Role & Permission Testing Checklist.

Before testing, produce or obtain a permissions matrix: rows are features/pages/API endpoints, columns are roles, cells are allow/deny. Testing without a matrix leads to missed checks and untestable requirements. If no matrix exists, create one as part of this work.

For every role defined in the permissions matrix, at least one active test account must exist in the target environment. Testing with only admin credentials misses 90% of the access control surface. Seed test accounts during environment setup, not during the test run.

Register a new account via the standard signup flow. Inspect the account's role in the database or via the user-profile API. The role must be the lowest-privilege role (e.g., 'user' or 'viewer'). Default-to-admin is a catastrophic misconfiguration that frequently appears post-migration.

Review the permissions matrix against the stated business purpose of each role. A 'viewer' role must not have write access. A 'billing-admin' must not have access to user management. Flag any permission that cannot be justified by the role's documented purpose.

For each URL in the admin section (e.g., /admin, /admin/users, /admin/settings), attempt access as a standard user by directly typing the URL. Expect a 403 status and an appropriate message — not a blank page, a crash, or partial admin content with edit controls disabled.

Log out and navigate directly to protected routes (/dashboard, /profile, /settings). Each must redirect to /login (with returnTo preserved). A 200 response with empty or partially-loaded content leaks the page structure to unauthenticated users.

For a route that a role cannot access, confirm the route guard is enforced on the server. Use DevTools to manually navigate to the protected URL or call the underlying API directly. The backend must enforce the authorization check — not rely on the UI hiding the link.

Log in as each role and compare the navigation menu items against the permissions matrix. Admin-only items must not appear for standard users. Visible links to inaccessible pages cause a poor UX and invite direct-URL attacks from curious users.

As User A in Tenant 1, construct a URL for Tenant 2's dashboard (e.g., /t/tenant2/settings). Attempt access. The server must return 403 or 404 — not load Tenant 2's data. Cross-tenant access is the most severe access control failure in SaaS applications.

As a read-only or viewer role, call the POST endpoint for a resource the role cannot create (e.g., POST /users). Expect 403 — not a 200 with the resource created, and not a 401 (authentication failure). The distinction matters: 401 = not authenticated, 403 = authenticated but not authorized.

As a viewer role, call PUT or PATCH on a resource. Expect 403 with a JSON error body. Also verify in the UI that the edit button and inline edit fields are not rendered for the viewer role — not just disabled. Disabled controls can sometimes be re-enabled via DevTools.

As a role without delete permission, call DELETE /resource/:id and the bulk delete endpoint. Both must return 403. Also test the UI: the delete button must not be rendered (not just hidden via CSS visibility: hidden, which is still in the DOM and clickable via DevTools).

Call the export endpoint (e.g., GET /users/export.csv or POST /reports/generate) as a role without export rights. Expect 403. Data exports are high-value targets — a viewer who can export all user records can exfiltrate the entire customer dataset.

Log in as a standard user and attempt to access /settings, /organization/settings, and /integrations. Each must return 403 or redirect. Configuration changes (SSO settings, API key management, billing) must be admin-only — they have system-wide impact.

As User A, note the ID of a resource owned by User A (e.g., GET /invoices/1042). Authenticate as User B. Call GET /invoices/1042. Expect 403 or 404. If the invoice is returned, an Insecure Direct Object Reference (IDOR) vulnerability exists. Test across every resource type in the system.

As User A, call GET /invoices. Assert the response contains only User A's invoices — not all invoices in the system. Unscoped list endpoints that return all records regardless of the caller's identity are one of the most common and impactful access control bugs.

As a viewer role, call GET /users/:id. Sensitive fields must be absent from the response body entirely — not present with a masked value like '****'. Compare the response to the same call authenticated as admin. Fields absent in the viewer response are correctly access-controlled.

A dashboard may show 'Total revenue: $X'. As a user who can only see their own records, the total should reflect only their records — not all records in the system. Aggregate endpoints that bypass row-level security can leak summary statistics of inaccessible data.

