MHR API set up BCOL helpdesk access.

mhr_api/src/mhr_api/models/registration_utils.py

@@ -30,7 +30,7 @@
     MhrRegistrationStatusTypes,
     MhrStatusTypes
 )
-from mhr_api.services.authz import MANUFACTURER_GROUP, QUALIFIED_USER_GROUP, DEALERSHIP_GROUP, BCOL_HELP
+from mhr_api.services.authz import MANUFACTURER_GROUP, QUALIFIED_USER_GROUP, DEALERSHIP_GROUP
 from mhr_api.services.authz import GOV_ACCOUNT_ROLE
 from mhr_api.models.queries import (
     DOC_ID_COUNT_QUERY,
@@ -270,7 +270,7 @@ def get_generated_values(registration, draft, user_group: str = None):
     gen_doc_id: bool = False
     if draft:
         query = QUERY_PKEYS_NO_DRAFT
-    if user_group and user_group in (QUALIFIED_USER_GROUP, DEALERSHIP_GROUP, BCOL_HELP):
+    if user_group and user_group in (QUALIFIED_USER_GROUP, DEALERSHIP_GROUP):
         query += DOC_ID_QUALIFIED_CLAUSE
         gen_doc_id = True
         current_app.logger.debug('Updating query to generate qualified user document id.')
@@ -307,7 +307,7 @@ def get_change_generated_values(registration, draft, user_group: str = None):
     query = CHANGE_QUERY_PKEYS
     if draft:
         query = CHANGE_QUERY_PKEYS_NO_DRAFT
-    if user_group and user_group in (QUALIFIED_USER_GROUP, DEALERSHIP_GROUP, BCOL_HELP):
+    if user_group and user_group in (QUALIFIED_USER_GROUP, DEALERSHIP_GROUP):
         query += DOC_ID_QUALIFIED_CLAUSE
     elif user_group and user_group == MANUFACTURER_GROUP:
         query += DOC_ID_MANUFACTURER_CLAUSE

mhr_api/src/mhr_api/resources/utils.py

@@ -29,6 +29,7 @@
 # Model business error messages in models.utils.py
 ACCOUNT_REQUIRED = '{code}: Account-Id header required.'
 UNAUTHORIZED = '{code}: authorization failure submitting a request for {account_id}.'
+UNAUTHORIZED_HELPDESK = '{code}: BCOL helpdesk users are not authorized to create {reg_type} registrations.'
 ACCOUNT_ACCESS = '{code}: the account ID {account_id} cannot access statement information for ' + \
                  'mhr number {mhr_num}.'
 STAFF_SEARCH_BCOL_FAS = '{code}: provide either a BCOL Account Number or a Routing Slip Number but not both.'
@@ -201,6 +202,13 @@ def unauthorized_error_response(account_id):
     return jsonify({'message': message}), HTTPStatus.UNAUTHORIZED
 
 
+def helpdesk_unauthorized_error_response(reg_type: str):
+    """Build an helpdesk registration unauthorized error response."""
+    message = UNAUTHORIZED_HELPDESK.format(code=ResourceErrorCodes.UNAUTHORIZED_ERR, reg_type=reg_type)
+    current_app.logger.error(str(HTTPStatus.UNAUTHORIZED.value) + ': ' + message)
+    return jsonify({'message': message}), HTTPStatus.UNAUTHORIZED
+
+
 def path_param_error_response(param_name):
     """Build a bad request param missing error response."""
     message = PATH_PARAM.format(code=ResourceErrorCodes.PATH_PARAM_ERR, param_name=param_name)

mhr_api/src/mhr_api/resources/v1/admin_registrations.py

@@ -122,9 +122,10 @@ def setup_report(registration: MhrRegistration,
     if add_groups:
         if not response_json.get('deleteOwnerGroups'):
             delete_groups = []
-            for group in current_reg.owner_groups:
-                if group.change_registration_id == registration.id and group.status_type == MhrOwnerStatusTypes.PREVIOUS:
-                    delete_groups.append(group.json)
+            for delete_group in current_reg.owner_groups:
+                if delete_group.change_registration_id == registration.id and \
+                        delete_group.status_type == MhrOwnerStatusTypes.PREVIOUS:
+                    delete_groups.append(delete_group.json)
             response_json['deleteOwnerGroups'] = delete_groups
         response_json = get_report_groups(response_json, current_json, add_groups)
     reg_utils.enqueue_registration_report(registration, response_json, ReportTypes.MHR_REGISTRATION_STAFF, current_json)

