Description

Implements the Drift MVP feature (spec: 044-drift-mvp), focusing on automatic drift detection between inventory sync runs and bulk triage for findings.

What was implemented?

- Drift detection: compares policy snapshots, assignments and scope tags between baseline and current runs. Deterministic fingerprints prevent duplicates.
- Findings UI: new Filament resource for findings with list and detail views. DB-only diffs (no Graph calls at runtime).
- Bulk acknowledge:
  - "Acknowledge selected" (bulk action on the list)
  - "Acknowledge all matching" (header action; respects the current filters; type-to-confirm for >100 findings)
- Scope tag fix: fixes false positives on legacy data without scope_tags.ids (infers default values).
- Authorization: tenant-isolated, role-based (Owner/Manager/Operator can acknowledge).
- Tests: full Pest coverage (28 tests, 347 assertions) for drift logic, UI and bulk actions.

Why these changes?

- Problem: no automated drift detection; manual triage with many findings is tedious.
- Solution: async drift generation with a persistent findings table. Safe bulk tools for mass triage without deletes.
- Conformance: follows the AGENTS.md workflow, Spec-Kit (tasks + checklists ticked off), Laravel/Filament best practices.

Technical details

- New files: ~40 (models, services, tests, views, migrations)
- Changes: Filament resources, jobs, policies
- DB: new findings table (JSONB for evidence, indexes for performance)
- Tests: ./vendor/bin/sail artisan test tests/Feature/Drift --parallel → 28 passed
- Migration: ./vendor/bin/sail artisan migrate (new table + indexes)

Screenshots / Links

- Spec: spec.md
- Tasks: tasks.md (all ticked off)
- UI: findings list with bulk actions; detail view with diffs

Checklist

- Tests pass (parallel + serial)
- Code formatted (./vendor/bin/pint --dirty)
- Migration reversible
- Tenant isolation enforced
- No Graph calls in views
- Authorization checks
- Spec + tasks aligned

Deployment Notes

- New migration: create_findings_table
- New permissions: drift.view, drift.acknowledge
- Queue job: GenerateDriftFindingsJob (async, deduped)
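An added illustration (not the PR's own code) of the two mechanisms the description names: a deterministic finding fingerprint over canonicalized snapshot fields, and normalizing legacy snapshots that lack scope_tags.ids before diffing so they no longer produce false positives. The field names, the fingerprint layout and the default scope tag id "0" are assumptions.

```php
<?php
// Added example, not the PR's code. Field names, the fingerprint layout and the
// default scope tag id "0" (assumed to be Intune's built-in default tag) are assumptions.

// Legacy snapshots were captured before scope tags were stored: a missing ids list
// means the default tag, so infer it instead of reporting a (false) drift.
function normalizeScopeTags(array $snapshot): array
{
    $ids = array_map('strval', $snapshot['scope_tags']['ids'] ?? ['0']);
    $ids = array_values(array_unique($ids));
    sort($ids, SORT_STRING);
    $snapshot['scope_tags'] = ['ids' => $ids];
    return $snapshot;
}

// Recursively sort associative keys so the JSON encoding does not depend on
// the order in which Graph returned the fields.
function canonicalize(array $data): array
{
    if (!array_is_list($data)) {
        ksort($data, SORT_STRING);
    }
    return array_map(fn ($v) => is_array($v) ? canonicalize($v) : $v, $data);
}

// Deterministic fingerprint: the same tenant/policy/kind/before/after always hashes the
// same, so re-running the job matches the existing finding instead of inserting a duplicate.
function findingFingerprint(string $tenant, string $policy, string $kind, array $before, array $after): string
{
    $payload = json_encode([
        'tenant' => $tenant, 'policy' => $policy, 'kind' => $kind,
        'before' => canonicalize($before), 'after' => canonicalize($after),
    ], JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return hash('sha256', $payload);
}

// Returns null when there is no scope tag drift, otherwise the finding's fingerprint.
function detectScopeTagDrift(string $tenant, string $policy, array $baseline, array $current): ?string
{
    $b = normalizeScopeTags($baseline)['scope_tags'];
    $c = normalizeScopeTags($current)['scope_tags'];
    return $b === $c ? null : findingFingerprint($tenant, $policy, 'scope_tags', $b, $c);
}

// Constructed samples: a legacy baseline without scope_tags.ids against a current snapshot
// carrying only the default tag is not drift; an added tag is, and its fingerprint is stable.
$legacy  = ['name' => 'Wi-Fi Policy'];
$same    = ['name' => 'Wi-Fi Policy', 'scope_tags' => ['ids' => ['0']]];
$changed = ['name' => 'Wi-Fi Policy', 'scope_tags' => ['ids' => ['7', '0']]];
var_dump(detectScopeTagDrift('t1', 'p1', $legacy, $same) === null);
var_dump(detectScopeTagDrift('t1', 'p1', $legacy, $changed) === detectScopeTagDrift('t1', 'p1', $legacy, $changed));
```

Because the fingerprint is computed only from stored snapshots, the check stays DB-only, as the description requires for the findings views.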
123 lines
5.6 KiB
PHP
```php
<?php

return [
    'permissions' => [
        [
            'key' => 'DeviceManagementConfiguration.ReadWrite.All',
            'type' => 'application',
            'description' => 'Read and write Intune device configuration policies.',
            'features' => ['policy-sync', 'backup', 'restore', 'settings-normalization', 'drift'],
        ],
        [
            'key' => 'DeviceManagementConfiguration.Read.All',
            'type' => 'application',
            'description' => 'Read Intune device configuration policies (least-privilege for inventory).',
            'features' => ['policy-sync', 'backup', 'settings-normalization', 'drift'],
        ],
        [
            'key' => 'DeviceManagementApps.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage app configuration and assignments for Intune.',
            'features' => ['backup', 'restore'],
        ],
        [
            'key' => 'DeviceManagementApps.Read.All',
            'type' => 'application',
            'description' => 'Read app configuration and assignments for Intune.',
            'features' => ['policy-sync', 'backup'],
        ],
        [
            'key' => 'DeviceManagementServiceConfig.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features' => ['backup', 'restore', 'policy-sync'],
        ],
        [
            'key' => 'DeviceManagementServiceConfig.Read.All',
            'type' => 'application',
            'description' => 'Read enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features' => ['policy-sync', 'backup'],
        ],
        [
            'key' => 'Policy.Read.All',
            'type' => 'application',
            'description' => 'Read Conditional Access policies for preview/backup.',
            'features' => ['conditional-access', 'backup', 'versioning'],
        ],
        [
            'key' => 'Policy.ReadWrite.ConditionalAccess',
            'type' => 'application',
            'description' => 'Manage Conditional Access policies (used for preview-only or admin-controlled restores).',
            'features' => ['conditional-access', 'restore'],
        ],
        [
            'key' => 'Directory.Read.All',
            'type' => 'application',
            'description' => 'Read directory data needed for tenant health checks.',
            'features' => ['tenant-health'],
        ],
        [
            'key' => 'DeviceManagementRBAC.Read.All',
            'type' => 'application',
            'description' => 'Read Intune RBAC settings including scope tags for backup metadata enrichment.',
            'features' => ['scope-tags', 'backup-metadata', 'assignments'],
        ],
        [
            'key' => 'DeviceManagementRBAC.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage Intune RBAC scope tags for foundation backup and restore.',
            'features' => ['scope-tags', 'foundations', 'backup', 'restore'],
        ],
        [
            'key' => 'Group.Read.All',
            'type' => 'application',
            'description' => 'Read group information for resolving assignment group names and cross-tenant group mapping.',
            'features' => ['assignments', 'group-mapping', 'backup-metadata', 'directory-groups', 'group-directory-cache', 'drift'],
        ],
        [
            'key' => 'DeviceManagementScripts.ReadWrite.All',
            'type' => 'application',
            'description' => 'Manage Intune device management scripts and remediations.',
            'features' => ['policy-sync', 'backup', 'restore', 'scripts', 'remediations'],
        ],
        [
            'key' => 'DeviceManagementScripts.Read.All',
            'type' => 'application',
            'description' => 'Read Intune device management scripts and remediations.',
            'features' => ['policy-sync', 'backup', 'scripts', 'remediations'],
        ],
    ],

    // Stub list of permissions already granted to the service principal (used for display in Tenant verification UI).
    // This list should match the permissions actually granted in Entra ID.
    // NOTE: In production this should be fetched dynamically from the Graph API (planned for v1.1+).
    //
    // ⚠️ IMPORTANT: After adding new permissions in Azure AD:
    // 1. Add the permissions in Azure AD and grant admin consent
    // 2. Update the list below (move them from "Required permissions" to "Actually granted")
    // 3. Clear the cache: php artisan cache:clear
    // 4. Optional: run the live check on the tenant detail page
    'granted_stub' => [
        // Actually granted (from Entra ID):
        'Device.Read.All',
        'DeviceManagementConfiguration.Read.All',
        'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.Read.All',
        'Directory.Read.All',
        'User.Read',
        'DeviceManagementScripts.ReadWrite.All',

        // Feature 004 - Assignments & Scope Tags (granted since 2025-12-22):
        'DeviceManagementRBAC.Read.All', // resolve scope tag names
        'Group.Read.All', // resolve group names for assignments

        // Required permissions (must be granted in Entra ID):
        // If these are missing, they appear as "missing" in the UI
        'DeviceManagementApps.ReadWrite.All',
        'DeviceManagementApps.Read.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'Policy.Read.All',
        'Policy.ReadWrite.ConditionalAccess',
    ],
];
```
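The catalogue above lists the same features under both a Read.All and a ReadWrite.All entry, and the file's own note calls the Read.All variant the least-privilege choice for inventory. As an added check (not the repository's code), the function below takes the features a tenant actually uses, compares the `permissions` catalogue against `granted_stub`, and reports features no grant covers, grants no enabled feature needs, and ReadWrite grants whose Read.All sibling already covers everything they are used for. The config path and the enabled feature set are assumptions.

```php
<?php
// Added example, not part of the repository. It only relies on the array shape of the
// config file above ('permissions' entries with 'key' and 'features', plus 'granted_stub');
// the require path and the enabled feature list are assumptions.

/**
 * Returns the enabled features no granted permission covers ('uncovered'), grants that no
 * enabled feature lists ('unneeded'), and ReadWrite grants that a Read.All sibling in the
 * catalogue would fully replace for the enabled features ('downgradable' => replacement).
 */
function auditGraphPermissions(array $config, array $enabledFeatures, array $granted): array
{
    $granted = array_fill_keys($granted, true);
    $byKey = array_column($config['permissions'], null, 'key');

    $uncovered = [];
    foreach ($enabledFeatures as $feature) {
        $candidates = array_keys(array_filter($byKey, fn ($p) => in_array($feature, $p['features'], true)));
        if (!array_intersect_key($granted, array_fill_keys($candidates, true))) {
            $uncovered[] = $feature;
        }
    }

    $unneeded = [];
    $downgradable = [];
    foreach (array_keys($granted) as $key) {
        $needed = isset($byKey[$key]) ? array_intersect($byKey[$key]['features'], $enabledFeatures) : [];
        if (!$needed) {
            $unneeded[] = $key; // granted, but no enabled feature lists it (or it is not in the catalogue)
            continue;
        }
        // Prefer the read-only sibling when it covers every enabled feature this ReadWrite grant serves.
        $readKey = preg_replace('/\.ReadWrite\.(All|ConditionalAccess)$/', '.Read.All', $key);
        if ($readKey !== $key && isset($byKey[$readKey])
            && !array_diff($needed, $byKey[$readKey]['features'])) {
            $downgradable[$key] = $readKey;
        }
    }
    return ['uncovered' => $uncovered, 'unneeded' => $unneeded, 'downgradable' => $downgradable];
}

$config = require __DIR__ . '/config/graph-permissions.php'; // assumed path of the file above
$report = auditGraphPermissions($config, ['policy-sync', 'drift', 'scope-tags'], $config['granted_stub']);
print_r($report);
```

Run against the catalogue above with only inventory-style features enabled, the report points at the ReadWrite grants whose Read.All siblings already carry those features, which is the set to review before the stub is replaced by live Graph data.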