ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
0ab31b2b81
TenantAtlas/specs/128-rbac-baseline-compare/data-model.md
Ahmed Darrazi 0ab31b2b81 feat: add Intune RBAC baseline compare support
2026-03-09 19:43:13 +01:00

6.7 KiB
Raw Blame History

Data Model — Intune RBAC Baseline Compare & Findings v1

Entities

Foundation Type Baseline Metadata

Config-defined metadata controlling whether a foundation type can participate in baseline compare.

  • Source: config/tenantpilot.php foundation rows, exposed through InventoryPolicyTypeMeta
  • Required additions:
    • explicit baseline-compare support flag
    • optional compare identity strategy marker
    • optional summary kind or compare label metadata if needed for consistent rendering
  • Required behavior:
    • intuneRoleDefinition is baseline-supported
    • intuneRoleAssignment is baseline-unsupported

Baseline Scope Entry

The workspace-owned selection stored in BaselineProfile.scope_jsonb.

  • Existing structure:
    • policy_types[]
    • foundation_types[]
  • New business rule:
    • foundation_types[] may contain intuneRoleDefinition
    • foundation_types[] must not contain intuneRoleAssignment through normal selection paths
  • Validation:
    • selected foundation types must exist in canonical metadata
    • only baseline-supported foundation types are accepted

InventoryItem for Intune Role Definition

Tenant-owned latest-observed RBAC state used as the current compare anchor.

  • Existing model/table: InventoryItem
  • Ownership:
    • workspace_id NOT NULL
    • tenant_id NOT NULL
  • Identity:
    • tenant_id + policy_type + external_id
    • for this feature, external_id is the primary compare identity
  • Relevant fields:
    • policy_type = intuneRoleDefinition
    • external_id
    • display_name
    • category = RBAC
    • platform = all
    • meta_jsonb.is_built_in
    • meta_jsonb.role_permission_count
    • last_seen_at
    • last_seen_operation_run_id

PolicyVersion for Intune Role Definition

Immutable RBAC snapshot evidence reused for baseline references and diff rendering.

  • Existing model/table: PolicyVersion
  • Relevant fields:
    • tenant_id
    • policy_id
    • policy_type = intuneRoleDefinition
    • snapshot with Role Definition payload
    • captured_at
    • version_number
  • Invariant:
    • enough data exists to normalize display name, description, built-in/custom state, and permissions without live Graph calls

Baseline Snapshot Item for Intune Role Definition

Workspace-owned approved baseline reference used during compare.

  • Existing model/table: BaselineSnapshotItem
  • Relevant fields:
    • baseline_snapshot_id
    • subject_type = policy or a role-definition-specific variant if introduced narrowly
    • subject_external_id as workspace-safe reference
    • subject_key upgraded to support stable Role Definition identity semantics
    • policy_type = intuneRoleDefinition
    • baseline_hash
    • meta_jsonb.display_name
    • meta_jsonb.evidence.*
    • meta_jsonb.identity.external_id or equivalent explicit identity marker
    • meta_jsonb.version_reference or equivalent baseline PolicyVersion linkage
  • Validation:
    • baseline item must keep enough metadata to reconstruct evidence later
    • baseline snapshot item must not store tenant identifiers directly

RBAC Role Definition Compare Result

Tenant-scoped transient compare outcome created during baseline compare.

  • Computed attributes:
    • policy_type = intuneRoleDefinition
    • role_definition_id
    • classification = unchanged | modified | missing | unexpected
    • severity = low | medium | high
    • built_in_state
    • diff_kind = metadata_only | permission_change | missing | unexpected
    • baseline_hash
    • current_hash
    • baseline_policy_version_id nullable
    • current_policy_version_id nullable

RBAC Drift Finding

Persistent tenant-owned finding generated through the existing baseline.compare pipeline.

  • Existing model/table: Finding
  • Relevant fields:
    • tenant_id
    • finding_type = drift
    • source = baseline.compare
    • scope_key = baseline_profile:{id}
    • fingerprint
    • recurrence_key
    • subject_type
    • subject_external_id
    • severity
    • status
    • times_seen
    • evidence_jsonb
    • current_operation_run_id
  • Invariant:
    • unchanged identical drift does not create duplicate findings
    • resolved recurrence reopens through the existing lifecycle rules

Baseline Compare RBAC Summary

Run-level summary stored in compare run context.

  • Existing container: OperationRun.context.baseline_compare
  • New summary node:
    • rbac_role_definitions.total_compared
    • rbac_role_definitions.unchanged
    • rbac_role_definitions.modified
    • rbac_role_definitions.missing
    • rbac_role_definitions.unexpected
  • Constraint:
    • keep rich counts in context; do not add non-canonical summary keys to summary_counts

Relationships

  • A BaselineProfile belongs to one workspace and has one active scope definition.
  • A BaselineProfile has many BaselineSnapshot records.
  • A BaselineSnapshot has many BaselineSnapshotItem records, including intuneRoleDefinition items when selected.
  • A Tenant has many InventoryItem rows and many PolicyVersion rows for intuneRoleDefinition.
  • A Tenant has many baseline compare OperationRun rows and many Finding rows.
  • A Role Definition compare result links one baseline snapshot item to zero or one current inventory row and zero or one current PolicyVersion.

Invariants

  • intuneRoleDefinition is the only RBAC foundation type eligible for baseline compare in this release.
  • intuneRoleAssignment must never appear in baseline capture, compare summaries, or findings.
  • Role Definition identity is ID-based; same-name recreated objects with new IDs are drift.
  • Compare uses normalized governance-relevant content, not raw transport payload shape.
  • Metadata-only changes stay distinguishable from permission changes.
  • Baseline evidence remains reconstructable without UI-time provider calls.
  • Workspace-owned baseline artifacts must not persist tenant IDs.
  • Tenant-owned compare runs and findings must remain workspace- and tenant-scoped.

State Transitions

Baseline support state

  • unsupported
  • supported and selectable in baseline profile

Role Definition compare classification

  • unchanged
  • modified
  • missing
  • unexpected

RBAC finding lifecycle

  • new
  • reopened
  • resolved
  • closed

Compare trust state

  • full coverage proven
  • partial coverage proven with suppression
  • coverage unproven and findings suppressed

Validation Rules

  • Baseline profile foundation selections must be a subset of explicitly baseline-supported foundation types.
  • Baseline snapshot items for intuneRoleDefinition must carry stable identity and evidence-ready references.
  • Role Definition compare must ignore transport-only noise and ordering differences in permission blocks.
  • Severity mapping must follow the approved RBAC rule set.
  • Assignment foundation type must fail closed for baseline-compare selection and result generation.