TenantAtlas/specs/076-permissions-enterprise-ui/data-model.md

# Data Model — Spec 076 (Permissions Enterprise UI)
## Primary entities
### Tenant
- Source: `app/Models/Tenant.php`
- Used for scoping and tenancy routing (`/admin/t/{tenant}/...`).
### RequiredPermissionDefinition (config)
- Source: `config/intune_permissions.php` (`permissions` array)
- Shape:
  - `key: string` (e.g. `DeviceManagementConfiguration.Read.All`)
  - `type: 'application'|'delegated'` (current config is application-only, but the model supports both)
  - `description: ?string`
  - `features: string[]` (feature tags used for grouping/impact)
### TenantPermission (DB)
- Source: `app/Models/TenantPermission.php` (table: `tenant_permissions`)
- Key fields (inferred from service usage):
  - `tenant_id: int`
  - `permission_key: string`
  - `status: 'granted'|'missing'|'error'`
  - `details: ?array`
  - `last_checked_at: ?datetime`
### PermissionComparisonResult (computed)
- Source: `TenantPermissionService::compare(...)`
- Shape:
  - `overall_status: 'granted'|'missing'|'error'` (service-level)
  - `permissions: PermissionRow[]`
### PermissionRow (computed)
- Shape:
  - `key: string`
  - `type: 'application'|'delegated'`
  - `description: ?string`
  - `features: string[]`
  - `status: 'granted'|'missing'|'error'`
  - `details: ?array`
## View models
### RequiredPermissionsOverview
- Inputs: `PermissionRow[]`
- Derived fields:
  - `overall: VerificationReportOverall` where:
    - Blocked if any application permission is missing
    - NeedsAttention if only delegated permissions are missing
    - Ready if none are missing
  - counts:
    - `missing_application_count`
    - `missing_delegated_count`
    - `present_count`
    - `error_count`
  - `feature_impacts: FeatureImpact[]`
### FeatureImpact
- Key: `feature: string`
- Derived:
  - `missing_count`
  - `required_application_count`
  - `required_delegated_count`
  - `blocked: bool` (true when an application permission required by that feature is missing)
### RequiredPermissionsFilterState
- Livewire-backed state on the page:
  - `status: missing|present|all` (default: missing)
  - `type: application|delegated|all` (default: all)
  - `features: string[]` (default: [])
  - `search: string` (default: '')
### CopyPayload
- Derived string payload:
  - Always `status = missing`
  - Always `type = application|delegated` (fixed by the clicked button)
  - Respects only the `features[]` filter
  - Ignores `search`
  - Newline-separated `permission.key` values
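The derivation rules above for `RequiredPermissionsOverview`, `FeatureImpact` and `CopyPayload`, as an added reference implementation (example code, not TenantAtlas code). It assumes rows with status `granted` are what `present_count` counts, that `error` rows never change `overall`, and uses constructed sample rows with made-up feature tags.

```php
<?php
// Added example, not TenantAtlas code: derives RequiredPermissionsOverview and the
// CopyPayload from PermissionRow[] per this spec. Assumption: 'granted' rows are
// "present" and 'error' rows do not affect the overall status.
function buildOverview(array $rows): array
{
    $counts = ['missing_application_count' => 0, 'missing_delegated_count' => 0,
               'present_count' => 0, 'error_count' => 0];
    $impacts = []; // feature => FeatureImpact
    foreach ($rows as $row) {
        $isApp = $row['type'] === 'application'; $missing = $row['status'] === 'missing';
        if ($row['status'] === 'granted') {
            $counts['present_count']++;
        } elseif ($row['status'] === 'error') {
            $counts['error_count']++;
        } else {
            $counts[$isApp ? 'missing_application_count' : 'missing_delegated_count']++;
        }
        foreach ($row['features'] as $feature) {
            $impacts[$feature] ??= ['feature' => $feature, 'missing_count' => 0,
                'required_application_count' => 0, 'required_delegated_count' => 0,
                'blocked' => false];
            $impacts[$feature][$isApp ? 'required_application_count' : 'required_delegated_count']++;
            if ($missing) {
                $impacts[$feature]['missing_count']++;
                // Only a missing application permission blocks the feature.
                $impacts[$feature]['blocked'] = $impacts[$feature]['blocked'] || $isApp;
            }
        }
    }
    // Blocked if any application permission is missing; NeedsAttention if only delegated; else Ready.
    $overall = $counts['missing_application_count'] > 0 ? 'Blocked'
        : ($counts['missing_delegated_count'] > 0 ? 'NeedsAttention' : 'Ready');
    return ['overall' => $overall] + $counts + ['feature_impacts' => array_values($impacts)];
}
// CopyPayload: status=missing always, type fixed by the clicked button, only the
// features[] filter applies (search ignored), keys newline separated.
function copyPayload(array $rows, string $type, array $features = []): string
{
    $keep = array_filter($rows, fn($r) => $r['status'] === 'missing' && $r['type'] === $type
        && ($features === [] || array_intersect($features, $r['features']) !== []));
    return implode("\n", array_column($keep, 'key'));
}
$rows = [ // constructed sample rows, not real tenant data; feature tags are made up
    ['key' => 'DeviceManagementConfiguration.Read.All', 'type' => 'application',
     'status' => 'missing', 'features' => ['configuration']],
    ['key' => 'User.Read', 'type' => 'delegated', 'status' => 'missing', 'features' => ['devices']],
];
print_r(buildOverview($rows));
echo copyPayload($rows, 'application', ['configuration']), PHP_EOL;
```

With the sample rows the overview comes out Blocked because the missing `application` permission blocks the `configuration` feature, while `devices` is only missing a delegated permission and is therefore not blocked.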
## Verification report model (clustered checks)
### VerificationReport (stored on OperationRun)
- Source: `operation_runs.context['verification_report']`
- Schema: `app/Support/Verification/VerificationReportSchema.php`
### VerificationCheck (cluster)
- Key fields (schema-required):
  - `key`, `title`, `status`, `severity`, `blocking`, `reason_code`, `message`, `evidence[]`, `next_steps[]`
### Cluster mapping
- Cluster definitions map check key → permission keys (or permission feature sets).
- Permission-derived checks compute status from `PermissionRow[]` and supply next-step URL to the Required Permissions page.