Roles and permissions

Roles are assigned to users. A role and its permissions determine which actions a user can perform and which areas they can view.

Overview

User permissions are managed using role-based access control (RBAC). A user’s role is made up of permissions based on the user's function, like Leader or Tester. In shared spaces, the role also includes data access control.

Predefined roles are included, most of which can be customized. For details, see Predefined roles.

Roles, permissions, and data access are defined at the space level and are managed by space admins. They are relevant for all associated workspaces. Role permissions cannot be modified on a workspace level.

Regardless of defined roles and permissions, space admins have full permissions to manage any workspaces to which they are assigned.

Permission categories and types

Permissions are assigned to roles, and are organized into permission categories, such as backlog, administration, testing, and more.

Permission categories

The table lists the permissions available for each category. These permissions control the following.

  • How users with the selected role can work with each item in the category.

  • In some cases, whether a user with the selected role can perform additional actions related to the category.

Category: Description
Tests: Permissions for working with all test types, and parameter tables.
Runs: Permissions for working with runs for each type of test.
Backlog: Permissions for working with work items and tasks. Included in this category are permissions for copying work items to another workspace, ranking, and planning.
Requirements: Permissions for working with requirements and folders.
Application Modules: Permissions for working with application modules.
Release Management: Permissions for working with releases, sprints, and milestones.
Teams: Permissions for working with teams.
Security: Permissions for working with vulnerabilities. Note that for security purposes, you can also grant or block view access to vulnerability data.
Pipelines: Permissions for working with pipelines and pipeline builds. Included in this category are permissions for running pipelines.
Integrations: The Comment on behalf permission is for integrations only, to enable identification of comments by users when using the API key to import. This should not be used for any other purpose.
Administration: Permissions for customizing the workspace, such as customizing workflow, phases, forms, and rules.
DevOps Administration: Permissions for customizing pipelines, CI servers, and collaboration tools.
General System Actions: Permissions for the actions in this category apply across all areas and are not related to any specific functional category. For example, you can set permissions for sending email and managing environments. This area also includes permissions for the creation and manipulation of document reports. For details, see Document reports.
Module Visibility: Permissions for the actions in this category let you customize which roles have UI access to each module. This is for convenience, so users only see areas that are relevant to them. Module visibility permissions do not affect the user's ability to perform actions for items in the module. For example, a user has full permissions for defects, but no permission to view the Defects module. This user can still view, update, and create defects using the REST API or from other modules, such as Backlog or Quality.
Data Access: Permissions for creating and editing data access control categories and assigning them to roles.

Permissions

After choosing a role, you can assign permissions by item.

The permissions are grouped by the following types.

Type of Permissions: Description

Standard permissions: Most items have the standard Create, Update, and Delete permissions available for assignment.

"By author" permissions: By author permissions are permissions that are granted only to the item's creator. For example:

  • Delete by author permission for a test enables the test's designer to delete the test.

  • Delete by author permission for a defect enables the user who detected the defect to delete it.

In both of these cases, the user designated in the Owner field cannot delete the test or defect if this user did not create the item.

Category-specific permissions: Some actions are relevant to specific categories only. For example, you can set the permissions for running a pipeline for the Pipelines category only, and you can set the permissions for ranking work items in the Backlog category only.

Other permissions: Some items have additional permissions, such as managing relations between items, performing certain actions, or the ability to access certain modules. There are also permissions that include a combination of other permissions:

  • If your role is assigned the Manage Relations set of permissions, you automatically have create, edit, and delete permissions for relations.

  • If your role is allowed to create an item, you also have the ability to edit any item you create.

  • If your role is allowed to create releases, teams, administration items, and DevOps items, you can also edit items created by others.

Note: Permissions to disallow views of specific entity types are not supported. Even if a user is only permitted module access to certain entities, other entities can be seen in the Relations tab. For details on how to add further permission customization, see Data access control.
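
The by-author and combined-permission rules above interact in ways that are easy to misread during an access review. The following is an added example, not product code, that models them as an effective-permission check. The Item and Role classes, the permission and item-type strings, and the user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Per the page: create permission on these also allows editing others' items.
# The type names themselves are illustrative assumptions.
CREATE_IMPLIES_EDIT_ALL = {"release", "team", "administration", "devops"}

@dataclass
class Item:
    type: str     # e.g. "defect", "test", "release"
    creator: str  # user who created the item
    owner: str    # Owner field; never consulted for permissions

@dataclass
class Role:
    grants: set = field(default_factory=set)           # (item_type, permission)
    visible_modules: set = field(default_factory=set)  # UI only, never checked

def allowed(role, user, action, item):
    """Effective permission for `action` on an existing item."""
    def has(perm):
        return (item.type, perm) in role.grants
    if action in ("create_relation", "edit_relation", "delete_relation"):
        return has("manage_relations")
    if action == "update":
        if has("update"):
            return True
        # Create implies editing your own items, and for some types any item.
        return has("create") and (
            item.creator == user or item.type in CREATE_IMPLIES_EDIT_ALL)
    if action == "delete":
        return has("delete") or (has("delete_by_author") and item.creator == user)
    return False

def audit(role, users, item):
    """List (user, action) pairs the role allows on the item."""
    actions = ("update", "delete", "edit_relation")
    return [(u, a) for u in users for a in actions if allowed(role, u, a, item)]

# Constructed sample: a custom role with no Defects module visibility.
ROLE = Role(grants={("defect", "create"), ("defect", "delete_by_author"),
                    ("release", "create")})
DEFECT = Item("defect", creator="alice", owner="bob")
RELEASE = Item("release", creator="carol", owner="carol")

if __name__ == "__main__":
    print(audit(ROLE, ["alice", "bob"], DEFECT))
    print(audit(ROLE, ["alice", "bob"], RELEASE))
```

In the sample, the owner of the defect gets no rights from the Owner field, while both users can edit a release they did not create. Neither result depends on module visibility.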

Predefined roles

A number of roles are predefined. Predefined roles have a set of preset permissions. Admins can customize the permissions for the predefined roles. The site admin and space admin roles cannot be customized. For details, see Edit permissions.

Admins can assign users one or more of the predefined roles.

The following table lists the predefined roles and provides a general outline of their preset permissions.

Role: General permissions
DevOps admin: Has similar permissions to the Leader role, plus full permissions in the Pipelines and DevOps Administration categories.
Leader: In addition to the Team Member permissions, can edit teams, delete items created by other users, and has full permissions in the Application Modules category.
Release Manager: Has full permissions in the Release Management category. Has limited permissions in most areas. For example, cannot create backlog items or tests.
Shared Entities Manager: Available in shared spaces only. Has permissions to manage shared items, such as shared epics, releases, sprints, and milestones, as well as application modules (similar to shared space admins). Note: Shared space admins can add custom roles based on the Shared Entities Manager role. These roles will also be marked with the Shared icon.
Team Member: Has create and edit permissions for items in the Tests, Runs, Backlog and Requirements categories.
Tester: Has create and edit permissions for items in the Tests and Runs categories. In the Backlog category, can create and edit defects and BDD specifications.
Viewer: Has only view permissions in all areas. Cannot create or edit.
Workspace Admin: Has full create and edit permissions in all categories. The only permission the Workspace Admin does not have by default is the permission to delete comments created by other users.

View roles and permissions

Space admins can see which permissions have been assigned to each role for each category.

To view roles and permissions:

  1. Open the Settings menu and click Spaces.

  2. In the side pane, select a shared space.
  3. Go to the Permissions tab.
  4. In the toolbar, select a role from the Role list.
  5. Click each permission category to view the permissions granted in that category. For details on the permission categories, see Permission categories.

Space admins have full permissions to edit workspace content for any workspace they are assigned to, without the permissions being explicitly granted to the space admin. When viewing the permissions for the space admin, workspace-related permissions are also displayed.

REST API: You can retrieve the permissions of each role using the REST API request: .../api/shared_spaces/<space_id>/roles?fields=actions

Create roles

In addition to the predefined roles, space admins can create new roles with customized permissions.

To create a role:

  1. Open the Settings menu and click Spaces.

  2. In the side pane, select a shared space.
  3. Go to the Permissions tab.

  4. In the toolbar, click the Add Role button.

  5. Enter a name for the new role.

  6. Select an existing role on which to base this new role's permissions.

  7. For each item, check or clear the permissions.

  8. To rename a custom role, from the Role list, select the role you want to rename and click the Rename Role button.

  9. To delete a custom role, from the Role list, select the role you want to delete and click the Delete Role button.

    Space admins can delete custom roles that are not assigned to any users or API keys.

Edit permissions

Space admins can edit permissions for all roles, except for the site admin and space admin roles.

Space admins have full permissions to edit workspace content for any workspace they are assigned to. These permissions cannot be edited.

To edit permissions for a role:

  1. Open the Settings menu and click Spaces.

  2. In the side pane, select a shared space.
  3. Go to the Permissions tab.

  4. In the toolbar, select a role from the Role list.

  5. In the main pane, check or clear the permissions for each item.

Tip: To reset a role's permissions to the original, predefined definitions, click the Reset Role button.

Resetting a role resets the role's permissions across all the categories, not just in the selected category.

Assign and unassign roles

Administrators can assign roles to existing users. Every user must be assigned at least one role in each workspace to which they are assigned.

Workspace and space administrators cannot unassign themselves from their roles. Other administrators can do this for them.

You can assign roles at the space or workspace level.

To assign roles for a single user:

  1. Open the Settings menu and click Spaces.

  2. In the side pane, select a space or workspace.
  3. Go to the Users tab.

  4. In the main pane, click the user's ID.

  5. Select a role for the user and specify the workspaces in which the user is assigned the role. Add more roles as necessary.

To assign roles for multiple users:

  1. Open the Settings menu and click Spaces.

  2. In the side pane, select a space or workspace.
  3. Go to the Users tab.

  4. In the main pane, select the users to which you want to assign roles.

  5. Do one of the following:

    Space/Workspace: Instructions

    Space level:

    1. Click Assign to roles/workspaces or Unassign from roles.

    2. Select a role and specify the workspaces in which they are assigned the role. Add more roles as necessary.

    3. Click Assign.

    Workspace level:

    1. Click More > Bulk Update.

    2. Select the Roles field.

    3. Select the roles to assign or unassign.

    4. Depending on whether you are adding, replacing, or removing roles, select Add to existing values, Replace existing values or Remove these values.

    5. Click Update.
