19 Jun

Security and Authorisation Testing

Regardless of which methodology you’re using to log in and to test security and authorisations, don’t forget to plan for the basics:

  • How do users log in?
    ○ Portal – ensure you have the URLs for any portals
    ○ SAP GUI – how is the GUI being sent to each desktop/laptop? Will it be there in time for your test phases?
    ○ SAP GUI – are all test systems on the .ini file? If not, do you have the connection string? Are desktops / laptops locked down – if so, what is the workaround to get the .ini file installed?
    ○ RF scanners and other external devices – do they have the URL to the test system(s)?
  • Do all users have a user ID to access?
    ○ Individual user IDs or role-based logins?
    ○ Are there any Single Sign On implications that prevent access?
    ○ Are users set up in or synchronised across each system that requires access (e.g. Portal, ECC, SCM, BI, etc.)?
  • What is the password reset procedure?
    ○ Do all testers know who to contact to reset passwords?
    ○ What’s the process? Email? Self-service?
    ○ What’s the turnaround time?
    ○ If role-based logins are being used, how are you keeping track of passwords?

All of the above should be covered in your Test Plan and/or in your tester onboarding toolkit.