Managing user security

TestRail makes it easy to administrate users, regardless of whether you’re managing a large or small team. TestRail provides administrator users with capabilities to export the entire list of users out of TestRail for reporting and analysis purposes, identify the last time a user was active, manage user session settings, and if necessary, force password resets.

To support compliance with General Data Protection Regulations (GDPR), we also provide administrators with the ability to “forget users” from TestRail.

Forget user

GDPR legislation includes a “right to be forgotten” which in practice means there must be some way of removing user information from the TestRail system. Since each user is tied to artifacts within the system, and that relationship between the user and e.g. their creation or modification of a test or result, removing the user entirely is not practical. Forget User, therefore, replaces the personally identifiable information within a user record (i.e. the user name) with an obfuscated value instead.

Administrators can initiate the Forget User function via the Edit User page in the administration console.

Clicking the Forget this user link and confirming the procedure in the resulting dialog will replace the existing username and email address with e.g. F15238729834696 and change the user status from Active to Inactive.

Please note that the users' details cannot be removed from previously generated reports. Also, if the user’s email address has been added to the distribution list for a report, you will need to remove it manually.

Export users to CSV

A full list of users can be exported from your TestRail instance from the Users & Roles area of the administration console. Exporting the user list to either a CSV or Excel formatted file is as simple as navigating to the user list, clicking on the Export Users button, and selecting the format. Once done, all the users will be extracted to the file along with their email, status, and role.

Last active user session

The Last Active column on the Users & Roles page can be used by administrators to identify which users may need pruning from the system for license management purposes. The Last Active timestamp records the last date on which the user was active within TestRail.

Administrators should be aware that the field will only start recording timestamps for logins after the feature is introduced. Any logins prior to the 5.5 release will show Never Logged In until such time as TestRail records an active user session, at which point the column will show the last active timestamp for the user.

Please note that we do not monitor the timestamp for billing purposes. For more information about how we calculate our fee based on the number of active users, please refer to our terms and conditions here.

Force password reset

To help you keep your TestRail system secure in the event of a user account or credentials being compromised in some way, administrators can force users to change their password with immediate effect by navigating to the Edit User page in the administration console and clicking the Force Password Change link. After doing so and confirming the action in the resulting dialogue, the user will be logged out on their next browser request.

The user will be directed to an email with a reset password link via the login page. Once the user has updated their password, their TestRail access will be reinstated as before.


Resetting the user password also removes the user’s API key. Once the password has been updated, the user regains access to TestRail, but they will need to generate a new API key.

User session timeout

Should you wish to restrict the length of your TestRail user sessions, you can do so using the Session Timeout feature, which provides you with the following options:

  • Infinite session length: The default setting. Users can check the Remember Me checkbox on login and will stay logged into TestRail until they log out.
  • Remember Me checkbox disabled: Sessions are not persisted. Once the user shuts down their browser session, they are in effect logged out and must re-login when they return to TestRail in the future.
  • Idle Session Timeout: After a user has been inactive for the configured period, they will be logged out on the next browser request. So long as the user is active within TestRail, they will remain logged in.
  • Absolute session timeout: The user is logged out after a configured period of time, whether they are active within TestRail or not.


Idle Session Timeout and Absolute Session Timeout can be used exclusively, or in parallel with each other. For example, you may wish to set an Idle Session Timeout of 30mins and an Absolute Session Timeout of 8 hours, which would log the user out after 30mins of inactivity or after 8 hours regardless of activity levels.

Was this article helpful?
6 out of 22 found this helpful