ahmido
c6e7591d19
## Summary - add Intune RBAC role definitions and role assignments as foundation-backed inventory, backup, and versioned snapshot types - add RBAC-specific normalization, coverage, permission-warning handling, and preview-only restore safety behavior across existing Filament and service surfaces - add spec 127 artifacts, contracts, audits, and focused regression coverage for inventory, backup, versioning, verification, and authorization behavior ## Testing - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/Filament/InventoryCoverageTableTest.php tests/Feature/FoundationBackupTest.php tests/Feature/Filament/RestoreExecutionTest.php tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php tests/Unit/GraphContractRegistryTest.php tests/Unit/FoundationSnapshotServiceTest.php tests/Feature/Verification/IntuneRbacPermissionCoverageTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Unit/IntuneRoleAssignmentNormalizerTest.php` ## Notes - tasks in `specs/127-rbac-inventory-backup/tasks.md` are complete except `T041`, which is the documented manual QA validation step Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #155
2.8 KiB
2.8 KiB
Quickstart — Intune RBAC Inventory & Backup v1 (127)
Prerequisites
- Docker running
- Laravel Sail available at
vendor/bin/sail - Existing test database available through Sail
Local setup
-
Start containers:
vendor/bin/sail up -d
-
Install dependencies if needed:
vendor/bin/sail composer installvendor/bin/sail npm install
Implementation checkpoints
- Extend foundation metadata and Graph contracts for:
intuneRoleDefinitionintuneRoleAssignment
- Add RBAC normalizers and register them in
AppServiceProvider. - Wire permission-warning handling for missing
DeviceManagementRBAC.Read.All. - Verify inventory, backup, and restore preview surfaces treat both types as foundations and
preview-only.
Format
- Run formatting before final review:
vendor/bin/sail bin pint --dirty --format agent
Focused tests
Run the smallest relevant sets first:
-
Inventory sync and coverage:
vendor/bin/sail artisan test --compact tests/Feature/Inventory/InventorySyncServiceTest.phpvendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageTableTest.php
-
Foundation backup capture and preview-only behavior:
vendor/bin/sail artisan test --compact tests/Feature/FoundationBackupTest.phpvendor/bin/sail artisan test --compact tests/Feature/Filament/RestoreExecutionTest.phpvendor/bin/sail artisan test --compact tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php
-
Graph contract and snapshot helpers:
vendor/bin/sail artisan test --compact tests/Unit/GraphContractRegistryTest.phpvendor/bin/sail artisan test --compact tests/Unit/FoundationSnapshotServiceTest.php
-
RBAC permission and verification surfaces:
vendor/bin/sail artisan test --compact tests/Feature/Verificationvendor/bin/sail artisan test --compact tests/Unit/RbacOnboardingServiceTest.php
If dedicated spec-127 tests are added, run those file paths directly.
Manual verification checklist
-
As a tenant member with inventory capability:
- run inventory sync with foundations enabled
- confirm
intuneRoleDefinitionandintuneRoleAssignmentappear in coverage under RBAC
-
As a tenant member with backup visibility:
- create a backup set with foundations enabled
- confirm RBAC foundation items appear as backup items with readable display names
-
In backup or restore preview detail:
- confirm both RBAC foundation types show
preview-only - confirm no execute-restore action is available for them
- confirm both RBAC foundation types show
-
With missing
DeviceManagementRBAC.Read.All:- run verification or inventory sync
- confirm the result surfaces a clear RBAC permission warning or reason instead of an opaque failure
-
As a non-member:
- attempt direct access to tenant-scoped RBAC coverage or backup/version views
- confirm the response is 404