TenantAtlas/specs/026-custom-compliance-scripts/spec.md
2026-01-04 01:58:41 +01:00


Feature Specification: Custom Compliance Scripts (Windows) (026)

Feature Branch: feat/026-custom-compliance-scripts
Created: 2026-01-04
Status: Draft
Priority: P1

Context

Windows Custom Compliance is widely used. Without deviceComplianceScripts, backup/restore for compliance posture is incomplete. Restore must include assignments.

User Scenarios & Testing

User Story 1 — Inventory + view compliance scripts (Priority: P1)

As an admin, I can see Custom Compliance Scripts in inventory and view their script/config in a readable way.

Acceptance Scenarios

  1. Given device compliance scripts exist, sync shows them as type deviceComplianceScript.
  2. Detail view shows key settings (runAsAccount, enforceSignatureCheck, runAs32Bit) and script content (safe display rules).

User Story 2 — Backup + versioning (Priority: P1)

As an admin, I can capture versions/backups of compliance scripts so I can diff changes.

Acceptance Scenarios

  1. Snapshot capture stores the full payload including detectionScriptContent.
  2. Diff highlights script changes and operational flags.

User Story 3 — Restore preview + execution (Priority: P1)

As an admin, I can restore a compliance script and its assignments defensively.

Acceptance Scenarios

  1. Preview shows create/update + restore mode and warnings.
  2. Execution strips read-only fields and re-encodes script content correctly.
  3. Assignments are applied via Graph assign action.

Requirements

Functional Requirements

  • FR-001: Add policy type deviceComplianceScript backed by Graph deviceManagement/deviceComplianceScripts (beta).
  • FR-002: Snapshot stores full payload (including detectionScriptContent) and assignments.
  • FR-003: Restore supports create/update with contract-driven sanitization.
  • FR-004: Restore applies assignments (/assign) and records audit logs.
  • FR-005: Add normalized display support for key fields and script content (with safety limits).
  • FR-006: Add Pest tests for sync + snapshot + preview + execution.

Non-Functional Requirements

  • NFR-001: Script content must never be logged; UI display must be bounded (config-driven).
  • NFR-002: Preview-only fallback when Graph returns unexpected shapes or missing contracts.
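The restore path described in User Story 3 and in FR-003, FR-005, NFR-001 and NFR-002, shown as an added illustration that is not part of this spec or of the TenantAtlas code base: strip read-only Graph fields, base64-encode detectionScriptContent exactly once, fall back to preview-only on a snapshot that misses the contract, and bound what the detail view shows. The read-only field list, the function names and the sample snapshot are assumptions.

```php
<?php
// Graph-managed fields that must never be sent back on create/update
// (assumed list, based on the beta deviceComplianceScript resource).
const READ_ONLY_FIELDS = ['id', 'createdDateTime', 'lastModifiedDateTime', 'version', '@odata.context'];

// Build a Graph request body from a snapshot payload. Returns null, meaning
// "fall back to preview-only" (NFR-002), when the snapshot lacks the minimum
// deviceComplianceScript contract.
function sanitizeForRestore(array $snapshot): ?array
{
    if (!isset($snapshot['displayName'], $snapshot['detectionScriptContent'])
        || !is_string($snapshot['detectionScriptContent'])) {
        return null;
    }
    $body = array_diff_key($snapshot, array_flip(READ_ONLY_FIELDS));

    // Graph holds detectionScriptContent as base64 binary. A snapshot may hold
    // base64 or plain script text; encode exactly once, never twice. (Real
    // PowerShell contains spaces and symbols, so the strict decode rejects it.)
    $content = trim($body['detectionScriptContent']);
    $decoded = base64_decode($content, true);
    if ($decoded === false || base64_encode($decoded) !== $content) {
        $content = base64_encode($content);
    }
    $body['detectionScriptContent'] = $content;
    return $body;
}

// Bounded script text for the detail view (NFR-001); never log the result.
function displayScript(string $base64, int $maxBytes = 2000): string
{
    $text = base64_decode($base64, true);
    if ($text === false) {
        return '[script content is not valid base64]';
    }
    return strlen($text) > $maxBytes ? substr($text, 0, $maxBytes) . "\n[truncated]" : $text;
}

// Constructed sample snapshot (not real tenant data).
$snapshot = [
    'id' => '00000000-0000-0000-0000-000000000000',
    'displayName' => 'Check BitLocker',
    'runAsAccount' => 'system',
    'enforceSignatureCheck' => false,
    'detectionScriptContent' => 'Get-BitLockerVolume | ConvertTo-Json',
    'createdDateTime' => '2026-01-04T00:00:00Z',
];
$body = sanitizeForRestore($snapshot);
echo json_encode(array_keys($body)), PHP_EOL;             // no id/createdDateTime
echo displayScript($body['detectionScriptContent']), PHP_EOL;
```

Assignments would then be posted separately through the Graph assign action, with the same sanitized body never written to any log.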

Success Criteria

  • SC-001: Custom compliance scripts appear in inventory and backups.
  • SC-002: Restore execution works and assignments are applied.