Friday, April 16, 2010

What is the best way to test screen access based on roles?

Many applications implement role based security and role based access. This means that when the user accesses the application, the application first determines the role of the user. The application shows the user only those screens that are meant for that role. The application may even hide or show certain parts or sections of a particular screen depending on the role of the user. For example, an application may show only the public screens to an unauthenticated user. If the user logs in as a member, the private screens of that member become available. If the user logs in as an administrator, the private screens of that administrator as well as the application administration screens become available. Note that showing or hiding a screen is only the visible part of role based access: the application must also refuse a request for a screen or an action that is not permitted for the role, even if the user reaches it directly rather than through a link.

If you have to test the screen access of your application, you should go about it systematically. Here is the approach that you can use:

1. List the various kinds of access in the application.
Examples of access include View (just see the information listed on a screen), Read (see more information about a data item), Drill down (see the sub-items of a data item), Add (add a data item), Update (edit a data item), Delete (remove a data item) and Comment (add further information to a data item).

2. List the various roles in the application.
You should refer to the requirements documentation of your application to list the roles in your application. Examples of roles are User, Super user, Customer, Staff, Manager and Administrator. Include the unauthenticated (anonymous) user as a role if the application has public screens.

3. List each screen (and each section within each screen) in your application.
You should refer to the requirements documentation as well as the design documentation of your application to list each screen in your application. If your application implements role based access on sections (parts) of any or all screens, you should group all the relevant screen sections under the screen name.

4. Map the roles to the screens listing the access in each case.
Finally, you should map roles to the screens. In order to do so, simply list all roles on one axis and all screens on the other, and write in each cell the kinds of access (from step 1) that the role has on that screen or section. Since the number of roles is commonly far smaller than the number of screens, you may want to list the roles horizontally and the screens vertically for ease in viewing or editing your mapping. See the example above.

5. Ensure that your mapping is complete.
Ensure that you have listed each access, each role and each screen (with each section that is accessible separately) in your application. Ensure that the mapping is present between each role and each screen/screen section, including the cells where the role has no access at all; those cells are your negative tests. When you execute the tests, do not stop at checking that a link, screen or section is hidden for the role. Also try to reach the screen or perform the action directly (for example by requesting its address) while logged in as that role, and confirm that the application refuses it.