A practical checklist for reviewing role boundaries, object ownership, tenant isolation, IDOR/BOLA risks, privilege escalation paths, and authorization logic across SaaS applications.
Access Control Review Areas
Use these checks to review high-risk authorization behavior before a release, customer onboarding, security review, or major permission model change.
Authorization Model
- Document roles, permissions, tenants, teams, and ownership rules
- Confirm authorization decisions happen server-side
- Verify deny-by-default behavior for restricted resources
- Check whether disabled frontend actions can still be called directly through APIs
- Review whether permission checks are centralized or inconsistently repeated across endpoints
Role and Permission Boundaries
- Test Admin, Manager, Member, Viewer, Guest, and invited user roles
- Confirm lower-privileged users cannot perform admin-only actions
- Test whether role values can be modified in requests
- Check whether users can assign themselves or others higher privileges
- Verify permissions after role changes, demotions, removals, and account suspension
Object-Level Access Control
- Test IDOR/BOLA by changing object IDs
- Verify object ownership on every sensitive request
- Test projects, files, reports, invoices, exports, users, teams, comments, and billing records
- Confirm authorization applies to GET, POST, PATCH, PUT, and DELETE methods
- Check nested resources and related objects for missing ownership validation
Tenant Isolation
- Confirm users cannot access another tenant’s records
- Test organization, workspace, account, team, and company identifiers
- Check cross-tenant access through search, filters, exports, dashboards, and reports
- Verify tenant boundaries in background jobs, notifications, and integrations
- Confirm deleted, archived, or inactive tenant records are not still accessible
Admin and Privileged Actions
- Test admin-only endpoints using lower-privileged accounts
- Review user management, billing, plan changes, exports, integrations, audit logs, and security settings
- Confirm privileged actions require current authorization, not stale session state
- Check whether hidden admin routes are accessible through direct API calls
- Verify sensitive actions cannot be triggered through predictable endpoint patterns
Invite and Team Workflows
- Test invite creation, acceptance, cancellation, and resend flows
- Check whether invited users can control their assigned role or organization
- Verify users cannot invite themselves into unauthorized tenants
- Test whether removed users can reuse old invite links or sessions
- Confirm role assignment and team membership are validated server-side
Business Logic Authorization
- Test approval flows, state transitions, and workflow bypasses
- Check whether users can skip required steps by calling APIs directly
- Verify plan limits, seat limits, usage limits, and billing restrictions
- Review whether client-controlled fields influence authorization decisions
- Test whether object ownership changes create access-control gaps
API and GraphQL Authorization
- Review REST endpoints for missing authorization checks
- Review GraphQL queries and mutations for resolver-level authorization
- Test create, update, delete, export, and invite mutations with another tenant’s object IDs
- Check whether aliases, fragments, batching, or nested queries expose unauthorized data
- Confirm mobile APIs, legacy APIs, and internal APIs enforce the same authorization rules
Logging, Retesting, and Remediation
- Log failed authorization attempts
- Alert on repeated cross-tenant object access attempts
- Retest fixes across all related endpoints and HTTP methods
- Verify fixes cannot be bypassed through alternate routes, GraphQL, mobile APIs, or legacy endpoints
- Document evidence, impact, reproduction steps, affected roles, and remediation guidance
Access Control Testing Flow
Strong access control requires every sensitive action to pass tenant, ownership, role, and business-rule checks before access is granted.
Common Access Control Mistakes
Frontend-only permission checks
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Missing object ownership validation
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Trusting user-controlled role or tenant IDs
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Inconsistent authorization across API methods
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Unsafe export and bulk action endpoints
Review this behavior with multiple roles, tenants, objects, and direct API requests.
GraphQL resolver authorization gaps
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Invite workflow role escalation
Review this behavior with multiple roles, tenants, objects, and direct API requests.
Cross-tenant record leakage
Review this behavior with multiple roles, tenants, objects, and direct API requests.
When to Request a Manual Review
Automated scanners often miss product-specific authorization weaknesses because the risk depends on roles, tenants, workflows, object relationships, and business rules.
- IDOR/BOLA
- Tenant isolation failures
- Privilege escalation paths
- Role boundary mistakes
- Invite and team workflow abuse
- Business logic authorization flaws
- GraphQL resolver authorization gaps
- Cross-tenant data exposure through exports, search, reports, and integrations
Need a Manual Access Control Review?
The Hidden Finds helps SaaS teams identify authorization flaws, tenant isolation weaknesses, privilege escalation paths, and IDOR/BOLA vulnerabilities that automated tools often miss.