feat(auth)!: OtOpcUa canonical control-plane roles + config-DB migration (Task 1.7)

Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
  ConfigViewer   -> Viewer
  ConfigEditor   -> Designer
  FleetAdmin     -> Administrator
  DriverOperator -> Operator   (appsettings-only string role)

This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).

- AdminRole enum members renamed (persisted as string names via
  HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
  LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
  model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
  * Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
    but require canonical roles: RequireRole("Operator","Administrator")
    and RequireRole("Administrator").
  * Deployments.razor [Authorize(Roles="Administrator,Designer")].
  * DevStub now grants "Administrator"; LdapOptions/doc-comment examples
    canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
  TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
  the real registered policies; existing role-string tests updated.

src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Enums/AdminRole.cs

@@ -7,20 +7,31 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
 ///     <see cref="Entities.NodeAcl"/> joined against LDAP group memberships directly.
 /// </summary>
 /// <remarks>
-///     Per <c>docs/v2/plan.md</c> decision #150 the two concerns share zero runtime code path:
-///     the control plane (Admin UI) consumes <see cref="Entities.LdapGroupRoleMapping"/>; the
-///     data plane consumes <see cref="Entities.NodeAcl"/> rows directly. Having them in one
-///     table would collapse the distinction + let a user inherit tag permissions via their
-///     admin-role claim path.
+///     <para>
+///         Per <c>docs/v2/plan.md</c> decision #150 the two concerns share zero runtime code path:
+///         the control plane (Admin UI) consumes <see cref="Entities.LdapGroupRoleMapping"/>; the
+///         data plane consumes <see cref="Entities.NodeAcl"/> rows directly. Having them in one
+///         table would collapse the distinction + let a user inherit tag permissions via their
+///         admin-role claim path.
+///     </para>
+///     <para>
+///         Task 1.7 standardized the member names on the canonical control-plane role vocabulary
+///         (<c>ZB.MOM.WW.Auth</c> <c>CanonicalRole</c>): <c>ConfigViewer → Viewer</c>,
+///         <c>ConfigEditor → Designer</c>, <c>FleetAdmin → Administrator</c>. The appsettings-only
+///         <c>DriverOperator</c> string role likewise became <c>Operator</c>. These members persist
+///         as their string names (EF <c>HasConversion&lt;string&gt;</c>); the rename is paired with
+///         a data migration (<c>CanonicalizeAdminRoles</c>) that rewrites existing rows. This is a
+///         rename, not a permission change — enforcement semantics are preserved.
+///     </para>
 /// </remarks>
 public enum AdminRole
 {
-    /// <summary>Read-only Admin UI access — can view cluster state, drafts, publish history.</summary>
-    ConfigViewer,
+    /// <summary>Read-only Admin UI access — can view cluster state, drafts, publish history. (Canonical: Viewer; was ConfigViewer.)</summary>
+    Viewer,
 
-    /// <summary>Can author drafts + submit for publish.</summary>
-    ConfigEditor,
+    /// <summary>Can author drafts + submit for publish. (Canonical: Designer; was ConfigEditor.)</summary>
+    Designer,
 
-    /// <summary>Full Admin UI privileges including publish + fleet-admin actions.</summary>
-    FleetAdmin,
+    /// <summary>Full Admin UI privileges including publish + fleet-admin actions. (Canonical: Administrator; was FleetAdmin.)</summary>
+    Administrator,
 }

src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260602112419_CanonicalizeAdminRoles.cs

