Summary

This document describes the test plan to test the functionality of the LDAP Group Sync to Roles feature for Mattermost v5.20.

For the practicality of running tests easily, test cases may follow steps from the preceding test case.

When images exist in parallel to assist with the test case, they are placed right below the corresponding test cases.

Scope

This document outlines the tests for LDAP Group Sync to Roles - UI and Functionality features including system console and chat facing changes.

Glossary

• Main menu

  • Hamburger menu on the LHS.

• Channel menu

  • Dropdown menu which is displayed when we click on the Channel Name

• Team Admin

  • A user who has a team administrator privileges of a team but with non-system administrator privileges.

• Channel Admin

  • A user who has a channel administrator privileges of a channel but with non-system administrator (or) non-team admin privileges.

• LDAP Group Sync Job

  • This is an option provided in the System Console > AD/LDAP page.

• Test Server

  • A list of test server versions used in testing including Mattermost server and Marketplace Server

Assumptions

The tests in this test plans are written with the assumption that:

1. Testing done on System Console pages is done as a System Administrator, unless otherwise specified by the test case.

2. Testing is primarily done on the webapp and desktop app, with spot checks on RN mobile app or mobile web browser app to ensure the feature is not present.

Setup

1. The following setup will be necessary in order to begin testing:

• A Mattermost server and webapp with the latest changes from the 5.20 release branch.

• An AD/LDAP server with Groups and users for testing this functionality.

• AD/LDAP configuration settings should be done on the System Console > AD/LDAP page and should be working.

• At least one user with system administrator access to the Mattermost instance

• At least one LDAP user belonging to one LDAP group

• At least one LDAP user belonging to two LDAP groups (with at least 1 group common with the above step).

1. Log in to Mattermost as a system administrator.

2. Verify that Mattermost Version 5.20 is running.

• Go to the main menu

• Go to “About Mattermost”

• Mattermost version appears on the About modal

Test Cases

System Console > Manage Teams

System Console > Team Configuration - UI

1. Check if the Roles dropdown is displayed in the Team Configuration page under Groups section.

2. Add Multiple Groups and set different Roles, save and check if values are persisted.

3. Remove a Group, save and search for the same channel again and check if values are persisted.

Promote Team Role Permission

1. For a Group Synced Team, select a Group and set the Role to Members in System Console > Teams page.

2. Run LDAP Group Sync job and check if user has access to the Team with Member permission.

3. Change the role from Members to Team Admin for the same team in System Console > Teams page.

4. User should immediately be updated to Team Admin role and should be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User still has Team Admin permission for that Team.

   1. User should be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc

Demote Team Role Permission

1. For a Group Synced Team, select a Group and set the Role to Team Admin in System Console > Teams page.

2. Run LDAP Group Sync job and check if user has access to the Team with Team Admin permission.

3. Change the role from Team Admin to Members for the same team in System Console > Teams page.

4. User should immediately be updated to Team Member role and should not be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User still has Team Member permission for that Team.

   1. User should not be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc

Team Role ignores Guest Users

1. Set Guest Filter in LDAP Configuration page such that some users are marked as Guest.

2. Login as LDAP users matching the Guest Filter and ensure that their account is created as a Guest.

3. For a new Group Synced Team, select a Group and set the Role to Team Admin in System Console > Teams page.

4. Check if all users who are not Guest Users have Team Admin permissions for that team.

5. Guest Users should not be added to the team.

   1. Guest Users should not be added to the LDAP Group Synced Team unless they are added to a specific channel in the team

System Console > Manage Channels

System Console > Channel Configuration - UI

1. Check if the Roles dropdown is displayed in the Channel Configuration page under Groups section.

2. Add Multiple Groups and set different Roles, save and check if values are persisted.

3. Remove a Group, save and search for the same channel again and check if values are persisted.

   1. Values should be shown correctly in the Channel Configuration page

Promote Channel Role Permission

1. For a Group Synced Channel, select a Group and set the Role to Members in System Console > Channels page.

2. Run LDAP Group Sync job and check if user has access to the Channel with Channel Member permission.

3. Change the role from Members to Channel Admin for the same channel in System Console > Channels page.

4. User should immediately be updated to Channel Admin role and should be able to perform Channel Admin tasks like view and modify Channel Members, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User still has Channel Admin permission for that Channel.

   1. User should be able to perform Channel Admin tasks like downgrade other user's permissions

Demote Channel Role Permission

1. For a Group Synced Channel, select a Group and set the Role to Channel Admin in System Console > Channels page.

2. Run LDAP Group Sync job and check if user has access to the Channel with Channel Admin permission.

3. Change the role from Channel Admin to Members for the same channel in System Console > Channels page.

4. User should immediately be updated to Channel Member role and should not be able to perform Channel Admin tasks like view and modify Channel Members, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User still has Channel Member permission for that Channel.

