Access Control

Conical uses a role-based security model to control access to the tool and to the data stored within it.

Each role can be granted a set of site-level privileges as well as a set of per-product privileges. This allows for fine-grained control over who has access to what. Note that privileges are purely additive: a role is a set of grants, and there is no support for ‘all privileges except x’.

These roles can be assigned both to groups and to individual users (although we recommend using groups for ease of management).

Anonymous Access

Anonymous access is supported within the tool and the anonymous user can be granted roles in the same way as any other user.

Users

Users have the following properties:

  • can be members of multiple groups
  • can have roles granted to them explicitly
  • can be renamed
  • can be locked / unlocked
  • cannot be deleted – this is to maintain a full audit trail of data.

Note that the best way to ‘delete’ users (given they can’t actually be deleted) is to rename them with a prefix indicating that they’re deleted and to lock the account so that it cannot be used.

Access Tokens

Users can create access tokens to allow REST API calls to be made. A token can carry either all of the user’s privileges or a specific subset of them (site level or product level).

Groups

Groups represent a set of users and currently may not be recursive, that is, groups cannot themselves be members of other groups.

Available Product Privileges

The following product privileges are available:

Privilege          Description
admin              Can do everything
commenter          Can add comments
commentsAdmin      Can edit other people’s comments
configurator       Can configure the product, e.g. add test run types
publisher          Can publish data to the tool
viewer             Can view published data
auditTrail         Can view the audit trail within the product
testRunSetDeleter  Can mark test run sets as candidates for deletion

Note that users are always able to edit their own comments.
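The following is an added worked model of the rules described on this page (additive grants, roles on users and groups, non-recursive groups, locked accounts, tokens scoped to a subset, own-comment editing); it is example code, not Conical’s own implementation, and the data classes, function names, product name "productA" and the user "alice" are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Role:
    site: frozenset = frozenset()                 # site-level privileges
    products: dict = field(default_factory=dict)  # product name -> frozenset of product privileges

@dataclass
class Group:
    roles: list
    members: set  # user names only: groups cannot be members of other groups

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    locked: bool = False

def effective_privileges(user, groups):
    """Union of roles held directly or via groups; grants only ever add (no 'all except x')."""
    if user.locked:  # a locked account cannot be used, so it holds nothing
        return frozenset(), {}
    roles = list(user.roles) + [r for g in groups if user.name in g.members for r in g.roles]
    site, products = set(), {}
    for r in roles:
        site |= r.site
        for prod, privs in r.products.items():
            products.setdefault(prod, set()).update(privs)
    return frozenset(site), {p: frozenset(v) for p, v in products.items()}

def token_privileges(user, groups, requested=None):
    """Access-token scope: all of the user's privileges, or a requested subset of them."""
    site, products = effective_privileges(user, groups)
    if requested is None:
        return site, products
    req_site, req_products = requested  # intersect: a token can never exceed its user
    scoped = {p: privs & products.get(p, frozenset()) for p, privs in req_products.items()}
    return site & req_site, {p: v for p, v in scoped.items() if v}

def can(user, groups, product, privilege):
    """Product-level check; 'admin' covers every privilege within that product."""
    held = effective_privileges(user, groups)[1].get(product, frozenset())
    return "admin" in held or privilege in held

def can_edit_comment(user, groups, product, author):
    """Users may always edit their own comments; others' comments need commentsAdmin."""
    return author == user.name or can(user, groups, product, "commentsAdmin")

# Constructed sample data, not from the page: alice is a viewer directly and a publisher via "qa".
ALICE = User("alice", roles=[Role(products={"productA": frozenset({"viewer", "commenter"})})])
GROUPS = [Group(roles=[Role(products={"productA": frozenset({"publisher"})})], members={"alice"})]
```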