ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
ef41c9193a
TenantAtlas/specs/128-rbac-baseline-compare/data-model.md
ahmido ef41c9193a feat: add Intune RBAC baseline compare support (#156) 
## Summary
- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes
- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156
2026-03-09 18:49:20 +00:00

184 lines
6.7 KiB
Markdown
Raw Blame History

# Data Model — Intune RBAC Baseline Compare & Findings v1
## Entities
### Foundation Type Baseline Metadata
Config-defined metadata controlling whether a foundation type can participate in baseline compare.
- Source: `config/tenantpilot.php` foundation rows, exposed through `InventoryPolicyTypeMeta`
- Required additions:
- explicit baseline-compare support flag
- optional compare identity strategy marker
- optional summary kind or compare label metadata if needed for consistent rendering
- Required behavior:
- `intuneRoleDefinition` is baseline-supported
- `intuneRoleAssignment` is baseline-unsupported
### Baseline Scope Entry
The workspace-owned selection stored in `BaselineProfile.scope_jsonb`.
- Existing structure:
- `policy_types[]`
- `foundation_types[]`
- New business rule:
- `foundation_types[]` may contain `intuneRoleDefinition`
- `foundation_types[]` must not contain `intuneRoleAssignment` through normal selection paths
- Validation:
- selected foundation types must exist in canonical metadata
- only baseline-supported foundation types are accepted
### InventoryItem for Intune Role Definition
Tenant-owned latest-observed RBAC state used as the current compare anchor.
- Existing model/table: `InventoryItem`
- Ownership:
- `workspace_id` NOT NULL
- `tenant_id` NOT NULL
- Identity:
- `tenant_id + policy_type + external_id`
- for this feature, `external_id` is the primary compare identity
- Relevant fields:
- `policy_type = intuneRoleDefinition`
- `external_id`
- `display_name`
- `category = RBAC`
- `platform = all`
- `meta_jsonb.is_built_in`
- `meta_jsonb.role_permission_count`
- `last_seen_at`
- `last_seen_operation_run_id`
### PolicyVersion for Intune Role Definition
Immutable RBAC snapshot evidence reused for baseline references and diff rendering.
- Existing model/table: `PolicyVersion`
- Relevant fields:
- `tenant_id`
- `policy_id`
- `policy_type = intuneRoleDefinition`
- `snapshot` with Role Definition payload
- `captured_at`
- `version_number`
- Invariant:
- enough data exists to normalize display name, description, built-in/custom state, and permissions without live Graph calls
### Baseline Snapshot Item for Intune Role Definition
Workspace-owned approved baseline reference used during compare.
- Existing model/table: `BaselineSnapshotItem`
- Relevant fields:
- `baseline_snapshot_id`
- `subject_type = policy` or a role-definition-specific variant if introduced narrowly
- `subject_external_id` as workspace-safe reference
- `subject_key` upgraded to support stable Role Definition identity semantics
- `policy_type = intuneRoleDefinition`
- `baseline_hash`
- `meta_jsonb.display_name`
- `meta_jsonb.evidence.*`
- `meta_jsonb.identity.external_id` or equivalent explicit identity marker
- `meta_jsonb.version_reference` or equivalent baseline PolicyVersion linkage
- Validation:
- baseline item must keep enough metadata to reconstruct evidence later
- baseline snapshot item must not store tenant identifiers directly
### RBAC Role Definition Compare Result
Tenant-scoped transient compare outcome created during baseline compare.
- Computed attributes:
- `policy_type = intuneRoleDefinition`
- `role_definition_id`
- `classification = unchanged | modified | missing | unexpected`
- `severity = low | medium | high`
- `built_in_state`
- `diff_kind = metadata_only | permission_change | missing | unexpected`
- `baseline_hash`
- `current_hash`
- `baseline_policy_version_id` nullable
- `current_policy_version_id` nullable
### RBAC Drift Finding
Persistent tenant-owned finding generated through the existing baseline.compare pipeline.
- Existing model/table: `Finding`
- Relevant fields:
- `tenant_id`
- `finding_type = drift`
- `source = baseline.compare`
- `scope_key = baseline_profile:{id}`
- `fingerprint`
- `recurrence_key`
- `subject_type`
- `subject_external_id`
- `severity`
- `status`
- `times_seen`
- `evidence_jsonb`
- `current_operation_run_id`
- Invariant:
- unchanged identical drift does not create duplicate findings
- resolved recurrence reopens through the existing lifecycle rules
### Baseline Compare RBAC Summary
Run-level summary stored in compare run context.
- Existing container: `OperationRun.context.baseline_compare`
- New summary node:
- `rbac_role_definitions.total_compared`
- `rbac_role_definitions.unchanged`
- `rbac_role_definitions.modified`
- `rbac_role_definitions.missing`
- `rbac_role_definitions.unexpected`
- Constraint:
- keep rich counts in `context`; do not add non-canonical summary keys to `summary_counts`
## Relationships
- A `BaselineProfile` belongs to one workspace and has one active scope definition.
- A `BaselineProfile` has many `BaselineSnapshot` records.
- A `BaselineSnapshot` has many `BaselineSnapshotItem` records, including `intuneRoleDefinition` items when selected.
- A `Tenant` has many `InventoryItem` rows and many `PolicyVersion` rows for `intuneRoleDefinition`.
- A `Tenant` has many baseline compare `OperationRun` rows and many `Finding` rows.
- A Role Definition compare result links one baseline snapshot item to zero or one current inventory row and zero or one current `PolicyVersion`.
## Invariants
- `intuneRoleDefinition` is the only RBAC foundation type eligible for baseline compare in this release.
- `intuneRoleAssignment` must never appear in baseline capture, compare summaries, or findings.
- Role Definition identity is ID-based; same-name recreated objects with new IDs are drift.
- Compare uses normalized governance-relevant content, not raw transport payload shape.
- Metadata-only changes stay distinguishable from permission changes.
- Baseline evidence remains reconstructable without UI-time provider calls.
- Workspace-owned baseline artifacts must not persist tenant IDs.
- Tenant-owned compare runs and findings must remain workspace- and tenant-scoped.
## State Transitions
### Baseline support state
- unsupported
- supported and selectable in baseline profile
### Role Definition compare classification
- unchanged
- modified
- missing
- unexpected
### RBAC finding lifecycle
- new
- reopened
- resolved
- closed
### Compare trust state
- full coverage proven
- partial coverage proven with suppression
- coverage unproven and findings suppressed
## Validation Rules
- Baseline profile foundation selections must be a subset of explicitly baseline-supported foundation types.
- Baseline snapshot items for `intuneRoleDefinition` must carry stable identity and evidence-ready references.
- Role Definition compare must ignore transport-only noise and ordering differences in permission blocks.
- Severity mapping must follow the approved RBAC rule set.
- Assignment foundation type must fail closed for baseline-compare selection and result generation.
Reference in New Issue View Git Blame Copy Permalink