diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md index 288ceb286b2b9..2f59aee6098a3 100644 --- a/.github/ISSUE_TEMPLATE/testplan.md +++ b/.github/ISSUE_TEMPLATE/testplan.md @@ -1563,13 +1563,21 @@ Docs: [IP Pinning](https://goteleport.com/docs/access-controls/guides/ip-pinning - [ ] Verify that users can run custom audit queries. - [ ] Verify that the Privileged Access Report is generated and periodically refreshed. -- [ ] Access List +- [ ] Access Lists - [ ] Verify Access List membership/ownership/expiration date. - - [ ] Verify permissions granted by Access List membership. - - [ ] Verify permissions granted by Access List ownership. - - [ ] Verify Access List Review. - - [ ] verify Access LIst Promotion. - - [ ] Verify that owners can only add/remove members and not change other properties. + - [ ] Verify permissions granted by Access List membership. + - [ ] Verify permissions granted by Access List ownership. + - [ ] Verify Access List Review. + - [ ] verify Access LIst Promotion. + - [ ] Verify that owners can only add/remove members and not change other properties. + - [ ] Nested Access Lists + - [ ] Verify that Access Lists can be added as members or owners of other Access Lists. + - [ ] Verify that member grants from ancestor lists are inherited by members of nested Access Lists added as members. + - [ ] Verify that owner grants from ancestor lists are inherited by members of nested Access Lists added as owners. + - [ ] Verify that Access List Review and Promotion work with nested Access Lists. + - [ ] Verify that manually deleting a nested Access List used as a member or owner does not break UserLoginState generation or listing Access Lists. + - [ ] Verify that an Access List can be added as a member or owner of another Access List using `tctl`. + - [ ] Verify that Access Lists added as members or owners of other Access Lists using `tctl` are validated (no circular references, no nesting > 10 levels). - [ ] Verify Okta Sync Service - [ ] Verify Okta Plugin configuration. @@ -1579,6 +1587,7 @@ Docs: [IP Pinning](https://goteleport.com/docs/access-controls/guides/ip-pinning - [ ] Verify that users/apps/groups are synced from Okta to Teleport. - [ ] Verify the custom `okta_import_rule` rule configuration. - [ ] Verify that users/apps/groups are displayed in the Teleport Web UI. + - [ ] Verify that users/groups are flattened on import, and are not duplicated on sync when their membership is inherited via nested Access Lists. - [ ] Verify that a user is locked/removed from Teleport when the user is Suspended/Deactivated in Okta. - [ ] Verify access to Okta apps granted by access_list/access_request. diff --git a/.github/ISSUE_TEMPLATE/webtestplan.md b/.github/ISSUE_TEMPLATE/webtestplan.md index a0414c0409085..bdc8de31fe32a 100644 --- a/.github/ISSUE_TEMPLATE/webtestplan.md +++ b/.github/ISSUE_TEMPLATE/webtestplan.md @@ -478,6 +478,45 @@ With the previous role you created from `Strategy Reason`, change `request_acces - [ ] Verify after login, dashboard is rendered as normal +## Access Lists + +Not available for OSS + +- Creating new Access List: + - [ ] Verify that traits/roles are not be required in order to create + - [ ] Verify that one can be created with members and owners + - [ ] Verify the web cache is updated (new list should appear under "Access Lists" page without reloading) +- Deleting existing Access List: + - [ ] Verify the web cache is updated (deleted list should disappear from "Access Lists" page without reloading) + - [ ] Verify that an Access List used as a member or owner in other lists cannot be deleted (should show a warning) +- Reviewing Access List: + - [ ] Verify that after reviewing, the web cache is updated (list cards should show any member/role changes) +- Updating (renaming, removing members, adding members): + - [ ] Verify the web cache is updated (changes to name/members appear under "Access Lists" page without reloading) +- [ ] Verify Access List search is preserved between sub-route navigation (clicking into specific List and navigating back) +- Can manage members/owners for an existing Access List: + - [ ] Verify that existing Users: + - [ ] Can be enrolled as members and owners + - [ ] Enrolled as members or owners can be removed + - [ ] Verify that existing Access Lists: + - [ ] Can be enrolled as members and owners + - [ ] Enrolled as members or owners can be removed + - [ ] Verify that an Access List cannot be added as a member or owner: + - [ ] If it is already a member or owner + - [ ] If it would result in a circular reference (ACL A -> ACL B -> ACL A) + - [ ] If the depth of the inheritance would exceed 10 levels + - [ ] If it includes yourself (and you lack RBAC) + - [ ] Verify that non-existing Members and Owners can be enrolled in an existing List (e.g., SSO users) +- Inherited grants are properly calculated and displayed: + - [ ] Verify that members of a nested Access List: + - [ ] Added as a member to another Access List inherit its Member grants + - [ ] Added as an owner to another Access List inherit its Owner grants + - [ ] That do not meet Membership Requirements in a Nested List do not inherit any Grants from Parent Lists + - [ ] That do not meet the Parent List's Membership/Ownership Requirements do not inherit its Member/Owner Grants + - [ ] Verify that owners of Access Lists added as Members/Owners to other Access Lists do *not* inherit any Grants + - [ ] Verify that inherited grants are updated on reload or navigating away from / back to Access List View/Edit route + - [ ] Verify that 'View More' exists and can be clicked under the 'Inherited Member Grants' section if inherited grants overflows the container + ## Web Terminal (aka console) - [ ] Verify that top nav has a user menu (Main and Logout)