Role-based access control

Forest uses role-based access control so people see and change only what their job requires.

Last updated June 1, 2026

Forest controls what each person can see and do through roles. Access follows the job, not the individual, so adding or removing someone is a single decision rather than a long checklist.

Roles separate three kinds of work. Some people need to run and update the CAMP assessment, set criticality and target maturity, and act on recommendations. Some need to read scores, benchmarks, and roadmaps without changing inputs. And some manage the account itself: inviting users, assigning roles, and configuring security settings.

Why this matters

Your assessment data describes where your defenses are weakest. That information deserves the same care you give any sensitive record. Scoping access by role limits who can see gaps and who can alter the inputs that drive your Org Score and Forest Score. Because the Forest Intelligence Service is deterministic, every score traces back to specific inputs, so it matters that only the right people can change those inputs.

How to think about assignment

  • Give each person the narrowest role that lets them do their work.

  • Reserve administrative roles for the few who manage users and settings.

  • Review assignments when people change teams or leave.

Least privilege is not a one-time setup. Revisit roles on a regular cadence so access reflects who is actually doing the work today.
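One way to run that recurring review, shown as an added example that is not Forest's own code or API: it checks a roster against the three assignment rules above, using recent audit activity to find the narrowest role that still covers what each person does. The role and permission names, the roster and audit record shapes, the 90-day window, and the limit of two admins are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Hypothetical roles for the three kinds of work described above.
# Role and permission names are assumptions, not Forest identifiers.
ROLE_PERMS = {
    "viewer": {"read"},
    "assessor": {"read", "edit_assessment"},
    "admin": {"read", "manage_account"},
}

# Constructed sample data: a roster export and audit records.
TODAY = date(2026, 6, 1)
ASSIGNMENTS = [
    {"user": "ana", "role": "admin", "active": True},
    {"user": "ben", "role": "assessor", "active": True},
    {"user": "cho", "role": "viewer", "active": False},  # left the team
    {"user": "dee", "role": "admin", "active": True},
    {"user": "eli", "role": "admin", "active": True},
]
AUDIT = [  # (user, permission exercised, date)
    ("ana", "manage_account", date(2026, 5, 20)),
    ("ben", "read", date(2026, 5, 10)),
    ("ben", "edit_assessment", date(2025, 11, 1)),  # outside the window
    ("dee", "read", date(2026, 5, 28)),
    ("eli", "manage_account", date(2026, 4, 2)),
]

def narrowest_role(used):
    """Smallest role whose permissions cover everything the user did."""
    fits = [r for r, p in ROLE_PERMS.items() if used <= p]
    return min(fits, key=lambda r: len(ROLE_PERMS[r])) if fits else None

def review(assignments, audit, today, window_days=90, max_admins=2):
    cutoff = today - timedelta(days=window_days)
    findings = []
    for a in assignments:
        user, role = a["user"], a["role"]
        if not a["active"]:  # changed teams or left: access should go
            findings.append((user, f"inactive but still holds '{role}'"))
            continue
        used = {p for u, p, day in audit if u == user and day >= cutoff}
        best = narrowest_role(used)
        if best and len(ROLE_PERMS[best]) < len(ROLE_PERMS[role]):
            findings.append((user, f"holds '{role}', activity needs '{best}'"))
    admins = [a["user"] for a in assignments if a["active"] and a["role"] == "admin"]
    if len(admins) > max_admins:  # administrative roles stay few
        findings.append(("*", f"{len(admins)} admins, limit is {max_admins}"))
    return findings
```

Findings are prompts for a human decision, not automatic downgrades: someone who edits the assessment once a quarter may show no activity in a shorter window.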

Role-based access works alongside the other controls in this section. See Multi-factor authentication for how individuals prove who they are, and Audit logging for the record of what each role did.