mhr_api/src/mhr_api/resources/v1/exemptions.py

@@ -22,7 +22,7 @@
 
 from mhr_api.utils.auth import jwt
 from mhr_api.exceptions import BusinessException, DatabaseException
-from mhr_api.services.authz import authorized_role, is_staff, is_all_staff_account, get_group
+from mhr_api.services.authz import authorized_role, is_bcol_help, is_staff, is_all_staff_account, get_group
 from mhr_api.services.authz import REQUEST_EXEMPTION_RES, REQUEST_EXEMPTION_NON_RES
 from mhr_api.models import MhrRegistration
 from mhr_api.models.type_tables import MhrRegistrationStatusTypes
@@ -49,6 +49,8 @@ def post_exemptions(mhr_number: str):  # pylint: disable=too-many-return-stateme
         if account_id is None or account_id.strip() == '':
             return resource_utils.account_required_response()
         # Verify request JWT role
+        if is_bcol_help(account_id, jwt):
+            return resource_utils.helpdesk_unauthorized_error_response('residential/non-residential exemption')
         request_json = request.get_json(silent=True)
         if not request_json.get('nonResidential') and not authorized_role(jwt, REQUEST_EXEMPTION_RES):
             current_app.logger.error('User not staff or missing required role: ' + REQUEST_EXEMPTION_RES)

mhr_api/src/mhr_api/resources/v1/permits.py

@@ -22,7 +22,7 @@
 
 from mhr_api.utils.auth import jwt
 from mhr_api.exceptions import BusinessException, DatabaseException
-from mhr_api.services.authz import authorized_role, is_staff, is_all_staff_account, get_group
+from mhr_api.services.authz import authorized_role, is_bcol_help, is_staff, is_all_staff_account, get_group
 from mhr_api.services.authz import REQUEST_TRANSPORT_PERMIT
 from mhr_api.models import MhrRegistration
 from mhr_api.reports.v2.report_utils import ReportTypes
@@ -47,6 +47,8 @@ def post_permits(mhr_number: str):  # pylint: disable=too-many-return-statements
         if account_id is None or account_id.strip() == '':
             return resource_utils.account_required_response()
         # Verify request JWT role
+        if is_bcol_help(account_id, jwt):
+            return resource_utils.helpdesk_unauthorized_error_response('transport permit')
         request_json = request.get_json(silent=True)
         if not authorized_role(jwt, REQUEST_TRANSPORT_PERMIT):
             current_app.logger.error('User not staff or missing required role: ' + REQUEST_TRANSPORT_PERMIT)

mhr_api/src/mhr_api/resources/v1/registrations.py

@@ -22,8 +22,8 @@
 
 from mhr_api.utils.auth import jwt
 from mhr_api.exceptions import BusinessException, DatabaseException
-from mhr_api.services.authz import authorized, authorized_role, is_staff, is_all_staff_account, REGISTER_MH
-from mhr_api.services.authz import is_reg_staff_account, get_group, MANUFACTURER_GROUP, STAFF_ROLE
+from mhr_api.services.authz import authorized, authorized_role, is_bcol_help, is_staff, is_all_staff_account
+from mhr_api.services.authz import is_reg_staff_account, get_group, MANUFACTURER_GROUP, STAFF_ROLE, REGISTER_MH
 from mhr_api.models import (
     batch_utils, EventTracking, MhrRegistration, MhrManufacturer, registration_utils as model_reg_utils
 )
@@ -101,6 +101,8 @@ def post_registrations():  # pylint: disable=too-many-return-statements,too-many
         if not authorized_role(jwt, REGISTER_MH):
             current_app.logger.error('User not staff or missing required role: ' + REGISTER_MH)
             return resource_utils.unauthorized_error_response(account_id)
+        if is_bcol_help(account_id, jwt):
+            return resource_utils.helpdesk_unauthorized_error_response('new manufactured home')
         manufacturer: MhrManufacturer = None
         if get_group(jwt) == MANUFACTURER_GROUP:
             current_app.logger.debug(f'Manufacturer request looking up info for account={account_id}.')

