive accesses being automatically granted to operators, when a new Collection or Smart Action is released.

Control environment access per role

From a role's details page, you can also:‌

toggle which environments users assigned to this role have access to (1)
select which environment you wish to view permissions of or edit them (2)

Only remote environments are available here, since development environments have all permissions‌.

Export role permissions

At anytime you may export your user role permissions to a CSV file by clicking on Export user permissions from the Users tab:

It contains User information (1), Smart Action name (2) and Collection name (3). Granted permissions (4) are as follows:‌

empty: the user is not authorized to use that Smart Action as part of that team
trigger: the user can trigger that Smart Action
If the approval workflow module is enabled:
- request: the user can ask for an approval to trigger that Smart Action
- request/approve: the user can ask for an approval to trigger that Smart Action and can approve requests of this Smart Action except his own
- request/approve(self): the user can ask for an approval to trigger that Smart Action and can approve requests of this Smart Action including his own

Copy role permissions across environments

Setting up role permissions can take a lot of time, especially if you need to do it all over again for another environment.

This is why we've implemented the "Copy role permissions across environments" feature. In a few clicks, you can apply the permissions of all roles of an environment to another environment.

To use it, go to: Project Settings → Roles → Actions.

Permission level

The permission level of a user determines what Forest Admin administration permissions he has. You can assign one of the following permission levels per user:‌

Forest Admin permission level

Manage Data

Customize admin UI (activate layout editor)

Manage Environments and Development Workflow actions

Manage Teams, Users, Roles

Admin