Permission tests verify users have what they need; nothing more.
Test scenarios:
- Without permission: user cannot perform the action.
- With permission via profile: user can perform the action.
- With permission via permission set: user can perform the action.
- With permission via permission set group: user can perform the action.
- Without permission set licence (PSL): feature unavailable, even if the permission set is assigned.
- System permissions: View All Data and Modify All Data grant (and withhold) exactly what is expected.
Apex test pattern:
```apex
// Note: the enclosing test class must be declared `with sharing`; otherwise SOQL runs in
// system mode and the query below succeeds regardless of the Account sharing model.
@isTest
static void testStandardUserCantViewAll() {
    Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User'];
    User u = new User(...ProfileId = p.Id); // other required User fields elided in the original
    // User is a setup object; inserting it in the same transaction as an Account raises
    // MIXED_DML_OPERATION, so the setup DML runs under the current (test) user.
    System.runAs(new User(Id = UserInfo.getUserId())) {
        insert u;
    }
    // Tests do not see org data by default, so create the record the other user owns.
    insert new Account(Name = 'Owned by test context');
    Account ownedByOthers = [SELECT Id FROM Account LIMIT 1];
    System.runAs(u) {
        try {
            Account a = [SELECT Id FROM Account WHERE Id = :ownedByOthers.Id];
            // If the sharing model is Private, this query must not return the row
            System.assert(false, 'User should not see this Account');
        } catch (QueryException e) {
            // Expected: no rows visible to the Standard User
        }
    }
}
```
Manual / UI testing:
- Login as test user.
- Navigate; click; verify what's accessible.
- Verify what's NOT accessible.
- Try API calls; verify FLS / sharing enforcement.
Common pitfalls:
- Testing only as System Admin — bypasses everything.
- No permission set assignment tests.
- PSL ignored.
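The permission-set scenario above ("with permission via permission set: user can perform the action") and the "no permission set assignment tests" pitfall are covered by the following added Apex test, which is example code written for this page, not code from the original note. It assumes a hypothetical permission set `Risk_Tier_Editor` that grants edit access on a hypothetical custom field `Account.Risk_Tier__c`, and that the Standard User profile does not grant that edit on its own. It checks both directions: the profile alone must fail, the assignment must succeed, and the permission set must not carry broader system permissions than intended.

```apex
@isTest
private class PermissionSetAssignmentTest {

    // Hypothetical names for this example; substitute the artefacts under test.
    private static final String PERM_SET_API_NAME = 'Risk_Tier_Editor'; // assumed permission set
    private static final String GATED_FIELD       = 'Risk_Tier__c';     // assumed custom field on Account

    // Builds a Standard User with every field the User object requires on insert.
    private static User buildStandardUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        String uniq = String.valueOf(DateTime.now().getTime());
        return new User(
            ProfileId         = p.Id,
            LastName          = 'PermTest',
            Alias             = 'permtst',
            Email             = 'permtest@example.com',
            Username          = 'permtest' + uniq + '@example.com',
            EmailEncodingKey  = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey      = 'en_US',
            TimeZoneSidKey    = 'UTC'
        );
    }

    // Field-level security as seen by the running user: describe results evaluated
    // inside System.runAs reflect that user's object and field permissions.
    // getMap() keys are lowercase API names, hence toLowerCase().
    private static Boolean canEditGatedField() {
        Schema.SObjectField f =
            Schema.SObjectType.Account.fields.getMap().get(GATED_FIELD.toLowerCase());
        return f != null && f.getDescribe().isUpdateable();
    }

    @isTest
    static void fieldEditGrantedOnlyByPermissionSet() {
        User u = buildStandardUser();
        // User and PermissionSetAssignment are setup objects; mixing their DML with
        // regular records in one transaction raises MIXED_DML_OPERATION. Running the
        // setup DML under the current (test-context) user is the documented workaround.
        System.runAs(new User(Id = UserInfo.getUserId())) {
            insert u;
        }

        // Negative case first: the profile alone must not grant the edit.
        System.runAs(u) {
            System.assertEquals(false, canEditGatedField(),
                'Profile alone must not grant edit on ' + GATED_FIELD);
        }

        // "Nothing more": the permission set must not smuggle in system permissions.
        PermissionSet ps = [
            SELECT Id, PermissionsViewAllData, PermissionsModifyAllData
            FROM PermissionSet
            WHERE Name = :PERM_SET_API_NAME
            LIMIT 1
        ];
        System.assertEquals(false, ps.PermissionsViewAllData,
            PERM_SET_API_NAME + ' must not grant View All Data');
        System.assertEquals(false, ps.PermissionsModifyAllData,
            PERM_SET_API_NAME + ' must not grant Modify All Data');

        System.runAs(new User(Id = UserInfo.getUserId())) {
            insert new PermissionSetAssignment(AssigneeId = u.Id, PermissionSetId = ps.Id);
        }

        // Positive case: the assignment grants exactly the gated capability.
        System.runAs(u) {
            System.assertEquals(true, canEditGatedField(),
                PERM_SET_API_NAME + ' should grant edit on ' + GATED_FIELD);
        }
    }
}
```

The same shape extends to the permission set group scenario by assigning the group's `PermissionSetGroupId` on the `PermissionSetAssignment` instead of a `PermissionSetId`; for the PSL scenario, the assignment itself fails when the user lacks the required licence, which is the behaviour to assert on.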
Senior QA insight: permission tests are security tests. Production permission gaps = security incidents.
The senior framing: comprehensive permission testing matters at scale.