mhr_api/src/mhr_api/resources/v1/transfers.py

@@ -22,7 +22,14 @@
 
 from mhr_api.utils.auth import jwt
 from mhr_api.exceptions import BusinessException, DatabaseException
-from mhr_api.services.authz import authorized_role, is_staff, is_all_staff_account, get_group, is_reg_staff_account
+from mhr_api.services.authz import (
+    authorized_role,
+    is_bcol_help,
+    is_staff,
+    is_all_staff_account,
+    get_group,
+    is_reg_staff_account
+)
 from mhr_api.services.authz import TRANSFER_SALE_BENEFICIARY, TRANSFER_DEATH_JT
 from mhr_api.models import MhrRegistration
 from mhr_api.models import registration_utils as model_reg_utils, utils as model_utils
@@ -49,6 +56,8 @@ def post_transfers(mhr_number: str):  # pylint: disable=too-many-return-statemen
         if account_id is None or account_id.strip() == '':
             return resource_utils.account_required_response()
         # Verify request JWT role
+        if is_bcol_help(account_id, jwt):
+            return resource_utils.helpdesk_unauthorized_error_response('transfer of ownership')
         request_json = request.get_json(silent=True)
         current_app.logger.info(request_json)
         if not model_reg_utils.is_transfer_due_to_death(request_json.get('registrationType')) and \

mhr_api/src/mhr_api/services/authz.py

@@ -31,7 +31,8 @@
 PUBLIC_USER = 'public_user'
 USER_ORGS_PATH = 'users/orgs'
 GOV_ACCOUNT_ROLE = 'gov_account_user'
-BCOL_HELP = 'mhr_helpdesk'
+BCOL_HELP_ROLE = 'mhr_helpdesk'
+BCOL_HELP_ACCOUNT = 'helpdesk'
 ASSETS_HELP = 'helpdesk'  # Share single account id for search, registration history.
 # MH keycloak roles for registrations/filings
 REGISTER_MH = 'mhr_register'
@@ -234,10 +235,10 @@ def is_staff(jwt: JwtManager) -> bool:  # pylint: disable=too-many-return-statem
 
 
 def is_bcol_help(account_id: str, jwt: JwtManager = None) -> bool:
-    """Return True if the account id is a bcol help account id."""
-    if jwt is not None and jwt.validate_roles([BCOL_HELP]):
+    """Return True if the user token includes the role for a bcol helpdesk account."""
+    if jwt is not None and jwt.validate_roles([BCOL_HELP_ROLE]):
         return True
-    return account_id is not None and account_id == BCOL_HELP
+    return account_id is not None and account_id == BCOL_HELP_ACCOUNT
 
 
 def is_staff_account(account_id: str, jwt: JwtManager = None) -> bool:
@@ -282,8 +283,8 @@ def get_group(jwt: JwtManager) -> str:  # pylint: disable=too-many-return-statem
     """Obtain the user group/role by inspecting the web token."""
     if jwt.validate_roles([STAFF_ROLE]):
         return STAFF_ROLE
-    if jwt.validate_roles([BCOL_HELP]):
-        return BCOL_HELP
+    if jwt.validate_roles([BCOL_HELP_ROLE]):
+        return BCOL_HELP_ROLE
     if jwt.validate_roles([GOV_ACCOUNT_ROLE]):
         return GOV_ACCOUNT_ROLE
     if jwt.validate_roles([REGISTER_MH]) and jwt.validate_roles([TRANSFER_SALE_BENEFICIARY]) and \

mhr_api/tests/unit/api/test_admin_registrations.py

@@ -24,7 +24,7 @@
 
 from mhr_api.models import MhrRegistrationReport, MhrDocument
 from mhr_api.models.type_tables import MhrDocumentTypes, MhrRegistrationStatusTypes
-from mhr_api.services.authz import MHR_ROLE, STAFF_ROLE, COLIN_ROLE, TRANSFER_DEATH_JT
+from mhr_api.services.authz import BCOL_HELP_ROLE, MHR_ROLE, STAFF_ROLE, COLIN_ROLE, TRANSFER_DEATH_JT
 from tests.unit.services.utils import create_header, create_header_account
 
