In our previous article, we explored an Example Structure for Functional and End User Roles in IFS using the two-layer model of functional and end user roles. That structure provides the foundation for clarity, reuse, and scalability.
But design alone isn’t enough. The real challenge comes when roles need to be tested, validated, and rolled out across environments. Without a disciplined approach, permissions testing can become chaotic, and environments can drift apart, leading to last-minute issues before go-live.
To start this discussion, let’s briefly revisit the main lessons from the last session:
These principles ensure that testing has a stable starting point. Testing cannot succeed if the underlying role structure is inconsistent.
Permissions testing follows a clear lifecycle with four stages:
Each stage builds on the previous one. Skipping or rushing through any step often leads to rework later.
Testing begins with defining roles at a high level. Typically, project management and solution architects set the first draft, which is then refined with “permissions responsibles” from each process stream. These are usually process owners or key users who know the business needs in detail.
A good rule of thumb is to limit the number of end user roles to three or four per process stream at the start. For a project with ten streams, that gives roughly 30–40 roles initially. This number will naturally grow during implementation, but keeping it lean from the start avoids unnecessary complexity.
Setup in IFS can be time-intensive, especially if starting from scratch. Where possible, prebuilt libraries of functional roles accelerate the process significantly. Even if end user roles need to be newly created, modular functional roles provide reusable building blocks that reduce effort and ensure consistency.
Once roles are defined and set up, the first testing step is pre-testing. This is not full end-to-end process testing, it’s a rough validation to check whether roles broadly align with expectations.
The approach is straightforward:
Issues are corrected in the CFG environment. If significant gaps remain after the first round, a second round of pre-testing may be necessary. The goal is not perfection but ensuring that roles are on the right track before integration testing begins.
Integration testing is where permissions are validated under real project conditions. Most implementations include at least two or three cycles of integration testing, and roles should be part of each cycle.
A crucial best practice is retesting. Every fix applied during a cycle must be retested before moving to the next cycle. Otherwise, issues risk being carried forward unnoticed.
Testing doesn’t happen in a vacuum. Roles and permissions exist across multiple environments, and how those environments are managed determines whether permissions remain consistent.
A typical setup includes three environments:
The golden rule: CFG is always the master environment.
This avoids divergence, ensures consistency, and maintains a single source of truth for permissions.
This article builds on the previous post, “Example Structures for Functional and End User Roles,” where we showed how to design roles using the two-layer model. Here, we’ve shown how to test and manage those roles in practice.
The next article in the series will focus on handling presentation objects and projections outside of the Navigator and lobbies, highlighting the hidden permissions that often cause trouble.
Our next webinar we took a deep dive into permissions outside the Navigator. If your team has struggled with missing projections or unexplained access gaps, this session will be directly relevant.
As always, if you’d like to discuss your own testing approach or environment setup in more detail, get in touch. We’re happy to compare experiences and share lessons learned from real projects.