diff --git a/swh/web/tests/admin/test_origin_save.py b/swh/web/tests/admin/test_origin_save.py
--- a/swh/web/tests/admin/test_origin_save.py
+++ b/swh/web/tests/admin/test_origin_save.py
@@ -7,8 +7,6 @@
 import pytest
-from django.contrib.auth import get_user_model
-
 from swh.web.common.models import (
 SAVE_REQUEST_ACCEPTED,
 SAVE_REQUEST_PENDING,
@@ -22,10 +20,6 @@
 from swh.web.common.utils import reverse
 from swh.web.tests.utils import check_http_get_response, check_http_post_response
-_user_name = "swh-web-admin"
-_user_mail = "admin@swh-web.org"
-_user_password = "..34~pounds~BEAUTY~march~63.."
-
 _authorized_origin_url = "https://scm.ourproject.org/anonscm/"
 _unauthorized_origin_url = "https://www.softwareheritage.org/"
@@ -35,10 +29,6 @@
 @pytest.fixture(autouse=True)
 def populated_db():
- User = get_user_model()
- user = User.objects.create_user(_user_name, _user_mail, _user_password)
- user.is_staff = True
- user.save()
 SaveAuthorizedOrigin.objects.create(url=_authorized_origin_url)
 SaveUnauthorizedOrigin.objects.create(url=_unauthorized_origin_url)
@@ -50,7 +40,7 @@
 assert unquote(resp.url) == login_url
-def test_add_authorized_origin_url(client):
+def test_add_authorized_origin_url(client, staff_user):
 authorized_url = "https://scm.adullact.net/anonscm/"
 assert can_save_origin(authorized_url) == SAVE_REQUEST_PENDING
@@ -62,13 +52,13 @@
 assert can_save_origin(authorized_url) == SAVE_REQUEST_PENDING
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 check_http_post_response(client, url, status_code=200)
 assert can_save_origin(authorized_url) == SAVE_REQUEST_ACCEPTED
-def test_remove_authorized_origin_url(client):
+def test_remove_authorized_origin_url(client, staff_user):
 assert can_save_origin(_authorized_origin_url) == SAVE_REQUEST_ACCEPTED
 url = reverse(
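Review bot: After the switch to `client.force_login(staff_user)` in `test_add_authorized_origin_url`, the admin tests still cover only two identities, anonymous and staff. Nothing visible checks that a logged-in account without `is_staff` is refused, which is the authorization boundary these views depend on. The `regular_user` fixture added to conftest.py in this commit makes that cheap: before the staff login, add `client.force_login(regular_user)`, repeat the POST, and assert that `can_save_origin(authorized_url) == SAVE_REQUEST_PENDING` still holds. The same gap applies to the six other tests in this file that now receive `staff_user`; how the views reject a non-staff session (redirect or 403) is not shown in this diff and needs confirming. The test body starts outside this hunk.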
@@ -80,12 +70,12 @@
 assert can_save_origin(_authorized_origin_url) == SAVE_REQUEST_ACCEPTED
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 check_http_post_response(client, url, status_code=200)
 assert can_save_origin(_authorized_origin_url) == SAVE_REQUEST_PENDING
-def test_add_unauthorized_origin_url(client):
+def test_add_unauthorized_origin_url(client, staff_user):
 unauthorized_url = "https://www.yahoo./"
 assert can_save_origin(unauthorized_url) == SAVE_REQUEST_PENDING
@@ -98,12 +88,12 @@
 assert can_save_origin(unauthorized_url) == SAVE_REQUEST_PENDING
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 check_http_post_response(client, url, status_code=200)
 assert can_save_origin(unauthorized_url) == SAVE_REQUEST_REJECTED
-def test_remove_unauthorized_origin_url(client):
+def test_remove_unauthorized_origin_url(client, staff_user):
 assert can_save_origin(_unauthorized_origin_url) == SAVE_REQUEST_REJECTED
 url = reverse(
@@ -115,12 +105,12 @@
 assert can_save_origin(_unauthorized_origin_url) == SAVE_REQUEST_REJECTED
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 check_http_post_response(client, url, status_code=200)
 assert can_save_origin(_unauthorized_origin_url) == SAVE_REQUEST_PENDING
-def test_accept_pending_save_request(client, swh_scheduler):
+def test_accept_pending_save_request(client, staff_user, swh_scheduler):
 visit_type = "git"
 origin_url = "https://v2.pikacode.com/bthate/botlib.git"
@@ -138,7 +128,7 @@
 check_not_login(client, accept_request_url)
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 response = check_http_post_response(client, accept_request_url, status_code=200)
 response = check_http_get_response(client, save_request_url, status_code=200)
@@ -146,7 +136,7 @@
 assert response.data[0]["save_task_status"] == SAVE_TASK_NOT_YET_SCHEDULED
-def test_reject_pending_save_request(client, swh_scheduler):
+def test_reject_pending_save_request(client, staff_user, swh_scheduler):
 visit_type = "git"
 origin_url = "https://wikipedia.com"
@@ -166,14 +156,14 @@
 check_not_login(client, reject_request_url)
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 response = check_http_post_response(client, reject_request_url, status_code=200)
 response = check_http_get_response(client, save_request_url, status_code=200)
 assert response.data[0]["save_request_status"] == SAVE_REQUEST_REJECTED
-def test_remove_save_request(client):
+def test_remove_save_request(client, staff_user):
 sor = SaveOriginRequest.objects.create(
 visit_type="git",
 origin_url="https://wikipedia.com",
@@ -187,6 +177,6 @@
 check_not_login(client, remove_request_url)
- client.login(username=_user_name, password=_user_password)
+ client.force_login(staff_user)
 check_http_post_response(client, remove_request_url, status_code=200)
 assert SaveOriginRequest.objects.count() == 0
diff --git a/swh/web/tests/api/test_throttling.py b/swh/web/tests/api/test_throttling.py
--- a/swh/web/tests/api/test_throttling.py
+++ b/swh/web/tests/api/test_throttling.py
@@ -6,7 +6,6 @@
 import pytest
 from django.conf.urls import url
-from django.contrib.auth.models import User
 from django.test.utils import override_settings
 from rest_framework.decorators import api_view
 from rest_framework.response import Response
@@ -159,10 +158,7 @@
 @override_settings(ROOT_URLCONF=__name__)
 @pytest.mark.django_db
-def test_staff_users_are_not_rate_limited(api_client):
- staff_user = User.objects.create_user(
- username="johndoe", password="", is_staff=True
- )
+def test_staff_users_are_not_rate_limited(api_client, staff_user):
 api_client.force_login(staff_user)
@@ -177,11 +173,9 @@
 @override_settings(ROOT_URLCONF=__name__)
 @pytest.mark.django_db
-def test_non_staff_users_are_rate_limited(api_client):
-
- user = User.objects.create_user(username="johndoe", password="", is_staff=False)
+def test_non_staff_users_are_rate_limited(api_client, regular_user):
- api_client.force_login(user)
+ api_client.force_login(regular_user)
 scope2_limiter_rate_user = (
 scope2_limiter_rate * SwhWebUserRateThrottle.NUM_REQUESTS_FACTOR
@@ -215,13 +209,17 @@
 @override_settings(ROOT_URLCONF=__name__)
 @pytest.mark.django_db
-def test_users_with_throttling_exempted_perm_are_not_rate_limited(api_client):
- user = User.objects.create_user(username="johndoe", password="")
- user.user_permissions.add(create_django_permission(API_THROTTLING_EXEMPTED_PERM))
+def test_users_with_throttling_exempted_perm_are_not_rate_limited(
+ api_client, regular_user
+):
+
+ regular_user.user_permissions.add(
+ create_django_permission(API_THROTTLING_EXEMPTED_PERM)
+ )
- assert user.has_perm(API_THROTTLING_EXEMPTED_PERM)
+ assert regular_user.has_perm(API_THROTTLING_EXEMPTED_PERM)
- api_client.force_login(user)
+ api_client.force_login(regular_user)
 for _ in range(scope2_limiter_rate + 1):
 response = api_client.get("/scope2_func")
diff --git a/swh/web/tests/api/views/test_origin_save.py b/swh/web/tests/api/views/test_origin_save.py
--- a/swh/web/tests/api/views/test_origin_save.py
+++ b/swh/web/tests/api/views/test_origin_save.py
@@ -8,7 +8,6 @@
 import pytest
-from django.contrib.auth.models import User
 from django.core.exceptions import ObjectDoesNotExist
 from django.utils import timezone
@@ -524,20 +523,19 @@
 def test_create_pending_save_request_multiple_authenticated_users(
- api_client, swh_scheduler
+ api_client, swh_scheduler, regular_user, regular_user2
 ):
 origin_url = "https://some.git.hosters/user/repo3"
- first_user = User.objects.create_user(username="first_user", password="")
- second_user = User.objects.create_user(username="second_user", password="")
+
 url = reverse(
 "api-1-save-origin",
 url_args={"visit_type": "git", "origin_url": origin_url},
 )
- api_client.force_login(first_user)
+ api_client.force_login(regular_user)
 check_api_post_response(api_client, url, status_code=200)
- api_client.force_login(second_user)
+ api_client.force_login(regular_user2)
 check_api_post_response(api_client, url, status_code=200)
- assert SaveOriginRequest.objects.get(user_ids__contains=f'"{first_user.id}"')
- assert SaveOriginRequest.objects.get(user_ids__contains=f'"{second_user.id}"')
+ assert SaveOriginRequest.objects.get(user_ids__contains=f'"{regular_user.id}"')
+ assert SaveOriginRequest.objects.get(user_ids__contains=f'"{regular_user2.id}"')
diff --git a/swh/web/tests/conftest.py b/swh/web/tests/conftest.py
--- a/swh/web/tests/conftest.py
+++ b/swh/web/tests/conftest.py
@@ -15,6 +15,7 @@
 from hypothesis import HealthCheck, settings
 import pytest
+from django.contrib.auth.models import User
 from django.core.cache import cache
 from django.test.utils import setup_databases # type: ignore
 from rest_framework.test import APIClient, APIRequestFactory
@@ -515,3 +516,18 @@
 setup_databases(
 verbosity=request.config.option.verbose, interactive=False, keepdb=False
 )
+
+
+@pytest.fixture
+def staff_user():
+ return User.objects.create_user(username="admin", password="", is_staff=True)
+
+
+@pytest.fixture
+def regular_user():
+ return User.objects.create_user(username="johndoe", password="")
+
+
+@pytest.fixture
+def regular_user2():
+ return User.objects.create_user(username="janedoe", password="")
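Review bot: All three new fixtures in conftest.py pass `password=""`, which Django hashes like any other string, so each account ends up with a usable empty password rather than an unusable one. Every caller in this commit authenticates through `force_login`, so dropping the argument (`User.objects.create_user(username="admin", is_staff=True)`) or passing `password=None` leaves the accounts with no valid password and makes that intent explicit. The fixtures also write to the database without requesting pytest-django's `db` fixture, so they appear to rely on each test enabling database access itself; adding `db` as a parameter would make them self-contained. A one-line docstring on each, such as `"""Return a persisted staff account for tests."""`, would help readers of conftest.py.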