JIRA: SAK-131: Add Role based SU security
This test plan covers the sub-story SAK-354: add realm based security to SuTool ONLY
Description:
This modification to the SU Tool is intended to allow users who are not SuperUser to SU other users. On startup, the tool looks for or creates a security realm (reference: realms tool). By default the realm's name is '!su.can_su_realm', but it can be modified by editing the tool registration file.
Administrators should add roles to this realm that have the correct security function (permission). This function name is 'su.can_su' by default (but can be changed by an administrator by editing the tool registration file).
The template permission matrix with an example of source, target, and results:
source | function | target | result |
---|---|---|---|
user A | can SU | user B | true/false |
Priv User = users that are added to a role in the 'SU Realm' which has the 'Can SU' security function
Standard User = either
- any user that is not SuperUser and has not been added to a role in the 'SU Realm' which has the 'Can SU' security function, or
- any user that is not SuperUser and has been added to a role in the 'SU Realm' which does not have the 'Can SU' security function
SuperUser = any user that has a 'magical' name or ability to edit the admin home site.
What is expected:
source | function | target | result |
---|---|---|---|
SuperUser | can SU | SuperUser | false |
SuperUser | can SU | Priv User | true |
SuperUser | can SU | Standard User | true |
Standard User | can SU | SuperUser | false |
Standard User | can SU | Priv User | false |
Standard User | can SU | Standard User | false |
Priv User | can SU | SuperUser | false |
Priv User | can SU | Standard User | true |
Priv User | can SU | Priv User | true |
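The expected results are consistent with two rules: no source may SU to a SuperUser, and otherwise only a SuperUser or Priv User source succeeds. The following added example (a standalone model, not the SU Tool's or Sakai's code) derives every row from the user definitions above; the user ids, role names, and helper names are hypothetical, and only the default realm and function names come from this page.

```python
from dataclasses import dataclass

SU_REALM = "!su.can_su_realm"  # default realm name given on this page
SU_FUNCTION = "su.can_su"      # default function name given on this page

@dataclass
class Realm:
    name: str
    role_functions: dict  # role name -> set of function names
    members: dict         # user id -> role name held in this realm

    def grants(self, user, function):
        role = self.members.get(user)  # None when the user is not in the realm
        return function in self.role_functions.get(role, set())

def classify(user, superusers, realm):
    if user in superusers:
        return "SuperUser"
    if realm.grants(user, SU_FUNCTION):
        return "Priv User"
    # Covers both Standard User cases: not in the realm at all, or in a
    # realm role that lacks the function.
    return "Standard User"

def can_su(source, target, superusers, realm):
    if classify(target, superusers, realm) == "SuperUser":
        return False  # no source may SU to a SuperUser
    return classify(source, superusers, realm) in ("SuperUser", "Priv User")

# Constructed sample data (hypothetical ids, roles, and second function name).
SUPERUSERS = {"admin", "admin2"}
REALM = Realm(SU_REALM,
              {"su_operator": {SU_FUNCTION}, "observer": {"other.function"}},
              {"helpdesk1": "su_operator", "helpdesk2": "su_operator",
               "viewer1": "observer"})
USERS = {"SuperUser": ("admin", "admin2"),
         "Priv User": ("helpdesk1", "helpdesk2"),
         "Standard User": ("viewer1", "student1")}

def matrix():
    """Result for each (source class, target class), using distinct users."""
    return {(s, t): can_su(USERS[s][0], USERS[t][1], SUPERUSERS, REALM)
            for s in USERS for t in USERS}
```

Here `viewer1` exercises the second Standard User case (in the realm, but in a role without the function) and `student1` the first (not in the realm at all).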