BMC Helix Remedyforce 20.19.01 patch 2 sandbox testing guidelines

BMC Helix Remedyforce 20.19.01 (Winter 19) Patch 2 contains a number of defect fixes to improve the product quality. It also includes improved checks on objects and fields for various user personas such as Staff and Client to further secure the application usage and prevent unwanted access. It is recommended that if you elect to self-upgrade, then first upgrade and test in your sandbox before pushing 20.19.01 Patch 2 to your production instances.

This document provides testing recommendations related to various defect fixes and security enhancements addressed in the BMC Helix Remedyforce 20.19.01 Patch 2 release. Note that these guidelines might not cover all customization or configuration that are specific to your organization. Hence, it is recommended that this document be used as a reference for understanding the possible product areas which might have undergone changes. Partners and customers are expected to not limit their validations to the ones mentioned in this documentation. They should also execute their test suites to ensure all the use cases important to their business continue to work as expected.

For more information on the release details, refer BMC Helix Remedyforce 20.19.01 Patch 2 release notes.

For more information about the testing guidelines, refer the following topics:

Testing guidelines for security enhancements

Improvised checks on the objects and fields for various supported personas have been added into this patch. This will further help in enhancing the application security. There should not be any impact if you are using OOTB (out of the box) permissions for various personas, however, it is recommended that you validate your key use cases related to customization using various personas such as Staff, Client, and Change Manager.

Oops, it seems that you need to place a table or a macro generating a table within the Table Filter macro.

Product area / Feature	Sub feature	Recommended validation	Remediation if issues observed
Remedyforce Console	Create and Update: Incident, Service Request, and other modules	Create, Update, and Close actions continue to work without any impact. Note: It is recommended that you use a mix of Remedyforce fields and custom fields.	Give object permissions in Profile or Permission Set for Read, Create, and Edit actions of a record. For example, if you are on the Incident or Service Request form, the permissions should be given on the Incident object.
	Form	Perform validation on all the fields (for example, Staff lookup field in Assignment Details) to check if they appear on the form as desired. Ensure that the Read Only fields appear in Read mode and Editable fields appear in Edit mode.	For example, if on the Incident form you find some missing fields or Read Only fields, grant the Read or Edit permission to that persona.
	Close Form	Ensure that the options such as Close Linked Tasks are available on the Close Form action of the respective modules.	If a label is not visible, grant the Read or Edit permission to the fields such as the ones in Incident on Close Tasks field.
	Activity Feed	Perform validation on actions like adding a note and attachments from the Activity Feed. Validate adding notes and attachments from the Actions menu as well.	For Example, in case of any issues in adding the notes or attachments from Activity Feed or Actions menu of the Incident form, grant the Read, Create, and Edit access to the Incident object. Note that, to add attachments, you need the Edit access on the parent object.
	Details tab	Perform validation on linking of records. For Example, in Incident Details tab, the Select and Link Configuration Item and Assets to an Incident option.	In case of any issues in linking, grant the Create or Edit access. For example, grant the Create or Edit access to the Incident object for that persona.
	SmartView	Expand all the related nodes (such as Task, Change Request, Problem, CMDB) and check the records details.	If there are fields missing in Record Details, then grant the Read or Edit access to the object and the missing fields as per the persona. For example, the OOTB (out of the box) behavior for a Staff user is to allow viewing of the Change Request fields but not editing them.
	View/Create Change Request	Users with Change Manager persona should be able to create and edit a change request record.	As per the persona grant the Read and Edit access on the Change Request object.
	View/Create Releases	Users with Release Manager persona should be able to create and edit a release record.	As per the persona grant the Read and Edit access on the Release object.
Self Service 3.0	Create/Copy/Edit/Close Incident with and without attachments	Perform the following validations: Submit a ticket by populating OOTB (out of the box) and custom field values on the form. Add notes and attachments to the submitted ticket. Add attachment before creating a ticket and then save the ticket.	Grant the Create and Edit access to the Incident object. For attachments grant the Read, Create, and Edit access to the Temporary Attachments object.
	Create/Copy/Edit/Close Service Request with attachments	Perform the following validations: Search for your Common Service Request from Describe your issue and Save it as a draft or create a service request. Recommended to try this with a commonly used request, which has complex custom configurations having template application, workflows, approvals, and process builder.	Grant the Read access on Request Definitions and Fulfillment Inputs object. Grant the Read, Create and Edit access on Request Details, Request Detail Inputs, and Incident objects.
	Category lookup field on the Incident form	Perform the following validations: Search for values in the Category lookup field. Check if you can see the categories. Check if you see the list view display.	If you cannot see the categories, grant the Read Access permission to the Parent Tree field of the `Category` object for ServiceDesk Client Profile or client's Permission Set.
	View Knowledge Article	Perform the following validations: Go to View Self Help Articles and then navigate through the categories and view a knowledge article. If you are using a custom permission, then also ensure that you can provide feedback, rating and other options available.	If you are using custom profiles or permission sets then ensure that you have granted the Read permission to the Knowledge Article object. Also, the Read and Edit permission to the Knowledge Feedback objects. If some part of the article section is not visible, then give Read permission to the fields, which are not rendered for the user persona.
	Manage Approvals	In pending approvals, you should be able to see more details of the fields that you have added through configuration. The Client user should be able to Approve, Reject, Reassign and View history in case you are using custom permission.	If fields are missing in the Approval list or in Show Details section, then give Read permission for the user's persona.
	Broadcast, Custom Tile Links, My Assets, Service Health	Verify if the client user can see Broadcasts, Broadcast Messages, Custom Tile links, View My Assets, View Service Health on the Self Service Home screen.	If you are using custom profiles or permission sets, ensure that Read permission is granted on the Broadcast object and its fields.
Self Service Mobile Application	Create, Update Incident, Task for Analyst. Create Ticket for Self Service application	Perform the following validations: Create and update the incident/ticket from both the mobile applications. Look for any missing fields on the form and list views. Add notes and attachments.	Mobile applications for both the personas require the same permissions as that of their web interfaces. If Self Service 3.0 and Console permissions are given properly, the mobile applications will not face any permission issues.

