Managing user permissions and roles
TestRail’s permission and role system allows you to configure and restrict the project access and permissions of individual users and groups. TestRail comes with built-in roles that can be customized and extended. It is also possible to configure per-project access for users and groups, enabling you to customize TestRail’s access control for your needs.
info You can manage users & permissions in the administration area under Administration > Users & Roles in TestRail.
Roles within TestRail are collections of permissions that can be assigned to users (globally and per project) and groups (per project). TestRail already comes with a few preconfigured useful roles such as Guest, Tester or Lead. You can also change the built-in roles or add your own ones. To configure TestRail’s roles, select Administration > Users & Roles.
Note: Enterprise Administrators can now give specific permissions to users using the Project Level Administration in TestRail 6.6. Learn more here.
One role is always the default role in TestRail. The default role is used as a fallback in case you delete roles that are still in use. The default role is also preselected if you add additional users to TestRail.
TestRail 7.0 added a new permission “Permanently Delete”. This will help you limit which users of your instance have permission to delete cases permanently. The other option is to mark the test cases as deleted without permanently deleting them.
When test cases are marked as deleted they can still be seen by toggling “Display Deleted Test Cases”. If you would like to restore any of them, choose the test case and go to its History section. There you can select to restore the test case.
Assigning Global Roles
Every user has an assigned global role. The global role is used if you don’t specify the access of a user for a specific project. For example, if you choose the built-in Tester role as the global role for a user, the user can add test results to all projects that use the global role as the default access.
To change the global role of a user, you can either select the role on the Users & Roles page or change the role when you edit a user account.
Please note that you can also assign roles (and thus restrict permissions) to administrators. This can be useful if an administrator wants to hide specific projects or disable some functionality in the user interface. But remember that administrators can always change their own roles, so you cannot count on roles to enforce permissions for administrators.
The ‘No Access’ role will deny users access to projects. If this role is set as a user’s global role, the user will not have access to any TestRail projects unless project settings grant different permissions. The ‘No Access’ global role requires TestRail 6.6 or later.
Groups can be used to manage a collection of users, e.g. a team of testers, geographical teams or users that belong to a specific client or customer. You can define and configure groups under Administration > Users & Roles.
You can specify and override users’ global roles within each project. To do this, just edit a project in the administration area and select the Access tab.
There are two things you can do here: you can specify the Default Access for the project and you can assign access for specific users or groups. The Default Access is used for all users and groups that don’t override the project access.
For example, by default, all users have permissions according to their global role (when the Default Access for a project is set to Global Role). However, you can also select that no user should have a access to a project (i.e. No Access as Default Access), unless you override the access for a user. You can also use a role as the default access for a project. This allows you to make a project read-only for all users by default, for example.
You can also override the project access for specific groups of users and this applies the configured access/permissions to all users of this group. For example, if you assign Global Role to a group, all users of this group will use their global role. Likewise, if you assign No Access, the users of this group won’t have access to this project. If a user is a member of multiple groups, TestRail uses the sum of the permissions of those groups. Please note that the user access for the project (if any) has precedence over the group settings.
The combination of global roles, default project access and user/group-specific access for projects makes TestRail’s roles and permissions system very flexible. Please see the next section for some examples on how to configure TestRail for typical scenarios.
The following examples explain how to configure TestRail to accomplish some common scenarios with regards to roles and permissions.
Restrict user permissions globally: If you want to restrict the permissions of users, you can assign them the built-in TestRail roles or build your own roles. For example, you can use roles to allow users to add test results but not add any new cases. You can also use roles if you want to prevent users from deleting test cases or any other entity within TestRail.
Individual permissions per project: To use individual permissions per user and project, just select and assign a different role to a user for a project. For example, if a user needs the Designer role for most projects, just assign her this role as her Global Role. To override this role for projects where the user needs the Lead role, just select this role on the project’s Access page.
Hide projects for all users but project members: You can also hide projects from users who don’t need access to it. To do this, just configure No Access as the Default Access for the project. You can then assign specific roles (or their global role) to users that work on the project.
Make a project read-only: If you have a project you don’t work on anymore but want to keep in TestRail to keep the history of the testing data, you can make it read-only. To do this, just configure the Guest role (or equivalent) as the Default Access for the project. Unless you override this role for specific users, all users can only access the project with read-only permissions now.