TenantAtlas/specs/076-permissions-enterprise-ui/data-model.md

Data Model — Spec 076 (Permissions Enterprise UI)

Primary entities

Tenant

  • Source: app/Models/Tenant.php
  • Used for scoping and tenancy routing (/admin/t/{tenant}/...).

RequiredPermissionDefinition (config)

  • Source: config/intune_permissions.php (permissions array)
  • Shape:
    • key: string (e.g. DeviceManagementConfiguration.Read.All)
    • type: 'application'|'delegated' (current config is application-only, but model supports both)
    • description: ?string
    • features: string[] (feature tags used for grouping/impact)

TenantPermission (DB)

  • Source: app/Models/TenantPermission.php (table: tenant_permissions)
  • Key fields (inferred from service usage):
    • tenant_id: int
    • permission_key: string
    • status: 'granted'|'missing'|'error'
    • details: ?array
    • last_checked_at: ?datetime

PermissionComparisonResult (computed)

  • Source: TenantPermissionService::compare(...)
  • Shape:
    • overall_status: 'granted'|'missing'|'error' (service-level)
    • permissions: PermissionRow[]

PermissionRow (computed)

  • Shape:
    • key: string
    • type: 'application'|'delegated'
    • description: ?string
    • features: string[]
    • status: 'granted'|'missing'|'error'
    • details: ?array

View models

RequiredPermissionsOverview

  • Inputs: PermissionRow[]
  • Derived fields:
    • overall: VerificationReportOverall where:
      • Blocked if any missing application
      • NeedsAttention if only delegated missing
      • Ready if none missing
    • counts:
      • missing_application_count
      • missing_delegated_count
      • present_count
      • error_count
    • feature_impacts: FeatureImpact[]

FeatureImpact

  • Key: feature: string
  • Derived:
    • missing_count
    • required_application_count
    • required_delegated_count
    • blocked: bool (based on missing application for that feature)

RequiredPermissionsFilterState

  • Livewire-backed state on the page:
    • status: missing|present|all (default: missing)
    • type: application|delegated|all (default: all)
    • features: string[] (default: [])
    • search: string (default: '')

CopyPayload

  • Derived string payload:
    • Always status = missing
    • Always type = application|delegated (fixed by clicked button)
    • Respects only features[] filter
    • Ignores search
    • Newline separated permission.key
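
The RequiredPermissionsOverview, FeatureImpact and CopyPayload derivations above, as an added PHP example that is not TenantAtlas code. The function names `deriveOverview` and `copyPayload`, the sample rows and their feature tags are hypothetical. It assumes that `error` rows only raise `error_count` and that a row matches the `features[]` filter when it shares at least one tag.

```php
<?php
// Added example; function names are hypothetical, not TenantAtlas code.
// Assumption: 'error' rows only raise error_count and do not change 'overall'.
function deriveOverview(array $rows): array
{
    $counts = ['missing_application_count' => 0, 'missing_delegated_count' => 0,
        'present_count' => 0, 'error_count' => 0];
    $impacts = [];
    foreach ($rows as $row) {
        $missing = $row['status'] === 'missing';
        $bucket = match ($row['status']) {
            'missing' => "missing_{$row['type']}_count",
            'granted' => 'present_count',
            default => 'error_count',
        };
        $counts[$bucket]++;
        foreach ($row['features'] as $f) {
            $impacts[$f] ??= ['feature' => $f, 'missing_count' => 0,
                'required_application_count' => 0, 'required_delegated_count' => 0, 'blocked' => false];
            $impacts[$f]["required_{$row['type']}_count"]++;
            if ($missing) {
                $impacts[$f]['missing_count']++;
                $impacts[$f]['blocked'] = $impacts[$f]['blocked'] || $row['type'] === 'application';
            }
        }
    }
    $overall = match (true) {
        $counts['missing_application_count'] > 0 => 'Blocked',
        $counts['missing_delegated_count'] > 0 => 'NeedsAttention',
        default => 'Ready',
    };
    return ['overall' => $overall, 'counts' => $counts, 'feature_impacts' => array_values($impacts)];
}
// Assumption: a row matches the features[] filter when it shares at least one tag.
function copyPayload(array $rows, string $type, array $features = []): string
{
    $hit = fn(array $r) => $r['status'] === 'missing' && $r['type'] === $type
        && ($features === [] || array_intersect($features, $r['features']) !== []);
    return implode("\n", array_column(array_filter($rows, $hit), 'key'));
}
// Constructed sample rows (feature tags are made up for the example).
$rows = [
    ['key' => 'DeviceManagementConfiguration.Read.All', 'type' => 'application', 'features' => ['policies'], 'status' => 'missing'],
    ['key' => 'DeviceManagementApps.Read.All', 'type' => 'application', 'features' => ['apps'], 'status' => 'granted'],
    ['key' => 'Group.Read.All', 'type' => 'delegated', 'features' => ['policies', 'groups'], 'status' => 'missing'],
];
echo json_encode(deriveOverview($rows), JSON_PRETTY_PRINT), "\n";
echo copyPayload($rows, 'application', ['policies']), "\n";
```

Because the payload takes no search argument, the copied list depends only on the clicked type and the feature filter, so a search term cannot hide a missing permission from it.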

Verification report model (clustered checks)

VerificationReport (stored on OperationRun)

  • Source: operation_runs.context['verification_report']
  • Schema: app/Support/Verification/VerificationReportSchema.php

VerificationCheck (cluster)

  • Key fields (schema-required):
    • key, title, status, severity, blocking, reason_code, message, evidence[], next_steps[]

Cluster mapping

  • Cluster definitions map check key → permission keys (or permission feature sets).
  • Permission-derived checks compute status from PermissionRow[] and supply next-step URL to the Required Permissions page.