Suggestions for permissions testing in a web application?

Hi there,

I’m rattling my brains trying to figure out a sensible approach to testing combinations of permissions in our web application.

We have 95 different permissions that control access to various parts of the application. Note that each permission could restrict access to a single field, a group of fields, a page, a link, etc. They are essentially CRUD permissions.

A user can potentially have any combination of these 95 permissions. The number of permutations must number in the thousands. We do occasionally get bugs back whereby even though we test every permission when it’s added, it can unknowingly interfere with some other permission.

Any thoughts on how to begin to try and automate this?

We do have some Selenium tests and the ability to inject/set up users with desired permissions via the API/database; however, performing the actual checks in the UI for each permutation is mind-boggling. I sort of feel like I should be trying to do this without invoking the browser, but I can’t think how.

Many thanks,

You are right, 2^95 is a big number. We had a similar problem, and one way to narrow down the scope is to use pairwise testing. https://github.com/microsoft/pict is a tool that can take your different categories and create pairs. I think they also have a good reference on what pairwise testing is.

We generated the list of pairs, and then you have another program (like something based on Selenium) that takes each case in the list and performs the test. Even if you have that second part, you need to limit the scope, because again 2^95 is a huge number, like larger-than-the-number-of-atoms-in-the-universe huge.

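The pairwise idea from the answer above, as an added example that is not part of the original posts and is not PICT's algorithm: for on/off permissions, a direct combinatorial construction gives a set of test users in which every pair of permissions occurs in all four grant/deny combinations, and an API-level check is then run per user without a browser. The permission names, the `buggy_is_allowed` stand-in for the application's authorization check, and the oracle "an action is allowed exactly when its permission is granted" are assumptions.

```python
from itertools import combinations
from math import comb

def pairwise_grants(permissions):
    """One permission set per test user; every pair of permissions occurs in all
    four grant/deny combinations across the returned users."""
    m = 1
    while comb(m, m // 2 + 1) < len(permissions):
        m += 1
    k = m // 2 + 1  # 2k > m, so any two k-subsets of 1..m share a user
    users = [set() for _ in range(m + 1)]  # user 0 holds nothing: covers deny/deny
    # Distinct equal-sized subsets: each has a user the other lacks (grant/deny, deny/grant).
    for perm, holders in zip(permissions, combinations(range(1, m + 1), k)):
        for u in holders:
            users[u].add(perm)
    return users

def uncovered_pairs(permissions, users):
    """Pairs of permissions that are missing at least one grant/deny combination."""
    return [(a, b) for a, b in combinations(permissions, 2)
            if len({(a in u, b in u) for u in users}) < 4]

def find_interference(permissions, users, is_allowed):
    """Oracle: an action is allowed exactly when its own permission is granted."""
    return [(i, p) for i, granted in enumerate(users) for p in permissions
            if is_allowed(granted, p) != (p in granted)]

PERMS = [f"perm_{i:02d}" for i in range(95)]  # constructed permission names

def buggy_is_allowed(granted, perm):
    # Constructed defect standing in for the real application's API-level check:
    # holding perm_07 wrongly revokes perm_42.
    if perm == "perm_42" and "perm_07" in granted:
        return False
    return perm in granted

if __name__ == "__main__":
    users = pairwise_grants(PERMS)
    print(len(users), "test users,", len(uncovered_pairs(PERMS, users)), "pairs uncovered")
    for user_index, perm in find_interference(PERMS, users, buggy_is_allowed):
        print(f"user {user_index}: unexpected result for {perm}")
```

Pairwise coverage only guarantees that interference between two permissions is exercised; a defect that needs three or more specific permissions together can still slip through.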