3.8 Proceedings Paper

Access Control Tree for Testing and Learning

Publisher

IEEE
DOI: 10.1109/ASE51524.2021.9678797

Keywords

Testing Access Control; Access Control Tree; Helsenorge

Our work focuses on testing the access control of a large national e-health Internet portal with millions of monthly visits. We aim to improve testing by applying systematic and rigorous approaches, while also obtaining a holistic view of the portal's complex access control structure. By using a set-theoretic approach and visualizing it as an access control tree, we are able to better understand the attributes and values that influence access, resulting in over 2000 pairs of abstract test scenarios implemented into 600 automated test cases. The access control tree not only speeds up testing processes significantly, but also serves as a valuable collaboration and learning tool for better familiarity with the solution.
We present our work on testing the access control of a large national e-health Internet portal which has millions of monthly visits. Our aim is twofold: (1) to improve testing by applying a systematic and rigorous (semi-formal) approach and (2) to obtain a holistic view of the portal's complex access control structure. Applying a more rigorous approach helps reduce ambiguity, while a holistic picture aids easier and often also faster comprehension of the complex access control structure. We use a set-theoretic approach for specifying access control. Then, from the access control's abstract set notation we derive a visual version in the form of the access control tree. Nodes of the tree represent attributes that influence access, while edges are values of those attributes. A leaf of the tree represents a scope, which is a grouping of individual services. The access control tree presented in this paper has 15 scopes (leaves), which results in 105 pairs of abstract test scenarios. The complete version of the tree has 66 scopes that result in over 2000 pairs of abstract test scenarios. The abstract test scenarios are implemented as over 600 concrete and automated test cases. Manual execution of one concrete test takes about five minutes, while automated execution of all tests takes about one hour (thus achieving over 40 times speedup). These automated test cases run as part of our CI/CD pipeline. The access control tree can also be used as a collaboration or learning tool, to get quicker familiarity with the solution.
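An added illustration of the tree described in the abstract (not code from the paper or the portal): inner nodes are attributes, edges are values, leaves are scopes. The attribute, value and scope names are constructed, and treating a scenario pair as one unordered pair of scopes is an assumption that matches the page's figure of 15 scopes giving 105 pairs.

```python
from itertools import combinations

# Constructed tree: inner node = (attribute, {value: subtree}), leaf = scope name.
# All attribute, value and scope names are hypothetical, not the portal's.
TREE = ("authenticated", {
    "no": "scope:public",
    "yes": ("acting_as", {
        "self": ("assurance_level", {
            "substantial": "scope:basic",
            "high": "scope:full",
        }),
        "representative": ("relation", {
            "parent": "scope:child-records",
            "power_of_attorney": "scope:delegated",
        }),
    }),
})

def scopes(node, path=()):
    """Yield (scope, attribute assignment) for every leaf, depth first."""
    if isinstance(node, str):
        yield node, dict(path)
        return
    attribute, edges = node
    for value, child in edges.items():
        yield from scopes(child, path + ((attribute, value),))

def resolve(node, subject):
    """Walk the tree with a subject's attributes; fail closed on a missing or unknown value."""
    while not isinstance(node, str):
        attribute, edges = node
        value = subject.get(attribute)
        if value not in edges:
            return None  # no scope granted
        node = edges[value]
    return node

def scenario_pairs(tree):
    """Assumption: one abstract scenario pair per unordered pair of scopes."""
    return list(combinations(scopes(tree), 2))

def misrouted_pairs(tree):
    """Pairs where a subject built from one scope's attributes does not land in that scope."""
    return [(a, b) for (a, sa), (b, sb) in scenario_pairs(tree)
            if resolve(tree, sa) != a or resolve(tree, sb) != b]

def pair_count(n_scopes):
    """Number of unordered scope pairs, n(n-1)/2."""
    return n_scopes * (n_scopes - 1) // 2
```

With this pairing, `pair_count(15)` gives the 105 pairs quoted above and `pair_count(66)` gives 2145, consistent with "over 2000".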
