Users & Roles: Access Control in Forjinn
Invite team members, assign roles, and define exactly what each person can do in Forjinn using built-in roles or custom ones you create yourself.
Forjinn's access control system lets you decide who can see, create, and modify every resource in your organization. You start by inviting users and assigning them a role. Roles are collections of permissions — you can use Forjinn's built-in roles or build your own from scratch. Custom roles and advanced role management require the Enterprise plan.
Invite a user
You need the users:manage permission to invite users.
In the left sidebar, go to Users under the User & Workspace Management section.
Select Invite user in the top-right corner.
Type the new user's email address.
Select a role from the dropdown. This determines what the user can do across the organization. You can change it later.
Click Invite. The user receives an email with a link to set up their account. Once they accept, they appear in your Users list.
Built-in roles
Forjinn ships with pre-configured roles that cover the most common access patterns:
Admin
Full access to all resources, user management, role management, and SSO configuration.
Member
Standard access to flows, tools, credentials, and other workspace resources based on default permissions.
Create a custom role
Custom roles let you grant only the permissions a person needs — no more. You need the roles:manage permission.
In the left sidebar, go to Roles under the User & Workspace Management section.
Select New role in the top-right corner.
Give it a clear, descriptive name — for example, "Flow Editor" or "Read-only Analyst".
Toggle on the permissions this role should have. Permissions are grouped by category (see the reference below).
Click Save. The role is now available to assign to users.
Start with the minimum permissions a user needs to do their job. You can always add more later.
Assign or change a user's role
You need the users:manage permission.
Navigate to Users in the sidebar.
Click the user's name or the edit icon next to them.
Select a new role from the Role dropdown and save. The change takes effect on their next request.
Permissions reference
Permissions are organized by category. Each permission follows the format category:action.
Chatflows
Manage conversational pipelines.
| Permission | What it allows |
|---|---|
chatflows:view | View chatflows |
chatflows:create | Create new chatflows |
chatflows:update | Edit chatflows |
chatflows:duplicate | Duplicate chatflows |
chatflows:delete | Delete chatflows |
chatflows:export | Export chatflows |
chatflows:import | Import chatflows |
chatflows:config | Edit chatflow configuration |
chatflows:domains | Manage allowed domains |
Agentflows
Manage LangFlow-based agent workflows.
| Permission | What it allows |
|---|---|
agentflows:view | View agentflows |
agentflows:create | Create agentflows |
agentflows:update | Edit agentflows |
agentflows:duplicate | Duplicate agentflows |
agentflows:delete | Delete agentflows |
agentflows:export | Export agentflows |
agentflows:import | Import agentflows |
agentflows:config | Edit agentflow configuration |
agentflows:domains | Manage allowed domains |
Google ADK
Manage Google ADK agent projects.
| Permission | What it allows |
|---|---|
autoadk:view | View ADK projects |
autoadk:create | Create ADK projects |
autoadk:update | Edit ADK projects |
autoadk:duplicate | Duplicate ADK projects |
autoadk:delete | Delete ADK projects |
autoadk:export | Export ADK projects |
autoadk:import | Import ADK projects |
CrewAI
Manage CrewAI multi-agent workflows.
| Permission | What it allows |
|---|---|
crewai:view | View CrewAI flows |
crewai:create | Create CrewAI flows |
crewai:update | Edit CrewAI flows |
crewai:duplicate | Duplicate CrewAI flows |
crewai:delete | Delete CrewAI flows |
crewai:export | Export CrewAI flows |
crewai:import | Import CrewAI flows |
AutoGen
Manage AutoGen generative AI workflows.
| Permission | What it allows |
|---|---|
autogen:view | View AutoGen flows |
autogen:create | Create AutoGen flows |
autogen:update | Edit AutoGen flows |
autogen:duplicate | Duplicate AutoGen flows |
autogen:delete | Delete AutoGen flows |
autogen:export | Export AutoGen flows |
autogen:import | Import AutoGen flows |
Tools
Manage custom utility tools.