Sample testing scenarios for security enhancements

Perform validations whenever you see any of the following scenarios:

Any field(s) which were visible earlier on the form but are not visible now.

Reason: Those fields might be missing the Read or Edit field level permissions.

Fix: Grant appropriate permissions to those fields which are missing.

You receive error message, such as Insufficient permissions on specific field while performing any operation.

Refer to the following screenshots:

Reason: Insufficient object or field level permission.

Fix: Grant appropriate permissions on that object or field to the persona as displayed in the error message.

If you see any unexpected behavior for any of the feature(s).

Reason: Permissions on the object or fields driving that feature may be missing.

Fix: Basic objects or fields involved for proper functioning of that feature as described in above scenarios. Granting basic permissions might resolve the issue.

Using OOTB (out of the box) permission sets provided for that persona should fix the issue. If the issue persists, please contact the BMC support team.

Testing guidelines based on defect fixes

Oops, it seems that you need to place a table or a macro generating a table within the Table Filter macro.

Product area / Feature	Sub feature	Recommended validation
Remedyforce Administration		Perform the following validations: In Templates if you are using field mapping with field types such as Text Area and Long Text Area, verify whether the values are getting saved and applied. Editing of Service Request Definition having lookup fields. Create, Update, and Delete operation on Category.
Remedyforce Console	Staff Queue Assignment	Perform the validation for the following areas: Staff Auto Assignment and Round Robin Auto Queue Assignment
	Service Level Agreement	Perform validation for the following areas: Apply the commonly used Service Level Agreements. Verify whether the Service Level Targets get applied with the clock states such as Start, Pause, and Stop. Milestone notifications are received where ever applicable.
	Activity Feed	Perform validation for the Email Actions and Notes.
	Email Conversation	Perform validation for the following: Email related use cases such as creating incidents from incoming email, email conversation from various user interfaces like Activity Feed, Smart Views, Email form, and so on.
CMDB		Perform validation for the Custom fields with Read or Edit mode to see if the values are correctly populated.
Self Service 3.0	Tickets and Requests	Perform validation for the following areas: Verify the Staff Queue assignment on the Self Service form. Lookup type of input fields on the Service Request form such as the lookup field on the Base Element Object.
	Tiles	Perform validation for the custom tile redirecting to the correct URL, if there are any configured.
	Supported Localized organisations including Hebrew (Non English)	Perform validation for the following (UI distortion): Home Screen Submit a Ticket Request a service Manage Approvals View Service Health Broadcast pop up
Self Service Mobile Application		Perform actions such as create tickets and service requests and then validate the below tiles by applying filters: View Tickets and Requests View My Assets Submit Tickets from View My Assets