Access Control Testing Checklist
Access Control Testing Checklist for SaaS Teams

A practical checklist for reviewing role boundaries, object ownership, tenant isolation, IDOR/BOLA risks, privilege escalation paths, and authorization logic across SaaS applications.

Checklist

Access Control Review Areas

Use these checks to review high-risk authorization behavior before a release, customer onboarding, security review, or major permission model change.

Authorization Model

  • Document roles, permissions, tenants, teams, and ownership rules
  • Confirm authorization decisions happen server-side
  • Verify deny-by-default behavior for restricted resources
  • Check whether disabled frontend actions can still be called directly through APIs
  • Review whether permission checks are centralized or inconsistently repeated across endpoints

Role and Permission Boundaries

  • Test Admin, Manager, Member, Viewer, Guest, and invited user roles
  • Confirm lower-privileged users cannot perform admin-only actions
  • Test whether role values can be modified in requests
  • Check whether users can assign themselves or others higher privileges
  • Verify permissions after role changes, demotions, removals, and account suspension

Object-Level Access Control

  • Test IDOR/BOLA by changing object IDs
  • Verify object ownership on every sensitive request
  • Test projects, files, reports, invoices, exports, users, teams, comments, and billing records
  • Confirm authorization applies to GET, POST, PATCH, PUT, and DELETE methods
  • Check nested resources and related objects for missing ownership validation

Tenant Isolation

  • Confirm users cannot access another tenant’s records
  • Test organization, workspace, account, team, and company identifiers
  • Check cross-tenant access through search, filters, exports, dashboards, and reports
  • Verify tenant boundaries in background jobs, notifications, and integrations
  • Confirm deleted, archived, or inactive tenant records are not still accessible

Admin and Privileged Actions

  • Test admin-only endpoints using lower-privileged accounts
  • Review user management, billing, plan changes, exports, integrations, audit logs, and security settings
  • Confirm privileged actions require current authorization, not stale session state
  • Check whether hidden admin routes are accessible through direct API calls
  • Verify sensitive actions cannot be triggered through predictable endpoint patterns

Invite and Team Workflows

  • Test invite creation, acceptance, cancellation, and resend flows
  • Check whether invited users can control their assigned role or organization
  • Verify users cannot invite themselves into unauthorized tenants
  • Test whether removed users can reuse old invite links or sessions
  • Confirm role assignment and team membership are validated server-side

Business Logic Authorization

  • Test approval flows, state transitions, and workflow bypasses
  • Check whether users can skip required steps by calling APIs directly
  • Verify plan limits, seat limits, usage limits, and billing restrictions
  • Review whether client-controlled fields influence authorization decisions
  • Test whether object ownership changes create access-control gaps

API and GraphQL Authorization

  • Review REST endpoints for missing authorization checks
  • Review GraphQL queries and mutations for resolver-level authorization
  • Test create, update, delete, export, and invite mutations with another tenant’s object IDs
  • Check whether aliases, fragments, batching, or nested queries expose unauthorized data
  • Confirm mobile APIs, legacy APIs, and internal APIs enforce the same authorization rules

Logging, Retesting, and Remediation

  • Log failed authorization attempts
  • Alert on repeated cross-tenant object access attempts
  • Retest fixes across all related endpoints and HTTP methods
  • Verify fixes cannot be bypassed through alternate routes, GraphQL, mobile APIs, or legacy endpoints
  • Document evidence, impact, reproduction steps, affected roles, and remediation guidance
Review Flow

Access Control Testing Flow

Authenticated UserTenant MatchObject OwnershipRole PermissionBusiness RulePermit or Deny

Strong access control requires every sensitive action to pass tenant, ownership, role, and business-rule checks before access is granted.

Common Mistakes

Common Access Control Mistakes

Frontend-only permission checks

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Missing object ownership validation

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Trusting user-controlled role or tenant IDs

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Inconsistent authorization across API methods

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Unsafe export and bulk action endpoints

Review this behavior with multiple roles, tenants, objects, and direct API requests.

GraphQL resolver authorization gaps

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Invite workflow role escalation

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Cross-tenant record leakage

Review this behavior with multiple roles, tenants, objects, and direct API requests.

Manual Review

When to Request a Manual Review

Automated scanners often miss product-specific authorization weaknesses because the risk depends on roles, tenants, workflows, object relationships, and business rules.

  • IDOR/BOLA
  • Tenant isolation failures
  • Privilege escalation paths
  • Role boundary mistakes
  • Invite and team workflow abuse
  • Business logic authorization flaws
  • GraphQL resolver authorization gaps
  • Cross-tenant data exposure through exports, search, reports, and integrations
Next Step

Need a Manual Access Control Review?

The Hidden Finds helps SaaS teams identify authorization flaws, tenant isolation weaknesses, privilege escalation paths, and IDOR/BOLA vulnerabilities that automated tools often miss.