12973248e7
Implements RBAC-based write gating for Intune restore flows, UI affordances, and audit logging; adds tests and specs.
33 lines
1.5 KiB
Markdown
33 lines
1.5 KiB
Markdown
# Quickstart — Provider Access Hardening v1 (Intune Write Gate)
|
|
|
|
## Goal
|
|
|
|
Validate that Intune write operations (restore execution + restore assignments) are blocked unless tenant RBAC hardening is configured, healthy, and fresh.
|
|
|
|
## Local setup
|
|
|
|
- Start containers: `vendor/bin/sail up -d`
|
|
|
|
## Manual verification (once implemented)
|
|
|
|
1) Navigate to a tenant view page (`TenantResource` → View).
|
|
2) Set tenant RBAC status to a blocked state (e.g., `rbac_status = null` or `degraded`, or make `rbac_last_checked_at` stale).
|
|
3) Attempt to start a restore execution (Restore Runs → Execute).
|
|
- Expected: start surface blocks before enqueue; operator sees reason + CTA; no `OperationRun` is started for execution.
|
|
4) Attempt to trigger assignments restore (where available).
|
|
- Expected: blocked with the same reason codes.
|
|
5) For job-level defense-in-depth, directly enqueue the job (or trigger a code path that dispatches it) while tenant is blocked.
|
|
- Expected: `OperationRun` is marked failed with `reason_code` and no Graph mutation occurs.
|
|
|
|
## Test execution (once implemented)
|
|
|
|
Run the minimal related tests:
|
|
|
|
- `vendor/bin/sail artisan test --compact --filter=IntuneRbacWriteGate`
|
|
- or run file-scoped tests created for this feature under `tests/Feature`.
|
|
|
|
## Notes
|
|
|
|
- Gate evaluation is DB-only; no synchronous Graph calls are allowed during UI evaluation.
|
|
- When the gate is disabled via config, writes proceed but a warning is logged per evaluation that the gate is bypassed.
|