feat(security): add ConfigEditor + AuthenticatedRead AdminUI policies behind AdminUiPolicies constants

This commit is contained in:
Joseph Doherty
2026-07-13 09:52:13 -04:00
parent 1676c8f40f
commit 183b72b7cb
4 changed files with 165 additions and 7 deletions
@@ -0,0 +1,22 @@
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
/// <summary>
/// Names of the AdminUI authorization policies registered by <c>AddOtOpcUaAuth</c>.
/// Single source of truth — pages, AuthorizeView blocks, imperative checks, and endpoint
/// groups must reference these constants, never string literals (guarded by
/// PageAuthorizationGuardTests). Policy → role mapping lives in ServiceCollectionExtensions.
/// </summary>
public static class AdminUiPolicies
{
/// <summary>Fleet-wide admin actions (RoleGrants page, certificate mutations). Roles: Administrator.</summary>
public const string FleetAdmin = "FleetAdmin";
/// <summary>Live driver operations (reconnect/restart, alarm ack/shelve, live address browse). Roles: Operator, Administrator.</summary>
public const string DriverOperator = "DriverOperator";
/// <summary>Config authoring: UNS/equipment/cluster/driver/ACL/namespace/script editors + deploy + script analysis. Roles: Administrator, Designer.</summary>
public const string ConfigEditor = "ConfigEditor";
/// <summary>Read-only AdminUI access (dashboards, lists, live tails). Any authenticated user.</summary>
public const string AuthenticatedRead = "AuthenticatedRead";
}