TenantAtlas/specs/128-rbac-baseline-compare/data-model.md
ahmido ef41c9193a feat: add Intune RBAC baseline compare support (#156)
## Summary
- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes
- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156
2026-03-09 18:49:20 +00:00

Data Model — Intune RBAC Baseline Compare & Findings v1

Entities

Foundation Type Baseline Metadata

Config-defined metadata controlling whether a foundation type can participate in baseline compare.

  • Source: config/tenantpilot.php foundation rows, exposed through InventoryPolicyTypeMeta
  • Required additions:
    • explicit baseline-compare support flag
    • optional compare identity strategy marker
    • optional summary kind or compare label metadata if needed for consistent rendering
  • Required behavior:
    • intuneRoleDefinition is baseline-supported
    • intuneRoleAssignment is baseline-unsupported

Baseline Scope Entry

The workspace-owned selection stored in BaselineProfile.scope_jsonb.

  • Existing structure:
    • policy_types[]
    • foundation_types[]
  • New business rule:
    • foundation_types[] may contain intuneRoleDefinition
    • foundation_types[] must not contain intuneRoleAssignment through normal selection paths
  • Validation:
    • selected foundation types must exist in canonical metadata
    • only baseline-supported foundation types are accepted
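As an added example (not TenantAtlas code), the following plain-PHP validator implements the Baseline Scope Entry rules above together with the fail-closed requirement from Validation Rules: a foundation type is accepted only if it exists in canonical metadata and carries an explicit support flag that is exactly true. The FOUNDATION_TYPE_META array, the baseline_compare and compare_identity key names, and the exception class are assumptions standing in for the real config/tenantpilot.php rows and InventoryPolicyTypeMeta.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the foundation rows of config/tenantpilot.php as the spec
// wants them extended: an explicit baseline-compare support flag per foundation type.
// Key names are assumptions, not the project's real config keys.
const FOUNDATION_TYPE_META = [
    'intuneRoleDefinition' => ['baseline_compare' => true,  'compare_identity' => 'external_id'],
    'intuneRoleAssignment' => ['baseline_compare' => false, 'compare_identity' => null],
];

final class BaselineScopeValidationException extends InvalidArgumentException {}

/**
 * Validate the foundation_types[] list taken from BaselineProfile.scope_jsonb.
 * Fails closed: a type that is unknown, or whose support flag is missing or not
 * exactly true, is rejected, so intuneRoleAssignment can never enter scope here.
 * Returns the accepted types de-duplicated, in selection order.
 */
function validateFoundationTypes(array $selected, array $meta = FOUNDATION_TYPE_META): array
{
    $accepted = [];
    foreach ($selected as $type) {
        if (!is_string($type) || !array_key_exists($type, $meta)) {
            throw new BaselineScopeValidationException(
                'Unknown foundation type: ' . var_export($type, true)
            );
        }
        if (($meta[$type]['baseline_compare'] ?? false) !== true) {
            throw new BaselineScopeValidationException(
                "Foundation type is not baseline-supported: {$type}"
            );
        }
        $accepted[$type] = true;
    }
    return array_keys($accepted);
}

// Constructed scope_jsonb values: the first is accepted (duplicate collapsed),
// the second must be refused because it names the assignment foundation type.
$validScope   = ['policy_types' => [], 'foundation_types' => ['intuneRoleDefinition', 'intuneRoleDefinition']];
$invalidScope = ['policy_types' => [], 'foundation_types' => ['intuneRoleDefinition', 'intuneRoleAssignment']];

print_r(validateFoundationTypes($validScope['foundation_types']));
try {
    validateFoundationTypes($invalidScope['foundation_types']);
} catch (BaselineScopeValidationException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check rejects on absence of the flag rather than on an explicit false, which is what makes the selection path fail closed when a new foundation row is added without baseline metadata.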

InventoryItem for Intune Role Definition

Tenant-owned latest-observed RBAC state used as the current compare anchor.

  • Existing model/table: InventoryItem
  • Ownership:
    • workspace_id NOT NULL
    • tenant_id NOT NULL
  • Identity:
    • tenant_id + policy_type + external_id
    • for this feature, external_id is the primary compare identity
  • Relevant fields:
    • policy_type = intuneRoleDefinition
    • external_id
    • display_name
    • category = RBAC
    • platform = all
    • meta_jsonb.is_built_in
    • meta_jsonb.role_permission_count
    • last_seen_at
    • last_seen_operation_run_id

PolicyVersion for Intune Role Definition

Immutable RBAC snapshot evidence reused for baseline references and diff rendering.

  • Existing model/table: PolicyVersion
  • Relevant fields:
    • tenant_id
    • policy_id
    • policy_type = intuneRoleDefinition
    • snapshot with Role Definition payload
    • captured_at
    • version_number
  • Invariant:
    • enough data exists to normalize display name, description, built-in/custom state, and permissions without live Graph calls

Baseline Snapshot Item for Intune Role Definition

Workspace-owned approved baseline reference used during compare.

  • Existing model/table: BaselineSnapshotItem
  • Relevant fields:
    • baseline_snapshot_id
    • subject_type = policy or a role-definition-specific variant if introduced narrowly
    • subject_external_id as workspace-safe reference
    • subject_key upgraded to support stable Role Definition identity semantics
    • policy_type = intuneRoleDefinition
    • baseline_hash
    • meta_jsonb.display_name
    • meta_jsonb.evidence.*
    • meta_jsonb.identity.external_id or equivalent explicit identity marker
    • meta_jsonb.version_reference or equivalent baseline PolicyVersion linkage
  • Validation:
    • baseline item must keep enough metadata to reconstruct evidence later
    • baseline snapshot item must not store tenant identifiers directly

RBAC Role Definition Compare Result

Tenant-scoped transient compare outcome created during baseline compare.

  • Computed attributes:
    • policy_type = intuneRoleDefinition
    • role_definition_id
    • classification = unchanged | modified | missing | unexpected
    • severity = low | medium | high
    • built_in_state
    • diff_kind = metadata_only | permission_change | missing | unexpected
    • baseline_hash
    • current_hash
    • baseline_policy_version_id nullable
    • current_policy_version_id nullable

RBAC Drift Finding

Persistent tenant-owned finding generated through the existing baseline.compare pipeline.

  • Existing model/table: Finding
  • Relevant fields:
    • tenant_id
    • finding_type = drift
    • source = baseline.compare
    • scope_key = baseline_profile:{id}
    • fingerprint
    • recurrence_key
    • subject_type
    • subject_external_id
    • severity
    • status
    • times_seen
    • evidence_jsonb
    • current_operation_run_id
  • Invariant:
    • unchanged identical drift does not create duplicate findings
    • resolved recurrence reopens through the existing lifecycle rules
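As an added example (not the project's Finding model or lifecycle code), the in-memory store below shows the two invariants above: recording the same drift again updates times_seen on the existing row instead of creating a second finding, and a resolved finding that recurs is reopened. The derivation of recurrence_key and fingerprint, the evidence_jsonb layout, and treating closed as terminal are assumptions about the spec's field semantics; the sample compare result and tenant/scope values are constructed.

```php
<?php
declare(strict_types=1);

/**
 * In-memory stand-in for the Finding table, keyed by recurrence_key.
 * Key derivation and the closed-is-terminal rule are assumptions, not the
 * project's real lifecycle rules.
 */
final class DriftFindingStore
{
    /** @var array<string, array<string, mixed>> */
    private array $findings = [];

    // recurrence_key names *what* drifted and is stable across runs; the fingerprint
    // also folds in both hashes, so it changes whenever the drift content changes.
    public static function recurrenceKey(int $tenantId, string $scopeKey, string $externalId): string
    {
        return hash('sha256', implode('|', [
            'drift', 'baseline.compare', (string) $tenantId, $scopeKey, 'intuneRoleDefinition', $externalId,
        ]));
    }

    public function record(int $tenantId, string $scopeKey, array $result, string $runId): array
    {
        $key = self::recurrenceKey($tenantId, $scopeKey, $result['role_definition_id']);
        $fingerprint = hash('sha256', implode('|', [$key, $result['baseline_hash'] ?? '', $result['current_hash'] ?? '']));
        $existing = $this->findings[$key] ?? null;

        if ($existing === null) {
            $status = 'new';
        } elseif ($existing['status'] === 'closed') {
            return $existing; // assumed terminal: a closed finding is left untouched
        } elseif ($existing['status'] === 'resolved') {
            $status = 'reopened';
        } else {
            $status = $existing['status']; // still open (new or reopened): keep it
        }

        $this->findings[$key] = [
            'tenant_id'                => $tenantId,
            'finding_type'             => 'drift',
            'source'                   => 'baseline.compare',
            'scope_key'                => $scopeKey,
            'fingerprint'              => $fingerprint,
            'recurrence_key'           => $key,
            'subject_type'             => 'intuneRoleDefinition',
            'subject_external_id'      => $result['role_definition_id'],
            'status'                   => $status,
            'times_seen'               => ($existing['times_seen'] ?? 0) + 1,
            'evidence_jsonb'           => [
                'classification' => $result['classification'],
                'diff_kind'      => $result['diff_kind'],
                'baseline_hash'  => $result['baseline_hash'],
                'current_hash'   => $result['current_hash'],
            ],
            'current_operation_run_id' => $runId,
        ];
        return $this->findings[$key];
    }

    public function resolve(string $recurrenceKey): void
    {
        if (isset($this->findings[$recurrenceKey])) {
            $this->findings[$recurrenceKey]['status'] = 'resolved';
        }
    }

    public function count(): int
    {
        return count($this->findings);
    }
}

// Constructed compare result for one drifted role, replayed across three runs:
// first sighting, identical recurrence, then recurrence after an operator resolved it.
$store = new DriftFindingStore();
$drift = ['role_definition_id' => 'role-b', 'classification' => 'modified', 'diff_kind' => 'metadata_only',
    'baseline_hash' => 'constructed-baseline-hash', 'current_hash' => 'constructed-current-hash'];
$first  = $store->record(42, 'baseline_profile:7', $drift, 'run-1');
$second = $store->record(42, 'baseline_profile:7', $drift, 'run-2');
$store->resolve($first['recurrence_key']);
$third  = $store->record(42, 'baseline_profile:7', $drift, 'run-3');
printf("findings=%d statuses=%s,%s,%s times_seen=%d\n",
    $store->count(), $first['status'], $second['status'], $third['status'], $third['times_seen']);
```

Keying on recurrence_key rather than fingerprint is what keeps the row count at one across runs while still letting evidence_jsonb and fingerprint track the latest drift content.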

Baseline Compare RBAC Summary

Run-level summary stored in compare run context.

  • Existing container: OperationRun.context.baseline_compare
  • New summary node:
    • rbac_role_definitions.total_compared
    • rbac_role_definitions.unchanged
    • rbac_role_definitions.modified
    • rbac_role_definitions.missing
    • rbac_role_definitions.unexpected
  • Constraint:
    • keep rich counts in context; do not add non-canonical summary keys to summary_counts
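As an added example (not TenantAtlas code), the plain-PHP functions below work through the RBAC Role Definition Compare Result and the Baseline Compare RBAC Summary sections together: normalize a Role Definition snapshot to governance-relevant content, hash it, classify each baseline item by external_id identity, and build the rbac_role_definitions summary node. The payload shape used (rolePermissions[].resourceActions[].allowedResourceActions[]) follows the Graph roleDefinition resource; the normalized field set, a null diff_kind for unchanged results, counting unexpected rows in total_compared, and all sample data are assumptions. Severity is left out because the approved RBAC rule set is not part of this page.

```php
<?php
declare(strict_types=1);

// Reduce a Role Definition snapshot to governance-relevant content only. Transport-only
// keys (ids, timestamps) are dropped and the allowed-action set is de-duplicated and
// sorted, so ordering differences inside permission blocks never count as drift.
function normalizeRoleDefinition(array $payload): array
{
    $actions = [];
    foreach ($payload['rolePermissions'] ?? [] as $permission) {
        foreach ($permission['resourceActions'] ?? [] as $resourceAction) {
            foreach ($resourceAction['allowedResourceActions'] ?? [] as $action) {
                $actions[] = trim((string) $action);
            }
        }
    }
    $actions = array_values(array_unique($actions));
    sort($actions, SORT_STRING);

    return [
        'display_name'             => trim((string) ($payload['displayName'] ?? '')),
        'description'              => trim((string) ($payload['description'] ?? '')),
        'is_built_in'              => (bool) ($payload['isBuiltIn'] ?? false),
        'allowed_resource_actions' => $actions,
    ];
}

function hashNormalized(array $normalized): string
{
    return hash('sha256', json_encode($normalized, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES));
}

/**
 * Both inputs are keyed by external_id, the compare identity: $baseline holds workspace
 * baseline snapshot payloads, $current the tenant's latest-observed inventory payloads.
 * Because identity is the ID, a role recreated under the same name with a new ID yields
 * one "missing" and one "unexpected" result rather than a match.
 */
function compareRoleDefinitions(array $baseline, array $current): array
{
    $results = [];
    foreach ($baseline as $id => $payload) {
        $base = normalizeRoleDefinition($payload);
        $baseHash = hashNormalized($base);
        if (!array_key_exists($id, $current)) {
            $results[] = ['role_definition_id' => $id, 'classification' => 'missing', 'diff_kind' => 'missing',
                'baseline_hash' => $baseHash, 'current_hash' => null];
            continue;
        }
        $cur = normalizeRoleDefinition($current[$id]);
        $curHash = hashNormalized($cur);
        if ($curHash === $baseHash) {
            $classification = 'unchanged';
            $diffKind = null; // the spec lists no diff_kind for unchanged results (assumption)
        } else {
            $classification = 'modified';
            $diffKind = $cur['allowed_resource_actions'] === $base['allowed_resource_actions']
                ? 'metadata_only' : 'permission_change';
        }
        $results[] = ['role_definition_id' => $id, 'classification' => $classification, 'diff_kind' => $diffKind,
            'baseline_hash' => $baseHash, 'current_hash' => $curHash];
    }
    foreach (array_diff_key($current, $baseline) as $id => $payload) {
        $results[] = ['role_definition_id' => $id, 'classification' => 'unexpected', 'diff_kind' => 'unexpected',
            'baseline_hash' => null, 'current_hash' => hashNormalized(normalizeRoleDefinition($payload))];
    }
    return $results;
}

// Builds the rbac_role_definitions node for OperationRun.context.baseline_compare.
// Counting every result (unexpected rows included) in total_compared is an assumption.
function summarizeRoleDefinitionCompare(array $results): array
{
    $summary = ['total_compared' => count($results), 'unchanged' => 0, 'modified' => 0, 'missing' => 0, 'unexpected' => 0];
    foreach ($results as $result) {
        $summary[$result['classification']]++;
    }
    return ['rbac_role_definitions' => $summary];
}

// Constructed sample data. role-a: same permissions in a different order (unchanged).
// role-b: description edited only (metadata_only). role-c: gains an action (permission_change).
// role-d: deleted in the tenant (missing). role-e: created in the tenant (unexpected).
$perm = fn(array $actions) => ['rolePermissions' => [['resourceActions' => [['allowedResourceActions' => $actions]]]]];
$baseline = [
    'role-a' => ['displayName' => 'Help Desk Operator', 'isBuiltIn' => true] + $perm(['Read', 'Assign']),
    'role-b' => ['displayName' => 'App Admin', 'description' => 'v1'] + $perm(['Create', 'Update']),
    'role-c' => ['displayName' => 'Reader'] + $perm(['Read']),
    'role-d' => ['displayName' => 'Old Role'] + $perm(['Delete']),
];
$current = [
    'role-a' => ['displayName' => 'Help Desk Operator', 'isBuiltIn' => true,
        'lastModifiedDateTime' => '2026-03-09T00:00:00Z'] + $perm(['Assign', 'Read']),
    'role-b' => ['displayName' => 'App Admin', 'description' => 'v2'] + $perm(['Create', 'Update']),
    'role-c' => ['displayName' => 'Reader'] + $perm(['Read', 'Delete']),
    'role-e' => ['displayName' => 'Old Role'] + $perm(['Delete']), // same name as role-d, new ID
];
$results = compareRoleDefinitions($baseline, $current);
echo json_encode(summarizeRoleDefinitionCompare($results), JSON_PRETTY_PRINT), PHP_EOL;
```

The summary stays under the run context node, which matches the constraint above: the four classification counts and total_compared are kept there rather than being added as non-canonical keys to summary_counts.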

Relationships

  • A BaselineProfile belongs to one workspace and has one active scope definition.
  • A BaselineProfile has many BaselineSnapshot records.
  • A BaselineSnapshot has many BaselineSnapshotItem records, including intuneRoleDefinition items when selected.
  • A Tenant has many InventoryItem rows and many PolicyVersion rows for intuneRoleDefinition.
  • A Tenant has many baseline compare OperationRun rows and many Finding rows.
  • A Role Definition compare result links one baseline snapshot item to zero or one current inventory row and zero or one current PolicyVersion.

Invariants

  • intuneRoleDefinition is the only RBAC foundation type eligible for baseline compare in this release.
  • intuneRoleAssignment must never appear in baseline capture, compare summaries, or findings.
  • Role Definition identity is ID-based; same-name recreated objects with new IDs are drift.
  • Compare uses normalized governance-relevant content, not raw transport payload shape.
  • Metadata-only changes stay distinguishable from permission changes.
  • Baseline evidence remains reconstructable without UI-time provider calls.
  • Workspace-owned baseline artifacts must not persist tenant IDs.
  • Tenant-owned compare runs and findings must remain workspace- and tenant-scoped.

State Transitions

Baseline support state

  • unsupported
  • supported and selectable in baseline profile

Role Definition compare classification

  • unchanged
  • modified
  • missing
  • unexpected

RBAC finding lifecycle

  • new
  • reopened
  • resolved
  • closed

Compare trust state

  • full coverage proven
  • partial coverage proven with suppression
  • coverage unproven and findings suppressed

Validation Rules

  • Baseline profile foundation selections must be a subset of explicitly baseline-supported foundation types.
  • Baseline snapshot items for intuneRoleDefinition must carry stable identity and evidence-ready references.
  • Role Definition compare must ignore transport-only noise and ordering differences in permission blocks.
  • Severity mapping must follow the approved RBAC rule set.
  • Assignment foundation type must fail closed for baseline-compare selection and result generation.