   1. User should not be able to perform Channel Admin tasks like downgrade other user's permissions

Channel Role ignores Guest Users

1. Set Guest Filter in LDAP Configuration page such that some users are marked as Guest.

2. Login as LDAP users matching the Guest Filter and ensure that their account is created as a Guest.

3. For a new Channel, select a Group and set the Role to Channel Admin in System Console > Channels page.

4. Check if all users who are not Guest Users have Channel Admin permissions.

5. Guest Users should have only Channel Guest permissions and should not be promoted to Channel Admin.

   1. Guest Users should have only Channel Guest permissions and should not be promoted to Channel Admin.

System Console > Manage Groups

System Console > Group Configuration - UI

1. Configure AD/LDAP and enable LDAP Group Sync and ensure there are LDAP Groups available.

2. Go to System Console > Groups Page and click on one of the groups.

3. Click on Add a Team and select a Team.

4. Check if there is an option provided to Assign a role to the team.

   1. Assigned Roles column should have dropdown options of Member and Team Admin.

5. Click on Add a Channel and select a Channel.

6. Check if there is an option provided to Assign a role to the channel.

   1. Assigned Roles column should have dropdown options of Member and Channel Admin.

7. Change the dropdown values and save. Reload the page and check if values are saved.

   1. The values changes in the Assigned Roles dropdown should persist even after the page reload.

Group Roles on New User login

1. Set a different role for a group for a team/channel

2. Do not perform a LDAP Group Sync

3. Login as a new LDAP user who has never logged into the Mattermost system before.

4. Check if new user is assigned the permissions according to the permissions set in System Configuration > Groups page

   1. New user should be assigned the Team & Channel permissions based on the roles defined in the System Console for that team and Channel

Check for Highest Role permission

1. Create a new team Team1 and channel Channel1.

2. Ensure Team1 & Channel1 has Group Synced turned on.

3. Ensure Role for Team1 is selected as Team Admin and Role for Channel1 is selected as Member.

4. Check if the LDAP User has the highest permission, i.e. Team Admin and also has Channel Admin permission for Channel1.

   1. LDAP User should have Team Admin perform and also Channel Admin permission for Channel 1

Highest permission should be allotted to user belonging to multiple groups

1. Login as a LDAP user say User1 belonging to 2 groups, group1 and group2.

2. On a different browser, login as sysadmin and select a team and enable group sync.

3. Add the Groups with Roles as follows: Group1 -> Member Group2 -> Team Admin

4. Check the role the user User1 has.

   1. User1 should have Team Admin permissions as the highest permission should be allotted to a user belonging to multiple groups.

Chat Facing > Teams > Manage Groups

Promote Group Role to Team Admins

1. For a Group Synced Team, login as a user User1 who has Team Admin permissions.

2. For the same group synced team, on a different browser, login as a user User2 who has Team Member permissions.

3. As User1, Click on Manage Groups from Main menu and then set the role to Team Admins for a Group which User2 belongs to.

4. User2 should immediately be updated to Team Admin role and should be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User2 still has Team Admin permission for that Team.

   1. User2 should be updated to a Team Admin role and should be able to perform any Team Admin Tasks

Demote Group Role to Team Members

1. For a Group Synced Team, login as a user User1 who has Team Admin permissions.

2. For the same group synced team, on a different browser, login as a user User2 who has Team Admin permissions.

3. As User1, Click on Manage Groups from Main menu and then set the role to Team Members for a Group which User2 belongs to.

4. User2 should immediately be updated to Team Member role and should not be able to perform Team Admin tasks like view and modify Team Settings, Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User2 still has Team Member permission for that Team.

   1. User2 should be updated to a Team Member role and should not be able to perform any Team Admin Tasks

Chat Facing > Channels > Manage Groups

Promote Group Role to Channel Admins

1. For a Group Synced Channel, login as a user User1 who has Channel Admin permissions.

2. For the same group synced channel, on a different browser, login as a user User2 who has Channel Member permissions.

3. As User1, Click on Channel Dropdown and select Manage Groups and then set the role to Channel Admins for a Group which User2 belongs to.

4. User2 should immediately be updated to Channel Admin role and should be able to perform Channel Admin tasks like Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User2 still has Channel Admin permission for that Team.

