The statement of simple requirements may hide many details that must be discovered and processed in the end.

Image by kjpargeter on freepik

Some requirements such as icebergs: the part you see at first is only a small part of everything. Whether it is represented as a text – such as a statement of functional or non -function Analysis formThere can be much more than what appears. Requirement analysis Drilling under the surface of the requirements provided to understand its full scope, complexity, and implications include.

Let’s think about a simple, non -functional condition: “Only users can only access system services.” This security condition may have arisen from the company’s policy, government regulations, or other workplace. Can you just deliver this condition to a developer, or maybe writing it in the form of a user story and adding it to the accumulation of the product? i don’t think so. Class exfoliation explains that a single requirement statement can expand significantly, raising many questions and emptying many children’s requirements along the way.

This raises the issue of the amount of details that must be documented for non -repeated requirements in exchange for leaving them in the hands of the developer for treatment as they see. In other words, Who want to make all decisions related to complex requirements? Considering this question will help you manage the transition from the requirements to design.

If you want to implement high -level primary requirements in a specific way, the business analyst must clarify it at the appropriate level of details and accuracy. This detail can be imposed Design restrictions On the developer, albeit for good and thoughtful reasons. On the other hand, if you are well with the final developer in functional details and user experience (preferably with notes from others on design documents, initial models or screen graphics), only you have to pass the requirements of the higher level of implementation.

Consider some of the questions that you have to answer if you are the developer to implement one safety requirements. You are unlikely to have all the answers yourself. While studying the requirements, you must compensate for these answers or standards of research policy or consulting with others to agree on how to resolve each issue. This is what the business analysis is around. Let’s see how quickly this individual requirement is to explore many detailed requirements.

First, we will need a clear definition of exactly what the “accredited user” is what the system services are not accessed unless the user is declared. Do different parts of the system require different levels of concession or access adopting data?

How should each user be determined uniquely? With a login name or email address or using an external account (such as Google, Apple, Facebook, X) or anything else? Will the user’s identifier be set by Sys official or was chosen for the user? What are the rules of the user’s identifier: minimal, maximum length, permitted letters, and condition allergy? What happens if the user identifies the user’s identifier that is already used?

After that, what is the user’s basic authentication mechanism? We have many options, including password, passersby, PIN, and vital measurements of different types. Let’s only think about the esteemed password at the present time. Below are some questions that come to mind with regard to passwords:

• What are the password rules: the minimum and the maximum number of letters; It is allowed, prohibited, and required; Characters, conditional sensitivity; Styles restrictions (such as no more than two cases of the same letter in sequence); Required patterns (like at least one of both letters, numbers and upper and small symbols)?
• Should the user re -enter the same password in a separate field during construction to verify it? If so, what happens if the password that was entered does not match?
• Can the user change the vision of the password that was entered and stopped, either during construction or while logging in?
• How is the password filled in the input field? With the star or points? One symbol for each letter or random number of symbols to hide the length of the password from Onlooker?
• What are the reactions that the system will offer if you failed to log in?
• Was the user blocked after many unsuccessful login attempts? If so, how many attempts do they get?
• If the user account is closed after a lot of failed login attempts, how long does the account remain closed? How can the user open it?
• What happens if the user forgets the login or password ID? What is the recovery method used? I can’t access the original YouTube account because I have forgotten the password for a long time, and the phone number on the account cannot receive texts. Google does not offer me other identity check options.
• Should the user change the password periodically? If so, how many times? Are there restrictions on what the new password might be, such as not to reuse any of the before N Passwords?
• Can the user select the PIN as a password, as is the case on a Windows computer? If so, what are the permissible characters, the minimum and the maximum of the length of the pin?

These are some problems associated with determining safety requirements for a simple password mechanism. You can see how the answers to these questions lead to more and more requirements to meet non -functional safety requirements. But expansion can get worse.

If decision makers on your project want better security than the password provides, you will explore MFA authentication options (MFA). You will need to choose from many options for both MFA technologies and their implementation details. Start by selecting the MFA types that the system must enable to provide the required safety level. Options include:

• Send one time code that the user must enter to check his identity
• Send an email that contains a one -time login link
• Biological measurements, such as fingerprints, facial recognition, sound identifier, IRIS or retinal examination
• Physical security code
• Using the authentication application, perhaps on a second device

Here are some general questions:

• How many MFA options should you provide to the user?
• If it is more than one, can the user determine his virtual preference for use at the beginning for each entry attempt? Can they change this default?
• How will the user enable and disable MFA on his account?
• If for some reason the user is not able to employ his initial method (such as not accessing the device using the authentication application), can they determine another way for that session?
• Will there be some other backup measures, such as contacting customer support, if any MFA method does not work for the user?

Let’s take a closer look at the user transmission technology for once. Think about these questions:

• What options will you provide to send the code: text message, email or phone call? Will the user have more than one option available?
• If it is a text message or a phone call, can the user save more than one phone number in their application profile? Can they determine the default and determine the number to be used for each session? Can they change, delete a preserved number or change, which is virtual?
• How many letters are in the code for one time and what are the good letters?
• What is the duration of one time? If it is limited, does the application must a temporary count of countdown? Can the user request the reformulation of the code? If so, is the same symbol sent again or a new code? What happens if the user enters one time icon after the time period?
• What happens if this secondary approval attempt fails? Was the entire login session ended, or can they try MFA again? How many attempts the user get in MFA? If it is limited, are you trying to use different methods, all towards the limit?
• Can the user choose to identify his approved device and log in for some time so that they do not have to re -approve each session? If so, what is the duration of that period? Where should this information be stored? I use some applications that recognize my device even if you restart my browser, while others lose my ticket whenever I have wiped cookies for the browser.

I’m sure there is more than this, but you get the picture. The drilling often opens the details of the initial and brief requirements of a large box of worms. The answers to the resulting questions lead to an explosion in more and more requirements. This fact is correct whether the exploration is carried out by a business analyst during the requirements of the requirements or by a developer assigned to write the user authentication code. The original condition does not actually grow, so this process does not change the project. It is just a real scope detection.

The good news is that if you can formulate a set of studied requirements for a complex function such as the user’s approval, you can likely Return them in multiple applications. At least, it should provide an excellent starting point.

I have used common non -functional requirements to clarify the amount of complexity that it can hide under the tip of this requirement. The same thing can apply to functional requirements and product features, of course.

One of my consulting clients held a large workshop to collect requirements for a new main product. One of the aforementioned requirements, “The product must respond to the editing directions made by the sound.” This was at a time before the capabilities of identifying speech were combined in all our devices. This simple requirements show seemed not greater or smaller than all others in the group. However, you can guess the size of the requirements that will have an explosion when someone looked at everything concerned with the details of the speech recognition.

Understand the real range of requirements so that your team can appreciate and plan its design and implement it often requires a good amount of exploration. During this exploration, you can specify the priorities of the child’s different requirements, and perhaps postpone some jobs to subsequent development repeated repetitions and may never implement others. This thinking process is less painful than facing an additional and unexpected need after another and constantly reviewing the product.

======

Karl Weiz, author of the book ” Basic software requirements (With Candse Hokanson), Software requirements (With Joy Betty), Pearls of software developmentand The reckless design of daily thingsand Successful business analysis consultationsAnd many other books.

Predictions: 813