ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a5ef9961b4
TenantAtlas/specs/030-intune-rbac-backup/spec.md
ahmido 602195324b spec/024-additional-intune-types (#28) 
specs for additional intune types

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #28
2026-01-04 02:27:44 +00:00

52 lines
2.2 KiB
Markdown
Raw Blame History

# Feature Specification: Intune RBAC Backup (Role Definitions + Assignments) (030)
**Feature Branch**: `feat/030-intune-rbac-backup`
**Created**: 2026-01-04
**Status**: Draft
**Priority**: P3 (Optional)
## Context
For a “complete tenant restore”, RBAC matters. However, RBAC restore is risky and must be **safe-by-default** (preview-only, strong warnings, explicit confirmation, audit logging).
This feature focuses on:
- Inventory + backup/version of RBAC objects
- Restore preview and validation
- Execution only if/when safety gates and mapping are robust
## User Scenarios & Testing
### User Story 1 — Inventory + backup RBAC objects (Priority: P1)
As an admin, I can inventory and back up role definitions and role assignments.
**Acceptance Scenarios**
1. Sync lists role definitions as `roleDefinition`.
2. Sync lists role assignments as `roleAssignment`.
3. Backup captures full payloads and references (scope tags, members, scopes).
### User Story 2 — Restore preview + safety gates (Priority: P1)
As an admin, I can run a restore preview that clearly explains what would change and blocks unsafe execution.
**Acceptance Scenarios**
1. Preview warns on built-in roles vs custom roles and blocks unsafe cases.
2. Preview validates referenced groups/scope tags and reports missing dependencies.
## Requirements
### Functional Requirements
- **FR-001**: Add policy (or foundation) types:
- `roleDefinition``deviceManagement/roleDefinitions`
- `roleAssignment``deviceManagement/roleAssignments`
- **FR-002**: Snapshot capture stores full payloads; assignments capture includes references.
- **FR-003**: Restore preview includes a dependency report (missing groups/tags/scopes).
- **FR-004**: Restore execution defaults to `preview-only` until safety gates are implemented.
- **FR-005**: Add targeted Pest tests for inventory + backup + preview dependency report.
### Non-Functional Requirements
- **NFR-001**: Never auto-grant permissions/scopes; no “self-heal” background jobs.
- **NFR-002**: All operations are tenant-scoped and audited.
## Success Criteria
- **SC-001**: RBAC objects are visible and captured in backups.
- **SC-002**: Preview makes restore risk and missing dependencies explicit.
Reference in New Issue View Git Blame Copy Permalink