Public/Get-RBACRequirement.ps1

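function Get-RBACRequirement {
    <#
    .SYNOPSIS
        Resolves the minimum RBAC roles / permissions a command requires.
 
    .DESCRIPTION
        Dispatches to the registered probe provider for the platform and returns
        its least-privilege requirement. Each provider uses the best available
        source for its platform:
 
          * Azure - the knowledge base (offline), enrichable by live probing.
          * Graph - Find-MgGraphCommand (authoritative), KB fallback.
          * Fabric - the knowledge base (workspace roles).
          * Purview - the knowledge base (metadata-policy roles).
 
        This is a preflight, non-destructive operation: it never executes the
        target command. Use Invoke-RBACProbe -LiveProbe to derive an Azure
        requirement from a live AuthorizationFailed instead.

        The provider is looked up before the run-as context is initialized, so
        an unknown platform fails before any run-as identity is used. When a
        run-as identity is in effect, its session is disconnected on every exit
        path (success or provider error); a failure during that disconnect is
        reported as a warning rather than replacing the provider's own error.
 
    .PARAMETER Platform
        The platform name or alias, e.g. 'Azure', 'Microsoft Graph', 'Fabric',
        'Purview'. See Get-RBACProvider for the full set.
 
    .PARAMETER Command
        The command / operation to evaluate, e.g. 'New-AzResourceGroup'.
 
    .PARAMETER MapPath
        Optional alternate knowledge-base path (chiefly for testing). Passed to
        the provider via its options table only when non-empty.
 
    .PARAMETER TenantId
        Optional tenant id, recorded on the context.
 
    .PARAMETER RunAsCredential
        Run the resolution as a user credential instead of the ambient session.
 
    .PARAMETER RunAsServicePrincipal
        Run as a service principal (with -RunAsTenantId).
 
    .PARAMETER RunAsTenantId
        Tenant for service-principal run-as.
 
    .PARAMETER RunAsManagedIdentity
        Run as a managed identity.
 
    .PARAMETER RunAsManagedIdentityClientId
        Client id for a user-assigned managed identity.
 
    .EXAMPLE
        Get-RBACRequirement -Platform Azure -Command New-AzResourceGroup
 
    .EXAMPLE
        Get-RBACRequirement -Platform 'Microsoft Graph' -Command New-MgGroup
 
    .OUTPUTS
        PSCustomObject (PSAutoRBAC.Requirement).

    .NOTES
        Throws a terminating error when no provider is registered for -Platform.
        Verbose output records only the platform, command and resolved roles;
        run-as credentials are never written to the message stream.
    #>

    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Platform,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Command,

        [Parameter()]
        [string]$MapPath,

        [Parameter()]
        [string]$TenantId,

        [Parameter()]
        [pscredential]$RunAsCredential,

        [Parameter()]
        [pscredential]$RunAsServicePrincipal,

        [Parameter()]
        [string]$RunAsTenantId,

        [Parameter()]
        [switch]$RunAsManagedIdentity,

        [Parameter()]
        [string]$RunAsManagedIdentityClientId
    )

    Write-PSFMessage -Level Verbose -Message "Get-RBACRequirement: platform '$Platform', command '$Command'." -Tag 'PSAutoRBAC', 'Public'

    # Resolve the provider first: an unknown platform must fail before the
    # run-as context (and any session it establishes) is initialized.
    $provider = Get-RBACProviderInternal -Platform $Platform
    if (-not $provider) {
        # Without this guard a missing provider surfaces later as an opaque
        # "cannot invoke null" error from the '&' call below.
        throw "Get-RBACRequirement: no probe provider is registered for platform '$Platform'."
    }

    # The context carries the run-as identity (if any) and is torn down in finally.
    $context = Initialize-RBACContext -BoundParameters $PSBoundParameters
    try {
        # Only forward MapPath when the caller supplied one; providers fall back
        # to their default knowledge base otherwise.
        $options = @{}
        if ($MapPath) { $options['MapPath'] = $MapPath }

        $req = & $provider.ResolveRequirement $Command $context $options

        $roleList = @($req.Roles) -join ', '
        Write-PSFMessage -Level Verbose -Message "Get-RBACRequirement: '$Command' requires role(s) [$roleList] (source: $($req.Source), known: $($req.IsKnown))." -Tag 'PSAutoRBAC', 'Public'
        $req
    }
    finally {
        # Always disconnect a run-as session, on both the success and the error
        # path. A failure inside finally would otherwise replace the provider's
        # original exception, so disconnect errors are downgraded to a warning.
        if ($context.IsRunAs) {
            try {
                & $context.Disconnect
            }
            catch {
                Write-PSFMessage -Level Warning -Message "Get-RBACRequirement: failed to disconnect run-as context: $($_.Exception.Message)" -Tag 'PSAutoRBAC', 'Public'
            }
        }
    }
}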