There are many multiuser software products such as enterprise management systems, social networks, online shops and other web and network applications.
Functional testing, usability testing, performance testing and other testing activities for such systems are more complex than the verification of a single-user desktop program, and every user of the software must be able to trust that their personal data are protected.
Security testing of systems of that kind should cover both external and internal aspects. The login procedure, password policy and storage of user passwords, and protection from cyber-attacks are external aspects.
Internal security aspects include a clear allocation of user roles and distinct access rights for different users.
For example, in a plant management system an accountant must have access to certain accounting data such as salaries, income and expenses, but this user must not be able to open the pages for industrial process control or laboratory research.
Managers should have access to more data than non-management employees.
When Verifying the Access Rights of Different Application Users, It Is Necessary:
- to create accounts for all types of system users;
- to create accounts for users holding several roles, if the tested system allows it;
- to interact with the system from every created account;
- to check what data every created user can access and whether those access rights comply with the specification.
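The four steps above, carried out against the plant management example from earlier (accountant, process control, laboratory research), as an added example that is not part of the original article. The specification matrix, the role names and the `app_can_access` function that stands in for the application are all constructed for this example; in a real test the `can_access` call would be an HTTP request made while logged in as that account. The constructed application contains two deliberate defects so the check has something to report: the "expenses" page lacks an authorization check, and managers are wrongly denied the "reports" page.

```python
"""Verify role-based access rights against a specification matrix.

Everything here is a constructed example: SPEC is a hypothetical
specification, and app_can_access() is a hypothetical stand-in for the
application under test.
"""
from itertools import combinations

# Step 4's reference: which roles the specification allows on which pages.
SPEC = {
    "accountant": {"salaries", "income", "expenses"},
    "process_engineer": {"process_control"},
    "lab_technician": {"lab_research"},
    "manager": {"salaries", "income", "expenses", "process_control",
                "lab_research", "reports"},
}
PAGES = sorted(set().union(*SPEC.values()))


def app_can_access(roles, page):
    """Constructed model of the application under test, with two defects:
    'expenses' has no authorization check at all (everyone gets it), and
    'reports' is denied to everyone, including managers."""
    if page == "expenses":
        return True
    if page == "reports":
        return False
    return any(page in SPEC[r] for r in roles)


def expected(roles):
    """A user holding several roles is entitled to the union of their rights."""
    return set().union(*(SPEC[r] for r in roles))


def build_accounts(max_roles=2):
    """Steps 1 and 2: one account per role, plus every combination of roles
    up to max_roles (the multi-role accounts the system permits)."""
    accounts = []
    for k in range(1, max_roles + 1):
        accounts.extend(combinations(sorted(SPEC), k))
    return accounts


def check_access(accounts, can_access=app_can_access):
    """Steps 3 and 4: from every account, try every page and compare the
    outcome with the specification. Returns (roles, page, expected, actual)
    for each discrepancy; an empty list means the rights comply."""
    findings = []
    for roles in accounts:
        allowed = expected(roles)
        for page in PAGES:
            exp = page in allowed
            act = can_access(roles, page)
            if exp != act:
                findings.append((roles, page, exp, act))
    return findings


def summarize(findings):
    """Split discrepancies into excess rights (granted but not specified,
    the security-relevant case) and missing rights (specified but denied)."""
    excess = sum(1 for _, _, exp, act in findings if act and not exp)
    missing = sum(1 for _, _, exp, act in findings if exp and not act)
    return {"excess": excess, "missing": missing}


if __name__ == "__main__":
    accounts = build_accounts()
    for roles, page, exp, act in check_access(accounts):
        kind = "EXCESS " if act else "MISSING"
        print(f"{kind} {'+'.join(roles):35} {page}")
    print(summarize(check_access(accounts)))
```

Excess findings are the ones that matter most in a security review: a page reachable by a role the specification never granted it. Checking single-role and combined-role accounts separately also shows whether a defect is tied to one role or to a missing check that affects everyone.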