Best practices on testing access permissions
My web system has roles which allows the users to access different resources depending on the role.
My questions are: should permissions be tested by automated integration tests? Are there best practices about it?
There are a lot of ways to answer the first question.
Should this specific feature be tested?
That depends on how important the feature is and whether it is possible that the feature was broken by a change since the last time the feature was tested.
Should the association between permissions and users be tested?
Should this specific role be tested?
Should permissions be tested by automated tests?
That depends on whether the permissions will already be tested by manual testing, and whether you think you will save time or reduce risk by automated those tests compared to testing manually. Remember: it takes time to write automated tests, and you have to maintain them afterwards.
Should permissions be tested by automated integration tests?
Assuming the answer to the previous question is Yes, you should decide whether you can test permissions adequately with automated unit tests, which may be easier to write and faster to run. If you can't then you will want to write integration tests.
I don't know how to answer the best practices question.