[Test cases] Domain Control - Release 3

[mountiny]

Release 3 - Domain Members Configuration

Access Member Configuration Options

1. Navigate to Domain Members page.
2. Click on any member row to open their details.

Verify:

• You see the following in the RHP, in order from top to bottom:
  • Member avatar and display name
  • "Close account" button
  • Email address (or phone number)
  • Vacation delegate
  • Force two-factor authentication (toggle)
  • Reset two-factor authentication (only visible when the member's account has 2FA enabled)
  • Report suspicious activity (or "Unlock account" if the account is already locked)
  • Profile link

Set Vacation Delegate

Preconditions
Have an account that is a part of at least one expense

1. Click on a member row.
2. Click on the "Vacation delegate" row.
3. Verify a page opens showing sections: "Recents" and "Contacts" (and "Current delegate" if one is already set).
4. Type a name, email, or phone number in the search field.
5. Select a delegate from the suggestions.

Verify:

• The selected delegate appears in the "Vacation delegate" row on the member details page.
• If the member is currently acting as a vacation delegate for other members, the selection list is replaced with an error message listing those members.

Clear Vacation Delegate

1. On a member with a vacation delegate set, click the "Vacation delegate" row.
2. Tap the current delegate (shown with a selected checkmark) to deselect them.

Verify:

• The vacation delegate is removed.
• The row shows no delegate selected.

Enable 2FA for Specific Member

1. Click on a member row who does not have 2FA forced.
2. Toggle "Force two-factor authentication" to ON.

Verify:

• The toggle switches to ON without requiring a 2FA code.
• The member will be required to set up 2FA on their next login if they haven't already.

Disable 2FA for Specific Member (Admin has 2FA)

1. Ensure you (the admin) have 2FA enabled on your account.
2. Click on a member who has 2FA forced (toggle is ON).
3. Toggle "Force two-factor authentication" to OFF.
4. Verify you are navigated to a "Disable two-factor authentication" page.
5. Enter your 2FA code (or recovery code).
6. Click "Disable".

Verify:

• The toggle switches to OFF.
• The member's 2FA requirement is removed.

Disable 2FA for Specific Member (Admin does NOT have 2FA)

1. Sign in as an admin who does NOT have 2FA enabled.
2. Navigate to a member's details page.
3. Toggle "Force two-factor authentication" to OFF.

Verify:

• The toggle switches to OFF directly without requiring a 2FA code (since the admin has no 2FA to verify).

Reset Member's 2FA

1. Sign in as an admin with 2FA enabled.
2. Click on a member who has 2FA enabled (the "Reset two-factor authentication" option should be visible).
3. Click "Reset two-factor authentication".
4. Verify you are navigated to a "Disable two-factor authentication" page.
5. Enter your 2FA code (or use a recovery code).
6. Click "Disable".

Verify:

• The member's 2FA is reset.
• The member will need to set up 2FA again on their next login.

Report Suspicious Activity

1. Click on a member row.
2. Click "Report suspicious activity".
3. Verify a page opens with title "Report suspicious activity".
4. Review the message: "Are you sure? This will lock [email]'s account. Our team will then review the account and remove any unauthorized access. To regain access, they'll need to work with Concierge."
5. Click the red "Report suspicious activity" button at the bottom of the page.
6. Verify a confirmation modal appears with title "Report suspicious activity".
7. Click "Lock account" to confirm.

Verify:

• The account is locked.
• On the member details page, the "Report suspicious activity" option changes to "Unlock account".

Unlock Account

1. On a member with a locked account, verify "Unlock account" is shown instead of "Report suspicious activity".
2. Click "Unlock account".
3. Verify an informational modal appears with title "We've received your request" and message "We'll review the account to verify it's safe to unlock and reach out via Concierge with any questions."
4. Click "Got it".

Verify:

• The modal closes.
• The unlock request is submitted.

Access Domain Members Settings

1. From the Domain Members page, click the "More" dropdown button in the top right.
2. Verify a popover appears with two options: "Settings" and "Download CSV".
3. Click "Settings".