@@ -0,0 +1,39 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <summary>
+    ///     Task 1.7 — canonicalizes the control-plane admin role VALUES persisted in the
+    ///     <c>LdapGroupRoleMapping.Role</c> column. The column stores the <c>AdminRole</c> enum
+    ///     member name as a string (EF <c>HasConversion&lt;string&gt;</c>, <c>nvarchar(32)</c>);
+    ///     renaming the enum members (<c>ConfigViewer → Viewer</c>, <c>ConfigEditor → Designer</c>,
+    ///     <c>FleetAdmin → Administrator</c>) therefore requires rewriting existing rows so the C#
+    ///     enum and the stored strings stay in sync.
+    /// </summary>
+    /// <remarks>
+    ///     This is a pure DATA migration: the schema (column type, length, indexes) is unchanged,
+    ///     so the model snapshot is byte-identical to the prior migration. The new canonical strings
+    ///     ("Viewer" = 6, "Designer" = 8, "Administrator" = 13 chars) all fit the existing
+    ///     <c>nvarchar(32)</c> column. Enforcement semantics are preserved — it is a rename only.
+    /// </remarks>
+    public partial class CanonicalizeAdminRoles : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'Viewer' WHERE [Role] = N'ConfigViewer';");
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'Designer' WHERE [Role] = N'ConfigEditor';");
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'Administrator' WHERE [Role] = N'FleetAdmin';");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'FleetAdmin' WHERE [Role] = N'Administrator';");
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'ConfigEditor' WHERE [Role] = N'Designer';");
+            migrationBuilder.Sql("UPDATE [LdapGroupRoleMapping] SET [Role] = N'ConfigViewer' WHERE [Role] = N'Viewer';");
+        }
+    }
+}

src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Deployments.razor

@@ -9,7 +9,7 @@
 @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
 @using ZB.MOM.WW.OtOpcUa.ControlPlane.AdminOperations
 
-@attribute [Authorize(Roles = "FleetAdmin,ConfigEditor")]
+@attribute [Authorize(Roles = "Administrator,Designer")]
 
 @inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
 @inject IAdminOperationsClient AdminOps

src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/RoleGrants.razor

@@ -108,7 +108,7 @@
     private LdapOptions? _options;
     private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
     private string _newGroup = "";
-    private AdminRole _newRole = AdminRole.ConfigViewer;
+    private AdminRole _newRole = AdminRole.Viewer;
     private string? _error;
     private bool _busy;
 
@@ -134,7 +134,7 @@
                 LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
             }, default);
             _newGroup = "";
-            _newRole = AdminRole.ConfigViewer;
+            _newRole = AdminRole.Viewer;
             await ReloadAsync();
         }
         catch (Exception ex) { _error = ex.Message; }

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapOptions.cs

@@ -44,7 +44,7 @@ public sealed class LdapOptions
 
     /// <summary>
     ///     Dev-only stub: when <c>true</c>, <see cref="OtOpcUaLdapAuthService"/> bypasses the real LDAP
-    ///     bind and accepts any non-empty username/password, returning a single FleetAdmin role
+    ///     bind and accepts any non-empty username/password, returning a single Administrator role
     ///     so the operator can navigate the full Admin UI. MUST be <c>false</c> in production.
     /// </summary>
     public bool DevStubMode { get; set; }
@@ -76,8 +76,9 @@ public sealed class LdapOptions
 
     /// <summary>
     ///     Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
-    ///     role whose source group is in their membership list. Example dev mapping:
-    ///     <code>"ReadOnly":"ConfigViewer","ReadWrite":"ConfigEditor","AlarmAck":"FleetAdmin"</code>
+    ///     role whose source group is in their membership list. Values are the canonical control-plane
+    ///     roles (Task 1.7). Example dev mapping:
+    ///     <code>"ReadOnly":"Viewer","ReadWrite":"Designer","AlarmAck":"Administrator"</code>
     /// </summary>
     public Dictionary<string, string> GroupToRole { get; set; } = new(StringComparer.OrdinalIgnoreCase);
 

