--- title: Roles and permissions reference description: 'The full TestingBot permission catalog: every RBAC and IAM permission, the keys behind them, and which built-in role grants each one.' source_url: html: https://testingbot.com/support/team/rbac/roles-and-permissions md: https://testingbot.com/support/team/rbac/roles-and-permissions/index.md --- # Roles and permissions reference This page is the authoritative catalog of every permission in TestingBot. Permissions are split across two role types. RBAC permissions control what you can do inside the testing products. IAM permissions control who can administer the account and grant access to others. Each permission has a stable key (for example `tests.run`). The tables below show the exact key for every permission and which built-in role grants it. For an introduction to how these two role types fit together, see [Role-based access control](https://testingbot.com/support/team/rbac). To manage assignments, open [Roles & Permissions](https://testingbot.com/members/roles) and [Team Members](https://testingbot.com/members/sub). Role-based access control is available on the Enterprise plan.[See plans](https://testingbot.com/pricing). ## RBAC permissions RBAC permissions describe product and entity capabilities: what a member can do in Live Testing, Automated Testing, Visual Testing, and the other products. They are resolved from the RBAC tier (Admin, User, or Viewer) or from an assigned custom role. The account Owner and service accounts always receive full RBAC capability. A "✓" means the role's bundle grants the permission. An empty cell means it does not. | Permission | Key | Admin | User | Viewer | | --- | --- | --- | --- | --- | | Products | | --- | | Live Web Testing | `product.live_web.access` | ✓ | ✓ | ✓ | | Live App Testing | `product.live_app.access` | ✓ | ✓ | ✓ | | Automated Testing | `product.automation.access` | ✓ | ✓ | ✓ | | Visual Testing | `product.visual.access` | ✓ | ✓ | ✓ | | Accessibility Testing | `product.accessibility.access` | ✓ | ✓ | ✓ | | AI Testing | `product.ai.access` | ✓ | ✓ | ✓ | | Tests | | --- | | View tests | `tests.view` | ✓ | ✓ | ✓ | | Run tests | `tests.run` | ✓ | ✓ | | | Delete tests | `tests.delete` | ✓ | | | | Integrations | | --- | | View integrations | `integrations.view` | ✓ | ✓ | ✓ | | Reports | | --- | | View reports | `reports.view` | ✓ | ✓ | ✓ | The six `product.*` permissions are necessary but not sufficient: a member can only use a product when both the role grants the product permission and the plan includes that product. In the role editor, products that the plan does not include show a "plan" badge. A member's effective product access is therefore the role permission combined with plan inclusion. For more detail, see [Product access](https://testingbot.com/support/team/rbac/product-access). ## IAM permissions IAM permissions describe administrative authority: who can manage the account, manage team members, manage billing, and grant access to others. They are derived from the organization role (Owner, Admin, or User) and are fixed, so they cannot be customized. A "✓" means the role grants the permission. An empty cell means it does not. | Permission | Key | Owner | Admin | User | | --- | --- | --- | --- | --- | | Team | | --- | | View team members | `team.members.view` | ✓ | ✓ | | | Manage team members | `team.members.manage` | ✓ | ✓ | | | Manage roles | `team.roles.manage` | ✓ | ✓ | | | Billing | | --- | | View billing | `billing.view` | ✓ | ✓ | | | Manage billing | `billing.manage` | ✓ | ✓ | | | Account | | --- | | View account settings | `account.settings.view` | ✓ | ✓ | | | Manage account settings | `account.settings.manage` | ✓ | ✓ | | | Transfer ownership | `account.transfer_ownership` | ✓ | | | | Delete account | `account.delete` | ✓ | | | | Manage integrations | `integrations.manage` | ✓ | ✓ | | | Manage service accounts | `service_accounts.manage` | ✓ | ✓ | | | Manage security | `security.manage` | ✓ | ✓ | | Note that `integrations.manage` is an IAM permission (who can configure integrations for the account), while `integrations.view` in the RBAC table above is a separate product capability. For background on these two role types, see [Member roles](https://testingbot.com/support/team/rbac/member-roles) and [Service accounts](https://testingbot.com/support/team/service-accounts). ## Key differences - A **Viewer** (RBAC) can view, but cannot run or delete tests: both `tests.run` and `tests.delete` are withheld. This is the read-only product role. - A **User** (RBAC) can do everything a member needs day to day, but cannot delete tests: `tests.delete` is reserved for Admin. - An **Admin** (IAM) can manage the team, billing, account settings, integrations, service accounts, and security, but cannot transfer ownership or delete the account: `account.transfer_ownership` and `account.delete` are reserved for the Owner. - A **User** (IAM) has no administrative authority at all. IAM permissions are fixed and derived from the organization role, so they cannot be customized. - **Custom roles are RBAC-only.** They can grant or withhold any RBAC permission, but can never grant IAM permissions. See [Custom roles](https://testingbot.com/support/team/rbac/custom-roles). Related reading: [Roles and permissions overview](https://testingbot.com/support/team/rbac/roles-and-permissions), [Sub-accounts](https://testingbot.com/support/team/sub-accounts), [Two-factor authentication](https://testingbot.com/support/team/2fa), [Enforce two-factor authentication](https://testingbot.com/support/team/enforce-2fa), and [Audit logs](https://testingbot.com/support/team/audit-logs). ### Looking for more help? Have questions or need more information? Reach out via email or Slack. [Email us](https://testingbot.com/contact/new)[Slack Join our Slack](https://join.slack.com/t/testingb0t/shared_invite/zt-3bcw9xch-jk19~6XPs_xBrsAgAedkCw)