# Feature Specification: Intune RBAC Backup (Role Definitions + Assignments) (030)

**Feature Branch**: `feat/030-intune-rbac-backup`
**Created**: 2026-01-04
**Status**: Draft
**Priority**: P3 (Optional)

## Context

For a “complete tenant restore”, RBAC matters. However, RBAC restore is risky and must be **safe-by-default** (preview-only, strong warnings, explicit confirmation, audit logging).

This feature focuses on:

- Inventory + backup/version of RBAC objects
- Restore preview and validation
- Execution only if/when safety gates and mapping are robust

## User Scenarios & Testing

### User Story 1 — Inventory + backup RBAC objects (Priority: P1)

As an admin, I can inventory and back up role definitions and role assignments.

**Acceptance Scenarios**

1. Sync lists role definitions as `roleDefinition`.
2. Sync lists role assignments as `roleAssignment`.
3. Backup captures full payloads and references (scope tags, members, scopes).

### User Story 2 — Restore preview + safety gates (Priority: P1)

As an admin, I can run a restore preview that clearly explains what would change and blocks unsafe execution.

**Acceptance Scenarios**

1. Preview warns on built-in roles vs custom roles and blocks unsafe cases.
2. Preview validates referenced groups/scope tags and reports missing dependencies.

## Requirements

### Functional Requirements

- **FR-001**: Add policy (or foundation) types:
  - `roleDefinition` → `deviceManagement/roleDefinitions`
  - `roleAssignment` → `deviceManagement/roleAssignments`
- **FR-002**: Snapshot capture stores full payloads; assignments capture includes references.
- **FR-003**: Restore preview includes a dependency report (missing groups/tags/scopes).
- **FR-004**: Restore execution defaults to `preview-only` until safety gates are implemented.
- **FR-005**: Add targeted Pest tests for inventory + backup + preview dependency report.

### Non-Functional Requirements

- **NFR-001**: Never auto-grant permissions/scopes; no “self-heal” background jobs.
- **NFR-002**: All operations are tenant-scoped and audited.

## Success Criteria

- **SC-001**: RBAC objects are visible and captured in backups.
- **SC-002**: Preview makes restore risk and missing dependencies explicit.
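The preview dependency report from User Story 2 and FR-003/FR-004, sketched as an added, language-neutral Python example (not the project's PHP code): it decides create/map/blocked per object and never writes to Graph. Field names `isBuiltIn`, `roleScopeTagIds`, `members` and `resourceScopes` follow the Graph `deviceManagement` schema; `roleDefinitionId` is assumed to be a reference the backup captured, and all ids are constructed.

```python
# Added example: restore-preview dependency report for an Intune RBAC snapshot.
# Constructed data; roleDefinitionId is assumed to be captured by the backup.
# Read-only: classifies each object as create/map/blocked, never calls a write endpoint.

def preview_restore(snapshot, target):
    """Return {"actions": {id: action}, "missing": {id: [refs]}, "warnings": [...]}."""
    rep = {"actions": {}, "missing": {}, "warnings": []}
    groups, tags = set(target["groups"]), set(target["scopeTags"])
    builtin = {d["displayName"]: d["id"] for d in target["roleDefinitions"] if d["isBuiltIn"]}
    defmap = {}  # snapshot roleDefinition id -> id valid in the target tenant
    for d in snapshot["roleDefinitions"]:
        if d["isBuiltIn"]:  # never recreate built-ins: map by name or block
            if d["displayName"] in builtin:
                defmap[d["id"]] = builtin[d["displayName"]]
                rep["actions"][d["id"]] = "map"
            else:
                rep["actions"][d["id"]] = "blocked"
                rep["warnings"].append(f"built-in role '{d['displayName']}' absent in target")
            continue
        missing = [f"scopeTag:{t}" for t in d.get("roleScopeTagIds", []) if t not in tags]
        if missing:
            rep["missing"][d["id"]], rep["actions"][d["id"]] = missing, "blocked"
        else:
            defmap[d["id"]], rep["actions"][d["id"]] = d["id"], "create"
    for a in snapshot["roleAssignments"]:
        refs = [f"group:{g}" for g in a.get("members", []) + a.get("resourceScopes", []) if g not in groups]
        if a["roleDefinitionId"] not in defmap:  # role itself is blocked or unknown
            refs.append(f"roleDefinition:{a['roleDefinitionId']}")
        rep["actions"][a["id"]] = "blocked" if refs else "create"
        if refs:
            rep["missing"][a["id"]] = refs
    return rep

# Constructed sample: one built-in role, one custom role, two assignments.
SNAPSHOT = {
    "roleDefinitions": [
        {"id": "bi-1", "displayName": "Help Desk Operator", "isBuiltIn": True},
        {"id": "cu-1", "displayName": "Custom Reader", "isBuiltIn": False, "roleScopeTagIds": ["tag-9"]},
    ],
    "roleAssignments": [
        {"id": "as-1", "roleDefinitionId": "bi-1", "members": ["grp-a"], "resourceScopes": ["grp-b"]},
        {"id": "as-2", "roleDefinitionId": "cu-1", "members": ["grp-a"], "resourceScopes": ["grp-z"]},
    ],
}
TARGET = {"groups": ["grp-a", "grp-b"], "scopeTags": ["tag-0"],
          "roleDefinitions": [{"id": "bi-target", "displayName": "Help Desk Operator", "isBuiltIn": True}]}

if __name__ == "__main__":
    print(preview_restore(SNAPSHOT, TARGET))
```

An assignment is blocked as soon as any group, scope tag or its role definition is unresolved, so a blocked custom role cascades to every assignment that references it.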