 
@@ -234,6 +234,7 @@
      HTTPStatus.BAD_REQUEST, 'PS12345'),
     ('Staff missing account', '000900', [MHR_ROLE, STAFF_ROLE], HTTPStatus.BAD_REQUEST, None),
     ('Invalid role product', '000900', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
+    ('Invalid BCOL helpdesk role', '000900', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid non-staff role', '000900', [MHR_ROLE, TRANSFER_DEATH_JT], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Valid staff NCAN', '000915', [MHR_ROLE, STAFF_ROLE], HTTPStatus.CREATED, 'PS12345'),
     ('Invalid mhr num', '300655', [MHR_ROLE, STAFF_ROLE], HTTPStatus.NOT_FOUND, 'PS12345'),

mhr_api/tests/unit/api/test_exemptions.py

@@ -25,7 +25,7 @@
 
 from mhr_api.models import MhrRegistrationReport, MhrDocument
 from mhr_api.models.type_tables import MhrDocumentTypes
-from mhr_api.services.authz import MHR_ROLE, STAFF_ROLE, COLIN_ROLE, \
+from mhr_api.services.authz import BCOL_HELP_ROLE, MHR_ROLE, STAFF_ROLE, COLIN_ROLE, \
                                    REQUEST_EXEMPTION_RES, REQUEST_EXEMPTION_NON_RES, \
                                    TRANSFER_DEATH_JT, TRANSFER_SALE_BENEFICIARY
 from tests.unit.services.utils import create_header, create_header_account
@@ -44,6 +44,7 @@
     ('Staff missing account', '000916', [MHR_ROLE, STAFF_ROLE, REQUEST_EXEMPTION_RES],
      HTTPStatus.BAD_REQUEST, None),
     ('Invalid role product', '000916', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
+    ('Invalid BCOL helpdesk role', '000916', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid non-exemption role', '000916', [MHR_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Valid staff', '000916', [MHR_ROLE, STAFF_ROLE, REQUEST_EXEMPTION_RES], HTTPStatus.CREATED, 'PS12345'),
     ('Valid non-staff', '000916', QUALIFIED_USER, HTTPStatus.CREATED, 'PS12345'),

mhr_api/tests/unit/api/test_notes.py

@@ -24,7 +24,7 @@
 
 from mhr_api.models import MhrRegistration
 from mhr_api.resources.v1.notes import get_transaction_type
-from mhr_api.services.authz import MHR_ROLE, STAFF_ROLE, COLIN_ROLE, TRANSFER_DEATH_JT
+from mhr_api.services.authz import BCOL_HELP_ROLE, MHR_ROLE, STAFF_ROLE, COLIN_ROLE, TRANSFER_DEATH_JT
 from mhr_api.services.payment import TransactionTypes
 from tests.unit.services.utils import create_header, create_header_account
 
@@ -75,6 +75,7 @@
     ('Staff missing account', '000900', [MHR_ROLE, STAFF_ROLE],
      HTTPStatus.BAD_REQUEST, None),
     ('Invalid role product', '000900', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
+    ('Invalid BCOL helpdesk role', '000900', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid non-staff role', '000900', [MHR_ROLE, TRANSFER_DEATH_JT], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid mhr num', '300655', [MHR_ROLE, STAFF_ROLE], HTTPStatus.NOT_FOUND, 'PS12345'),
     ('Invalid exempt', '000912', [MHR_ROLE, STAFF_ROLE], HTTPStatus.BAD_REQUEST, 'PS12345'),

