ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a74ab12f04
TenantAtlas/specs/127-rbac-inventory-backup/quickstart.md
ahmido c6e7591d19 feat: add Intune RBAC inventory and backup support (#155) 
## Summary
- add Intune RBAC role definitions and role assignments as foundation-backed inventory, backup, and versioned snapshot types
- add RBAC-specific normalization, coverage, permission-warning handling, and preview-only restore safety behavior across existing Filament and service surfaces
- add spec 127 artifacts, contracts, audits, and focused regression coverage for inventory, backup, versioning, verification, and authorization behavior

## Testing
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/Filament/InventoryCoverageTableTest.php tests/Feature/FoundationBackupTest.php tests/Feature/Filament/RestoreExecutionTest.php tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php tests/Unit/GraphContractRegistryTest.php tests/Unit/FoundationSnapshotServiceTest.php tests/Feature/Verification/IntuneRbacPermissionCoverageTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Unit/IntuneRoleAssignmentNormalizerTest.php`

## Notes
- tasks in `specs/127-rbac-inventory-backup/tasks.md` are complete except `T041`, which is the documented manual QA validation step

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #155
2026-03-09 10:40:51 +00:00

75 lines
2.8 KiB
Markdown
Raw Blame History

# Quickstart — Intune RBAC Inventory & Backup v1 (127)
## Prerequisites
- Docker running
- Laravel Sail available at `vendor/bin/sail`
- Existing test database available through Sail
## Local setup
- Start containers:
- `vendor/bin/sail up -d`
- Install dependencies if needed:
- `vendor/bin/sail composer install`
- `vendor/bin/sail npm install`
## Implementation checkpoints
1. Extend foundation metadata and Graph contracts for:
- `intuneRoleDefinition`
- `intuneRoleAssignment`
2. Add RBAC normalizers and register them in `AppServiceProvider`.
3. Wire permission-warning handling for missing `DeviceManagementRBAC.Read.All`.
4. Verify inventory, backup, and restore preview surfaces treat both types as foundations and `preview-only`.
## Format
- Run formatting before final review:
- `vendor/bin/sail bin pint --dirty --format agent`
## Focused tests
Run the smallest relevant sets first:
- Inventory sync and coverage:
- `vendor/bin/sail artisan test --compact tests/Feature/Inventory/InventorySyncServiceTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageTableTest.php`
- Foundation backup capture and preview-only behavior:
- `vendor/bin/sail artisan test --compact tests/Feature/FoundationBackupTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/RestoreExecutionTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php`
- Graph contract and snapshot helpers:
- `vendor/bin/sail artisan test --compact tests/Unit/GraphContractRegistryTest.php`
- `vendor/bin/sail artisan test --compact tests/Unit/FoundationSnapshotServiceTest.php`
- RBAC permission and verification surfaces:
- `vendor/bin/sail artisan test --compact tests/Feature/Verification`
- `vendor/bin/sail artisan test --compact tests/Unit/RbacOnboardingServiceTest.php`
If dedicated spec-127 tests are added, run those file paths directly.
## Manual verification checklist
- As a tenant member with inventory capability:
- run inventory sync with foundations enabled
- confirm `intuneRoleDefinition` and `intuneRoleAssignment` appear in coverage under RBAC
- As a tenant member with backup visibility:
- create a backup set with foundations enabled
- confirm RBAC foundation items appear as backup items with readable display names
- In backup or restore preview detail:
- confirm both RBAC foundation types show `preview-only`
- confirm no execute-restore action is available for them
- With missing `DeviceManagementRBAC.Read.All`:
- run verification or inventory sync
- confirm the result surfaces a clear RBAC permission warning or reason instead of an opaque failure
- As a non-member:
- attempt direct access to tenant-scoped RBAC coverage or backup/version views
- confirm the response is 404
Reference in New Issue View Git Blame Copy Permalink