For all of you who are QA or testing gurus this question may sound completely stupid but I have to ask it.
At the moment the company I work for is getting a new insurance system and since I am doing all the coordination (and some of the functional testing) I am trying to cover every aspect of the testing. So far so good except for the security testing. Do I have to go through every user in the company (in excess of 300 users) and test their security access or is there a quicker way?
Would greatly appreciate your advice on this one. We don't have any automated testing tools at this moment in time.
Using equivalence class partitioning, you should be able to reduce the number of test cases.
For example, are the users assigned to a Role, which drives the authorized functions? If so, you could test the functions allowed for each Role, with the assumption that any single user in that Role would be held to those rules.
If Roles are not used, then is there a table which holds the allowed functions for each user? If so, you may be able to devise test cases that cover each combination of functions (allowed and disallowed), which will probably not only require less than 300 tests, but will also cover for security configurations that existing users may not currently have.
Much in line with TestGeek, that is how we do it here. We test against a Security Matrix which is basically CRUD vs. Screens. Each role has a combination of CRUD for a screen. This determines our test cases.
"These are the specific access rights that are granted to each user profile for each screen. (For example: Create (C) – allows the user to create new records, Read (R) – allows the user to only view data, Update (U) – allows the user to make changes to existing records, Delete (D) – allows the user to remove data from the database)"
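One way to turn a Role x Screen Security Matrix into test cases, as an added example that is not from anyone in this thread: each role is one equivalence class (so four users in the constructed list collapse to three classes), and every role/screen/operation cell becomes a test whose expected result is "granted" or "denied". The roles, screens and user assignments are constructed, and `check_access` is a stand-in for the system's own authorization decision.

```python
from itertools import product
from collections import defaultdict

OPERATIONS = ("C", "R", "U", "D")

# Constructed Security Matrix for a hypothetical insurance system: role -> screen -> CRUD granted.
SECURITY_MATRIX = {
    "Underwriter": {"Policy": "CRU",  "Claim": "R",    "UserAdmin": ""},
    "Adjuster":    {"Policy": "R",    "Claim": "CRU",  "UserAdmin": ""},
    "Admin":       {"Policy": "CRUD", "Claim": "CRUD", "UserAdmin": "CRUD"},
}

# Constructed user -> role assignment (in the real system this is the 300-user list).
USERS = {"alice": "Underwriter", "bob": "Underwriter", "carol": "Adjuster", "dave": "Admin"}

def partition_users(users):
    """Group users by role: one equivalence class per role, tested once, not per user."""
    classes = defaultdict(list)
    for user, role in users.items():
        classes[role].append(user)
    return dict(classes)

def generate_test_cases(matrix):
    """One case per (role, screen, operation). Expected True if the matrix grants it,
    False otherwise; the denied cases matter most, since they prove the boundary holds."""
    screens = sorted({s for perms in matrix.values() for s in perms})
    cases = []
    for role, screen, op in product(sorted(matrix), screens, OPERATIONS):
        cases.append((role, screen, op, op in matrix[role].get(screen, "")))
    return cases

def check_access(role, screen, op, matrix=SECURITY_MATRIX):
    """Assumed stand-in for the system under test's own authorization check."""
    return op in matrix.get(role, {}).get(screen, "")

def run_matrix_tests(matrix, decide):
    """Run every generated case against `decide`; return the cases whose result differs."""
    failures = []
    for role, screen, op, expected in generate_test_cases(matrix):
        if decide(role, screen, op) != expected:
            failures.append((role, screen, op, expected))
    return failures

if __name__ == "__main__":
    print("equivalence classes:", partition_users(USERS))
    cases = generate_test_cases(SECURITY_MATRIX)
    print(len(cases), "cases;", sum(c[3] for c in cases), "granted; rest denied")
    print("failures against the stand-in:", run_matrix_tests(SECURITY_MATRIX, check_access))
```

Running the same case list against a misconfigured decision (for instance one that grants every request) lists exactly the denied cells that the misconfiguration breaks, which is the check the matrix exists for.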
Security testing is much broader (or can be) than just testing User privileges. Will the system be accessible from outside your local area (WWW)? If so, this could require a lot more testing (but if you have a Firewall, maybe your Network people have to do this testing).