Create a Test Role
Easily establish custom test roles to streamline API testing processes and enhance security protocols
Last updated
Was this helpful?
Easily establish custom test roles to streamline API testing processes and enhance security protocols
Last updated
Was this helpful?
If you use role-based access control in your APIs and applications, you should check for privilege escalation issues. This often entails determining if a lower-privilege user has access to all higher-privilege APIs. If such an API exists, the development team should fix its privileges.
Akto lets you automate privilege escalation security tests. The information can also be used to create custom tests using Test YAML templates.
You should define as many roles as there are in your application. For example, if you're running a B2B SaaS program, you might have ADMIN, BILLING, MEMBER, and GUEST. Role creation is a one-time configuration.
In the demonstration below, let's create a Test Role and specify the role endpoint conditions.
Go to Testing > Test Roles. Click on the Create New Test Role button. Enter the details for the new test role, including the name and specific role endpoint conditions.
In the above demonstration, we created a test role with the condition that it “Belongs to” the "juice_shop_demo" API collection. We chose to apply this role to the endpoints rest/basket/6 and rest/languages. This setup allows us to simulate and verify the behavior of these endpoints under the defined role's permissions.\
You can add a hard-coded auth token using the following steps -
Go to Test Roles and click on the ... at the end of the row
Click on Add Auth button
Enter the auth header key and the auth header value (eg. Authorization and Bearer some.auth.token)
Click on Save button and verify that the auth is created.
For one-time testing or a quick tryout, you might need to manually add an auth token, because the token expires quickly, within a day. This means you can only use it occasionally for testing. Instead, you can set Akto to automatically fetch a fresh auth token to ensure that tests are always up-to-date before each test run. This way, Akto uses a new token for every test, ensuring the tests are always valid.
To add an auth token automatically while performing API testing, you need to follow these steps:
Configure API Call Details
Configuring API call details ensures that the server knows how to process the request and can generate and return a new auth token. This is key for keeping tests current and valid, as it allows the system to automatically get a fresh token before each test run.
In the demonstration, we're setting up the details for an API call, including the URL, method, headers, and body, to ensure the request is correctly configured and can successfully obtain the token.
Execute the API Call
After configuring the details, execute the API call. If successful, the server will respond with an auth token.
In the demonstration below, we make an API call and receive an authentication token from the server.
Extract Token
After testing the API call, you need to extract the auth token from the response. This typically involves identifying the header or body parameter where the token is located. For example, if the token is returned in a header named Authorization, you would extract it.
In the demonstration below, we extract the auth token from the response. This token can then be used for subsequent API calls that require authentication.
Once you have extracted the token, Akto will automatically use it for subsequent API calls in your tests.
Akto will now execute this entire API sequence before running a test to fetch a fresh auth token. You can now execute all the daily tests and CI/CD tests without worrying about the expiry of the hard-coded token.
You can add TLS authentication configuration to any role using the following steps:
Click on TLS Authentication to reveal the configuration inputs.
For PEM certificate type:
Input the client certificate
2. Input the client private key
3. Input the certificate authority certificate (optional, leave the input blank if you do not have one)
Click on Save
Notes:
Please enter the keys only in the format shown in the images. Do not enter any additional details.
If you have a P12 type key you can convert it to a PEM key using the commands given below. Here client.p12 is your original key, client.crt is the client certificate and client.key is the client private key. While running these commands, you may be asked for an Import Password. You can leave that blank.
There are multiple ways to request support from Akto. We are 24X7 available on the following:
In-app intercom support. Message us with your query on intercom in Akto dashboard and someone will reply.
Contact help@akto.io for email support.
You can for quickly executing a test. However, for daily tests or setting up tests in CI/CD, we highly recommend that you use . If you have a TLS based authentication, you can configure that using
Create a . Click on the test role and click on Add auth.
📌 Note: You can now limit visibility of a Test Role using RBAC. Use the "Scope Role" dropdown while creating or editing a Test Role. For details, see .
Join our for community support.
Contact us .