Call every protected API endpoint with no Authorization header (not an expired or invalid token — entirely absent). Expect 401 Unauthorized, not 200, not 403. 401 = unauthenticated. 403 = authenticated but not authorized. Mixing them causes client-side error handling to break.

Pick 10 endpoints that are restricted by role. Call each using a token from a lower-privilege role (e.g., a viewer token on an admin endpoint). All must return 403. Use Postman or curl to bypass the UI entirely — the API must stand on its own.

If the system supports token scopes (read:data, write:data, admin), issue a read:data token and call a write endpoint. Expect 403. Token scope checks must be independent of the user's role — a token with limited scope must be restricted even if the user has broader role permissions.

A viewer role may have GET /documents permission. Call POST /documents, PUT /documents/:id, and DELETE /documents/:id with the viewer's token. All write methods must return 403. Some authorization implementations check the path but not the method.

As admin, demote User A from 'admin' to 'viewer'. Without User A logging out, have User A call an admin-only API endpoint. Expect 403. The permission change must be reflected in the current session without requiring re-login. Cached role claims can create access windows of minutes to hours.

As a standard user, call PUT /users/{own_id} with {"role": "admin"} in the request body. Expect 403. Also try PATCH /users/{own_id}/role. Both must be blocked. Self-promotion via the user-update API is a classic privilege escalation path.

If managers can invite users and set their role, confirm a manager cannot assign the 'super-admin' or 'owner' role during an invitation. The role selector in the invite form must be capped at the manager's own privilege level, and the API must enforce the same cap.

As admin, deactivate User A's account while User A has an active session. User A's next API request must return 401 or 403. A deactivated account with a still-valid session token is effectively still active. Check your JWT strategy: if using stateless JWTs, you may need a revocation list or short token TTL.

Send API requests with non-standard headers like X-Admin: true, X-Role: admin, X-Forwarded-User: admin@company.com. The server must ignore these headers for authorization purposes. Some legacy systems route requests through a proxy that sets these headers for internal services — if exposed externally, it is a critical auth bypass.

Decode a valid JWT, change the 'role' claim from 'viewer' to 'admin', and re-encode without re-signing (using the 'none' algorithm or by tampering with the signature). Send it to an admin endpoint. Expect 401. The server must always validate the JWT signature before reading its claims.

As a standard user, call PATCH /users/:id (your own ID) with the body {"name": "Alice", "role": "admin"}. Expect a 200 for the name update but the role must remain unchanged in the database. Mass assignment vulnerabilities silently accept and persist role fields the user should not be able to set.

Send requests with duplicate query parameters: GET /api/data?role=user&role=admin. Different server frameworks resolve duplicate params differently (first, last, or array). If the authorization layer reads the wrong value, the attacker can slide admin context in. Test both first-wins and last-wins payloads.

Systematically request IDs around your own (your ID minus 1, plus 1, plus 10). Every resource returned must belong to your account. Also attempt GUIDs from other resource types. Forced browsing / IDOR via sequential IDs is the most common access control bug in production applications.

Call GET /audit-log and DELETE /audit-log/:id as a standard user. Expect 403 for both. Users being able to read their own audit trail may be intentional — but they must not read others' entries and must never be able to delete or modify audit records.

Perform: role change, resource delete, data export, admin login, and failed login. Open the audit log and confirm each action appears with: who did it (user ID + email), what they did (action type), what resource was affected (resource type + ID), and when (ISO 8601 timestamp with timezone).

Deliberately trigger 403 errors by accessing resources as the wrong role. Confirm each failed attempt appears in the audit log with the attempted action and the actor. Failed access logs are the primary signal for detecting attack patterns and insider threats.

As admin, attempt to call DELETE /audit-log/:id and PATCH /audit-log/:id. Both must return 403 or 405. An admin who can delete audit entries can cover their tracks after unauthorized actions. The audit log must be append-only and protected from mutation by all roles.