JIRA: SAK-131: Add Role based SU security

This test plan covers the sub-story SAK-354: add realm based security to SuTool ONLY

Description:

This modification to the SU Tool is intended to allow users who are not SuperUsers to SU (become) other users. On start-up, the tool looks for, or creates, a security realm (see the Realms tool). By default the realm is named '!su.can_su_realm', but the name can be modified by editing the tool registration file.

Administrators should add roles to this realm that carry the correct security function (permission). By default this function is named 'su.can_su' (an administrator can change it by editing the tool registration file).

The template permission matrix, with an example of source, target, and result:

source | function | target | result
------ | -------- | ------ | ----------
user A | can SU   | user B | true/false

Definitions: Types of users

Priv User = any user that has been added to a role in the 'SU Realm' which has the 'Can SU' security function

Standard User =
  1. any user that is not a SuperUser and has not been added to a role in the 'SU Realm' which has the 'Can SU' security function, or
  2. any user that is not a SuperUser and has been added to a role in the 'SU Realm' which does not have the 'Can SU' security function

SuperUser = any user that has a 'magical' name or the ability to edit the admin home site.

What is expected:

source        | function | target        | result
------------- | -------- | ------------- | ------
SuperUser     | can SU   | SuperUser     | false
SuperUser     | can SU   | Priv User     | true
SuperUser     | can SU   | Standard User | true
Standard User | can SU   | SuperUser     | false
Standard User | can SU   | Priv User     | false
Standard User | can SU   | Standard User | false
Priv User     | can SU   | SuperUser     | false
Priv User     | can SU   | Standard User | true
Priv User     | can SU   | Priv User     | true
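The decision rule behind this matrix, as an added model for checking a test run against the expected results (this is not the SU Tool's own code; the realm and function names are the page's defaults, and the user ids, role names and the 'some.other.function' permission are constructed):

```python
# Model of the expected SU authorization decision from this test plan.
# Not the SuTool's implementation; user ids and role names are constructed.
SU_REALM = "!su.can_su_realm"   # default realm name from the tool registration file
CAN_SU = "su.can_su"            # default security function name

class Realm:
    """Minimal model of a realm: roles carry functions, users hold one role."""
    def __init__(self, name):
        self.name = name
        self.role_functions = {}   # role name -> set of function names
        self.user_roles = {}       # user id -> role name

    def add_role(self, role, functions):
        self.role_functions[role] = set(functions)

    def grant(self, user, role):
        self.user_roles[user] = role

    def allows(self, user, function):
        """True only if the user's role in this realm carries the function."""
        role = self.user_roles.get(user)
        return role is not None and function in self.role_functions.get(role, ())

def can_su(source, target, realm, superusers):
    """Return True only if `source` may become `target` per the expected matrix."""
    # Nobody can SU a SuperUser account, not even another SuperUser (Test 3).
    if target in superusers:
        return False
    # SuperUsers keep their existing ability to SU any non-SuperUser.
    if source in superusers:
        return True
    # Priv User: in a role of the SU realm that carries the 'can SU' function.
    # Standard Users (no role, or a role without the function) fall through to False.
    return realm.allows(source, CAN_SU)

def build_example():
    """Constructed fixture covering every user type in the definitions above."""
    realm = Realm(SU_REALM)
    realm.add_role("su_role", [CAN_SU])                   # role WITH the function
    realm.add_role("other_role", ["some.other.function"])  # role WITHOUT it
    realm.grant("priv1", "su_role")
    realm.grant("priv2", "su_role")
    realm.grant("std_in_role", "other_role")   # Standard User, definition 2
    # "std" is granted nothing: Standard User, definition 1
    superusers = {"admin", "admin2"}           # constructed SuperUser ids
    return realm, superusers
```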

Preparation

  • a site with the SU Tool installed (duh!)
  • at least two non-SuperUser accounts
  • at least two SuperUser accounts

Test

Assumption: the default realm name and default security function name are in use in the tool registration file

Test 1

Log in as admin, access the Realms tool and delete the realm entitled '!su.can_su_realm'
Select the tool page that contains the SU Tool
Return to the Realms tool and search for the above realm name

Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by a SuperUser

Test 2

Log in as admin, access the Realms tool and delete the realm entitled '!su.can_su_realm'
Log out and log in again as a non-admin user in the site that has the SU Tool installed
Select the tool page that contains the SU Tool
Log out and log in again as admin
Return to the Realms tool and search for the above realm name

Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by a Standard User.

Test 3

Log in as admin and select the tool page that contains the SU Tool
Type in the name of another SuperUser account and select 'become user'

Expected result: 'unauthorized' - no one can SU a SuperUser account, not even another SuperUser
