Data/CommandRoleMap.psd1

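@{
    # ------------------------------------------------------------------------
    # PSAutoRBAC command -> RBAC requirement knowledge base
    # ------------------------------------------------------------------------
    # Each platform maps a command name (case-insensitive) to the *minimum*
    # role / permission set required to execute it successfully at the given
    # scope. Entries are intentionally conservative (least privilege).
    #
    # Schema per command entry:
    # Roles = @( 'BuiltInRoleName', ... ) # Azure RBAC / Entra role names
    # Actions = @( 'provider/operation', ... ) # underlying control-plane actions
    # ScopeLevel = 'Tenant' | 'ManagementGroup' | 'Subscription' | 'ResourceGroup' | 'Resource' | 'None'
    # Notes = 'free-text guidance'
    #
    # The map is data-driven on purpose: extend it without touching code.
    # Lookups fall back to the '*Default' entry for a platform when a command
    # is unknown, and Get-CommandRBACRequirement reports IsKnown = $false.
    #
    # Keep this file inside the PowerShell restricted language: literals,
    # hashtables and arrays only -- no variables, expressions or command
    # invocations. A .psd1 that stays within those limits can be loaded with
    # Import-PowerShellDataFile, which parses the data without executing it,
    # so editing this file never becomes a code-execution path.
    #
    # Wildcard actions ('*/read', '*/write') express "the target resource
    # type's own action"; use them only where the concrete provider action
    # depends on the resource being operated on.
    # ------------------------------------------------------------------------

    'Azure PowerShell' = @{

        # Scope is the subscription because the role is only there to let the
        # session enumerate what it signed in to; sign-in alone needs nothing.
        'Connect-AzAccount' = @{
            Roles      = @('Reader')
            Actions    = @('*/read')
            ScopeLevel = 'Subscription'
            Notes      = 'Authentication itself needs no RBAC role, but a usable session typically requires at least Reader to enumerate subscriptions and resources.'
        }

        'New-AzResourceGroup' = @{
            Roles      = @('Contributor')
            Actions    = @('Microsoft.Resources/subscriptions/resourceGroups/write')
            ScopeLevel = 'Subscription'
            Notes      = 'Creating a resource group is a write at subscription scope.'
        }

        # NOTE(review): Azure documents resourceGroups/delete as sufficient on
        # its own to delete the group together with everything inside it, even
        # resources whose delete action is excluded via NotActions -- confirm
        # against current docs. If so, the Notes text overstates the
        # requirement and this single action is a high-impact grant that
        # deserves the narrowest possible scope.
        'Remove-AzResourceGroup' = @{
            Roles      = @('Contributor')
            Actions    = @('Microsoft.Resources/subscriptions/resourceGroups/delete')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Deleting a resource group requires delete on the group and its contained resources.'
        }

        'Set-AzResourceGroup' = @{
            Roles      = @('Contributor')
            Actions    = @('Microsoft.Resources/subscriptions/resourceGroups/write')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Updating tags / properties on a resource group is a write.'
        }

        # roleAssignments/write is effectively a privilege-escalation path at
        # its scope: the holder can assign any role, including Owner, there.
        # Keep the scope as narrow as the task allows and prefer the dedicated
        # RBAC Administrator role over Owner / User Access Administrator.
        'New-AzRoleAssignment' = @{
            Roles      = @('Role Based Access Control Administrator')
            Actions    = @('Microsoft.Authorization/roleAssignments/write')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Creating role assignments requires roleAssignments/write. RBAC Administrator, User Access Administrator, or Owner grant this.'
        }

        'Remove-AzRoleAssignment' = @{
            Roles      = @('Role Based Access Control Administrator')
            Actions    = @('Microsoft.Authorization/roleAssignments/delete')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Removing role assignments requires roleAssignments/delete.'
        }

        'New-AzPolicyAssignment' = @{
            Roles      = @('Resource Policy Contributor')
            Actions    = @('Microsoft.Authorization/policyAssignments/write')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Assigning policy requires policyAssignments/write.'
        }

        # New-AzResource PUTs the resource directly through ARM, so the action
        # checked is the target resource type's own write action (expressed
        # here as the '*/write' wildcard). Microsoft.Resources/deployments/write
        # belongs to template deployments (New-AzResourceGroupDeployment), not
        # to this cmdlet, and was previously listed here by mistake.
        'New-AzResource' = @{
            Roles      = @('Contributor')
            Actions    = @('*/write')
            ScopeLevel = 'ResourceGroup'
            Notes      = 'Creating arbitrary resources requires write at the target scope; Contributor is the broad baseline.'
        }

        # Deliberately broad so a report never under-states what an unknown
        # command may need. Consumers must treat IsKnown = $false as a gate for
        # manual review, never as a role to assign automatically -- Contributor
        # with */write is the opposite of least privilege if granted blindly.
        '*Default' = @{
            Roles      = @('Contributor')
            Actions    = @('*/read', '*/write')
            ScopeLevel = 'Subscription'
            Notes      = 'Unknown command; defaulting to Contributor as a conservative baseline. Validate and add an explicit mapping.'
        }
    }

    'Microsoft Graph' = @{

        # Entra role names and microsoft.directory/* actions; ScopeLevel is
        # always Tenant here because directory roles are not resource-scoped.
        'Connect-MgGraph' = @{
            Roles      = @('Directory Readers')
            Actions    = @('microsoft.directory/users/standard/read')
            ScopeLevel = 'Tenant'
            Notes      = 'Sign-in plus delegated/app scopes; Directory Readers is the minimum to enumerate directory objects.'
        }

        'New-MgGroup' = @{
            Roles      = @('Groups Administrator')
            Actions    = @('microsoft.directory/groups/create')
            ScopeLevel = 'Tenant'
            Notes      = 'Creating security groups requires Groups Administrator (or a custom role with groups/create).'
        }

        'New-MgGroupMember' = @{
            Roles      = @('Groups Administrator')
            Actions    = @('microsoft.directory/groups/members/update')
            ScopeLevel = 'Tenant'
            Notes      = 'Adding members to a group requires group membership write.'
        }

        # Read-only fallback: an unknown Graph command is reported against
        # Directory Readers rather than a write-capable role.
        '*Default' = @{
            Roles      = @('Directory Readers')
            Actions    = @('microsoft.directory/users/standard/read')
            ScopeLevel = 'Tenant'
            Notes      = 'Unknown Graph command; defaulting to Directory Readers. Add an explicit mapping.'
        }
    }

    'Microsoft Fabric' = @{

        # No per-command mappings yet; every Fabric command currently resolves
        # to this tenant-wide admin baseline, so IsKnown will be $false for all.
        '*Default' = @{
            Roles      = @('Fabric Administrator')
            Actions    = @('Microsoft.Fabric/capacities/read')
            ScopeLevel = 'Tenant'
            Notes      = 'Fabric admin operations require Fabric Administrator or capacity-scoped roles. Add explicit mappings as commands are onboarded.'
        }
    }

    'Microsoft Purview' = @{

        # NOTE(review): 'Purview Data Curator' is a Purview data-plane role
        # while the action listed is an ARM control-plane read; the two are
        # granted in different places (governance portal vs. Azure RBAC).
        # Confirm which of the two a consumer is expected to act on.
        '*Default' = @{
            Roles      = @('Purview Data Curator')
            Actions    = @('Microsoft.Purview/accounts/read')
            ScopeLevel = 'Resource'
            Notes      = 'Purview data-plane roles are managed in the Purview governance portal. Add explicit mappings as commands are onboarded.'
        }
    }
}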