Test group access

Use the executeAsRole function in the TestIdp Type to validate group access and permissions in test or development environments.

Prerequisites

Define a user role and add permissions to the role for the group you want to test.

See Define Roles and Groups to learn more about defining roles and assigning users to groups.

Example: Test role and group access

The custom role MyTypeBasicUser defines a set of permissions that enforce access rules on operations related to the MyType entity. The custom role controls access to specific operations within MyType.

The role ID is "MyTypeBasicUser", and the description states that it is for testing a Basic User. The role includes the following permissions:

  • allow:MyType::convertToUppercase grants access to the convertToUppercase operation.
  • deny:MyType::convertToLowercase blocks access to the convertToLowercase operation.

A user with this role can run the function convertToUppercase but cannot call convertToLowercase.

This example uses the following metadata files for the custom role:

  • The role file: MyTypeBasicUser.json

    JSON
    {
        "id": "MyTypeBasicUser",
        "description": "This role is used for testing a Basic User",
        "permissions": [
            "allow:MyType::convertToUppercase",
            "deny:MyType::convertToLowercase"
        ]
    }
  • The Type file: MyType.c3typ

    Type
    /* MyType.c3typ */
    entity type MyType {
    
        /**
        * Returns the input string converted to all uppercase.
        * @param input // Input string that is converted
        * @return The input string as an uppercase string
        */
        convertToUppercase: function(input: string = "test") : string js-rhino
    
        /**
        * Returns the input string converted to all lowercase.
        * @param input // Input string that is converted
        * @return The input string as a lowercase string
        */
        convertToLowercase: function(input: string = "Test") : string js-rhino
    }
  • The Type implementation file: MyType.js

    JavaScript
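    /**
     * Converts an input string to uppercase
     * @param {string} input Input string that is converted
     * @returns {string} The input string as an uppercase string
     */
    function convertToUppercase(input) {
        return input.toUpperCase();
    }
    
    /**
     * Converts an input string to lowercase
     * @param {string} input Input string that is converted
     * @returns {string} The input string as a lowercase string
     */
    function convertToLowercase(input) {
        return input.toLowerCase();
    }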

See Package Management Overview to learn more about the C3 Agentic AI Platform package structure and where to place files.

Run the following commands in the C3 AI Console to test group access based on the permissions defined in the role.

  1. Run the convertToUppercase function as a specific role:

    JavaScript
    TestIdp.executeAsRole("MyTypeBasicUser", () => MyType.convertToUppercase())

    This command tests if the group with the MyTypeBasicUser role can run the convertToUppercase function.

    Because the permission string allow:MyType::convertToUppercase in the MyTypeBasicUser role grants access to the convertToUppercase function, the output is TEST.

  2. Run the convertToLowercase function as a specific role:

    JavaScript
    TestIdp.executeAsRole("MyTypeBasicUser", () => MyType.convertToLowercase())

    This command tests if the group with the MyTypeBasicUser role can run the convertToLowercase function.

    Because the permission string deny:MyType::convertToLowercase in the MyTypeBasicUser role denies access to the convertToLowercase function, the output is a 403 (Forbidden) error.

You can run these same steps for your own groups and test the permissions defined in roles.
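
A pre-check for the role file before running the executeAsRole tests above, as an added example that is not part of the C3 AI documentation or platform code: it flags permission strings that do not name a declared function and lists the outcome each test should confirm. It assumes permissions follow the `<allow|deny>:<Type>::<function>` shape of the two entries on this page; `lintRole`, `FUNCTIONS`, `PAGE_ROLE` and the constructed `FLAWED_ROLE` are hypothetical names.

```javascript
// Added example, not C3 AI code. Assumption: permission strings have the
// "<allow|deny>:<Type>::<function>" shape of the two entries shown on this page;
// any other form is reported as unrecognized rather than validated.
const PERMISSION = /^(allow|deny):([A-Za-z_]\w*)::([A-Za-z_]\w*)$/;

// lintRole is a hypothetical helper: role is the parsed role JSON, typeName the
// Type under test, declaredFunctions the function names from its .c3typ file.
function lintRole(role, typeName, declaredFunctions) {
  const findings = [];
  const effects = new Map(); // function name -> Set of "allow" / "deny"
  for (const p of role.permissions || []) {
    const m = typeof p === "string" ? PERMISSION.exec(p) : null;
    if (!m) { findings.push({ kind: "unrecognized", permission: p }); continue; }
    const [, effect, type, fn] = m;
    if (type !== typeName) continue; // belongs to a different Type
    if (!declaredFunctions.includes(fn)) {
      // Typo or stale name: the rule would never match the function you test.
      findings.push({ kind: "unknown-function", permission: p });
      continue;
    }
    if (!effects.has(fn)) effects.set(fn, new Set());
    effects.get(fn).add(effect);
  }
  const expected = {}; // outcome each executeAsRole test should confirm
  for (const fn of declaredFunctions) {
    const e = effects.get(fn);
    if (!e) findings.push({ kind: "uncovered", function: fn });
    else if (e.size > 1) findings.push({ kind: "conflict", function: fn });
    else expected[fn] = [...e][0];
  }
  return { findings, expected };
}

const FUNCTIONS = ["convertToUppercase", "convertToLowercase"];
// Role file from this page.
const PAGE_ROLE = { id: "MyTypeBasicUser", permissions: [
  "allow:MyType::convertToUppercase", "deny:MyType::convertToLowercase"] };
// Constructed role with deliberate mistakes, for illustration only.
const FLAWED_ROLE = { id: "ConstructedFlawedRole", permissions: [
  "allow:MyType::convertToUppercase", "deny:MyType::convertToUppercase",
  "deny:MyType::convertToLowerCase", "allow MyType::convertToLowercase"] };

console.log(lintRole(PAGE_ROLE, "MyType", FUNCTIONS));
console.log(lintRole(FLAWED_ROLE, "MyType", FUNCTIONS));
```

An `uncovered` or `conflict` finding means the role file alone does not tell you which result to expect for that function, so observe it with an executeAsRole test rather than assuming one.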
