## Summary

- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification

- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes

- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156

57 lines
2.9 KiB
Markdown
# Quickstart — Intune RBAC Baseline Compare & Findings v1

## Goal

Validate that Intune Role Definitions can be selected into a baseline, captured as approved references, compared against current tenant state, and surfaced as unified drift findings without pulling in Role Assignments.

## Prerequisites

- Laravel Sail services are running.
- A workspace and tenant test fixture exist.
- Spec 127 RBAC inventory and versioning support is already present.

## Development flow

1. Start Sail if needed.
   - `vendor/bin/sail up -d`
2. Implement explicit baseline-support metadata for foundation types and filter baseline scope options to eligible foundations only.
3. Extend baseline capture and compare identity handling so `intuneRoleDefinition` matches by Role Definition ID, not display name.
4. Plug normalized Role Definition diffs into the existing baseline compare finding and evidence pipeline.
5. Update existing Filament baseline and findings surfaces with RBAC-specific labeling and summaries.

## Focused verification

1. Eligibility and scope tests
   - confirm `intuneRoleDefinition` is selectable for baseline compare
   - confirm `intuneRoleAssignment` is not selectable
2. Capture tests
   - confirm baseline snapshot items for Role Definitions keep evidence-ready references
   - confirm Role Assignments do not enter baseline snapshots
3. Compare tests
   - unchanged Role Definition yields no finding
   - permission change yields a High-severity modified finding
   - metadata-only change yields a Low-severity modified finding
   - missing and unexpected Role Definitions yield the correct findings
4. Findings tests
   - repeated identical compare runs do not duplicate findings
   - resolved RBAC findings reopen correctly on recurrence
5. Safety tests
   - coverage or evidence gaps suppress false RBAC findings
   - tenant/workspace isolation remains intact

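The ID-based matching from development step 3 and the compare, findings and safety expectations listed above, sketched as an added example; this is not the project's code. The field names, finding shape, recurrence-key format and sample data are assumptions, and because the page states no severity for missing or unexpected Role Definitions, none is set for them.

```php
<?php
// Added example, not the project's code; field names, finding shape and key format are assumed.
function permissionSet(array $role): array
{
    $perms = array_values(array_unique($role['permissions'] ?? []));
    sort($perms); // order-insensitive: reordering alone is not drift
    return $perms;
}
function metadata(array $role): array
{
    return [$role['displayName'] ?? null, $role['description'] ?? null];
}
function compareRoleDefinitions(array $baseline, array $current, bool $coverageOk): array
{
    if (! $coverageOk) {
        return []; // inventory not proven complete: suppress findings
    }
    $base = array_column($baseline, null, 'id'); // index by Role Definition ID
    $curr = array_column($current, null, 'id');
    $findings = [];
    foreach (array_keys($base + $curr) as $id) {
        $key = "intuneRoleDefinition|$id"; // stable key: a rerun overwrites, never duplicates
        if (! isset($curr[$id])) {
            $findings[$key] = ['change' => 'missing'];
        } elseif (! isset($base[$id])) {
            $findings[$key] = ['change' => 'unexpected'];
        } elseif (permissionSet($base[$id]) !== permissionSet($curr[$id])) {
            $findings[$key] = ['change' => 'modified', 'severity' => 'high'];
        } elseif (metadata($base[$id]) !== metadata($curr[$id])) {
            $findings[$key] = ['change' => 'modified', 'severity' => 'low'];
        }
    }
    return $findings;
}

// Constructed sample data; IDs and permission strings are made up.
$baseline = [
    ['id' => 'rd-1', 'displayName' => 'Help Desk', 'permissions' => ['devices.read', 'devices.sync']],
    ['id' => 'rd-2', 'displayName' => 'App Manager', 'permissions' => ['apps.read']],
    ['id' => 'rd-3', 'displayName' => 'Auditor', 'permissions' => ['audit.read']],
    ['id' => 'rd-5', 'displayName' => 'Read Only', 'permissions' => ['devices.read']],
];
$current = [
    ['id' => 'rd-1', 'displayName' => 'Service Desk', 'permissions' => ['devices.sync', 'devices.read']], // renamed only
    ['id' => 'rd-2', 'displayName' => 'App Manager', 'permissions' => ['apps.read', 'apps.wipe']], // permission added
    ['id' => 'rd-4', 'displayName' => 'Auditor', 'permissions' => ['audit.read']], // same name, different ID
    ['id' => 'rd-5', 'displayName' => 'Read Only', 'permissions' => ['devices.read']], // unchanged
];
print_r(compareRoleDefinitions($baseline, $current, true));
print_r(compareRoleDefinitions($baseline, $current, false)); // coverage gap
```
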
## Suggested test commands

- `vendor/bin/sail artisan test --compact tests/Unit/IntuneRoleDefinitionNormalizerTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Baselines`
- `vendor/bin/sail artisan test --compact tests/Feature/Findings/FindingRecurrenceTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/BaselineProfileCompareStartSurfaceTest.php`
- `vendor/bin/sail bin pint --dirty --format agent`

## Manual QA checklist

1. Open Baseline Profiles and verify only Intune Role Definition appears as an RBAC foundation compare option.
2. Capture a baseline from a tenant with Intune RBAC inventory and verify the snapshot shows Role Definition references only.
3. Run compare against a tenant with an intentionally changed custom Role Definition and verify RBAC summary counts and finding labels.
4. Inspect finding detail and verify before/after evidence is readable, severity is correct, and no restore implication appears.
5. Verify Role Assignment objects never appear in summary, findings, or baseline snapshot compare output.