ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
113-platform-ops-runbooks
TenantAtlas/app/Services/EntraAdminRoles/HighPrivilegeRoleCatalog.php
ahmido 6a15fe978a feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128) 
## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128
2026-02-22 02:37:36 +00:00

77 lines
2.5 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
final class HighPrivilegeRoleCatalog
{
/**
* Template ID → severity mapping.
*
* @var array<string, string>
*/
private const CATALOG = [
'62e90394-69f5-4237-9190-012177145e10' => 'critical', // Global Administrator
'e8611ab8-c189-46e8-94e1-60213ab1f814' => 'high', // Privileged Role Administrator
'194ae4cb-b126-40b2-bd5b-6091b380977d' => 'high', // Security Administrator
'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9' => 'high', // Conditional Access Administrator
'29232cdf-9323-42fd-ade2-1d097af3e4de' => 'high', // Exchange Administrator
'c4e39bd9-1100-46d3-8c65-fb160da0071f' => 'high', // Authentication Administrator
];
/**
* Display name fallback (case-insensitive) for roles without template_id match.
*
* @var array<string, string>
*/
private const DISPLAY_NAME_FALLBACK = [
'global administrator' => 'critical',
'privileged role administrator' => 'high',
'security administrator' => 'high',
'conditional access administrator' => 'high',
'exchange administrator' => 'high',
'authentication administrator' => 'high',
];
/**
* Classify a role by template_id (preferred) or display_name (fallback).
*
* @return string|null Severity ('critical'|'high') or null if not high-privilege
*/
public function classify(string $templateIdOrId, ?string $displayName = null): ?string
{
if (isset(self::CATALOG[$templateIdOrId])) {
return self::CATALOG[$templateIdOrId];
}
if ($displayName !== null) {
$normalized = strtolower(trim($displayName));
if (isset(self::DISPLAY_NAME_FALLBACK[$normalized])) {
return self::DISPLAY_NAME_FALLBACK[$normalized];
}
}
return null;
}
public function isHighPrivilege(string $templateIdOrId, ?string $displayName = null): bool
{
return $this->classify($templateIdOrId, $displayName) !== null;
}
public function isGlobalAdministrator(string $templateIdOrId, ?string $displayName = null): bool
{
return $this->classify($templateIdOrId, $displayName) === 'critical';
}
/**
* @return array<string, string> All template_id → severity mappings
*/
public function allTemplateIds(): array
{
return self::CATALOG;
}
}
Reference in New Issue View Git Blame Copy Permalink