A practical starting point is authorisation and authentication – as most systems rely on knowledge of the operator.
The same technique of divide and conquer works inside the page. First I create a bullet point list from what I have learnt that I will need:
- Development Users
- Authentication and Authorisation Method
- Authorisation Check
- Authorise Administrator
- Authorise Operator
- Test Instrumentation
- Auditing
uSDLC allows me to split a list into separate sections with the text as the heading and linked to an instrument block. It is a good idea to edit each section and document the reason for the section. Instrumentation, like code, tells us how but rarely why. For example:
Auditing
The audit log includes logging in and all page views, successful or unsuccessful.
Now to filling in the instrumentation block. These are a list of simple statements that fully define the section while remaining readable to domain specialists as well as the computer:
set audit log checkpoint login oper check audit log oper 'log in' browse '/oper' check audit log oper 'view /oper' browse '/admin' check audit log oper 'FAILED: view /admin' logout oper check audit log oper 'log out'
Train your domain specialists to not ignore instrumentation as ‘code’. If they can’t understand it, then it is still not good enough. What they sign off on here is what will work in production. It will grow – either in the instrumentation block or as new sections or pages – as more information becomes available. With luck this will happen with the domain specialist reviews, but it may happen later when testing working system pages. Get each change signed off so expectations meet actuality.
Next blog I will discuss activating the instrumentation.