JIRA: SAK-131: Add Role based SU security
This request to add Role-based SU security encompasses two parts:
- a role-based limitation and specification of which roles may use SuperUser (SU) access and what the limitations of SU access are based on the original user's role, and
- allows the portal to recoginze that the user is in an SU role and provide a UI mechanism (link or button) for the user to leave SU and return to their own role without having to log out and log in again.
The story details of these separate tasks are listed as:
SAK-354: Add Role based SU security
SU tool uses Security(Service).isSuperUser() to determine who can SU. This should be modified to use agent,/function/target ....
IT Express - can su - students
IT Express- can su - faculty
IT Express- cannot su - admin
SAK-367 - CharonPortal Tracking of assumed Id's with 'Return to...'
part two of two
2) CharonPortal patch: - assumed identities tracked with 'Return to <Eid>' link next to Logout link
create special url ('/realuser') that the portal will use to reload any existing previous usage session
Test for sub-story SAK-354: add realm based security to SuTool
This test plan covers the sub-story SAK-354: add realm based security to SuTool ONLY
Description:
This modification to the SU Tool is intended to allow users who are not SuperUser to SU other users. On Start up, the tool looks for or creates a security realm (reference: realms tool).... by default the realms name is '!su.can_su_realm' but it can be modified by editing the tool registration file.
Administrators should add roles to this realm which have the appropriate security function (or permission). This function name is 'su.can_su' by default (but can be changed by an administrator by editing the tool registration file).
The template permission matrix with an example of source, target, and results:
source |
function |
target |
result |
---|---|---|---|
user A |
can SU |
user B |
true/false |
Priv User = users that are added to a role in the 'SU Realm' which has the 'Can SU' security function
Standard User =
- ) any user that is not SuperUser and has not been added to a role in the 'SU Realm' which has the 'Can SU' security function, or
- ) any user that is not SuperUser and has been added to a role in the 'SU Realm' which does not have the 'Can SU' security function
SuperUser = any user that has a 'magical' name or ability to edit the admin home site.
What is expected:
test |
source |
function |
target |
result |
---|---|---|---|---|
SuperUser |
can SU |
SuperUser |
false |
|
SuperUser |
can SU |
Priv User |
true |
|
SuperUser |
can SU |
Standard User |
true |
|
Standard User |
can SU |
SuperUser |
false |
|
Standard User |
can SU |
Priv User |
false |
|
Standard User |
can SU |
Stardard User |
false |
|
Priv User |
can SU |
SuperUser |
false |
|
Priv User |
can SU |
Standard User |
true |
|
Priv User |
can SU |
Priv User |
true |
Preparation
- a test site with SU Tool installed (see #SU Tool Setup to set up a course)
- at least two non SuperUser accounts in the test site
- at least two SuperUser accounts
Test
Assumption
Default realm name and default security function name in tool reg file
Test 1
Login as admin and access the realms tool and delete the the realm entitled '!su.can_su_realm'
Select the tool page that contains the SU Tool
Type the name of any non-admin or admin user and select 'Become User' button (the later case will fail the su but achieve results for this test)
I necessary, log our and re-login as an admin user
Return to realms tool and search for the above realm name
Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by a SuperUser
Test 2
Login as admin and access the realms tool and delete the realm entitled '!su.can_su_realm'
log out and re-login as a non admin user in the site that has the SU Tool installed
Select the tool page that contains the SU Tool
log out and relogin as admin
Return to realms tool and search for the above realm name
Expected result: '!su.can_su_realm' will be created if missing the first time the tool is opened by and Standard User.
Test 3
Login as admin and select the tool page that contains the SU Tool
type in the name of another SuperAccount and select 'become user'
Expected result: 'unauthorized' - SuperUsers cannot su a SuperUser account
Test 4
Login as a standard user and select the tool page that contains the SU Tool
type in the name of another standard user and select 'become user'
Expected result: 'unauthorized' - Standard users cannot su another standard user account with out the correct permissions
Test 5
Login as a standard user and select the tool page that contains the SU Tool
type in the name of SuperAccount and select 'become user'
Expected result: 'unauthorized' - Standard users cannot su a SuperUser account.
Test 6
prep for 6-a and 6b
1. Login as admin and access the realms tool and edit the realm entitled '!su.can_su_realm'
2. Add a role (example 'Can SU')
3. add a Checkbox next to 'su.can_su' permission for that role
4. click on 'add a grant'
5. type in the name of a standard user in the test site.
6. save the edit
Logout and re-login as the username given in #3
Select the tool page that contains the SU Tool
6-a
select tool reset button
type in the name of SuperUser and select 'become user'
Expected result: 'unauthorized' - Privileged users cannot su a SuperUser account.
6-b
select tool reset button
type in the name of another standard user and select 'become user'
Expected result: success
SU Tool Setup
To setup the SU Tool in a particular course or project, login as an admin and follow these steps:
- In Administration Workspace and select the Sites tool. Select the course desired.
- Select the Pages button; on the new screen select the New Pages link.
- Enter SU Tool under Title and select the Tools button.
- Select the New Tool link.
- Select 'Admin: Become User (sakai:su)' from the list and then the Save button.