Automated Testing of Role-Based Access with Implementation in the CI/CD Pipeline
Lindén, Anna (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-202601201564
https://urn.fi/URN:NBN:fi:amk-202601201564
Tiivistelmä
This thesis presents the design and implementation of automated testing and traceability for role-based access control (RBAC) in the Metropolia Diploma Student Roster System, an internal student information system at Metropolia University of Applied Sciences (UAS). The aim is to ensure that access rules for superusers, staff and assistants are clearly specified, systematically tested, and continuously verified in the continuous integration and continuous delivery (CI/CD) pipeline. The theoretical background introduces RBAC concepts, key software testing principles, and the idea of requirements traceability.
In the implementation, functional RBAC requirements are collected and recorded in a Permission Control Table. A Python script converts this table into an RBAC Matrix with stable rule identifiers and a machine-readable Requirements Traceability Matrix (RTM). Application programming interface (API)-level tests are implemented with pytest, a Python testing framework, and executed on each merge request in GitLab.
The outcome is a structured and maintainable description of access-control behavior that remains synchronized with the automated tests and provides clear, auditable evidence that least-privilege access is enforced in the Metropolia Diploma Student Roster System.
In the implementation, functional RBAC requirements are collected and recorded in a Permission Control Table. A Python script converts this table into an RBAC Matrix with stable rule identifiers and a machine-readable Requirements Traceability Matrix (RTM). Application programming interface (API)-level tests are implemented with pytest, a Python testing framework, and executed on each merge request in GitLab.
The outcome is a structured and maintainable description of access-control behavior that remains synchronized with the automated tests and provides clear, auditable evidence that least-privilege access is enforced in the Metropolia Diploma Student Roster System.