Before going live, validate that your integration correctly handles role boundaries across both the Admin Portal and the API layer. This protects your marketplace from unintended data exposure and permission escalation.
Creating Test Accounts
Start in the Admin Portal on your Stage environment. Create one test seller and one test buyer. These accounts serve double duty: they validate the portal-side onboarding flow, and provide the tokens needed for API role testing.
For the seller account:
- Navigate to Users > User List and create a Merchant test account.
- Complete the seller onboarding flow: profile setup and first listing creation.
For the buyer account:
- Create a Buyer test account from Users > User List.
- Complete an end-to-end purchase transaction to confirm checkout works correctly.
- Confirm that order and transaction data is correctly reflected in the Admin Portal.
Validating Role Enforcement via API
Once test accounts exist, use their respective tokens to confirm role boundaries are enforced at the API layer:
- Attempt an admin-only endpoint (e.g., category management) using a Merchant token. Expected response: 403 Forbidden.
- Attempt a merchant-only endpoint (e.g., edit own listing) using a Buyer token. Expected response: 403 Forbidden.
- Confirm the Admin token can access platform-wide resources without restriction.
Role enforcement is not automatic in custom integrations. If your frontend or backend constructs API calls dynamically, verify that token selection logic is role-aware and cannot be bypassed by a user manipulating their session.
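The three API checks above can be scripted so they run against Stage on every release rather than once before go-live. The following is an added example, not code from the platform or this article: the endpoint paths, the Stage host and the Bearer-token header are assumptions to replace with your own integration's values; the roles and expected status codes follow the checklist.

```python
"""Role-boundary smoke test for the API layer (added example, not vendor code)."""
import urllib.error
import urllib.request

# Each row: (label, method, path, token role, expected HTTP status).
# Paths are placeholders (assumption); roles and statuses follow the checklist.
ROLE_MATRIX = [
    ("merchant hits admin-only category management", "POST", "/api/admin/categories", "merchant", 403),
    ("buyer hits merchant-only listing edit", "PUT", "/api/merchant/listings/1", "buyer", 403),
    ("admin reads platform-wide resource", "GET", "/api/admin/users", "admin", 200),
]


def http_status(base_url, method, path, token):
    """Real transport: send one request with a Bearer token, return the HTTP status."""
    req = urllib.request.Request(base_url + path, method=method,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403/401 are the interesting answers, not errors


def check_role_boundaries(tokens, send):
    """Run the matrix with send(method, path, token) -> status code.

    Returns a list of failure descriptions; an empty list means every
    boundary held. A 401 where 403 was expected usually means the test
    token itself is invalid, so fix the setup before reading it as a pass.
    """
    failures = []
    for label, method, path, role, expected in ROLE_MATRIX:
        got = send(method, path, tokens[role])
        if got != expected:
            failures.append(f"{label}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    BASE = "https://stage.example.invalid"  # placeholder Stage host (assumption)
    TOKENS = {"admin": "<admin-token>", "merchant": "<merchant-token>", "buyer": "<buyer-token>"}
    for failure in check_role_boundaries(TOKENS, lambda m, p, t: http_status(BASE, m, p, t)):
        print("FAIL", failure)
```

Any non-empty result should block go-live; the transport is injected so the same matrix can be run against a mock during CI.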
Sub-Admin Access Control
If your team includes multiple admins with different operational responsibilities, configure permission profiles before go-live. This is separate from merchant and buyer role testing: it governs what your own team can access inside the Admin Portal.
- Invite sub-admin users via Users > User List.
- Assign them to a User Group via Users > User Group.
- Define an Admin Permission Profile for that group via Users > Admin Permission.
Admin permission profiles restrict sub-admins to specific portal sections. This is recommended where separation of duties applies, e.g., a finance team that needs access to Transactions but should not have access to User Management.
→ See the Managing Admin Roles & Permissions and Create more than one admin account articles in the Knowledge Base for more details.