FortWatch
Role-Based Access Control

Five roles. Right-sized permissions for every security team.

Isolated workspaces, a full audit trail, and permissions precise enough to hand to developers, auditors, and stakeholders without rewriting your internal process.

Team members

7 active · 1 pending

  • Priya Chen (priya@example.com): Owner
  • Marcus Rivera (marcus@example.com): Admin
  • Maya Patel (maya@example.com): Manager
  • Jordan Taylor (jordan@example.com): Member
  • Kenji Kim (kenji@example.com): Member
  • Sophia Wilson (auditor) (sophia@wilson-audit.com): Viewer
  • alex@example.com: invitation sent 2 hours ago, pending, Manager

Five roles. No guesswork.

Most products ship two or three roles and expect you to improvise. FortWatch gives you five — each one mapped to a real job on a real security team.

Owner

1 per workspace

The account holder. Everything an admin can do, plus billing, subscription changes, and workspace deletion.

Full control, including money and account lifecycle.

Admin

Unlimited

Runs the workspace day-to-day. Same surface as the owner — except billing, plan changes, and workspace deletion stay with the owner.

Everything operational: team, settings, assets, scans.

Manager

Unlimited

Drives the security work. Adds and edits assets, runs scans, triages issues, and assigns findings — without touching team or billing settings.

Assets, scans, issues, findings.

Member

Unlimited

Usually a developer or engineer. Sees everything, comments on issues, and marks findings fixed — but can't change the asset list or start scans.

Read + act on findings they're assigned.

Viewer

Unlimited

Stakeholders who need visibility but shouldn't touch the product — auditors, executives, guests during compliance reviews.

Read-only. Zero write actions.

What each role can do

The exact permission matrix — no fine print, no upsell tiers. Every plan gets the full role model.

Permission | Owner | Admin | Manager | Member | Viewer
View dashboard, assets, findings
Comment on issues and findings
Mark findings as fixed / dismissed
Run manual scans
Add, edit, remove assets
Configure scan schedules and alerts
Invite users and set roles
Workspace settings and integrations
API keys and webhooks
Manage billing and subscription
Change plan or cancel subscription
Delete the workspace

Unlimited users on every plan. You pay for assets and scans — not for seats.

Isolated workspaces for every team or client

Separate workspaces keep inventories, findings, and schedules cleanly partitioned. MSPs use them for each client. Enterprises use them for product lines or subsidiaries. Agencies use them per engagement. The assets, scans, and people in one workspace never bleed into another.

  • Independent asset inventories and scan schedules per workspace
  • Separate member lists and role assignments
  • Cross-workspace visibility for administrators who need the full picture
  • Transfer assets between workspaces without re-scanning from scratch

Audit log built for compliance reviews

Every action in FortWatch is logged — invites, role changes, asset edits, scan triggers, settings changes, API key rotations. When your SOC 2 auditor asks "who gave this developer access to production assets on March 14?", you answer in seconds.

  • Timestamped record of every write action with actor and outcome
  • Filter by user, action type, workspace, or date range
  • CSV export for SOC 2, ISO 27001, and internal reviews
  • Retained for the life of the workspace — no hidden retention window
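
The auditor's question above can be answered from a CSV export with a short script, which also flags access changes attempted by anyone outside the Owner and Admin roles. This is an added example, not FortWatch code: the column names (`actor_role`, `action`, `target`, `detail`), the action names, and the sample rows including the year are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names are assumptions for illustration;
# the page only says each record carries actor, timestamp, workspace, outcome.
SAMPLE_EXPORT = """timestamp,workspace,actor,actor_role,action,target,detail,outcome
2025-03-13T16:02:11Z,prod,marcus@example.com,Admin,invite_sent,jordan@example.com,role=Member,success
2025-03-14T09:15:40Z,prod,marcus@example.com,Admin,role_change,jordan@example.com,Member->Manager,success
2025-03-14T09:20:05Z,staging,maya@example.com,Manager,role_change,kenji@example.com,Member->Manager,denied
2025-03-14T11:47:32Z,prod,priya@example.com,Owner,api_key_rotated,ci-key,,success
2025-03-15T08:01:00Z,prod,priya@example.com,Owner,role_change,jordan@example.com,Manager->Member,success
"""

ACCESS_ACTIONS = {"invite_sent", "role_change"}  # hypothetical action names
ROLE_ADMINS = {"Owner", "Admin"}  # per the page: only these invite and set roles


def load(export_text):
    """Parse the export and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for r in rows:
        r["when"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    return rows


def who_granted(rows, target, day, workspace):
    """Successful access-granting events for one user, workspace and UTC day."""
    return [
        r for r in rows
        if r["action"] in ACCESS_ACTIONS
        and r["target"] == target
        and r["workspace"] == workspace
        and r["when"].date() == day
        and r["outcome"] == "success"
    ]


def unexpected_role_admins(rows):
    """Access-change attempts by actors outside Owner/Admin, whatever the outcome."""
    return [r for r in rows
            if r["action"] in ACCESS_ACTIONS and r["actor_role"] not in ROLE_ADMINS]


if __name__ == "__main__":
    log = load(SAMPLE_EXPORT)
    for r in who_granted(log, "jordan@example.com", date(2025, 3, 14), "prod"):
        print(r["timestamp"], r["actor"], r["action"], r["detail"])
    for r in unexpected_role_admins(log):
        print("review:", r["timestamp"], r["actor"], r["actor_role"], r["outcome"])
```
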

Invite. Onboard. Offboard.

A new hire joins your team Friday — they should be triaging findings Monday morning. FortWatch makes the bureaucratic part invisible so your people get to work.

Invitations with pre-assigned roles

Pick the role before sending. One click from the invitee. No back-and-forth.

Instant role changes

Promote, downgrade, or revoke in one click. Takes effect on the user's next action.

Clean offboarding

Remove a user and their history stays in the audit log under their name. You keep the record; they lose access.

Pending invitation management

Resend, revoke, or reassign outstanding invites before they're accepted.

Frequently asked questions

Answers to the most common questions about roles, workspaces, and audit.

What's the difference between Owner and Admin in FortWatch?

Owners and Admins share the same operational permissions — both can manage assets, scans, team members, and settings. The difference is billing authority: only the Owner can change the plan, update payment methods, cancel the subscription, or delete the workspace. This keeps the account holder in control of money and lifecycle decisions even when they delegate day-to-day administration.

What can a Member do that a Viewer cannot?

Members are designed for developers and engineers who need to act on findings. They can comment on issues, mark findings as fixed or dismissed, and interact with the remediation workflow. Viewers are strictly read-only — they can see the same dashboards and data but cannot take any actions. Use Member for people fixing things; use Viewer for auditors, executives, and stakeholders.

Can Managers invite new team members?

No. Inviting users and changing roles is reserved for Owners and Admins. Managers focus on the security work itself: assets, scans, and findings. This keeps team composition changes auditable under a smaller set of privileged accounts.

Does FortWatch keep an audit log?

Yes. Every action — invitations, role changes, asset edits, scan triggers, settings changes — is recorded with actor, timestamp, workspace, and outcome. The log is filterable by user and date, exportable for compliance, and retained for the life of the workspace so you can answer 'who did what, when' during SOC 2, ISO 27001, or internal reviews.

Can I create multiple workspaces for different teams or clients?

Yes. Workspaces are fully isolated — separate assets, scan schedules, findings, and team members. This is the standard model for MSPs managing client infrastructure, enterprises separating product lines, and agencies running engagements for multiple customers. Owners and Admins can hold cross-workspace visibility if needed.

What happens when I remove a team member?

Their access is revoked immediately, but their comments, assigned findings, and historical actions remain in the audit log under their name. You preserve the record of what they did without leaving them an active session. Pending invitations they created can be reassigned to another admin.

Can I change someone's role after they've been invited?

Yes. Owners and Admins can change any user's role at any time. Role changes take effect on the user's next action and are recorded in the audit log. Downgrading a Manager to a Member, for example, immediately removes their ability to edit assets while preserving their ability to work on issues they've already been assigned.

Is there a limit on how many users I can add?

No. FortWatch doesn't charge per seat. Every plan includes unlimited Owners (one per workspace), Admins, Managers, Members, and Viewers. You pay for assets and scans, not for inviting your team — so there's no reason to leave your developers or compliance stakeholders outside the product.
