TenantAtlas/apps/platform/config/intune_permissions.php
ahmido ce0615a9c1 Spec 182: relocate Laravel platform to apps/platform (#213)
## Summary
- move the Laravel application into `apps/platform` and keep the repository root for orchestration, docs, and tooling
- update the local command model, Sail/Docker wiring, runtime paths, and ignore rules around the new platform location
- add relocation quickstart/contracts plus focused smoke coverage for bootstrap, command model, routes, and runtime behavior

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/PlatformRelocation`
- integrated browser smoke validated `/up`, `/`, `/admin`, `/admin/choose-workspace`, and tenant route semantics for `200`, `403`, and `404`

## Remaining Rollout Checks
- validate Dokploy build context and working-directory assumptions against the new `apps/platform` layout
- confirm web, queue, and scheduler processes all start from the expected working directory in staging/production
- verify no legacy volume mounts or asset-publish paths still point at the old root-level `public/` or `storage/` locations

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #213
2026-04-08 08:40:47 +00:00


<?php

// Microsoft Graph permission catalogue for the Intune integration, together with a
// static stub of the permissions recorded as granted to the service principal.
//
// Every entry under 'permissions' is declared with type 'application' and carries the
// list of product features that depend on it. In this file each '*.ReadWrite.*' entry
// lists 'restore' among its features and no '*.Read.*' entry does.
// NOTE(review): whether consumers treat a Read/ReadWrite pair as alternatives or
// require both is not visible here. Confirm this before consenting to the write
// scopes on a tenant that only needs sync, backup or drift detection.
return [
    'permissions' => [
        [
            'key'         => 'DeviceManagementConfiguration.ReadWrite.All',
            'type'        => 'application',
            'description' => 'Read and write Intune device configuration policies.',
            'features'    => ['policy-sync', 'backup', 'restore', 'settings-normalization', 'drift'],
        ],
        [
            'key'         => 'DeviceManagementConfiguration.Read.All',
            'type'        => 'application',
            'description' => 'Read Intune device configuration policies (least-privilege for inventory).',
            'features'    => ['policy-sync', 'backup', 'settings-normalization', 'drift'],
        ],
        [
            'key'         => 'DeviceManagementApps.ReadWrite.All',
            'type'        => 'application',
            'description' => 'Manage app configuration and assignments for Intune.',
            'features'    => ['backup', 'restore'],
        ],
        [
            'key'         => 'DeviceManagementApps.Read.All',
            'type'        => 'application',
            'description' => 'Read app configuration and assignments for Intune.',
            'features'    => ['policy-sync', 'backup'],
        ],
        [
            'key'         => 'DeviceManagementServiceConfig.ReadWrite.All',
            'type'        => 'application',
            'description' => 'Manage enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features'    => ['backup', 'restore', 'policy-sync'],
        ],
        [
            'key'         => 'DeviceManagementServiceConfig.Read.All',
            'type'        => 'application',
            'description' => 'Read enrollment restrictions, Autopilot, ESP, and related service configs.',
            'features'    => ['policy-sync', 'backup'],
        ],
        [
            'key'         => 'Policy.Read.All',
            'type'        => 'application',
            'description' => 'Read Conditional Access policies for preview/backup.',
            'features'    => ['conditional-access', 'backup', 'versioning'],
        ],
        // Write access to Conditional Access changes the tenant's sign-in controls.
        // The only features mapped to it here are 'conditional-access' and 'restore'.
        [
            'key'         => 'Policy.ReadWrite.ConditionalAccess',
            'type'        => 'application',
            'description' => 'Manage Conditional Access policies (used for preview-only or admin-controlled restores).',
            'features'    => ['conditional-access', 'restore'],
        ],
        [
            'key'         => 'Directory.Read.All',
            'type'        => 'application',
            'description' => 'Read directory data needed for tenant health checks.',
            'features'    => ['tenant-health'],
        ],
        [
            'key'         => 'DeviceManagementRBAC.Read.All',
            'type'        => 'application',
            'description' => 'Read Intune RBAC settings including scope tags for backup metadata enrichment.',
            'features'    => ['scope-tags', 'backup-metadata', 'assignments'],
        ],
        [
            'key'         => 'DeviceManagementRBAC.ReadWrite.All',
            'type'        => 'application',
            'description' => 'Manage Intune RBAC scope tags for foundation backup and restore.',
            'features'    => ['scope-tags', 'foundations', 'backup', 'restore'],
        ],
        [
            'key'         => 'Group.Read.All',
            'type'        => 'application',
            'description' => 'Read group information for resolving assignment group names and cross-tenant group mapping.',
            'features'    => [
                'assignments',
                'group-mapping',
                'backup-metadata',
                'directory-groups',
                'group-directory-cache',
                'drift',
            ],
        ],
        // Scripts and remediations are content that Intune delivers to managed devices,
        // so write access here deserves the same scrutiny as the restore path itself.
        [
            'key'         => 'DeviceManagementScripts.ReadWrite.All',
            'type'        => 'application',
            'description' => 'Manage Intune device management scripts and remediations.',
            'features'    => ['policy-sync', 'backup', 'restore', 'scripts', 'remediations'],
        ],
        [
            'key'         => 'DeviceManagementScripts.Read.All',
            'type'        => 'application',
            'description' => 'Read Intune device management scripts and remediations.',
            'features'    => ['policy-sync', 'backup', 'scripts', 'remediations'],
        ],
    ],

    // Stub list of permissions already granted to the service principal (used for display
    // in the Tenant verification UI).
    // This list should match the permissions actually granted in Entra ID.
    // NOTE: in production this should be fetched dynamically from the Graph API
    // (planned for v1.1+).
    //
    // IMPORTANT: after adding new permissions in Azure AD:
    //   1. Add the permissions in Azure AD and grant admin consent
    //   2. Update the list below (move from "Required permissions" to "Actually granted")
    //   3. Clear the cache: php artisan cache:clear
    //   4. Optional: run the live check on the tenant detail page
    //
    // NOTE(review): this is hand-maintained data, not evidence of consent. Every string in
    // the array is a live element, including those under the "Required permissions"
    // heading further down, so anything reading 'granted_stub' presumably sees those as
    // granted as well. Confirm that this matches the tenant, because an over-stated stub
    // would make a verification display look healthier than the real grant state.
    // NOTE(review): 'Device.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All' and
    // 'User.Read' have no entry under 'permissions', while
    // 'DeviceManagementRBAC.ReadWrite.All' and 'DeviceManagementScripts.Read.All' are
    // declared there but absent here. Reconcile the two lists against Entra ID.
    'granted_stub' => [
        // Actually granted (from Entra ID):
        'Device.Read.All',
        'DeviceManagementConfiguration.Read.All',
        'DeviceManagementConfiguration.ReadWrite.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.Read.All',
        'Directory.Read.All',
        'User.Read',
        'DeviceManagementScripts.ReadWrite.All',

        // Feature 004 - Assignments & Scope Tags (granted since 2025-12-22):
        'DeviceManagementRBAC.Read.All', // resolve scope tag names
        'Group.Read.All', // resolve group names for assignments

        // Required permissions (must be granted in Entra ID):
        // If these are missing, they show up as "missing" in the UI
        'DeviceManagementApps.ReadWrite.All',
        'DeviceManagementApps.Read.All',
        'DeviceManagementServiceConfig.ReadWrite.All',
        'Policy.Read.All',
        'Policy.ReadWrite.ConditionalAccess',
    ],
];