ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
478a9b6aed
TenantAtlas/specs/030-intune-rbac-backup/spec.md
Ahmed Darrazi d734c992cb spec: add upcoming Intune object specs (024-030)
2026-01-04 01:58:41 +01:00

2.2 KiB
Raw Blame History

Feature Specification: Intune RBAC Backup (Role Definitions + Assignments) (030)

Feature Branch: feat/030-intune-rbac-backup
Created: 2026-01-04
Status: Draft
Priority: P3 (Optional)

Context

For a “complete tenant restore”, RBAC matters. However, RBAC restore is risky and must be safe-by-default (preview-only, strong warnings, explicit confirmation, audit logging).

This feature focuses on:

  • Inventory + backup/version of RBAC objects
  • Restore preview and validation
  • Execution only if/when safety gates and mapping are robust

User Scenarios & Testing

User Story 1 — Inventory + backup RBAC objects (Priority: P1)

As an admin, I can inventory and back up role definitions and role assignments.

Acceptance Scenarios

  1. Sync lists role definitions as roleDefinition.
  2. Sync lists role assignments as roleAssignment.
  3. Backup captures full payloads and references (scope tags, members, scopes).

User Story 2 — Restore preview + safety gates (Priority: P1)

As an admin, I can run a restore preview that clearly explains what would change and blocks unsafe execution.

Acceptance Scenarios

  1. Preview warns on built-in roles vs custom roles and blocks unsafe cases.
  2. Preview validates referenced groups/scope tags and reports missing dependencies.

Requirements

Functional Requirements

  • FR-001: Add policy (or foundation) types:
    • roleDefinitiondeviceManagement/roleDefinitions
    • roleAssignmentdeviceManagement/roleAssignments
  • FR-002: Snapshot capture stores full payloads; assignments capture includes references.
  • FR-003: Restore preview includes a dependency report (missing groups/tags/scopes).
  • FR-004: Restore execution defaults to preview-only until safety gates are implemented.
  • FR-005: Add targeted Pest tests for inventory + backup + preview dependency report.

Non-Functional Requirements

  • NFR-001: Never auto-grant permissions/scopes; no “self-heal” background jobs.
  • NFR-002: All operations are tenant-scoped and audited.

Success Criteria

  • SC-001: RBAC objects are visible and captured in backups.
  • SC-002: Preview makes restore risk and missing dependencies explicit.