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/OtOpcUaLdapAuthService.cs

@@ -13,7 +13,7 @@ namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 ///     library deliberately does not model:
 ///     <list type="number">
 ///         <item>the <see cref="LdapOptions.Enabled"/> master switch (disabled ⇒ deny, no bind); and</item>
-///         <item><see cref="LdapOptions.DevStubMode"/> — the dev bypass that grants a FleetAdmin
+///         <item><see cref="LdapOptions.DevStubMode"/> — the dev bypass that grants an Administrator
 ///             session WITHOUT touching the network, so an operator can navigate the full Admin UI
 ///             against a machine with no directory.</item>
 ///     </list>
@@ -24,12 +24,13 @@ namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 ///     both the login endpoint and the OPC UA data-plane authenticator call with the returned
 ///     <see cref="LdapAuthResult.Groups"/>. The only path that pre-populates
 ///     <see cref="LdapAuthResult.Roles"/> is the DevStub success; consumers union that pre-resolved
-///     set with the mapper output so the dev FleetAdmin grant survives the move to the mapper.
+///     set with the mapper output so the dev Administrator grant survives the move to the mapper.
 /// </summary>
 /// <remarks>
 ///     Fail-closed: the library never throws, and this wrapper adds no new throwing paths. The
-///     DevStub result mirrors the legacy bespoke service exactly (group <c>"dev"</c>, role
-///     <c>"FleetAdmin"</c>) so behaviour is preserved bit-for-bit on dev nodes.
+///     DevStub result grants the canonical <c>"Administrator"</c> control-plane role (group
+///     <c>"dev"</c>) so the dev session can navigate the full Admin UI (Task 1.7 renamed the prior
+///     <c>"FleetAdmin"</c> to the canonical <c>"Administrator"</c>).
 /// </remarks>
 public sealed class OtOpcUaLdapAuthService : ILdapAuthService
 {
@@ -77,12 +78,13 @@ public sealed class OtOpcUaLdapAuthService : ILdapAuthService
 
         if (_options.DevStubMode)
         {
-            // Dev bypass: accept any non-empty credentials and grant FleetAdmin WITHOUT a real bind.
+            // Dev bypass: accept any non-empty credentials and grant Administrator WITHOUT a real bind.
             // Pre-populated Roles are unioned with the mapper output by both consumers, so the grant
-            // survives the move to IGroupRoleMapper. Mirrors the legacy bespoke service exactly.
+            // survives the move to IGroupRoleMapper. (Task 1.7 canonicalized the role string from the
+            // prior "FleetAdmin" to "Administrator".)
             _logger.LogWarning(
                 "OtOpcUaLdapAuthService: DevStubMode bypass — accepting {User} without a real LDAP bind", username);
-            return new(true, username, username, ["dev"], ["FleetAdmin"], null);
+            return new(true, username, username, ["dev"], ["Administrator"], null);
         }
 
         // Fail closed on a plaintext transport unless explicitly opted in. The bespoke service

src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs

@@ -103,14 +103,17 @@ public static class ServiceCollectionExtensions
                 .RequireAuthenticatedUser()
                 .Build();
 
-            // DriverOperator: may issue Reconnect/Restart commands against live driver instances
-            // from the Admin UI DriverStatusPanel. Map LDAP group → role via GroupToRole in
-            // appsettings (e.g. "ot-driver-operator": "DriverOperator").
+            // DriverOperator (policy NAME kept stable): may issue Reconnect/Restart commands against
+            // live driver instances from the Admin UI DriverStatusPanel. The role STRINGS it requires
+            // are the canonical control-plane roles (Task 1.7): Operator (was DriverOperator) and
+            // Administrator (was FleetAdmin). Map LDAP group → role via GroupToRole in appsettings
+            // (e.g. "ot-driver-operator": "Operator").
             o.AddPolicy("DriverOperator", policy =>
-                policy.RequireRole("DriverOperator", "FleetAdmin"));
+                policy.RequireRole("Operator", "Administrator"));
 
-            // FleetAdmin: full administrative access; gates fleet-wide pages such as RoleGrants.
-            o.AddPolicy("FleetAdmin", policy => policy.RequireRole("FleetAdmin"));
+            // FleetAdmin (policy NAME kept stable): full administrative access; gates fleet-wide pages
+            // such as RoleGrants. Requires the canonical Administrator role (was FleetAdmin).
+            o.AddPolicy("FleetAdmin", policy => policy.RequireRole("Administrator"));
         });
 
         return services;