Role-Based Access Guide
ForgePortal uses role-based access control (RBAC). Your role is assigned by an administrator (via the Admin → Permissions area or your IdP group mapping) and determines which actions you can perform. This page lists the five roles and their permissions.
The five roles
| Role | Typical use | Scope |
|---|---|---|
| platform-admin | Full platform control: admin UI, users, settings, plugins, integrations. | Global. |
| template-admin | Manage templates and scorecards; run templates and actions; read entities and docs. Cannot manage users or admin settings. | Global. |
| team-admin | Create/update entities, run templates and actions, read scorecards and docs. Cannot create/update/delete templates or scorecards. | Often scoped to a team (by entity ownership or future scope). |
| developer | Read catalog, run templates and actions, read scorecards and docs. Cannot create or edit entities, templates, or scorecards. | General developers. |
| viewer | Read-only: catalog, templates (metadata), action list, scorecards, docs. Cannot run templates or actions. | Auditors, read-only users. |
Tip: Role hierarchy (for display or future use): platform-admin > template-admin > team-admin > developer > viewer. Higher roles have at least the permissions of lower roles where it applies.
Permissions matrix
The table below is derived from the RBAC configuration. A β means that role has the permission; a β means it does not.
| Permission | platform-admin | template-admin | team-admin | developer | viewer |
|---|---|---|---|---|---|
| Catalog & entities | |||||
| entity:read | β | β | β | β | β |
| entity:create | β | β | β | β | β |
| entity:update | β | β | β | β | β |
| entity:delete | β | β | β | β | β |
| Templates | |||||
| template:read | β | β | β | β | β |
| template:create | β | β | β | β | β |
| template:update | β | β | β | β | β |
| template:delete | β | β | β | β | β |
| template:run | β | β | β | β | β |
| Actions | |||||
| action:read | β | β | β | β | β |
| action:run | β | β | β | β | β |
| Scorecards | |||||
| scorecard:read | β | β | β | β | β |
| scorecard:create | β | β | β | β | β |
| scorecard:update | β | β | β | β | β |
| scorecard:delete | β | β | β | β | β |
| scorecard:evaluate | β | β | β | β | β |
| Docs | |||||
| docs:read | β | β | β | β | β |
| Integrations | |||||
| integration:read | β | β | β | β | β |
| integration:manage | β | β | β | β | β |
| Admin | |||||
| admin:users | β | β | β | β | β |
| admin:settings | β | β | β | β | β |
| admin:plugins | β | β | β | β | β |
| Audit | |||||
| audit:read | β | β | β | β | β |
Who uses which role?
- platform-admin: SREs or platform team leads who configure the portal, OIDC, SCM, plugins, and user/role assignments. Only they see the Admin menu (Integrations, Permissions, Plugins, Scan).
- template-admin: People who define golden-path templates and scorecards (e.g. "Create service", "Must have README"). They can run templates and fix actions too.
- team-admin: Team leads who register and update their team's entities and run templates; they do not define templates or scorecards.
- developer: Engineers who browse the catalog, run templates to create repos/PRs, and check scorecards. They cannot create or edit entities or templates.
- viewer: Read-only access for compliance, auditors, or external stakeholders. They can open the catalog, templates list, action runs, and scorecards but cannot run anything.
How your role is set
- OIDC: Your IdP groups (or roles) are mapped to ForgePortal roles in config (e.g. `auth.roleMapping`). When you log in, your role is resolved from your groups.
- Admin UI: A platform-admin can assign roles in Admin → Permissions by adding entries (subject ref, role, optional scope). Subject refs are typically `user:email` or `team:slug`.
If you believe your role is wrong, contact your administrator or check the configured role mapping and permissions entries.
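To make the two role sources above concrete, here is an added example (not ForgePortal's own code) that resolves a user's effective role from a group mapping and from Admin → Permissions entries. The config shapes, the "highest role wins" rule and the sample values are assumptions; only the role names, the hierarchy and the `user:email` / `team:slug` subject-ref forms come from this guide.

```python
# Added example, not ForgePortal's implementation. Resolves the effective role
# for a user from (1) an IdP-group -> role mapping and (2) permission entries of
# the form (subject ref, role, optional scope). The dict/list shapes below are
# assumed for this example; a user with no matching source gets no role at all.

# Hierarchy from the guide, most privileged first.
ROLE_ORDER = ["platform-admin", "template-admin", "team-admin", "developer", "viewer"]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}

# Constructed stand-in for auth.roleMapping: IdP group -> ForgePortal role.
ROLE_MAPPING = {
    "sre": "platform-admin",
    "golden-path-authors": "template-admin",
    "engineering": "developer",
    "auditors": "viewer",
}

# Constructed stand-in for Admin > Permissions entries: (subject ref, role, scope).
PERMISSION_ENTRIES = [
    ("user:alice@example.com", "team-admin", "team:payments"),
    ("team:payments", "developer", None),
]


def highest(roles):
    """Most privileged known role among `roles`; None if nothing matched."""
    known = [r for r in roles if r in RANK]
    return min(known, key=RANK.__getitem__) if known else None


def resolve_role(email, groups, teams, scope=None):
    """Effective role for a user. Unknown groups grant nothing, and an entry
    with a scope only applies when the caller asks for that same scope."""
    candidates = [ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING]
    subjects = {f"user:{email}"} | {f"team:{t}" for t in teams}
    for subject, role, entry_scope in PERMISSION_ENTRIES:
        if subject in subjects and (entry_scope is None or entry_scope == scope):
            candidates.append(role)
    return highest(candidates)


if __name__ == "__main__":
    print(resolve_role("alice@example.com", ["engineering"], ["payments"], "team:payments"))
    print(resolve_role("carol@example.com", ["contractors"], []))
```

A `None` result should be treated as no access by the caller rather than silently mapped to a default role.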