   1. User2 should be updated to a Channel Admin role and should be able to perform any Channel Admin Tasks

Demote Team Roles to Team Members

1. For a Group Synced Channel, login as a user User1 who has Channel Admin permissions.

2. For the same group synced channel, on a different browser, login as a user User2 who has Channel Admin permissions.

3. As User1, Click on Channel dropdown and select Manage Groups from Channel menu and then set the role to Channel Members for a Group which User2 belongs to.

4. User2 should immediately be updated to Channel Member role and should not be able to perform Channel Admin tasks like view and modify Manage Groups etc.

5. Run LDAP Group Sync job again and check if user User2 still has Channel Member permission for that Team.

   1. User2 should be updated to a Channel Member role and should not be able to perform any Channel Admin Tasks

Mapping to Server Scoped Role - System Admin Filter

LDAP Admin Filter

1. Ensure LDAP setup is done correctly on an instance

2. Navigate to System Console > AD/LDAP and set Admin Filter to "(givenName=barrett)" and set Enable Admin Attribute to true.

3. Login as a LDAP user who has this attribute "givenName=barrett" configured in the AD/LDAP Server.

4. Check if the user is logged in as System Admin User and has access to System Console

   1. User should be logged in as System Admin User. User should be able to access System Console without any errors

Disable LDAP Admin Filter

1. Ensure LDAP setup is done correctly on an instance

2. Navigate to System Console > AD/LDAP and set Admin Filter to "(givenName=barrett)"

3. Login as a LDAP user who has this attribute "(givenName=barrett)" configured in the AD/LDAP Server

4. Now login as sysadmin and set Enable Admin Attribute to false and check

   1. Existing LDAP System Admin users should not be demoted to members. Any new LDAP user who tries to login with "givenName=barrett" will no longer be considered a System Admin user and instead should be considered a regular member

Change LDAP Admin Filter

1. Ensure LDAP setup is done correctly on an instance

2. Navigate to System Console > AD/LDAP and set Admin Attribute to "(givenName=test)"

3. Now on a new browser login with a user who has "(givenName=barrett)". User would be logged in as Member.

4. Navigate to System Console > AD/LDAP and set Admin Attribute to "(givenName=barrett)"

5. Revoke session of all users and ensure the user in step 3 logs in again.

6. Next time the user logs in, the user should be converted to a System Admin user.

LDAP Admin Filter & Guest Attribute

1. Ensure LDAP setup is done correctly on an instance

2. Ensure Guest Access is enabled in System Console > Guest Access.

3. Navigate to System Console > AD/LDAP and set Admin Filter to "(givenName=barrett)" and set Guest Attribute to "(sn=Butler)" .

4. Now on a new browser login with a user who has both sn=Butler and givenName=barrett.

   1. User should be logged in as a System Guest user and should not have System Admin privileges.

SAML Admin Attribute

1. Ensure SAML setup is done correctly on an instance

2. Navigate to System Console > SAML 2.0 and set Admin Attribute to "isAdmin=true" and set Enable Admin Attribute to true.

3. Login as a SAML user who has this attribute "isAdmin=true" configured in the SAML Server.

4. Check if the user is logged in as System Admin User and has access to System Console

   1. User should be logged in as System Admin User. User should be able to access System Console without any errors

Disable SAML Admin Attribute

1. Ensure SAML setup is done correctly on an instance

2. Navigate to System Console > SAML 2.0 and set Admin Attribute to "isAdmin=true"

3. Login as a SAML user who has this attribute "isAdmin=true" configured in the SAML Server

4. Now login as sysadmin and set Enable Admin Attribute to false and check

   1. Existing SAML System Admin users should not be demoted to members. Any new SAML user who tries to login with isAdmin=true will no longer be considered a System Admin user and instead should be considered a regular member

Change SAML Admin Attribute

1. Ensure SAML setup is done correctly on an instance

2. Navigate to System Console > SAML and set Admin Attribute to "isAdmin=TEST".

3. Now on a new browser login with a user who has isAdmin=true. User would be logged in as Member.

4. Navigate to System Console > SAML and set Admin Attribute to "isAdmin=TRUE".

5. Revoke session of all users and ensure the user in step 3 logs in again.

6. Next time the user logs in, the user should be converted to a System Admin user.

SAML Admin Attribute & Guest Attribute

1. Ensure SAML setup is done correctly on an instance

2. Ensure Guest Access is enabled in System Console > Guest Access.

3. Navigate to System Console > SAML and set Admin Attribute to "isAdmin=TRUE" and set Guest Attribute to "isGuest=TRUE".

4. Now on a new browser login with a user who has both isGuest=true and isAdmin=true.

   1. User should be logged in as a System Guest user and should not have System Admin previliges.