| Permission | What it allows |
|---|---|
tools:view | View tools |
tools:create | Create tools |
tools:update | Edit tools |
tools:delete | Delete tools |
tools:export | Export tools |
Assistants
Manage AI assistants.
| Permission | What it allows |
|---|---|
assistants:view | View assistants |
assistants:create | Create assistants |
assistants:update | Edit assistants |
assistants:delete | Delete assistants |
Credentials
Manage API keys and authentication credentials stored in Forjinn.
| Permission | What it allows |
|---|---|
credentials:view | View credentials |
credentials:create | Create credentials |
credentials:update | Edit credentials |
credentials:delete | Delete credentials |
credentials:share | Share credentials across workspaces |
Variables
Manage global variables used across flows.
| Permission | What it allows |
|---|---|
variables:view | View variables |
variables:create | Create variables |
variables:update | Edit variables |
variables:delete | Delete variables |
API keys
Manage Forjinn API keys used to authenticate external requests.
| Permission | What it allows |
|---|---|
apikeys:view | View API keys |
apikeys:create | Create API keys |
apikeys:update | Rename API keys |
apikeys:delete | Delete API keys |
apikeys:import | Import API keys from a JSON file |
Document stores
Manage document stores for retrieval-augmented generation.
| Permission | What it allows |
|---|---|
documentStores:view | View document stores |
documentStores:create | Create document stores |
documentStores:update | Edit document stores |
documentStores:delete | Delete a document store |
documentStores:add-loader | Add a document loader |
documentStores:delete-loader | Remove a document loader |
documentStores:preview-process | Preview and process document chunks |
documentStores:upsert-config | Configure upsert settings |
Datasets
Manage evaluation datasets.
| Permission | What it allows |
|---|---|
datasets:view | View datasets |
datasets:create | Create datasets |
datasets:update | Edit datasets |
datasets:delete | Delete datasets |
Executions
View and manage flow execution history.
| Permission | What it allows |
|---|---|
executions:view | View execution history |
executions:delete | Delete execution records |
Evaluators
Manage evaluation metric configurations.
| Permission | What it allows |
|---|---|
evaluators:view | View evaluators |
evaluators:create | Create evaluators |
evaluators:update | Edit evaluators |
evaluators:delete | Delete evaluators |
Evaluations
Run and manage evaluation results.
| Permission | What it allows |
|---|---|
evaluations:view | View evaluations |
evaluations:create | Create evaluations |
evaluations:update | Edit evaluations |
evaluations:delete | Delete evaluations |
evaluations:run | Re-run an evaluation |
Templates
Manage marketplace and custom templates.
| Permission | What it allows |
|---|---|
templates:marketplace | View marketplace templates |
templates:custom | View custom templates |
templates:custom-delete | Delete custom templates |
templates:toolexport | Export a tool as a template |
templates:flowexport | Export a flow as a template |
templates:custom-share | Share custom templates |
Workspace
Control workspace membership and data.
| Permission | What it allows |
|---|---|
workspace:view | View workspaces |
workspace:create | Create workspaces |
workspace:update | Edit workspace settings |
workspace:add-user | Add members to a workspace |
workspace:unlink-user | Remove members from a workspace |
workspace:delete | Delete a workspace |
workspace:export | Export workspace data |
workspace:import | Import data into a workspace |
Admin
Organization-level administration.
| Permission | What it allows |
|---|---|
users:manage | Invite, update, and remove organization users |
roles:manage | Create, update, and delete roles |
sso:manage | Configure SSO login methods |
Logs
| Permission | What it allows |
|---|---|
logs:view | View system logs |
Custom roles and the roles:manage, sso:manage permissions require the Enterprise plan. On the Cloud plan, you can assign built-in roles but cannot create custom ones.
Remove a user
You need the users:manage permission.
Navigate to Users in the sidebar.
Click the user's name or the actions menu next to them.
Click Remove user and confirm. The user's account is deactivated and they can no longer log in. Their content (flows, credentials, etc.) remains in the workspace.