I've been spending the last few days planning for 'security' testing of a web-based product. One thing that I do NOT have to concern myself with is log-on security; that is going to be handled by a single-sign-on facility provided by the customer (no lectures, please).
What I am perplexed about is some way to reasonably prove that the field level security works. The mechanism is this: HTML pages will be generated on the fly, with the data represented based on the specific user's permissions for each data element normally associated with the page (i.e., editable, display only, no access).
I'm imagining that after going to all the trouble to script tests via Rational Team Test (for ongoing regression testing), I may also be able to use that work as a basis for running a variety of tests of the security.
Rational Team Test may not help you to address field level security. You will need to address this either by your in-house scripting or by subcontracting it to an appropriate third party specialising in this segment.
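An added example (not from the original poster or the reply) of the kind of in-house check the question and answer point at: a permission matrix per role is compared against the rendered HTML, treating an editable, read-only or absent control as the expected rendering. The role name, field names and both pages are constructed for illustration; the "bad" page shows the common failure where a no-access value is merely moved into a hidden input.

```python
from html.parser import HTMLParser

# The three permission levels the question describes for each data element.
EDITABLE, DISPLAY_ONLY, NO_ACCESS = "editable", "display_only", "no_access"

# Constructed permission matrix for one hypothetical role ("clerk").
CLERK_MATRIX = {"name": EDITABLE, "dept": DISPLAY_ONLY, "salary": NO_ACCESS}

# Constructed pages: one rendered correctly, one that leaves dept editable
# and "hides" salary in a hidden input, where the value still reaches the user.
GOOD_PAGE = ('<form><input name="name" value="Ann">'
             '<input name="dept" value="HR" readonly></form>')
BAD_PAGE = ('<form><input name="name" value="Ann"><input name="dept" value="HR">'
            '<input type="hidden" name="salary" value="90000"></form>')


class _FieldCollector(HTMLParser):
    """Collects every named form control on the page with its attributes."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)          # boolean attrs (readonly) map to None
            if "name" in a:
                self.fields[a["name"]] = a


def collect_fields(html):
    p = _FieldCollector()
    p.feed(html)
    return p.fields


def check_field_security(html, expected):
    """Return a list of violations (empty list means the page matches)."""
    fields = collect_fields(html)
    violations = []
    for name, level in expected.items():
        f = fields.get(name)
        locked = f is not None and ("readonly" in f or "disabled" in f)
        hidden = f is not None and f.get("type") == "hidden"
        if level == EDITABLE and (f is None or locked or hidden):
            violations.append(f"{name}: should be editable")
        elif level == DISPLAY_ONLY and (f is None or not locked or hidden):
            violations.append(f"{name}: should be rendered read-only")
        elif level == NO_ACCESS and f is not None:   # hidden input still leaks
            violations.append(f"{name}: must not be rendered at all")
    # Controls the matrix never mentions are unreviewed and therefore suspect.
    violations += [f"{n}: not in permission matrix" for n in fields if n not in expected]
    return violations
```

Rendering is only half the control: the same matrix should also drive a server-side test that submits a display-only or no-access field and asserts the update is rejected, since a read-only attribute is trivially removed in the browser.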