Roles and permissions reference

This page is the authoritative catalog of every permission in TestingBot. Permissions are split across two role types. RBAC permissions control what you can do inside the testing products. IAM permissions control who can administer the account and grant access to others.

Each permission has a stable key (for example tests.run). The tables below show the exact key for every permission and which built-in role grants it. For an introduction to how these two role types fit together, see Role-based access control. To manage assignments, open Roles & Permissions and Team Members.

Role-based access control is available on the Enterprise plan. See plans.

RBAC permissions

RBAC permissions describe product and entity capabilities: what a member can do in Live Testing, Automated Testing, Visual Testing, and the other products. They are resolved from the RBAC tier (Admin, User, or Viewer) or from an assigned custom role. The account Owner and service accounts always receive full RBAC capability.

A "✓" means the role's bundle grants the permission. An empty cell means it does not.

Permission	Key	Admin	User	Viewer
Products
Live Web Testing	`product.live_web.access`	✓	✓	✓
Live App Testing	`product.live_app.access`	✓	✓	✓
Automated Testing	`product.automation.access`	✓	✓	✓
Visual Testing	`product.visual.access`	✓	✓	✓
Accessibility Testing	`product.accessibility.access`	✓	✓	✓
AI Testing	`product.ai.access`	✓	✓	✓
Tests
View tests	`tests.view`	✓	✓	✓
Run tests	`tests.run`	✓	✓
Delete tests	`tests.delete`	✓
Integrations
View integrations	`integrations.view`	✓	✓	✓
Reports
View reports	`reports.view`	✓	✓	✓

The six product.* permissions are necessary but not sufficient: a member can only use a product when both the role grants the product permission and the plan includes that product. In the role editor, products that the plan does not include show a "plan" badge. A member's effective product access is therefore the role permission combined with plan inclusion. For more detail, see Product access.

IAM permissions

IAM permissions describe administrative authority: who can manage the account, manage team members, manage billing, and grant access to others. They are derived from the organization role (Owner, Admin, or User) and are fixed, so they cannot be customized.

A "✓" means the role grants the permission. An empty cell means it does not.

Permission	Key	Owner	Admin
Team
View team members	`team.members.view`	✓	✓
Manage team members	`team.members.manage`	✓	✓
Manage roles	`team.roles.manage`	✓	✓
Billing
View billing	`billing.view`	✓	✓
Manage billing	`billing.manage`	✓	✓
Account
View account settings	`account.settings.view`	✓	✓
Manage account settings	`account.settings.manage`	✓	✓
Transfer ownership	`account.transfer_ownership`	✓
Delete account	`account.delete`	✓
Manage integrations	`integrations.manage`	✓	✓
Manage service accounts	`service_accounts.manage`	✓	✓
Manage security	`security.manage`	✓	✓

Note that integrations.manage is an IAM permission (who can configure integrations for the account), while integrations.view in the RBAC table above is a separate product capability. For background on these two role types, see Member roles and Service accounts.

Key differences

A Viewer (RBAC) can view, but cannot run or delete tests: both tests.run and tests.delete are withheld. This is the read-only product role.
A User (RBAC) can do everything a member needs day to day, but cannot delete tests: tests.delete is reserved for Admin.
An Admin (IAM) can manage the team, billing, account settings, integrations, service accounts, and security, but cannot transfer ownership or delete the account: account.transfer_ownership and account.delete are reserved for the Owner.
A User (IAM) has no administrative authority at all. IAM permissions are fixed and derived from the organization role, so they cannot be customized.
Custom roles are RBAC-only. They can grant or withhold any RBAC permission, but can never grant IAM permissions. See Custom roles.