User Roles & Permissions
QA Hub has three roles. A user is assigned one role per workspace.
Role overview
| Role | Scope | Who it's for |
|---|---|---|
SUPER_ADMIN | Platform-wide | QA Hub platform administrators only |
QA_MANAGER | Tenant workspace | Team leads, QA chapter leads |
QA_TESTER | Tenant workspace | Individual QA engineers |
Permission matrix
| Action | SUPER_ADMIN | QA_MANAGER | QA_TESTER |
|---|---|---|---|
| Approve/reject tenants | ✓ | — | — |
| Impersonate tenants | ✓ | — | — |
| View all audit logs | ✓ | — | — |
| Invite team members | ✓ | ✓ | — |
| Change user roles | ✓ | ✓ | — |
| Create/edit projects | ✓ | ✓ | — |
| Manage integrations (Jira, AI, etc.) | ✓ | ✓ | — |
| Create API tokens | ✓ | ✓ | — |
| Create/edit test cases | ✓ | ✓ | ✓ |
| Execute test runs | ✓ | ✓ | ✓ |
| Record test results | ✓ | ✓ | ✓ |
| Link bug tickets | ✓ | ✓ | ✓ |
| Upload result attachments | ✓ | ✓ | ✓ |
| View coverage & metrics | ✓ | ✓ | ✓ |
| View audit logs (own workspace) | ✓ | ✓ | — |
Assigning roles
The first user in a workspace is automatically QA_MANAGER. All subsequent invited users can be assigned QA_MANAGER or QA_TESTER at invite time.
To change a role after the fact:
- Go to Settings → Team.
- Find the user and select a new role from the dropdown.
- The change takes effect on the user's next page load.
SUPER_ADMIN assignment
SUPER_ADMIN cannot be assigned through the UI. It requires a direct database update:
UPDATE "User" SET role = 'SUPER_ADMIN' WHERE email = 'admin@your-org.com';
Only perform this on the initial bootstrap of a self-hosted installation.
mustChangePassword flag
Administrators can set a temporary password for a user and flag their account with mustChangePassword = true. The user is redirected to the change-password page on their next login and cannot access the app until they update their credentials.
This is used for the admin-mediated password reset flow (requested via Settings and resolved in /admin).