Test Case #:1586	Test Case Name:Enforce Right: Manage Facility
System:	Subsystem:
Test case designed by: Paulina Borowa	Design Date:01.02.2017
Short description: There should be an Administrative type Right that a User may be assigned via a Role that allows them to Manage (View, Create, Edit) Facilities, FacilityTypes and FacilityOperators. Acceptance: there is a new Administrative type of right named FACILITIES_MANAGE in Reference Data - this should be done the endpoint's that GET, PUT, POST & DELETE for: /api/facilities, /api/facilities/{id}, /api/facilityTypes, /api/facilityTypes/{id}, /api/facilityOperators, /api/facilityOperators/{id} should require the right FACILITIES_MANAGE or a service level token, otherwise return a 403. the GET endpoints for /api/facilities/{id}/approvedProducts, /api/facilities/{id}/supplying, /api/facilities/{id}/search should require the user has the right FACILITIES_MANAGE or a service level token. Otherwise should return a 403. TECH DEBT: The endpoint /api/facilities/{id}/orders should be removed - verify there is no Java code that does this, and when verified remove from RAML. RAML is updated Check to ensure clients of updated endpoints don't break - raise an issue to the larger group if it does. the product grid should work and user should be able to add non full supply product (also when I user don't have the FACILITIES_MANAGE permission)

Pre – conditions:

Step	Action	Expected system response	Comment
1	Use devadmin account to check if user without right FACILITIES_MANAGE cannot GET, PUT, POST & DELETE for: /api/facilities, /api/facilities/{id}, /api/facilityTypes, /api/facilityTypes/{id}, /api/facilityOperators, /api/facilityOperators/{id}	`Response Code 403 { "messageKey": "referenceData.error.unauthorized", "message": "You do not have the following right to perform this action: FACILITIES_MANAGE" }` For all these endpoints: post /api/facilities get /api/facilities/search delete /api/facilities/{id} get /api/facilities/{id} put /api/facilities/{id} get /api/facilities/{id}/approvedProducts get /api/facilities/{id}/auditLog get /api/facilityOperators post /api/facilityOperators delete /api/facilityOperators/{id} get /api/facilityOperators/{id} put /api/facilityOperators/{id} post /api/facilityTypeApprovedProducts delete /api/facilityTypeApprovedProducts/{id} get /api/facilityTypeApprovedProducts/{id} put /api/facilityTypeApprovedProducts/{id} get /api/facilityTypes post /api/facilityTypes delete /api/facilityTypes/{id}get /api/facilityTypes/{id} put /api/facilityTypes/{id}
2	Use administrator account to check if user with right FACILITIES_MANAGE canGET, PUT, POST & DELETE for: /api/facilities, /api/facilities/{id}, /api/facilityTypes, /api/facilityTypes/{id}, /api/facilityOperators, /api/facilityOperators/{id}	Response Code 200/201/204 for these endpoints: post /api/facilities get /api/facilities/search delete /api/facilities/{id} get /api/facilities/{id} put /api/facilities/{id} get /api/facilities/{id}/approvedProducts get /api/facilities/{id}/auditLog get /api/facilityOperators post /api/facilityOperators delete /api/facilityOperators/{id} get /api/facilityOperators/{id} put /api/facilityOperators/{id} post /api/facilityTypeApprovedProducts delete /api/facilityTypeApprovedProducts/{id} get /api/facilityTypeApprovedProducts/{id} put /api/facilityTypeApprovedProducts/{id} get /api/facilityTypes post /api/facilityTypes delete /api/facilityTypes/{id}get /api/facilityTypes/{id} put /api/facilityTypes/{id}
3
4
5
6
7
8