TenantAtlas/specs/128-rbac-baseline-compare/quickstart.md
2026-03-09 19:43:13 +01:00

Quickstart — Intune RBAC Baseline Compare & Findings v1

Goal

Validate that Intune Role Definitions can be selected into a baseline, captured as approved references, compared against current tenant state, and surfaced as unified drift findings without pulling in Role Assignments.

Prerequisites

  • Laravel Sail services are running.
  • A workspace and tenant test fixture exist.
  • Spec 127 RBAC inventory and versioning support is already present.

Development flow

  1. Start Sail if needed.
    • vendor/bin/sail up -d
  2. Implement explicit baseline-support metadata for foundation types and filter baseline scope options to eligible foundations only.
  3. Extend baseline capture and compare identity handling so intuneRoleDefinition matches by Role Definition ID, not display name.
  4. Plug normalized Role Definition diffs into the existing baseline compare finding and evidence pipeline.
  5. Update existing Filament baseline and findings surfaces with RBAC-specific labeling and summaries.

Focused verification

  1. Eligibility and scope tests
    • confirm intuneRoleDefinition is selectable for baseline compare
    • confirm intuneRoleAssignment is not selectable
  2. Capture tests
    • confirm baseline snapshot items for Role Definitions keep evidence-ready references
    • confirm Role Assignments do not enter baseline snapshots
  3. Compare tests
    • unchanged Role Definition yields no finding
    • permission change yields a High-severity modified finding
    • metadata-only change yields a Low-severity modified finding
    • missing and unexpected Role Definitions yield the correct findings
  4. Findings tests
    • repeated identical compare runs do not duplicate findings
    • resolved RBAC findings reopen correctly on recurrence
  5. Safety tests
    • coverage or evidence gaps suppress false RBAC findings
    • tenant/workspace isolation remains intact
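The following is an added example, not TenantAtlas code, showing the compare rules that development-flow steps 2 to 4 and the eligibility, compare, findings and safety tests above describe in one runnable script: baseline scope is limited to foundation types flagged as baseline-supported, Role Definitions are matched by Role Definition ID rather than display name, permission drift is High, metadata-only drift is Low, findings are keyed by a stable fingerprint so a rerun does not duplicate them, and a coverage gap suppresses findings entirely. The `FOUNDATION_TYPES` metadata shape, the finding array layout, and High severity for missing and unexpected Role Definitions are assumptions (the page does not state their severity); IDs and permission names in the sample data are constructed placeholders.

```php
<?php
declare(strict_types=1);
// Added example, not TenantAtlas code. Shape of the metadata and findings is assumed.

// Hypothetical baseline-support metadata per foundation type (assumption).
const FOUNDATION_TYPES = [
    'intuneRoleDefinition' => ['baselineSupported' => true],
    'intuneRoleAssignment' => ['baselineSupported' => false],
];

// Baseline scope options only list foundation types flagged as supported,
// so intuneRoleAssignment can never be selected.
function eligibleFoundationTypes(): array
{
    return array_keys(array_filter(FOUNDATION_TYPES, fn (array $m) => $m['baselineSupported']));
}

// Normalize one Role Definition so ordering or casing differences in the
// permission list do not register as drift.
function normalizeRoleDefinition(array $rd): array
{
    $perms = array_values(array_unique(array_map('strtolower', $rd['permissions'] ?? [])));
    sort($perms);
    return [
        'roleDefinitionId' => (string) $rd['roleDefinitionId'],
        'displayName'      => trim((string) ($rd['displayName'] ?? '')),
        'description'      => trim((string) ($rd['description'] ?? '')),
        'permissions'      => $perms,
    ];
}

// Index by Role Definition ID; display names are never used as identity.
function indexById(array $items): array
{
    $out = [];
    foreach ($items as $rd) {
        $n = normalizeRoleDefinition($rd);
        $out[$n['roleDefinitionId']] = $n;
    }
    return $out;
}

// Compare baseline references against current tenant state. Findings are keyed by
// a stable fingerprint (kind + ID) so an identical rerun yields identical keys and
// the caller can upsert (reopen a resolved finding) instead of inserting duplicates.
function compareRoleDefinitions(array $baseline, array $current, bool $coverageComplete = true): array
{
    if (!$coverageComplete) {
        return []; // incomplete inventory read: never emit false "missing" findings
    }
    $base = indexById($baseline);
    $cur  = indexById($current);
    $findings = [];
    foreach ($base as $id => $b) {
        if (!isset($cur[$id])) {
            // Severity for missing/unexpected is not given on the page; High is an assumption.
            $findings["missing:$id"] = ['kind' => 'missing', 'severity' => 'High',
                'roleDefinitionId' => $id, 'before' => $b, 'after' => null];
            continue;
        }
        $c = $cur[$id];
        if ($b['permissions'] !== $c['permissions']) {
            $findings["modified:$id"] = ['kind' => 'modified', 'severity' => 'High', 'roleDefinitionId' => $id,
                'changed' => 'permissions', 'before' => $b['permissions'], 'after' => $c['permissions']];
        } elseif ($b['displayName'] !== $c['displayName'] || $b['description'] !== $c['description']) {
            $findings["modified:$id"] = ['kind' => 'modified', 'severity' => 'Low', 'roleDefinitionId' => $id,
                'changed' => 'metadata', 'before' => [$b['displayName'], $b['description']],
                'after' => [$c['displayName'], $c['description']]];
        }
        // Identical after normalization: no finding.
    }
    foreach (array_diff_key($cur, $base) as $id => $c) {
        $findings["unexpected:$id"] = ['kind' => 'unexpected', 'severity' => 'High',
            'roleDefinitionId' => $id, 'before' => null, 'after' => $c];
    }
    return $findings;
}

// Constructed sample data (IDs and permission names are placeholders).
$baseline = [
    ['roleDefinitionId' => 'rd-0001', 'displayName' => 'Help Desk Operator', 'description' => 'Read-only device view',
     'permissions' => ['ManagedDevices_Read', 'DeviceConfigurations_Read']],
    ['roleDefinitionId' => 'rd-0002', 'displayName' => 'App Publisher', 'description' => 'Manages apps',
     'permissions' => ['MobileApps_Read', 'MobileApps_Create']],
    ['roleDefinitionId' => 'rd-0003', 'displayName' => 'Reporting Reader', 'description' => 'Reports only',
     'permissions' => ['Reports_Read']],
];
$current = [
    // Same ID, renamed only: must match by ID and surface as Low, not as missing + unexpected.
    ['roleDefinitionId' => 'rd-0001', 'displayName' => 'Help Desk Operator (EU)', 'description' => 'Read-only device view',
     'permissions' => ['DeviceConfigurations_Read', 'ManagedDevices_Read']],
    // Permission added: High.
    ['roleDefinitionId' => 'rd-0002', 'displayName' => 'App Publisher', 'description' => 'Manages apps',
     'permissions' => ['MobileApps_Read', 'MobileApps_Create', 'ManagedDevices_Wipe']],
    // rd-0003 is gone (missing); rd-0004 was never approved (unexpected).
    ['roleDefinitionId' => 'rd-0004', 'displayName' => 'Unapproved Role', 'description' => '',
     'permissions' => ['ManagedDevices_Delete']],
];

$first  = compareRoleDefinitions($baseline, $current);
$second = compareRoleDefinitions($baseline, $current);
foreach ($first as $key => $f) {
    printf("%-20s %-10s %-5s %s\n", $key, $f['kind'], $f['severity'], $f['changed'] ?? '');
}
printf("eligible types: %s\n", implode(', ', eligibleFoundationTypes()));
printf("idempotent rerun: %s\n", array_keys($first) === array_keys($second) ? 'yes' : 'no');
printf("findings with coverage gap: %d\n", count(compareRoleDefinitions($baseline, $current, false)));
```

Run it with `php compare_example.php` (or inside Sail with `vendor/bin/sail php compare_example.php`). The rename of rd-0001 is the case worth checking by hand: keyed on display name it would appear as one missing plus one unexpected Role Definition, keyed on ID it is a single Low metadata finding, which is the distinction step 3 of the development flow makes.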

Suggested test commands

  • vendor/bin/sail artisan test --compact tests/Unit/IntuneRoleDefinitionNormalizerTest.php
  • vendor/bin/sail artisan test --compact tests/Feature/Baselines
  • vendor/bin/sail artisan test --compact tests/Feature/Findings/FindingRecurrenceTest.php
  • vendor/bin/sail artisan test --compact tests/Feature/Filament/BaselineProfileCompareStartSurfaceTest.php
  • vendor/bin/sail bin pint --dirty --format agent

Manual QA checklist

  1. Open Baseline Profiles and verify only Intune Role Definition appears as an RBAC foundation compare option.
  2. Capture a baseline from a tenant with Intune RBAC inventory and verify the snapshot shows Role Definition references only.
  3. Run compare against a tenant with an intentionally changed custom Role Definition and verify RBAC summary counts and finding labels.
  4. Inspect finding detail and verify before/after evidence is readable, severity is correct, and no restore implication appears.
  5. Verify Role Assignment objects never appear in summary, findings, or baseline snapshot compare output.