I’m rattling my brains trying to figure out a sensible approach to testing combinations of permissions in our web application.
We have 95 different permissions that control access to various parts of the application. Note that each permission could restrict access to a single field, a group of fields, a page, a link etc. They are essentially CRUD permissions.
A user can potentially have any combination of these 95 permissions. The number of permutations must number in the thousands. We do occasionally get bugs back whereby even though we test every permission when it’s added, it can unknowingly interfere with some other permission.
Any thoughts on how to begin to try and automate this?
We do have some selenium tests and the ability to inject/setup users with desired permissions via the api/database, however to perform the actual checks in the UI for each permutation is mind boggling. I sort of feel like I should be trying to do this without invoking the browser but I can’t think how.