Public/Get-CommandRBACRequirement.ps1
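function Get-CommandRBACRequirement {
    <#
    .SYNOPSIS
    Returns the minimum RBAC roles / permissions required to run a command.

    .DESCRIPTION
    Looks up a platform command in the PSAutoRBAC knowledge base and returns the
    least-privilege role set, underlying control-plane actions, and the scope level
    at which they apply.

    When the command is not known, the platform's conservative '*Default' entry is
    returned and IsKnown is $false. If the knowledge base has no '*Default' entry for
    the platform (or the resolved entry is empty), the function throws rather than
    returning a requirement with empty Roles/Actions, so a gap in the knowledge base
    is never mistaken for "no role required".

    Platform and command names are matched case-insensitively (PowerShell -eq on
    strings); the key as spelled in the knowledge base is returned in Platform.

    .PARAMETER Platform
    The execution platform, e.g. 'Azure PowerShell', 'Microsoft Graph',
    'Microsoft Fabric', 'Microsoft Purview'.

    .PARAMETER Command
    The command name to evaluate, e.g. 'Connect-AzAccount'.

    .PARAMETER MapPath
    Optional path to an alternate knowledge-base file (chiefly for testing). When
    omitted, Get-CommandRoleMap is called without a path and loads its default map.

    .EXAMPLE
    Get-CommandRBACRequirement -Platform 'Azure PowerShell' -Command 'Connect-AzAccount'

    Returns the Reader requirement for establishing a usable Azure session.

    .OUTPUTS
    PSCustomObject (PSTypeName 'PSAutoRBAC.Requirement') with Platform, Command, Roles,
    Actions, ScopeLevel, Notes, and IsKnown properties. Roles and Actions are always
    arrays; a missing field yields an empty array rather than @($null).

    .NOTES
    Throws a terminating error when Platform is not in the knowledge base, when the
    '*Default' fallback is needed but absent, or when the resolved entry is $null.
    #>
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Platform,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Command,

        [Parameter()]
        [string]$MapPath
    )

    $map = if ($MapPath) { Get-CommandRoleMap -Path $MapPath } else { Get-CommandRoleMap }

    # Resolve the platform key case-insensitively (-eq is case-insensitive on strings)
    # and keep the knowledge base's own spelling for the returned object.
    $platformKey = $map.Keys | Where-Object { $_ -eq $Platform } | Select-Object -First 1
    if (-not $platformKey) {
        throw "Unknown platform '$Platform'. Known platforms: $($map.Keys -join ', ')."
    }

    $commands = $map[$platformKey]

    $isKnown = $true
    $commandKey = $commands.Keys | Where-Object { $_ -eq $Command } | Select-Object -First 1
    if (-not $commandKey) {
        $isKnown = $false
        Write-Verbose "Command '$Command' not found for platform '$platformKey'; using '*Default'."

        # Resolve the fallback key the same way as a real command so the lookup does
        # not depend on the hashtable's case-sensitivity, and fail loudly if the
        # platform has no conservative default at all.
        $commandKey = $commands.Keys | Where-Object { $_ -eq '*Default' } | Select-Object -First 1
        if (-not $commandKey) {
            throw "Platform '$platformKey' has no '*Default' entry; cannot determine a requirement for '$Command'."
        }
    }

    $entry = $commands[$commandKey]
    if ($null -eq $entry) {
        throw "Knowledge-base entry '$commandKey' for platform '$platformKey' is empty."
    }

    # Where-Object drops $null so a missing Roles/Actions field becomes @() instead
    # of a one-element array containing $null.
    [pscustomobject]@{
        PSTypeName = 'PSAutoRBAC.Requirement'
        Platform   = $platformKey
        Command    = $Command
        Roles      = @($entry.Roles | Where-Object { $null -ne $_ })
        Actions    = @($entry.Actions | Where-Object { $null -ne $_ })
        ScopeLevel = $entry.ScopeLevel
        Notes      = $entry.Notes
        IsKnown    = $isKnown
    }
}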