mhr_api/tests/unit/api/test_permits.py

@@ -24,7 +24,7 @@
 
 from mhr_api.models import MhrRegistration, MhrRegistrationReport, MhrDocument
 from mhr_api.models.type_tables import MhrRegistrationStatusTypes
-from mhr_api.services.authz import MHR_ROLE, STAFF_ROLE, COLIN_ROLE, REQUEST_TRANSPORT_PERMIT, \
+from mhr_api.services.authz import MHR_ROLE, BCOL_HELP_ROLE, STAFF_ROLE, COLIN_ROLE, REQUEST_TRANSPORT_PERMIT, \
                                    TRANSFER_SALE_BENEFICIARY, TRANSFER_DEATH_JT, REGISTER_MH
 from tests.unit.services.utils import create_header, create_header_account
 
@@ -110,6 +110,7 @@
     ('Missing account', '000900', MANUFACTURER_ROLES, HTTPStatus.BAD_REQUEST, None),
     ('Staff missing account', '000900', STAFF_ROLES, HTTPStatus.BAD_REQUEST, None),
     ('Invalid role product', '000900', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
+    ('Invalid BCOL helpdesk role', '000900', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid non-permit role', '000900', [MHR_ROLE,REGISTER_MH], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Valid staff', '000900', STAFF_ROLES, HTTPStatus.CREATED, 'PS12345'),
     ('Valid non-staff legacy', '000900', QUALIFIED_USER_ROLES, HTTPStatus.CREATED, 'PS12345'),

mhr_api/tests/unit/api/test_registrations.py

@@ -33,7 +33,7 @@
     get_pay_details,
     get_pay_details_doc
 )
-from mhr_api.services.authz import COLIN_ROLE, MHR_ROLE, STAFF_ROLE, BCOL_HELP, ASSETS_HELP
+from mhr_api.services.authz import COLIN_ROLE, MHR_ROLE, STAFF_ROLE, BCOL_HELP_ROLE, ASSETS_HELP
 from mhr_api.services.authz import REGISTER_MH, TRANSFER_SALE_BENEFICIARY, MANUFACTURER_GROUP
 
 from tests.unit.services.utils import create_header, create_header_account
@@ -134,6 +134,7 @@
     ('Invalid schema validation no submitting', False, [MHR_ROLE, STAFF_ROLE], HTTPStatus.BAD_REQUEST, True, None),
     ('Missing account', True, [MHR_ROLE], HTTPStatus.BAD_REQUEST, False, None),
     ('Staff missing account', True, [MHR_ROLE, STAFF_ROLE], HTTPStatus.BAD_REQUEST, False, None),
+    ('Invalid BCOL helpdesk role', True, [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, True, None),
     ('Invalid role', True, [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, True, None),
     ('Invalid non-staff role', True, [MHR_ROLE], HTTPStatus.UNAUTHORIZED, True, None),
     ('Valid staff', True, [MHR_ROLE, STAFF_ROLE], HTTPStatus.CREATED, True, None),
@@ -152,7 +153,7 @@
     ('Invalid role', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345', '000900'),
     ('Valid Request', [MHR_ROLE], HTTPStatus.OK, 'PS12345', '000900'),
     ('Valid Request reg staff', [MHR_ROLE, STAFF_ROLE], HTTPStatus.OK, STAFF_ROLE, '000900'),
-    ('Valid Request bcol helpdesk', [MHR_ROLE, BCOL_HELP], HTTPStatus.OK, ASSETS_HELP, '000900'),
+    ('Valid Request bcol helpdesk', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.OK, ASSETS_HELP, '000900'),
     ('Valid Request other account', [MHR_ROLE], HTTPStatus.OK, 'PS12345', '000900'),
     ('Invalid MHR Number', [MHR_ROLE], HTTPStatus.NOT_FOUND, 'PS12345', 'TESTXXXX'),
     ('Invalid request Staff no account', [MHR_ROLE, STAFF_ROLE], HTTPStatus.BAD_REQUEST, None, '000900')

mhr_api/tests/unit/api/test_search_results.py

@@ -24,7 +24,7 @@
 
 from mhr_api.models import SearchResult, SearchRequest
 from mhr_api.resources.v1.search_results import get_payment_details
-from mhr_api.services.authz import COLIN_ROLE, MHR_ROLE, STAFF_ROLE, BCOL_HELP, GOV_ACCOUNT_ROLE
+from mhr_api.services.authz import COLIN_ROLE, MHR_ROLE, STAFF_ROLE, BCOL_HELP_ROLE, GOV_ACCOUNT_ROLE
 
 from tests.unit.services.utils import create_header, create_header_account, create_header_account_report
 
