TenantAtlas/specs/006-sot-foundations-assignments/spec.md
ahmido b9c47e7973 feat/006-sot-foundations-assignments (#6)
## Summary
<!-- Brief: what changes and why? -->

## Spec-Driven Development (SDD)
- [ ] There is a spec under `specs/<NNN>-<feature>/`
- [ ] Included files: `plan.md`, `tasks.md`, `spec.md`
- [ ] Spec describes behavior/acceptance criteria (not just implementation)
- [ ] If requirements changed during implementation: spec/plan/tasks were updated

## Implementation
- [ ] Implementation matches the spec
- [ ] Edge cases / error cases considered
- [ ] No unintended changes outside the scope

## Tests
- [ ] Tests added/updated (Pest/PHPUnit)
- [ ] Relevant tests run locally (`./vendor/bin/sail artisan test` or `php artisan test`)

## Migration / Config / Ops (if relevant)
- [ ] Migration(s) included and tested
- [ ] Rollback considered (backward compatible, safe migration)
- [ ] New env vars documented (`.env.example` / docs)
- [ ] Queue/cron/storage impact checked

## UI (Filament/Livewire) (if relevant)
- [ ] UI flows checked
- [ ] Screenshots/notes added

## Notes
<!-- Links, screenshots, follow-ups, open items -->

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #6
2025-12-25 14:25:16 +00:00


Feature Specification: SoT Foundations & Assignments

Feature Branch: 006-sot-foundations-assignments
Created: 2025-12-25
Status: Draft
Input: User description: "SoT Foundations & Assignments: implement backup/restore foundations (assignment filters, scope tags, notification templates) and add assignment-aware backup/restore pipeline with ID mapping for core Intune objects; keep Conditional Access restore preview-only until named locations/mapping exist."

User Scenarios & Testing (mandatory)

User Story 1 - Restore Foundations First (Priority: P1)

As an admin, I want to back up and restore the core "foundation" objects that other configurations depend on (assignment filters, scope tags, and compliance notification templates), so that later restores can reliably re-apply assignments and dependencies.

Why this priority: Without these foundations, restores either fail or must skip assignments/dependencies, which reduces trust and makes outcomes unpredictable.

Independent Test: In a test tenant with at least one filter, one scope tag, and one notification template: create a backup snapshot, then restore into a tenant where they are missing. Verify that the restored objects exist and that a mapping from old IDs to new IDs is produced.

Acceptance Scenarios:

  1. Given a tenant with assignment filters, When a backup is created and later restored into a tenant missing those filters, Then missing filters are created and the restore reports the old→new identifier mapping.
  2. Given a tenant with scope tags, When a restore runs, Then scope tags are restored before any dependent objects are applied.
  3. Given a tenant with compliance notification templates, When a restore runs, Then templates are restored before applying compliance policy scheduled actions.

User Story 2 - Apply Assignments Safely (Priority: P2)

As an admin, I want restores to apply assignments for supported configuration objects using the foundation mappings, so that a restore reproduces intended targeting while staying safe and auditable.

Why this priority: Restoring payloads without assignments is incomplete; restoring assignments without safe mapping can be dangerous.

Independent Test: Restore a small set of supported configurations that include assignments with filters and scope tags. Verify that assignments are applied when mappings exist, and skipped with a clear reason when mappings are missing.

Acceptance Scenarios:

  1. Given a configuration object whose assignments reference filters/scope tags that exist (or can be mapped), When restore executes, Then assignments are applied and reported as applied.
  2. Given a configuration object whose assignments reference a missing dependency (e.g., an unknown filter), When restore executes, Then the assignment is skipped (not broadly applied) and a human-readable reason is recorded.
  3. Given an object restore with name collisions, When the system cannot unambiguously match a target, Then it creates a copy with a predictable suffix and records this decision in the restore report.

User Story 3 - Conditional Access Stays Preview-Only (Priority: P3)

As an admin, I want to preview Conditional Access (CA) policies and their dependencies, but I do not want CA restore to execute automatically until dependency mapping is supported.

Why this priority: CA is security-critical and often depends on other objects (like named locations) and identity references. A preview still delivers value without risking outages.

Independent Test: Include CA policies in a backup and run restore in "preview" mode. Verify preview shows intended actions and highlights missing dependencies, while execute mode does not apply CA changes.

Acceptance Scenarios:

  1. Given a backup containing CA policies, When a restore preview is generated, Then CA items appear in preview with a clear "preview-only" indicator.
  2. Given a restore execution (non-dry-run), When CA items are included, Then the system does not apply CA changes and records them as preview-only/skipped.

Edge Cases

  • Missing permissions: backup/restore continues for other object types and clearly reports which categories failed due to permissions.
  • Name collisions: multiple objects share the same display name; system must avoid ambiguous updates.
  • Missing identity references: group/user references cannot be resolved; system must skip the assignment and report.
  • Large tenants: operations must cope with pagination and partial failures without losing auditability.
  • Throttling/transient failures: system retries safely and produces a final report if some items could not be processed.

Requirements (mandatory)

Functional Requirements

  • FR-001: System MUST support backup and restore of foundation objects: assignment filters, scope tags, and compliance notification templates.
  • FR-002: System MUST restore foundation objects before applying any dependent configurations.
  • FR-003: System MUST produce an identifier mapping report (old→new) for restored foundation objects.
  • FR-004: System MUST apply assignments for supported configurations using the identifier mapping.
  • FR-005: System MUST skip assignments that cannot be safely mapped (e.g., missing dependencies) and MUST record a clear skip reason.
  • FR-006: System MUST be able to run in preview mode that produces the same decision report as execute mode, without making changes.
  • FR-007: System MUST NOT delete objects in the target tenant as part of restore.
  • FR-008: System MUST record an audit trail for backup and restore actions, including outcomes, partial failures, and skipped items.
  • FR-009: System MUST prevent conflicting simultaneous restore executions for the same tenant (single-writer safety).
  • FR-010: System MUST keep Conditional Access restore as preview-only until dependency mapping for CA is supported.
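
The fail-closed assignment handling required by FR-004 to FR-006 and FR-010, as an added sketch that is not TenantAtlas code. Every ID, field name and type label below is hypothetical, and `apply` stands in for whatever call would write to the target tenant.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: every ID, field name and type label is hypothetical.
FILTER_MAP = {"flt-old-1": "flt-new-9"}   # Restore Mapping: old -> new filter IDs
GROUP_MAP = {"grp-old-a": "grp-new-a"}    # identity references that resolved
SAMPLE_ITEMS = [
    {"name": "Compliance-Win", "type": "deviceCompliancePolicy", "assignments": [
        {"group_id": "grp-old-a", "filter_id": "flt-old-1"},
        {"group_id": "grp-old-a", "filter_id": "flt-old-404"},
        {"group_id": "grp-old-zz", "filter_id": None},
    ]},
    {"name": "CA-Block-Legacy", "type": "conditionalAccessPolicy", "assignments": []},
]

@dataclass
class Decision:
    item: str
    outcome: str                 # "applied" | "skipped" | "preview-only"
    reason: str = ""
    payload: Optional[dict] = None

def plan_assignment(item, assignment, filter_map, group_map):
    """Remap one assignment; fail closed when any reference is unmapped."""
    group, flt = assignment.get("group_id"), assignment.get("filter_id")
    if group is not None and group not in group_map:
        return Decision(item, "skipped", f"unresolved group {group}")
    if flt is not None and flt not in filter_map:
        # Dropping the filter would widen targeting, so skip the assignment.
        return Decision(item, "skipped", f"unmapped filter {flt}")
    payload = {"group_id": group_map.get(group), "filter_id": filter_map.get(flt)}
    return Decision(item, "applied", payload=payload)

def run_restore(items, filter_map, group_map, dry_run, apply=lambda payload: None):
    """Build the decision report; only execute mode calls apply()."""
    report = []
    for it in items:
        if it["type"] == "conditionalAccessPolicy":
            report.append(Decision(it["name"], "preview-only", "CA restore not enabled"))
            continue
        for a in it["assignments"]:
            decision = plan_assignment(it["name"], a, filter_map, group_map)
            if decision.outcome == "applied" and not dry_run:
                apply(decision.payload)
            report.append(decision)
    return report
```

Because preview and execute share `plan_assignment`, the two reports are identical by construction and differ only in whether `apply` is called.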

Key Entities (include if feature involves data)

  • Foundation Object Snapshot: A captured representation of an assignment filter, scope tag, or notification template.
  • Assignment Snapshot: Captured targeting rules associated with a configuration object.
  • Restore Mapping: A mapping of source identifiers to newly created target identifiers.
  • Restore Report: A structured outcome summary containing applied items, skipped items, reasons, and any created copies.

Success Criteria (mandatory)

Measurable Outcomes

  • SC-001: In a tenant with at least 10 foundation objects, a full foundations restore completes with ≥ 99% of items either applied or explicitly skipped with a reason.
  • SC-002: For supported configuration objects with assignments, ≥ 95% of assignments are either applied correctly or skipped with a clear reason (no silent failures).
  • SC-003: Restore preview generation for 100 selected items completes in under 2 minutes in a typical admin environment.
  • SC-004: Admins can complete a restore workflow (preview → execute) with no ambiguous outcomes: every selected item ends in Applied / Created Copy / Skipped / Failed with a recorded reason.