Verify:

• A RHP opens with title "Settings".
• You see a toggle for "Force two-factor authentication" for the entire domain.
• The description reads: "Require two-factor authentication for all members of this domain. Domain members will be prompted to set up two-factor authentication on their account when they sign in."
• If SAML is enabled for the domain, the toggle is disabled and a message to disable SAML first is shown.

Enable Domain-Wide 2FA

1. In the Members Settings page, toggle "Force two-factor authentication" ON.

Verify:

• The toggle switches to ON.
• All domain members will be required to enable 2FA.
• Members without 2FA will be prompted to set it up on next login.

Disable Domain-Wide 2FA (Admin has 2FA)

1. Ensure you (the admin) have 2FA enabled.
2. Toggle "Force two-factor authentication" OFF.
3. Verify you are navigated to a "Disable two-factor authentication" page.
4. Enter your 2FA code (or recovery code).
5. Click "Disable".

Verify:

• The toggle switches to OFF.
• Domain members are no longer required to have 2FA (unless individually set).

Disable Domain-Wide 2FA (Admin does NOT have 2FA)

1. Sign in as an admin without 2FA enabled.
2. Toggle "Force two-factor authentication" OFF.

Verify:

• The toggle switches to OFF directly without requiring a code.

Download Domain Members CSV

1. From the Domain Members page, click "More" button.
2. Click "Download CSV" from the popover.

Verify:

• A CSV file is downloaded containing the list of domain members.
• If you are offline, a modal appears saying "You appear to be offline" with a message that this feature requires internet.

Bulk Select Members

1. From the Domain Members page (desktop), verify you can see checkboxes next to member rows. On mobile, long-press a member row to enable selection mode.
2. Click the checkbox next to one member.

Verify:

• The member row is highlighted/selected.
• A counter appears showing "X selected" where X is the number of selected members.
• The "Add member" button and "More" dropdown are replaced with the "X selected" dropdown.

Bulk Close Accounts

1. Select multiple members by clicking their checkboxes (e.g., select 3 members).
2. Verify the dropdown button in the top right shows "X selected".
3. Click the dropdown.
4. Verify one option appears: "Close accounts".
5. Click "Close accounts".
6. Verify the first modal (DecisionModal) appears with title "Close accounts" and safety precautions text explaining: pending approvals, active reimbursements, and no alternative login methods.
7. Choose "Close accounts safely" (green) or "Force close accounts" (red).
8. Verify a second confirmation modal appears with title "Close accounts" and prompt "Are you sure? This action is permanent."
9. Click "Close accounts" to confirm, or "Cancel" to go back to the first modal.

Verify:

• Both modals are shown in sequence (safety precautions first, then final confirmation).
• All selected members are processed for account closure.
• Members are removed from the domain members list.
• Selection is cleared after closing.

Cancel Bulk Close Accounts

1. Select multiple members.
2. Click the dropdown and select "Close accounts".
3. In the first modal (safety precautions), close it or in the second modal click "Cancel".

Verify:

• The modal closes. If cancelled from the confirmation modal, the safety precautions modal reappears.
• No accounts are closed.
• Members remain selected.

Deselect Members

1. Select multiple members.
2. Click on a selected member's checkbox again to deselect.

Verify:

• The member is deselected.
• The counter decreases.
• When all members are deselected, the bulk action dropdown is replaced with the "Add member" button and "More" dropdown.

---

Close Single Member Account

1. Click on a member row to open their details.
2. Click the "Close account" button near the top of the page.
3. Verify the first modal (DecisionModal) appears with title "Close account" and safety precautions text explaining: pending approvals, active reimbursements, and no alternative login methods.
4. Choose "Close account safely" (green) or "Force close account" (red).
5. Verify a second confirmation modal appears with title "Close account" and prompt "Are you sure? This action is permanent."
6. Click "Close account" to confirm, or "Cancel" to go back to the first modal.