@@ -142,7 +142,7 @@
     (STAFF_ROLE, '12345', None, None, True, HTTPStatus.OK, True),
     (STAFF_ROLE, None, '654321', '111111', False, HTTPStatus.OK, False),
     (STAFF_ROLE, '12345', '654321', '111111', False, HTTPStatus.BAD_REQUEST, False),
-    (BCOL_HELP, None, None, None, False, HTTPStatus.OK, False),
+    (BCOL_HELP_ROLE, None, None, None, False, HTTPStatus.OK, False),
     (GOV_ACCOUNT_ROLE, None, None, None, False, HTTPStatus.OK, False)
 ]
 # testdata pattern is ({description}, {JSON data}, {mhr_num}, {client_ref_id}, {match_count})

mhr_api/tests/unit/api/test_transfers.py

@@ -25,7 +25,7 @@
 
 from mhr_api.models import MhrRegistration, MhrRegistrationReport, MhrDocument
 from mhr_api.models.type_tables import MhrRegistrationTypes
-from mhr_api.services.authz import MHR_ROLE, STAFF_ROLE, COLIN_ROLE, \
+from mhr_api.services.authz import BCOL_HELP_ROLE, MHR_ROLE, STAFF_ROLE, COLIN_ROLE, \
                                    TRANSFER_DEATH_JT, TRANSFER_SALE_BENEFICIARY
 from tests.unit.services.utils import create_header, create_header_account
 from tests.unit.utils.test_transfer_data import (
@@ -52,6 +52,7 @@
     ('Staff missing account', '000900', [MHR_ROLE, STAFF_ROLE, TRANSFER_SALE_BENEFICIARY],
      HTTPStatus.BAD_REQUEST, None),
     ('Invalid role product', '000900', [COLIN_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
+    ('Invalid BCOL helpdesk role', '000900', [MHR_ROLE, BCOL_HELP_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid non-transfer role', '000900', [MHR_ROLE], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Invalid transfer death role', '000900', [MHR_ROLE, TRANSFER_SALE_BENEFICIARY], HTTPStatus.UNAUTHORIZED, 'PS12345'),
     ('Valid staff', '000919', [MHR_ROLE, STAFF_ROLE, TRANSFER_SALE_BENEFICIARY], HTTPStatus.CREATED, 'PS12345'),

mhr_api/tests/unit/services/test_authorization.py

@@ -42,7 +42,13 @@
 TEST_STAFF_DATA = [
     ('Valid account id', authz.STAFF_ROLE, True),
     ('No account id', None, False),
-    ('Invalid account id', authz.BCOL_HELP, False),
+    ('Invalid account id', authz.BCOL_HELP_ROLE, False),
+    ('Invalid account id', '2518', False)
+]
+TEST_BCOL_HELPDESK_DATA = [
+    ('Valid account id', authz.BCOL_HELP_ACCOUNT, True),
+    ('Invalid REG staff account id', authz.STAFF_ROLE, False),
+    ('No account id', None, False),
     ('Invalid account id', '2518', False)
 ]
 
@@ -74,3 +80,12 @@ def test_staff_account(session, desc, account_id, valid):
     result = authz.is_staff_account(account_id)
     # check
     assert result == valid
+
+
+@pytest.mark.parametrize('desc,account_id,valid', TEST_BCOL_HELPDESK_DATA)
+def test_bcol_helpdesk_account(session, desc, account_id, valid):
+    """Assert that bcol helpdesk account check returns the expected result."""
+    # test
+    result = authz.is_bcol_help(account_id)
+    # check
+    assert result == valid