Migration Testing & Validation
Comprehensive testing strategies for validating FGA policies before enforcement, including shadow mode testing and production validation
Testing is critical to successful FGA migration. Authonomy provides comprehensive testing capabilities that let you validate your new authorization logic in production environments without any risk to existing systems.
Shadow Mode Testing
Shadow mode is the cornerstone of safe FGA migration. Your legacy authorization continues to control access while the new FGA policies run in parallel, allowing perfect comparison without risk.
How Shadow Mode Works

```mermaid
graph LR
    A[User Request] --> B[Legacy Auth Check]
    A --> C[FGA Auth Check]
    B --> D[Grant/Deny Access]
    C --> E[Log Decision]
    E --> F[Comparison Report]
    B --> F
```
- Dual evaluation: Every authorization request is processed by both legacy and FGA systems
- Legacy controls access: Only the legacy system's decision affects the user
- FGA logs decisions: New policy decisions are captured for analysis
- Comparison analysis: Automated reports highlight differences
Shadow Mode Configuration

```yaml
# Shadow mode configuration
shadow_mode:
  enabled: true
  systems:
    - name: "customer_portal"
      legacy_method: "rbac_middleware"
      fga_policy_set: "customer_portal_v1"
      sampling_rate: 100 # Test all requests
    - name: "admin_dashboard"
      legacy_method: "hardcoded_checks"
      fga_policy_set: "admin_dashboard_v1"
      sampling_rate: 10 # Test 10% of requests
  logging:
    level: "detailed"
    include_context: true
    store_decisions: 30_days
```
Decision Comparison Analysis
Comparison Dashboard
Real-time analysis of legacy vs. FGA authorization decisions:
Daily Summary Example:
```text
Authorization Decision Comparison - Customer Portal
Date: 2024-01-15
Total Requests: 45,230

+------------------------+--------+--------+
| Decision Match         | Count  | %      |
+------------------------+--------+--------+
| Both Allow             | 42,150 | 93.2%  |
| Both Deny              |  2,890 |  6.4%  |
| Legacy Allow, FGA Deny |    145 |  0.3%  |
| Legacy Deny, FGA Allow |     45 |  0.1%  |
+------------------------+--------+--------+

Agreement Rate: 99.6%
Differences Requiring Review: 190
```
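The dual-evaluation flow from "How Shadow Mode Works" and the bucketing behind the daily summary table, as an added example (not Authonomy's code). `legacyAuth` and `fgaClient` are stand-ins for the real adapters and their signatures are assumptions; `samplingRate` follows the percentage semantics of the `shadow_mode` config. The "Legacy Deny, FGA Allow" bucket is the one to review first, since it marks requests the new policies would widen.

```javascript
// Added example: shadow-mode dual evaluation and decision comparison.
// legacyAuth.check(user, resource) and fgaClient.check(user, action, resource)
// are assumed adapter signatures, not a real Authonomy API.
const decisionLog = [];

// Bucket names match the rows of the comparison dashboard.
function bucket(legacyAllow, fgaAllow) {
  if (legacyAllow && fgaAllow) return 'Both Allow';
  if (!legacyAllow && !fgaAllow) return 'Both Deny';
  return legacyAllow ? 'Legacy Allow, FGA Deny' : 'Legacy Deny, FGA Allow';
}

// samplingRate is a percentage (0-100) as in the shadow_mode config; rng is
// injectable so the sampling decision can be made deterministic in tests.
async function shadowCheck(user, action, resource, opts = {}) {
  const { legacyAuth, fgaClient, samplingRate = 100,
          rng = Math.random, log = decisionLog } = opts;
  // Only the legacy decision is enforced; it is what the caller receives.
  const legacyAllow = await legacyAuth.check(user, resource);
  if (rng() * 100 < samplingRate) {
    let fgaAllow = null, error = null;
    try {
      fgaAllow = await fgaClient.check(user, action, resource); // evaluated, never enforced
    } catch (e) {
      error = e.message; // an FGA failure must not affect the user, only the report
    }
    log.push({ user: user.id, action, resource: resource.id, legacyAllow, fgaAllow,
               error, bucket: error ? 'FGA Error' : bucket(legacyAllow, fgaAllow),
               ts: Date.now() });
  }
  return legacyAllow;
}

// Counts per bucket, agreement rate and the mismatches needing review.
function summarize(log = decisionLog) {
  const counts = {};
  for (const entry of log) counts[entry.bucket] = (counts[entry.bucket] || 0) + 1;
  const total = log.length;
  const agree = (counts['Both Allow'] || 0) + (counts['Both Deny'] || 0);
  return {
    total, counts,
    agreementRate: total ? +(100 * agree / total).toFixed(1) : null,
    mismatches: log.filter(e => !e.error && e.legacyAllow !== e.fgaAllow),
  };
}
```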
Discrepancy Investigation
When decisions don't match, detailed analysis helps understand why:
Example Discrepancy Report:
```text
Decision Mismatch #127
User: alice@company.com
Resource: /api/billing/invoices/12345
Timestamp: 2024-01-15 14:23:07 UTC

Legacy Decision: ALLOW
  Reason: user.role = 'admin'

FGA Decision: DENY
  Reason: Policy 'billing_access' failed condition 'same_department'

Context:
  user.department: 'engineering'
  invoice.department: 'sales'

Analysis: Legacy admin role granted broad access across departments.
          FGA policy correctly implements department-based restrictions.

Recommendation: Update FGA policy to include admin override:
  define can_access: department_member or admin
```
Validation Testing Strategies
Regression Testing
Ensure migration doesn't break existing functionality:

```yaml
# Automated regression test suite
regression_tests:
  scenarios:
    - name: "admin_full_access"
      user_role: "admin"
      resources: ["all_systems"]
      expected_decision: "allow"
    - name: "user_own_data_only"
      user_role: "standard_user"
      resource_owner: "same_user"
      expected_decision: "allow"
    - name: "cross_department_block"
      user_department: "engineering"
      resource_department: "finance"
      expected_decision: "deny"
  execution:
    frequency: "hourly"
    alerts:
      - policy_deviation > 5%
      - performance_degradation > 100ms
```
Performance Validation
Ensure new authorization logic meets performance requirements:

```yaml
# Performance benchmarks
performance_tests:
  targets:
    decision_latency:
      p50: < 10ms
      p95: < 50ms
      p99: < 100ms
    throughput:
      min_rps: 1000
      target_rps: 5000
  scenarios:
    - simple_role_check: "user has role 'admin'"
    - complex_condition: "hierarchical resource with temporal conditions"
    - bulk_authorization: "batch check 100 resources"
  monitoring:
    duration: "24_hours"
    traffic_percentage: "10%"
```
Security Testing
Validate that migration doesn't introduce security vulnerabilities:
- Privilege escalation testing: Ensure users can't gain unauthorized access
- Edge case validation: Test boundary conditions and error scenarios
- Attack simulation: Test against common authorization bypass attempts
- Compliance verification: Ensure regulatory requirements are met
Production Validation Framework
Gradual Rollout Testing
Test with increasing confidence levels:

```yaml
# Phased rollout configuration
rollout_phases:
  phase_1:
    name: "internal_testing"
    user_groups: ["internal_staff"]
    duration: "1_week"
    success_criteria:
      agreement_rate: "> 99%"
      performance_impact: "< 5%"
  phase_2:
    name: "beta_customers"
    user_groups: ["beta_participants"]
    duration: "2_weeks"
    success_criteria:
      user_satisfaction: "> 95%"
      incident_count: "= 0"
  phase_3:
    name: "full_deployment"
    user_groups: ["all_users"]
    success_criteria:
      system_stability: "> 99.9%"
```
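An added example (not Authonomy's code) of evaluating the string-form thresholds used both in the rollout `success_criteria` above (`"> 99%"`, `"= 0"`) and in the regression `alerts` rules (`policy_deviation > 5%`). The metric names and the units of the observed values are assumed to match the criteria exactly; a metric that was never observed is treated as a failure rather than a pass.

```javascript
// Added example: parse and evaluate threshold expressions of the form
// "<op> <number>[%|ms]" as used in success_criteria and alert rules.
const OPS = {
  '>': (a, b) => a > b, '<': (a, b) => a < b,
  '>=': (a, b) => a >= b, '<=': (a, b) => a <= b, '=': (a, b) => a === b,
};

// "> 99%" -> { op: '>', value: 99, unit: '%' }; throws on anything else so a
// typo in a criterion cannot silently pass a phase.
function parseThreshold(expr) {
  const m = /^\s*(>=|<=|>|<|=)\s*(-?\d+(?:\.\d+)?)\s*(%|ms)?\s*$/.exec(expr);
  if (!m) throw new Error(`unparseable threshold: ${expr}`);
  return { op: m[1], value: Number(m[2]), unit: m[3] || null };
}

// criteria: { agreement_rate: "> 99%", ... }; metrics: { agreement_rate: 99.6, ... }
// (observed values in the same units as the criteria, an assumption here).
function evaluateCriteria(criteria, metrics) {
  const failures = [];
  for (const [metric, expr] of Object.entries(criteria)) {
    const { op, value } = parseThreshold(expr);
    const observed = metrics[metric];
    // A missing metric is a failure: unobserved is not the same as satisfied.
    if (typeof observed !== 'number' || !OPS[op](observed, value)) {
      failures.push({ metric, expected: expr, observed: observed ?? 'missing' });
    }
  }
  return { passed: failures.length === 0, failures };
}

// Alert rules carry the metric name inside the string ("policy_deviation > 5%");
// returns the rules that fire for the given metrics.
function evaluateAlerts(rules, metrics) {
  return rules.filter(rule => {
    const [metric, ...rest] = rule.trim().split(/\s+/);
    const { op, value } = parseThreshold(rest.join(' '));
    return typeof metrics[metric] === 'number' && OPS[op](metrics[metric], value);
  });
}
```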
Feature Flag Integration
Control FGA enforcement with feature flags:

```javascript
// Application code with feature flag
async function checkAuthorization(user, resource, action) {
  if (await featureFlag.isEnabled('fga_enforcement')) {
    return await fgaClient.check(user, action, resource);
  } else {
    return await legacyAuth.check(user, resource);
  }
}
```
Real-Time Monitoring
Monitor key metrics during validation:
- Authorization decision latency
- Policy evaluation errors
- User experience impact
- System resource utilization
Testing Best Practices
Comprehensive Test Coverage
- Happy path scenarios: Standard user workflows
- Edge cases: Boundary conditions and error states
- Security scenarios: Attempted authorization bypasses
- Performance scenarios: High load and stress testing
Continuous Validation
- Automated daily tests: Catch regressions early
- Business hour monitoring: Focus on peak usage periods
- Long-term trending: Track policy effectiveness over time
- Compliance auditing: Regular validation against requirements
Stakeholder Involvement
- Business validation: Have domain experts review policy behavior
- Security review: Ensure security team approves new authorization logic
- User acceptance testing: Validate that user experience is unchanged
- Operations readiness: Confirm ops team can support new infrastructure
Common Testing Scenarios
Enterprise B2B SaaS

```yaml
test_scenarios:
  multi_tenant_isolation:
    description: "Users only access their tenant's data"
    test_cases:
      - tenant_a_user_access_tenant_b_data: "deny"
      - tenant_admin_cross_tenant_access: "deny"
      - super_admin_cross_tenant_access: "allow"
  role_hierarchy:
    description: "Role inheritance works correctly"
    test_cases:
      - manager_inherits_employee_permissions: "allow"
      - employee_cannot_access_manager_data: "deny"
```
Healthcare System

```yaml
test_scenarios:
  patient_data_access:
    description: "HIPAA-compliant patient data access"
    test_cases:
      - doctor_own_patients: "allow"
      - doctor_other_patients: "deny"
      - emergency_override: "allow_with_audit"
  audit_requirements:
    description: "All access is properly logged"
    test_cases:
      - access_attempt_logged: "required"
      - audit_trail_complete: "required"
```
Rollback & Recovery
Instant Rollback
If issues are detected during validation:

```bash
# Emergency rollback to legacy authorization
authonomy rollback --system customer_portal --immediate

# Gradual rollback with monitoring
authonomy rollback --system admin_dashboard --gradual --monitor 30m
```
Rollback Triggers
Automated rollback based on metrics:
- Error rate increase > 1% above baseline
- Performance degradation > 100ms increase in response time
- User complaint threshold > 5 support tickets/hour
- Security incident detected
Next Steps
With thorough testing and validation complete, you're ready to proceed to Policy Enforcement Methods to choose the best deployment approach for your infrastructure.
Want to see shadow mode testing in action? Request a demo of our migration testing capabilities.