Verify:

• Both modals are shown in sequence (safety precautions first, then final confirmation).
• After confirming, the member's account is closed and you are navigated away from the member details page.
• If "Cancel" is clicked in the second modal, the first modal (safety precautions) reappears.

Vacation Delegate Blocked by Active Delegations

1. Navigate to a member who is currently acting as a vacation delegate for one or more other members.
2. Click the "Vacation delegate" row.

Verify:

• Instead of the normal contact selection list, you see the message: "You can't set a vacation delegate for [email] because they're currently the delegate for the following members:"
• A list of the members they are currently delegating for is shown below the message.
• You cannot select a new vacation delegate until their existing delegations are removed.

SAML Blocks Domain-Wide 2FA Toggle

1. On a domain that has SAML enabled, navigate to the Domain Members page.
2. Click the "More" dropdown and select "Settings".

Verify:

• The "Force two-factor authentication" toggle is disabled and cannot be interacted with.
• The description text reads "Please disable SAML to force two-factor authentication" with a link to the SAML settings page.
• The normal description about requiring 2FA for all members is not shown.

Offline CSV Download

1. Disconnect from the internet (go offline).
2. From the Domain Members page, click the "More" dropdown.
3. Click "Download CSV".

Verify:

• A modal appears with title "You appear to be offline" and message "This feature requires internet."
• Click "Got it" to dismiss the modal.
• No file is downloaded.

Select All Members

1. From the Domain Members page (desktop), locate the header checkbox above the member list.
2. Click the header checkbox to select all members.

Verify:

• All eligible members are selected.
• The counter shows the total number of selected members.
• The "Add member" button and "More" dropdown are replaced with the "X selected" dropdown.

3. Click the header checkbox again to deselect all members.

Verify:

• All members are deselected.
• The counter is removed and the "Add member" button and "More" dropdown reappear.

Recovery Code Alternative on 2FA Pages

1. Navigate to a page that requires a 2FA code (e.g., disable a member's 2FA or reset a member's 2FA).
2. On the "Disable two-factor authentication" page, verify the form asks for a 2FA code.
3. Click the "Use recovery code" link.

Verify:

• The form switches to accept a recovery code instead of a 2FA code.
• A "Use two-factor authentication code" link appears to switch back.

4. Enter a valid recovery code and click "Disable".

Verify:

• The action completes successfully using the recovery code.

[m-natarajan]

@mountiny
Set Vacation Delegate
Recent section not displayed when assigning Vacation delegate

Recording.2514.mp4

Enable 2FA for Specific Member
The member is not required to set up 2FA on their next login if they haven't already.

Recording.2515.mp4

[mountiny]

@war-in @rayane-d mind checking those out?

Enable 2FA for Specific Member
The member is not required to set up 2FA on their next login if they haven't already.

[war-in]

Enable 2FA for Specific Member
The member is not required to set up 2FA on their next login if they haven't already.

I think the flow should be different here. Users should only be required to set up 2FA when the global toggle (/domain/<id>/members/settings) is enabled.

The toggles in the member details are meant to disable 2FA for specific users. The current flow can be a bit misleading because it may suggest that 2FA can be enforced per user, but in reality, you cannot force 2FA for a specific user, only disable it.

This is also how OD handles it.

[mountiny]

The toggles in the member details are meant to disable 2FA for specific users. The current flow can be a bit misleading because it may suggest that 2FA can be enforced per user, but in reality, you cannot force 2FA for a specific user, only disable it.

That is indeed quite confusing, maybe we could make that clearer as a follow up to the project

@m-natarajan in that case can you update the test case to reflect that - the toggle should only exempt the user if the domain requires 2fa

[mountiny]

@m-natarajan we are handling the second one here #85208 if the domain is not 2fa required, we will not show the toggle at all

[mountiny]

@m-natarajan we updated the Set Vacation Delegate, can you please verify now?

[m-natarajan]

@m-natarajan we updated the Set Vacation Delegate, can you please verify now?

@mountiny Still Recent section not displayed