Background
Security Administrators are tasked with maintaining Roles and permissions for an assigned group of people.
It is essential for regulation and auditing purposes that Security Administrators be able to perform certain functions (within defined limitations) within their assigned group, and explicitly not be able to perform those same functions within a non-assigned group.
Some of the most important issues that this spec covers are:
Ensuring that Security Administrators can only create/edit/delete user accounts within their own Organizations
Ensuring that Security Administrators can only assign/remove a Role if the Security Administrator has been given permission to assign/remove that Role
Ensuring that Security Administrators can issue password resets and unlock user accounts
Ensuring that Security Administrators can ONLY perform these operations on Organizations to which they are assigned
Specification
Security Administrators
should be able to set up variables with values and lookups for this test script
should be able to create the Main new test Org and a new user (automatically in Security Admin role)
should be able to create a new org to test other/Cross-Org scenarios
should be able to Impersonate the security admin
should be able to create an End-user account for the test organization
should not be able to create user accounts for other organizations
should be able to add a Tag to the new person and a Tag to the new Org
should be able to remove Tags on Users and Organizations
should be able to add their roles to members of their organization
should be able to remove a role
should not be able to add other roles to members of their organization
should be able to deactivate their users
should be able to activate their users
should not be able to deactivate users of other organizations
should not be able to activate users of other organizations
should be able to unlock their users
should not be able to unlock users of other organizations
should be able to issue password resets for their users
should be able to clean up the data created
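The scoping rules above can be enforced with a single Organization guard that every operation calls, plus a per-administrator set of assignable Roles. The sketch below is an added example, not code from the system this spec tests; the class and function names, "MainOrg" and the "Reviewer" Role are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Denied(Exception):
    """The Security Administrator acted outside their assigned scope."""

@dataclass
class User:
    name: str
    org: str
    roles: set = field(default_factory=set)
    active: bool = True
    locked: bool = False

@dataclass(frozen=True)
class SecurityAdmin:
    name: str
    orgs: frozenset              # Organizations this admin is assigned to
    assignable_roles: frozenset  # Roles this admin may assign or remove

def _require_org(admin, org):
    if org not in admin.orgs:
        raise Denied(f"{admin.name} is not assigned to {org}")

def create_user(admin, name, org):
    _require_org(admin, org)
    return User(name, org)

def set_role(admin, user, role, grant=True):
    _require_org(admin, user.org)
    if role not in admin.assignable_roles:
        raise Denied(f"{admin.name} may not assign or remove {role}")
    (user.roles.add if grant else user.roles.discard)(role)

def set_active(admin, user, active):
    _require_org(admin, user.org)
    user.active = active

def unlock(admin, user):
    _require_org(admin, user.org)
    user.locked = False

def allowed(action, *args):
    try:
        action(*args)
    except Denied:
        return False
    return True

ADMIN = SecurityAdmin("sa", frozenset({"MainOrg"}), frozenset({"Reviewer"}))  # constructed sample
```

Because a denied call raises before any state changes, a cross-Organization attempt leaves the target account exactly as it was, which is the property the "should not be able to" cases check.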