...
SAK-131: Add Role based SU security
SAK-131: Add Role based SU security
This request to add Role-based SU security encompasses two parts:
...
SAK-367 - CharonPortal Tracking of assumed Id's with 'Return to...'
part two of two
2) CharonPortal patch: - assumed identities tracked with 'Return to <Eid>' link next to Logout link
create special url ('/realuser') that the portal will use to reload any existing previous usage session
Test for
...
SAK-
...
354
SAK-354: add realm based security to SuTool
This test plan covers the sub-story SAK-354: add realm based security to SuTool ONLY
...
Test # | source | function | target | result |
|---|---|---|---|---|
Test 3 | SuperUser | can SU | SuperUser | false |
Test 7a | SuperUser | can SU | Priv User | true |
Test 3 | SuperUser | can SU | Standard User | true |
Test 5 | Standard User | can SU | SuperUser | false |
Test 7b | Standard User | can SU | Priv User | false |
Test 4 | Standard User | can SU | Standard User | false |
Test 6a | Priv User | can SU | SuperUser | false |
Test 6b | Priv User | can SU | Standard User | true |
Test 6c | Priv User | can SU | Priv User | true |
Preparation
- Requires initial SU Tool Setup in Realms if this is a new system.
- SuperUser access is required for Administration Workspace changes
- A test site with the SU Tool installed (see #SU Tool Setup to set up a course)
- At least two non-SuperUser accounts in the test site (e.g., sakaiinst user or a non-SuperUser test partner)
- Knowledge of 1-2 other SuperUser logins
...
Login as admin, access the Realms tool, and delete the the realm entitled '!su.can_su_realm'.
Select the test site that contains the SU Tool.
Type the name of any non-admin or admin user and select 'Become User' button (the latter case will fail the su, but should achieve the desired results for this test.)
If necessary, log out and re-login as an admin user.
Return to Realms tool and search for the above realm name.
Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by a SuperUser.
...
Login as admin, access the Realms tool, and delete the realm entitled '!su.can_su_realm'.
Log out and re-login as a non-admin user in the test site with the SU Tool.
Type the name of any non-admin or admin user and select 'Become User' button (the latter case will fail the su, but should achieve the desired results for this test.)
If necessary, log out and re-login as an admin user.
Return to Realms tool and search for the above realm name.
Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by a Standard User.
Test 3 - Validate SuperUser
...
can SU other users except another SuperUser
Login as admin and select the test site that contains the SU Tool.
Type in the name of another SuperUser and select 'become user'.
Expected result: 'unauthorized' - SuperUsers cannot su a SuperUser account
Select the up arrow (Reset function.)
Type in the name of a Standard User and select 'become user'.
Expected result: success
Test 4 - Validate Standard User cannot SU another Standard User
Login as a Standard User and select the test site that contains the SU Tool.
Type in the name of another Standard User and select 'become user'.
Expected result: 'unauthorized' - Standard users cannot su another standard user account with out the correct permissions
...
Login as a Standard User and select the test site that contains the SU Tool.
Type in the name of a SuperUser and select 'become user'.
Expected result: 'unauthorized' - Standard users cannot SU a SuperUser account.
Test(s) 6
Prep for
...
6a, 6b and 6c
- Login as admin and access the Realms tool and select the realm entitled '!su.can_su_realm'.
- From the Edit Realm screen, select the Add Role link and type in a Role Id name (for example, 'Can SU'.)
- Check the checkbox next to 'su.can_su' permission for that role and then Save.
- From the Edit Realm screen, select Grant Ability.
- Type in the name of a Standard User non-SuperUser in the test site, select the Rolerole name you created, and then Save.
- Repeat the previous step. You now have 2 non-SuperUsers with SU access - they are 'priveleged' users.
Test 6a - Validate Priveleged User cannot SU SuperUser
Logout and re-login as one of the Standard Priveleged User username given in Test 5.
Select the test site that contains the SU Tool.
Select SU Tool and type in the name of SuperUser and select 'become user'.
Expected result: 'unauthorized' - Privileged users cannot su SU a SuperUser account.
6-b
...
6b - Validate Priveleged User can SU Standard User
Reset the SU Tool again(by using the up arrow.)
Type in the name of another standard user and select 'become user'.
Expected result: success
6c - Validate Priveleged User can SU another Priveleged User
Logout and re-login as one of the Priveleged User.
Select the test site that contains the SU Tool.
Type in the name of the other Priveleged User and select 'become user'.
Expected result: success
Test 7a - Validate SuperUser can SU Priveleged User
Logout and re-login as SuperUser.
Select the test site that contains the SU Tool.
Select SU Tool and type in the name of one of the Priveleged Users and select 'become user'.
Expected result: success
7b - Validate Standard User cannot SU Priveleged User
Logout and re-login as Standard User.
Select the test site that contains the SU Tool.
Type in the name of one of the Priveleged Users and select 'become user'.
Expected result: 'unauthorized' - Standard users cannot SU a Privileged account.
Test 8
Prep for 8
- Login as admin and access the Realms tool and select the realm entitled '!su.can_su_realm'.
- From the Edit Realm screen, select the Add Role link and type in a Role Id name (for example, 'Cannot SU'.)
- Do not check any permissions and Save.
- Return to the Edit Realm screen for '!su.can_su_realm'. Select one of the newly added Priveleged users.
- From the Edit Realm screen, select Remove All.
- From the Edit Realm screen, select Grant Ability.
- Type in the name of the same Priveleged User you removed and then select the new role name you created and Save. You have now added a user to a role that does not include the can_su security function.
8 - Validate Priveleged User without can_su in Role cannot SU successfully
Logout and re-login as Priveleged User with new 'Cannot SU' role.
Select the test site that contains the SU Tool.
Type in the name of one of the Priveleged Users and select 'become user'.
Reset and type in the name of s SuperUser and select 'become user'.
Reset and type in the name of a Standard User and select 'become user'.
Expected results - all 3 attempts: 'unauthorized' - Standard users cannot SU a Privileged account.
SU Tool Setup
To setup the SU Tool in a particular course or project, login as an admin and follow these steps:
- In Administration Workspace and select the Sites tool. Select the course desired - a non-joinable site is desired to limit access to this tool.
- Select the Pages button; on the new screen select the New Pages link.
- Enter SU Tool under Title and select the Tools button.
- Select the New Tool link.
- Select 'Admin: Become User (sakai:su)' from the list and then the Save button.