Best practice for Roles in PROD vs Test/dev


What is the best way to ensure that the roles used in PROD are correct, but at the same time don’t give users access to Dev and Test environments?

Normally we would like to test with the same roles as a user in PROD would have assigned, but on the role we define what environments it will give access to. So ideally a normal production user should not have access to Test and Dev environment apps, but as a developer I would like to use the same role to verify that everything works as expected in Dev and Test environments before releasing to PROD.



The answer depends on criticality/sensitivity and the type of onboarding/how users get access.

  1. Login to Dev environment: None should be able to log in except Owners, Maintainers or Developers. This is for development/developers. If you want to test with a “normal user”, you may create a separate Role (“Dev login access” etc.) that you assign to your test user (in addition to the normal roles), and you give access for login to Development environment for just that role, meaning a Prod user with normal roles will have the correct permissions on a data level, but not for login.

  2. Login to Test environment: If users are provisioned centrally by adding an “Employee” object/record or similar, you may solve this with business logic (take the user to a “No access” page if no Employee object is found). An alternative is to take the same approach as for the Development environment: to have a separate role assigned to the test users that only serves as a privilege for the login to Test environment.

Hope this helps!

Thanks for your reply,

For me it seems to be a gap in the solution, since we have to test with one role and assign another in production to be able to separate access to different environments. It would be a better solution to have the access to environment on the users. Hope you will consider this.

Hi Preben!

Note that it only requires a separate role for the login access. You may consider it a way of grouping a few users for giving them login access to Test environment, and give that specific Role the login access instead of adding / removing 8 users individually.

So I cannot currently see that giving users individual access is better in all cases (simpler maybe, when adding 1-2 users).

I’m not sure if I understand your explanation. But I would love to have a quick call about whether there is something I’m missing on this setup.


I sent you a DM on this one.