We present our work on testing access control of large national e-health Internet portal which has millions of monthly visits. Our aim is twofold: (1) to improve testing by applying systematic and rigorous (semi-formal) approach and (2) to obtain holistic view of portal’s complex access control structure. Applying more rigorous approach facilitates reducing ambiguity while holistic picture aids on easier and often also faster comprehension of complex control structure by avoiding reading a lot of textual specifications. We use set-theoretic approach for specifying access control. Then, from access control’s abstract set notations we get a visualize version in form of the access control tree. Access control tree presented in this paper has 15 leaves (scopes) which results in 105 pairs of abstract test scenarios. More complete version of the tree has 66 leaves (scopes) that results in over 2000 pairs of abstract test scenarios (although not all of them can be valid). From abstract scenarios we implemented over 600 concrete and automated test cases. Manual execution test of one concrete test takes about five minutes while automated execution of all tests takes about one hour (thus achieving over 40 times speedup). These automated test cases run as a part of our CI/CD pipeline.