
# Bruno API Collection - Role-Based Organization

Bruno API collection for MStore API V2, organised by role following the RBAC Multi-Level Architecture (L0-L4).

## 🎯 Overview

This collection makes it easy to test the API from the perspective of a specific role. Each role has its own folder containing only the endpoints that role's permissions allow.

## 📁 Collection Structure

```text
third_party/bruno/02_API_V2/
├── Role_L0_OWNER/              # 15 endpoints - Full access
├── Role_L0_CASHIER/            # 7 endpoints - POS operations
├── Role_L0_VIEWER/             # Read-only access
├── Role_L1_FIN-MGR/            # 9 endpoints - Finance management
├── Role_L1_INV-MGR/            # 8 endpoints - Inventory management
├── Role_L1_HR-MGR/             # 8 endpoints - HR management
├── Role_L1_AUD/                # 7 endpoints - Audit read-only
├── Role_L2_ACC-MGR/            # 8 endpoints - Accounting & approval
├── Role_L2_ADM-SYS/            # 7 endpoints - System administration
└── ... (49 more role folders)
```

Total: 57 role folders covering L0-L4 business levels

## 📊 Role Organization by Level

### L0 - Micro/Solo (3 roles)

| Role | Code | Endpoints | Description |
|------|------|-----------|-------------|
| Owner | OWNER | 15 | Full system access |
| Cashier | CASHIER | 7 | POS operations |
| Viewer | VIEWER | - | Read-only reports |

### L1 - SME (6 roles)

| Role | Code | Endpoints | Description |
|------|------|-----------|-------------|
| Owner & Manager | OWN-MGR | - | Business owner |
| Finance Manager | FIN-MGR | 9 | Finance & reports |
| Inventory Manager | INV-MGR | 8 | Stock management |
| HR Manager | HR-MGR | 8 | HR & payroll |
| Cashier | CSH | - | Daily transactions |
| Auditor | AUD | 7 | Audit trail (read-only) |

### L2 - Enterprise (24 roles)

- Management
- Finance
- Operations
- Marketing & CRM
- Support
- ADM-BIZ: Business configuration
- ADM-SYS: System infrastructure (7 endpoints)

### L3 - Holding (9 roles)

| Role | Description |
|------|-------------|
| OWN-MGR-HLD | Owner & Manager (Holding) |
| CONS-MGR | Consolidation Manager |
| AUD-GRP | Group Auditor |
| BI-MGR | BI Manager |
| DATA-ANL | Data Analyst |

+ 4 more

### L4 - Corporate/MNC (15 roles)

| Role | Description |
|------|-------------|
| BOARD-CXO | Board & C-Level |
| GOV-COMP | Governance & Compliance |
| FIN-GLB | Global Finance |
| IT-SYS-GLB | Global IT System |
| ESG-MGR | ESG Manager |
| SEC-OFFR | Security Officer |

+ 9 more

## 🚀 Quick Start

### 1. Open Bruno

```bash
# Navigate to the Bruno collection
cd /path/to/mstore_backend/third_party/bruno/02_API_V2
```

Open this folder in the Bruno application.

### 2. Configure Environment

Create an environment in Bruno with these variables:

```json
{
  "base_url": "http://localhost:8080",
  "auth_token": ""
}
```

Note that the example request file further down references `{{host}}`; the variable name in your environment must match the one the `.bru` files use.

### 3. Login & Get Token

1. Navigate to the folder for the role you want (e.g., `Role_L0_OWNER`)
2. Run `001_AUTH_LOGIN.bru` with valid credentials
3. Copy the JWT token from the response
4. Set the token in the `auth_token` environment variable

### 4. Test Endpoints

Run the other endpoints according to the role's permissions.
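Steps 3 and 4 above copy the token by hand. The following is an added example, not part of the collection or of the MStore project, of a Bruno `script:post-response` body for `001_AUTH_LOGIN.bru` that does the same automatically: it checks `meta.success`, sanity-checks the token shape and its `exp` claim, and writes the token into `auth_token` with `bru.setEnvVar`. The response shape is the one documented in the File Format Example; the `token_exp` variable, the sample claims (`sub`, `role`) and the constructed response are assumptions. Bruno supplies `bru` and `res` at run time; outside Bruno the same file runs in Node against the constructed sample.

```javascript
// Added example (not part of the original collection): post-response script for
// 001_AUTH_LOGIN.bru that validates the login response and stores the JWT in the
// `auth_token` environment variable, replacing the manual copy in step 3.
// Response shape follows the "Response Format" in the .bru example:
//   { "meta": { "success": true, "message": "Success" }, "data": { "token": "..." } }

// Decode the JWT payload (second segment) without verifying the signature.
// Signature verification is the server's job; here we only sanity-check the
// token shape and expiry before trusting it for the rest of the session.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) throw new Error("token is not a three-segment JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Validate the login body and return the token plus its decoded claims.
// Throws on a failed login, a malformed token, or a token that is already expired.
function extractToken(body, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!body || !body.meta || body.meta.success !== true) {
    const msg = body && body.meta ? body.meta.message : "missing meta";
    throw new Error(`login failed: ${msg}`);
  }
  const token = body.data && body.data.token;
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    throw new Error("token has no exp claim or is already expired");
  }
  return { token, claims };
}

// Inside Bruno, `bru` and `res` are provided by the runtime; this branch is the
// body to paste into `script:post-response { ... }` in 001_AUTH_LOGIN.bru.
if (typeof bru !== "undefined" && typeof res !== "undefined") {
  const { token, claims } = extractToken(res.getBody());
  bru.setEnvVar("auth_token", token);
  // `token_exp` is a hypothetical extra variable so later requests can spot a stale token.
  bru.setEnvVar("token_exp", String(claims.exp));
}

// Stand-alone check with a constructed response (no server needed).
function makeSampleToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  // The "sig" segment is a placeholder; the client never verifies it.
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ sub: "1", role: "OWNER", exp })}.sig`;
}

const SAMPLE_LOGIN_RESPONSE = {
  meta: { success: true, message: "Success" },
  data: { token: makeSampleToken(Math.floor(Date.now() / 1000) + 3600) },
};

console.log("role in token:", extractToken(SAMPLE_LOGIN_RESPONSE).claims.role);
```

Keeping the check in the request file means a failed login or an already-expired token stops the run at step 3 instead of surfacing later as a confusing 401 on an unrelated endpoint.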

## 📂 Folder Structure per Role

Each role folder contains:

```text
Role_LX_ROLENAME/
├── collection.bru           # Collection metadata & docs
├── README.md                # Usage guide
├── 001_AUTH_LOGIN.bru       # Login endpoint
├── 002_AUTH_LOGOUT.bru      # Logout endpoint
├── 003_AUTH_PROFILE.bru     # Profile endpoint
├── 004_ROLE_LIST.bru        # Role management
└── ... (more endpoints)
```

### File Format Example

````bru
meta {
  name: AUTH_LOGIN
  type: http
  seq: 1
}

post {
  url: {{host}}/api/v2/core/auth/login
  body: json
  auth: bearer
}

headers {
  Content-Type: application/json
}

body:json {
  {
    "email": "[email protected]",
    "password": "password123"
  }
}

docs {
# AUTH_LOGIN

**Method**: POST  
**Path**: `/api/v2/core/auth/login`

## Response Format
```json
{
  "meta": {
    "success": true,
    "message": "Success"
  },
  "data": {
    "token": "jwt-token-here"
  }
}
```
}
````

---

## 🔐 Role-Specific Endpoints

### OWNER Role (15 endpoints)

**Authentication:**
- AUTH_LOGIN, AUTH_LOGOUT, AUTH_PROFILE

**System:**
- ROLE_LIST

**Finance:**
- FIN_INVOICE_LIST, FIN_INVOICE_CREATE
- FIN_PAYMENT_LIST, FIN_REPORT_DAILY

**Inventory:**
- INV_PRODUCT_LIST, INV_PRODUCT_CREATE
- INV_STOCK_LIST, INV_STOCK_ADJUSTMENT

**HR:**
- HR_EMPLOYEE_LIST, HR_EMPLOYEE_CREATE
- HR_PAYROLL_LIST

### CASHIER Role (7 endpoints)

**Authentication:**
- AUTH_LOGIN, AUTH_LOGOUT, AUTH_PROFILE

**Inventory (Read-only):**
- INV_PRODUCT_LIST, INV_STOCK_LIST

**POS:**
- POS_TRANSACTION_CREATE
- POS_TRANSACTION_LIST

### AUDITOR Role (7 endpoints)

**Authentication:**
- AUTH_LOGIN, AUTH_PROFILE

**Finance (Read-only):**
- FIN_INVOICE_LIST
- FIN_PAYMENT_LIST
- FIN_REPORT_DAILY

**Audit:**
- AUDIT_LOG_LIST
- AUDIT_TRAIL

---

## 🎯 Populated Collections

| Role | Level | Endpoints | Status |
|------|-------|-----------|--------|
| OWNER | L0 | 15 | ✅ Complete |
| CASHIER | L0 | 7 | ✅ Complete |
| FIN-MGR | L1 | 9 | ✅ Complete |
| INV-MGR | L1 | 8 | ✅ Complete |
| HR-MGR | L1 | 8 | ✅ Complete |
| AUD | L1 | 7 | ✅ Complete |
| ACC-MGR | L2 | 8 | ✅ Complete |
| ADM-SYS | L2 | 7 | ✅ Complete |
| Others | L2-L4 | - | 📋 Template ready |

**Total**: 69 endpoint files created across 8 roles

---

## 🔧 Environment Configuration

### Development

```json
{
  "base_url": "http://localhost:8080",
  "auth_token": "",
  "merchant_id": "1",
  "branch_id": "1"
}
```

### Staging

```json
{
  "base_url": "https://api-staging.mstore.com",
  "auth_token": "",
  "merchant_id": "",
  "branch_id": ""
}
```

### Production

```json
{
  "base_url": "https://api.mstore.com",
  "auth_token": "",
  "merchant_id": "",
  "branch_id": ""
}
```

## 📋 Testing Workflow

### 1. Basic Flow (OWNER)

### 2. Transaction Flow (CASHIER)

1. AUTH_LOGIN → Get token
2. INV_PRODUCT_LIST → Browse products
3. INV_STOCK_LIST → Check stock
4. POS_TRANSACTION_CREATE → Create sale
5. POS_TRANSACTION_LIST → View transactions

### 3. Audit Flow (AUDITOR)

1. AUTH_LOGIN → Get token
2. FIN_INVOICE_LIST → View invoices
3. FIN_PAYMENT_LIST → View payments
4. AUDIT_LOG_LIST → Check audit logs
5. AUDIT_TRAIL → Track specific transaction

## 🎓 Best Practices

- Use separate environments for Dev, Staging and Production
- Never commit `auth_token` to version control
- Rotate tokens regularly
- Use environment presets for quick switching
- Group requests by domain (Core, Finance, Inventory, etc.)
- Use consistent naming (e.g., `001_`, `002_`)
- Add complete docs to every request
- Add a sample response
- Start with AUTH_LOGIN for every role
- Test positive cases first, then negative cases
- Validate the response schema
- Check that RBAC permissions are enforced
- Test SoD (Segregation of Duties) rules
- Share the collection via Git
- Document expected responses
- Add pre-request scripts for setup
- Add tests for automated validation
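Checking RBAC enforcement and testing negative cases both need the deny side of the matrix, which the role folders by design do not contain: each folder holds only what its role may call, so running a folder end to end never sends a request the server should refuse. As an added example, not part of the collection, the script below derives that matrix from the OWNER, CASHIER and AUDITOR endpoint lists in the Role-Specific Endpoints section and classifies observed status codes against it; a denied endpoint answering 2xx is an enforcement gap. The role and endpoint names are the page's; the observed results and the 403-for-denied convention are constructed assumptions, and `/config/rbac/policy.csv` remains the authoritative allow-list (the README describes OWNER as full access while its folder lists 15 endpoints, so regenerate the matrix from the policy for real runs).

```javascript
// Added example (not part of the original collection): build the role x endpoint
// expectation matrix from the per-role endpoint lists in this README and classify
// observed HTTP results against it. Role/endpoint names come from the README;
// the observed results below are constructed, and the authoritative allow-list is
// /config/rbac/policy.csv.

const ROLE_ENDPOINTS = {
  OWNER: [
    "AUTH_LOGIN", "AUTH_LOGOUT", "AUTH_PROFILE", "ROLE_LIST",
    "FIN_INVOICE_LIST", "FIN_INVOICE_CREATE", "FIN_PAYMENT_LIST", "FIN_REPORT_DAILY",
    "INV_PRODUCT_LIST", "INV_PRODUCT_CREATE", "INV_STOCK_LIST", "INV_STOCK_ADJUSTMENT",
    "HR_EMPLOYEE_LIST", "HR_EMPLOYEE_CREATE", "HR_PAYROLL_LIST",
  ],
  CASHIER: [
    "AUTH_LOGIN", "AUTH_LOGOUT", "AUTH_PROFILE",
    "INV_PRODUCT_LIST", "INV_STOCK_LIST",
    "POS_TRANSACTION_CREATE", "POS_TRANSACTION_LIST",
  ],
  AUDITOR: [
    "AUTH_LOGIN", "AUTH_PROFILE",
    "FIN_INVOICE_LIST", "FIN_PAYMENT_LIST", "FIN_REPORT_DAILY",
    "AUDIT_LOG_LIST", "AUDIT_TRAIL",
  ],
};

// Endpoints reachable without a token; they are never a deny case.
const PUBLIC_ENDPOINTS = new Set(["AUTH_LOGIN"]);

// Every endpoint any role folder contains, so each role is tested against all of them.
const ALL_ENDPOINTS = [...new Set(Object.values(ROLE_ENDPOINTS).flat())].sort();

// Policy expectation for a request carrying a valid token of `role`.
function expectedOutcome(role, endpoint) {
  if (PUBLIC_ENDPOINTS.has(endpoint)) return "allow";
  const allowed = ROLE_ENDPOINTS[role];
  if (!allowed) throw new Error(`unknown role: ${role}`);
  return allowed.includes(endpoint) ? "allow" : "deny";
}

// The negative tests for a role: endpoints its folder does not contain. A positive-only
// run of the folder never sends these, so enforcement gaps stay invisible without them.
function denyCases(role) {
  return ALL_ENDPOINTS.filter((e) => expectedOutcome(role, e) === "deny");
}

// Classify one observed status code:
//   "ok"         matches policy (allowed -> 2xx, denied -> 403)
//   "violation"  denied endpoint answered 2xx, i.e. RBAC was not enforced
//   "unexpected" allowed endpoint failed, or a deny came back as something other than 403
function classify(role, endpoint, status) {
  const expected = expectedOutcome(role, endpoint);
  const success = status >= 200 && status < 300;
  if (expected === "allow") return success ? "ok" : "unexpected";
  if (success) return "violation";
  return status === 403 ? "ok" : "unexpected";
}

// Return only the results that need attention.
function findings(results) {
  return results
    .map((r) => ({ ...r, verdict: classify(r.role, r.endpoint, r.status) }))
    .filter((r) => r.verdict !== "ok");
}

// Constructed sample run: two correct outcomes, one enforcement gap, one wrong status.
const SAMPLE_RESULTS = [
  { role: "CASHIER", endpoint: "POS_TRANSACTION_CREATE", status: 201 },
  { role: "CASHIER", endpoint: "HR_PAYROLL_LIST", status: 403 },
  { role: "CASHIER", endpoint: "FIN_INVOICE_CREATE", status: 201 }, // must be 403
  { role: "AUDITOR", endpoint: "INV_STOCK_ADJUSTMENT", status: 401 }, // token was valid: expect 403
];

for (const f of findings(SAMPLE_RESULTS)) {
  console.log(`${f.verdict.toUpperCase()}: ${f.role} -> ${f.endpoint} returned ${f.status}`);
}
```

`denyCases(role)` is the list to turn into extra requests in that role's folder (or a separate negative-test suite); feeding the recorded status codes back through `findings` gives a review-ready list of exactly where the server's policy disagrees with the collection's.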


## 🔄 Next Steps

### For Developers

1. Complete Endpoint Population: add endpoints for the roles that are not yet populated
2. Add Test Scripts: implement automated tests in Bruno
3. Add Pre-request Scripts: set up data before each request
4. Document Edge Cases: add error-handling scenarios

### For QA

1. Create Test Suites: group endpoints by feature
2. Add Assertions: validate response structure & data
3. Performance Testing: test endpoint response time
4. Security Testing: validate RBAC enforcement

### For Product

1. Review Role Permissions: make sure each role matches its use case
2. Test User Flows: validate end-to-end scenarios
3. Document Workflows: update user guides

## 📞 Support

If you have questions or need help:

- Documentation: check `/80-guides/rbac-multilevel-architecture`
- Endpoint Registry: `/config/api/endpoints-registry-v2.yaml`
- RBAC Policy: `/config/rbac/policy.csv`

Tags: bruno, api-testing, rbac, role-based, collection, testing-tools