

Testing Your RBAC Configuration Safely

2 March 2026 jiffytrade Role Based Access Control (RBAC)

After configuring Role Based Access Control (RBAC), it is strongly recommended that you test your setup before relying on it in a live team environment.

This ensures:

  • Staff have appropriate access
  • Sensitive actions are restricted correctly
  • No accidental lockouts occur
  • Financial controls are working as intended

🔎 Why Testing Is Important

RBAC controls critical actions such as:

  • Sending documents
  • Marking invoices as paid
  • Unlocking locked documents
  • Permanently deleting records
  • Accessing backups
  • Managing plugin settings

A small misconfiguration could:

  • Grant too much authority
  • Remove access unexpectedly

Testing prevents surprises.


🛠 Recommended Testing Method

The safest way to test RBAC is to simulate different user roles.

Instead of logging in and out repeatedly, you can use a role-switching plugin.


🔄 Option 1: “View Admin As”

The plugin View Admin As allows you to:

  • Temporarily simulate different user roles
  • View the admin interface as that role
  • Test capability restrictions
  • Switch back instantly

This makes it easy to confirm:

  • Buttons are hidden correctly
  • Restricted actions are blocked
  • Financial controls are protected

🔄 Option 2: “User Switching”

Another reliable plugin is User Switching.

This allows you to:

  • Switch between actual user accounts
  • Test real-world behaviour
  • Validate front-end and back-end permissions

This is slightly slower than role spoofing but provides realistic testing.


🧠 What to Test

After configuring RBAC, test:

✔ Can staff create documents?
✔ Can staff send documents?
✔ Can staff mark invoices as paid?
✔ Can staff unlock documents?
✔ Can staff permanently delete documents?
✔ Can staff access Reports?
✔ Can staff access Backups?

Also verify:

  • Locked documents cannot be edited
  • Financial unlock requires proper authority
  • Permanent deletion is restricted appropriately

⚠ Important: Always Keep a Super Administrator

When testing:

  • Ensure you are logged in as a Plugin Super Administrator
  • Do not remove Super Administrator status from all users
  • Always retain at least one recovery account

This prevents accidental lockout during testing.


🧩 UI Testing vs Server Testing

When testing, remember that a hidden button is not the same as a blocked action.

Even if a button appears hidden, you should confirm:

  • Actions cannot be triggered via direct URL
  • AJAX operations fail for restricted roles

JiffyTrade enforces capabilities server-side, not just visually.
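As an added example (not part of the JiffyTrade plugin or this documentation), the following WP-CLI script automates the capability checks listed under "What to Test" and the lockout guard from "Always Keep a Super Administrator", reading the capability layer that server-side enforcement consults rather than the admin UI. The role names are WordPress defaults; the jt_* capability names and the jt_super_admin capability are hypothetical placeholders to replace with the names shown in your RBAC settings.

```php
<?php
/**
 * rbac-check.php (added example, not part of the JiffyTrade plugin).
 * Run with WP-CLI on a staging copy:  wp eval-file rbac-check.php
 *
 * Compares the capabilities each role actually holds against the matrix you
 * intended, and confirms at least one recovery account still holds the
 * super-administrator capability. Capability names are hypothetical placeholders.
 */

// Expected matrix: role => capabilities that role SHOULD have.
// Any capability not listed for a role is expected to be denied.
$expected = array(
    'administrator' => array( 'jt_create_document', 'jt_send_document', 'jt_mark_paid',
                              'jt_unlock_document', 'jt_delete_permanently',
                              'jt_view_reports', 'jt_access_backups' ),
    'editor'        => array( 'jt_create_document', 'jt_send_document' ),
    'subscriber'    => array(),
);
$all_caps  = array_unique( array_merge( ...array_values( $expected ) ) );
$super_cap = 'jt_super_admin'; // hypothetical plugin super-administrator capability

$problems = array();
foreach ( $expected as $role_name => $allowed ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        $problems[] = "role '$role_name' does not exist";
        continue;
    }
    foreach ( $all_caps as $cap ) {
        $should = in_array( $cap, $allowed, true );
        $has    = $role->has_cap( $cap ); // role-level grant, as the server-side check sees it
        if ( $should !== $has ) {
            $problems[] = sprintf( '%s: %s is %s but should be %s', $role_name, $cap,
                $has ? 'GRANTED' : 'denied', $should ? 'granted' : 'DENIED' );
        }
    }
}

// Lockout guard: at least one user must still hold the super-admin capability
// (the 'capability' query argument requires WordPress 5.9 or later).
$supers = get_users( array( 'capability' => $super_cap, 'fields' => 'ID' ) );
if ( empty( $supers ) ) {
    $problems[] = "no user holds $super_cap; you would be locked out of RBAC settings";
}

if ( $problems ) {
    foreach ( $problems as $p ) { WP_CLI::warning( $p ); }
    WP_CLI::error( count( $problems ) . ' RBAC deviation(s) found' );
}
WP_CLI::success( 'RBAC matrix matches expectations; ' . count( $supers ) . ' super admin(s) present' );
```

WP_Role::has_cap() reports role-level grants only, so a capability added directly to an individual user account will not show up here; check such accounts separately with User Switching.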


🎯 Recommended Testing Workflow

  1. Configure RBAC.
  2. Save settings.
  3. Use View Admin As or User Switching.
  4. Simulate lower roles.
  5. Attempt restricted actions.
  6. Confirm behaviour matches your intention.

Testing should take 5–10 minutes and can prevent serious permission mistakes later.


💡 Best Practice

Whenever you:

  • Add new staff
  • Change team responsibilities
  • Upgrade plans
  • Adjust deletion or unlocking rules

Re-test RBAC.

Permissions should evolve with your business structure.