W24: RBAC & Permission Testing

Browsers: 4 (Worker, Manager, Operations Director, Admin)
Stories: SPRINT0-002, SPRINT0-003
Time: ~25 min


Test Items

  • Service Request ID: _________________
  • Work Order ID: _________________

Test Cases

24.1: Worker Attempts Unauthorized Actions

Browser: Worker
Steps:

  1. Navigate to service request detail page
  2. Look for "Create Work Orders" or "Convert to Work Order" button
  3. Attempt to access conversion feature
  4. Verify button hidden or disabled

Verify: Worker cannot convert service requests, button hidden/disabled


24.2: Worker Attempts to Assign Work Order

Browser: Worker
Steps:

  1. Navigate to work order detail page
  2. Look for "Assign" button
  3. Attempt to assign work order
  4. Verify button hidden or action fails

Verify: Worker cannot assign work orders, permission denied


24.3: Manager Can Convert Service Request

Browser: Manager
Steps:

  1. Navigate to service request detail page
  2. Verify "Create Work Orders" button visible
  3. Convert service request to work order
  4. Record Service Request ID: _________________
  5. Record Work Order ID: _________________

Verify: Manager can convert service requests, action succeeds


24.4: Manager Can Assign Work Order

Browser: Manager
Steps:

  1. Navigate to work order detail page
  2. Verify "Assign" button visible
  3. Assign work order to worker
  4. Verify assignment succeeds

Verify: Manager can assign work orders, action succeeds


24.5: Operations Director Can Triage

Browser: Operations Director
Steps:

  1. Navigate to service requests
  2. Verify triage/approval actions available
  3. Approve service request
  4. Verify action succeeds

Verify: Operations Director can triage/approve, action succeeds


24.6: Admin Can Access All Features

Browser: Admin
Steps:

  1. Navigate through system
  2. Verify admin has access to:
    • All service request actions
    • All work order actions
    • Settings area
    • User management
  3. Test admin-only features

Verify: Admin has full access, all features accessible


24.7: Multi-Tenant Isolation

Browser: Worker (Tenant A), Manager (Tenant B)
Steps:

  1. Worker (Tenant A): Create service request
  2. Manager (Tenant B): Navigate to service requests
  3. Verify Tenant B cannot see Tenant A's service request
  4. Verify data isolation works

Verify: Multi-tenant isolation works, users cannot see other tenant data


Findings

  • Status: [ ] ✅ Complete [ ] ⚠️ Partial [ ] ❌ Blocked
  • Worker Permissions: [ ] ✅ Correct [ ] ⚠️ Issues [ ] ❌ Broken
  • Manager Permissions: [ ] ✅ Correct [ ] ⚠️ Issues [ ] ❌ Broken
  • Multi-Tenant Isolation: [ ] ✅ Works [ ] ⚠️ Issues [ ] ❌ Broken
  • Notes: _________________