ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
cd23adda1a
TenantAtlas/specs/108-provider-access-hardening/quickstart.md
ahmido 0dc79520a4 feat: provider access hardening (RBAC write gate) (#132) 
Implements provider access hardening for Intune write operations:

- RBAC-based write gate with configurable staleness thresholds
- Gate enforced at restore start and in jobs (execute + assignments)
- UI affordances: disabled rerun action, tenant RBAC status card, refresh RBAC action
- Audit logging for blocked writes
- Ops UX label: `rbac.health_check` now displays as “RBAC health check”
- Adds/updates Pest tests and SpecKit artifacts for feature 108

Notes:
- Filament v5 / Livewire v4 compliant.
- Destructive actions require confirmation.
- Assets: no new global assets.

Tested:
- `vendor/bin/sail artisan test --compact` (suite previously green) + focused OpsUx tests for OperationCatalog labels.
- `vendor/bin/sail bin pint --dirty`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #132
2026-02-23 00:49:37 +00:00

33 lines
1.5 KiB
Markdown
Raw Blame History

# Quickstart — Provider Access Hardening v1 (Intune Write Gate)
## Goal
Validate that Intune write operations (restore execution + restore assignments) are blocked unless tenant RBAC hardening is configured, healthy, and fresh.
## Local setup
- Start containers: `vendor/bin/sail up -d`
## Manual verification (once implemented)
1) Navigate to a tenant view page (`TenantResource` → View).
2) Set tenant RBAC status to a blocked state (e.g., `rbac_status = null` or `degraded`, or make `rbac_last_checked_at` stale).
3) Attempt to start a restore execution (Restore Runs → Execute).
- Expected: start surface blocks before enqueue; operator sees reason + CTA; no `OperationRun` is started for execution.
4) Attempt to trigger assignments restore (where available).
- Expected: blocked with the same reason codes.
5) For job-level defense-in-depth, directly enqueue the job (or trigger a code path that dispatches it) while tenant is blocked.
- Expected: `OperationRun` is marked failed with `reason_code` and no Graph mutation occurs.
## Test execution (once implemented)
Run the minimal related tests:
- `vendor/bin/sail artisan test --compact --filter=IntuneRbacWriteGate`
- or run file-scoped tests created for this feature under `tests/Feature`.
## Notes
- Gate evaluation is DB-only; no synchronous Graph calls are allowed during UI evaluation.
- When the gate is disabled via config, writes proceed but a warning is logged per evaluation that the gate is bypassed.
Reference in New Issue View Git Blame Copy Permalink