Access Tests

Last modified 3/5/08 SY

God Tests

All Objects- really have all rights?
All Groups- really have all groups?
System management- must be explicitly assigned by user with sys mgmt record access
If have all objects but not all groups, make sure groups enforced
If have all groups but not all objects, make sure objects enforced
Can assign in network reserve areas

Joe LNA Tests

Object Access

Group
1. If have group object access, can add group? And get rights to that group?
Domain
1. can really add domain?
2. if create template, what if group is not same as user's group?
3. should not be able to add subdomain to domain that is not in the same group
4. if subdomain has Allow Names but domain does not, can add nodes?
5. if other groups associated, can user remove other groups? can still modify/del?
6. name create/modify/delete within domain set by group
7. domain modification set by group
8. can't change case of domain
User
1. can put user in group that not in?
2. if create template, what if group is not same as user's group?
3. if user has user rights, can they make themselves a god?
4. if user has All Groups access and user rights, user should not be able to change own record to All Objects (i.e., should not be able to make oneself a god)
5. if other groups associated, can user remove other groups? can still modify/del?
Admin Team
1. if create template, what if group is not same as user's group?
2. can add user not in same group?
3. if other groups associated, can user remove other groups? can still modify/del?
Network
1. if create template, what if group is not same as user's group?
2. if have rights to network but not rights to AS, can change AS group?
3. if have rights to network but not rights to AS, can move AS?
4. if have rights to network but not rights to AS, can add node to AS?
5. if have rights to network and node, can use reserved addresses? should not be able to
6. if other groups associated, can user remove other groups? can still modify/del?
MX
1. can add mx for node that don't have rights for?
2. can add mx for node that one doesn't have special node rights for?
3. when deleting node, can delete mx if no rights to mx name or node record?
Node
1. if have rights to advanced but not IPC, can modify node that is both advanced and ipc?
2. can create template from a node if no special node rights?
3. if use template, what if node's groups are not the same as user's?
4. can assign admin team even if in different group
5. if other groups associated, can user remove other groups? can still modify/del?
6. if no rights to domains of names but right to node, can modify/delete?
7. if no rights to domains of names but right to node, can modify names?
8. if no rights to Node State, can change Node State? change other fields?
9. if rights to Node State, can change Node State?
10. if no rights to domains of names, IP address spaces, nodeState, etc, can still delete node?
11. if rights to node but no rights to address space, can delete/modify IP?
12. rights to move router interfaces
Advanced Node
1. what if no regular node rights?
2. if create template, what if group is not same as user's group?
IPC Node
1. what if no regular node rights?
2. if create template, what if group is not same as user's group?
Router Node
1. what if no regular node rights?
2. if create template, what if group is not same as user's group?
Template Node
1. what if no regular node rights?
2. can create template in AS which don't have rights?
3. if create template, what if group is not same as user's group?
System Management
1. even if have All Objects, should not have rights to this unless explicit

Deletion Tests

Need to check for graceful execution when deleting an object that other objects are dependent on. In general, should not be able to delete an object if other objects are dependent on it.

Group
- Should not be able to delete group if any objects are associated with it.
Domain
- Should not be able to delete if it has subdomains
- Should not be able to delete if nodes are in the domain
User
- If delete user, should still show up in "Created By" and "Modified By" fields
- Should not affect admin teams since admin team members are in directory
Admin Team
- If node is using admin team, should not be able to delete admin team
Network
- Should not be able to delete if nodes are in any of its address spaces
- Should not be able to delete address spaces if being used
Node
- Should be prompted about any MX references and given choice to cleanup
Directory Users
- Supposedly, users never disappear from the directory. However, given behaviour we've seen, I don't know if I believe it.
Little O
- Should not be able to delete if in use
- Note department is used by both node and user
- Note location is used by both node and network

THE END