Ask the Community
Role-Based Access Control
Learn how IAM roles and Test Hub permissions control access to dashboards, integrations, and settings in Quality Engineering Insights.
Role-Based Access Control (RBAC) restricts who perform sensitive actions in Quality Engineering Insights (QEI). It ensures that only authorized users edit metric definitions, change settings, or manage dashboards, while everyone else retains the access they need to do their work.
Access in QEI is governed by two layers:
- IAM roles control ownership and administrative privileges across all BrowserStack products.
- Test Hub permissions control what actions a user can perform on QEI resources, such as dashboards, integrations, and alerts.
A separate layer, User Data Access Control (UDAC), defines the scope of data a user can see. UDAC works alongside RBAC. RBAC decides what a user can do. UDAC decides what data that action applies to.
Types of roles
QEI uses two types of roles.
IAM roles
IAM roles apply across all BrowserStack products and determine administrative privileges at the organization level.
- Owner: Has complete control over organization settings, member management, and product access. Only one owner is permitted per organization.
- Admin: Has extensive administrative privileges, including managing users and granting product access, without ownership privileges.
- User: Can use QEI based on the Test Hub permissions assigned to them. Users have no administrative privileges.
Learn more about IAM roles in the BrowserStack IAM guide.
Test Hub permissions
Test Hub permissions apply to users who are not IAM Owners or Admins. They define which actions a user can perform on QEI resources.
- View: See prebuilt and custom dashboards.
- Create: Create new dashboards. Includes View.
- Edit: Edit own dashboards and dashboards created by other users. Includes Create and View.
- Delete: Delete own dashboards and dashboards created by other users. Includes Edit, Create, and View.
Test Hub permissions are hierarchical on QEI. A user with Edit permission implicitly inherits Create and View permissions. A user with Delete permission implicitly has Edit, Create, and View.
Users without Test Hub permission cannot access QEI because QEI is a dashboard product.
IAM Owner and Admin access
IAM Owner and IAM Admin roles have full access to QEI regardless of their Test Hub permissions. This includes editing settings, modifying metric definitions, and managing dashboards, integrations, alerts, and goals created by any user.
| IAM role | View | Create | Edit | Delete | Edit settings | Edit metric definitions |
|---|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes | Yes | Yes | Yes |
IAM Owner and Admin access overrides all Test Hub permissions. The sections below apply only to users who are not IAM Owners or Admins.
Manage user access permissions for dashboards
Test Hub permissions determine what a user can do with prebuilt and custom dashboards. The following table summarizes dashboard access by Test Hub permission.
| Test Hub permission | View prebuilt dashboards | View custom dashboards | Create dashboards | Edit own dashboards | Edit others’ dashboards | Delete own dashboards | Delete others’ dashboards | Settings and metric definitions |
|---|---|---|---|---|---|---|---|---|
| No access | No | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No |
| Create | Yes | Yes | Yes | Yes | No | Yes | No | No |
| Edit | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
Note the following:
- Only IAM Owner and IAM Admin can modify settings or metric definitions.
- Users with Create or Edit permission can delete dashboards they own.
- A user with Delete permission has full CRUD access to dashboards, except for settings and metric definitions.
Dashboard interface restrictions
The QEI interface adapts to a user’s Test Hub permission. The following restrictions apply.
View only
- The Create dashboard button is hidden on the Dashboards page.
- The Add to dashboard option is hidden from the prebuilt dashboard menu.
Create only
- On the Add to dashboard flow, only the Create dashboard button is available. The list of existing dashboards is hidden.
- On dashboards created by other users, the Add widget button is hidden.
- On dashboards created by other users, the widget-level menu is hidden.
- On dashboards created by other users, only Clone dashboard is available in the dashboard menu.
- On dashboards the user created, all options are available.
Edit only
- The Delete option is hidden from the dashboard menu on custom dashboard pages.
Manage user access permissions for integrations
Integrations connect QEI to source control management and incident management tools. Access to integrations depends on both the IAM role and the user’s ownership of the connection.
The following table summarizes integration access.
| Action | IAM Owner or Admin | Connection creator | Other users |
|---|---|---|---|
| Connect a new tool (no existing connection in category) | Yes | Yes | Yes |
| Disconnect an existing connection | Yes | Yes (own only) | No |
| Edit connection details | Yes | Yes (own only) | No |
| Import or delete projects | Yes | Yes (own only) | No |
Note the following:
- Any user can connect a new tool if no tool exists in that category.
- IAM Owner and Admin can disconnect or edit any connection, regardless of who created it.
- A user who created a connection can disconnect, edit, or manage projects for that connection only.
- Users cannot make changes to integrations they did not create.
Manage user access permissions for settings and metric definitions
Only IAM Owner and IAM Admin can change settings or modify metric definitions.
Users who are not IAM Owner or Admin can open the Settings page and view its contents. The page is read-only for these users. No changes can be saved.
Manage user access permissions for alerts, goals, and saved views
Access to alerts, goals, and saved views follows these rules.
| Resource | IAM Owner or Admin | Other users |
|---|---|---|
| Alerts | View, edit, and delete all alerts, including those created by other users | Manage alerts they created |
| Goals | View, edit, and delete all goals, including those created by other users | Manage goals they created |
| Saved views | Follow the existing saved views behavior | Follow the existing saved views behavior |
Data access boundaries
UDAC defines the scope of data a user can see in QEI. UDAC operates independently of RBAC.
- RBAC defines what actions a user can perform.
- UDAC defines what data those actions apply to.
IAM and Test Hub roles do not override UDAC. For example, if UDAC scopes a user to Team A, that user sees only Team A data, even with Delete permission on dashboards. The user can create, edit, and delete dashboards, but only for data within their UDAC scope.
Next steps
We're sorry to hear that. Please share your feedback so we can do better
Contact our Support team for immediate help while we work on improving our docs.
We're continuously improving our docs. We'd love to know what you liked
We're sorry to hear that. Please share your feedback so we can do better
Contact our Support team for immediate help while we work on improving our docs.
We're continuously improving our docs. We'd love to know what you liked
Thank you for your valuable feedback!