ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a989ef1a23
TenantAtlas/specs/051-entra-group-directory-cache/research.md
ahmido bc846d7c5c 051-entra-group-directory-cache (#57) 
Summary

Adds a tenant-scoped Entra Groups “Directory Cache” to enable DB-only group name resolution across the app (no render-time Graph calls), plus sync runs + observability.

What’s included
	•	Entra Groups cache
	•	New entra_groups storage (tenant-scoped) for group metadata (no memberships).
	•	Retention semantics: groups become stale / retained per spec (no hard delete on first miss).
	•	Group Sync Runs
	•	New “Group Sync Runs” UI (list + detail) with tenant isolation (403 on cross-tenant access).
	•	Manual “Sync Groups” action: creates/reuses a run, dispatches job, DB notification with “View run” link.
	•	Scheduled dispatcher command wired in console.php.
	•	DB-only label resolution (US3)
	•	Shared EntraGroupLabelResolver with safe fallback Unresolved (…last8) and UUID guarding.
	•	Refactors to prefer cached names (no typeahead / no live Graph) in:
	•	Tenant RBAC group selects
	•	Policy version assignments widget
	•	Restore results + restore wizard group mapping labels

Safety / Guardrails
	•	No render-time Graph calls: fail-hard guard test verifies UI paths don’t call GraphClientInterface during page render.
	•	Tenant isolation & authorization: policies + scoped queries enforced (cross-tenant access returns 403, not 404).
	•	Data minimization: only group metadata is cached (no membership/owners).

Tests / Verification
	•	Added/updated tests under tests/Feature/DirectoryGroups and tests/Unit/DirectoryGroups:
	•	Start sync → run record + job dispatch + upserts
	•	Retention purge semantics
	•	Scheduled dispatch wiring
	•	Render-time Graph guard
	•	UI/resource access isolation
	•	Ran:
	•	./vendor/bin/pint --dirty
	•	./vendor/bin/sail artisan test tests/Feature/DirectoryGroups
	•	./vendor/bin/sail artisan test tests/Unit/DirectoryGroups

Notes / Follow-ups
	•	UI polish remains (picker/lookup UX, consistent progress widget/toasts across modules, navigation grouping).
	•	pr-gate checklist still has non-blocking open items (mostly UX/ops polish); requirements gate is green.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #57
2026-01-11 23:24:12 +00:00

43 lines
2.1 KiB
Markdown
Raw Blame History

# Research: Entra Group Directory Cache (Groups v1)
## Decisions
### Decision: Full tenant scope sync (all groups)
- Rationale: Ensures browse/search is complete and name-resolution has the best chance of resolving IDs across modules.
- Alternatives considered:
- Only sync referenced groups (creates gaps, hard to debug, non-deterministic coverage).
### Decision: Start modes = manual + scheduled
- Rationale: Manual sync supports operator workflows (pre-restore/triage), while scheduled sync keeps cache fresh without relying on user action.
- Alternatives considered:
- Manual only (cache freshness depends on operator discipline).
- Scheduled only (harder to react quickly during ops).
### Decision: App-only (service principal) directory reads
- Rationale: Scheduled runs must not depend on an interactive user session; app-only is simpler to audit/lock down.
- Alternatives considered:
- Delegated tokens (breaks scheduled runs, unpredictable auth state).
### Decision: Cache metadata only (no membership/owners)
- Rationale: Solves the UX problem (name resolution + browse) with minimal data/PII exposure and lower API volume.
- Alternatives considered:
- Cache membership/owners (larger data surface, higher sensitivity, more Graph calls).
### Decision: Missing groups retention and purge
- Decision: Retain groups for 90 days after `last_seen_at`, then purge.
- Rationale: Preserves investigatory value and audit context while bounding DB growth.
- Alternatives considered:
- Immediate delete (breaks historical triage; creates sudden “unresolved” labels).
- Retain forever (unbounded growth).
### Decision: Graph access patterns (paging + retry)
- Decision: Use Graph list endpoint with paging; apply retry/backoff for 429/503; persist stable error categories in run record.
- Rationale: Full-tenant enumeration can be large; throttling is expected.
- Alternatives considered:
- Best-effort without retry (unreliable coverage).
- UI-time lookups (explicitly disallowed by spec).
## Open Questions (resolved for planning)
- Which specific Graph endpoint and permission names to use will be documented in the contract registry during implementation.
Reference in New Issue View Git Blame Copy Permalink