Testing access control policy changes

Each time you create or modify an access control policy, you must perform certain tests to verify that the policy is working correctly.

Procedure

  1. For each policy that you have created or modified, ensure the following:
    • A user that belongs to the policy's access group is able to take the specified actions on the specified resources. If you have removed authorization to perform an action, you should also test to make sure that the user can no longer perform the action.
    • A user that does not belong to the policy's access group is unable to take the specified actions on the specified resources.

    For example, suppose you implement an Auction customization scenario, in which you remove the ability of auction administrators to close auction bidding. To test whether this change is working properly, log in as a user who belongs to the auction administrator access group and perform the following actions:

    • Modify an auction
    • Delete an auction.
  2. Verify that an Auction Administrator cannot close bidding.
  3. Log in as a user who does not belong to the auction administrator access group and attempt to perform the same actions. If the policy is working correctly, your attempts should fail.
  4. Once you have finished testing all your new and changed policies that are currently in the database, it is a good idea to extract that information into XML files. These files have the same format as the initial access control policy related files: defaultAccessControlPolices.xml, defaultAccessControlPolicies_locale.xml, and ACUserGroup_locale.xml. This step is necessary because changes made using the Organization Administration Console affect only the policy information stored in the database. The XML files that were used to load the default access control policies and their components during instance creation, are not updated automatically. For more information, see Extracting policy and access group definitions.

What to do next

After a new policy has been created, the new policy must be assigned into a policy group before it comes into effect. You should assign the new policy to the group that serves the purpose of the policy. For more information about the policy group names, see Default access control policy groups.