Equipment CSV import UI — Stream B.3/B.5 operator page + EquipmentTab "Import CSV" button. Closes the UI slice of task #163 (Phase 6.4 Stream B.3/B.5); the ExternalIdReservation merge follow-up inside FinaliseBatchAsync is split into new task #197 so it gets a proper concurrent-insert test matrix rather than riding this UI PR. New /clusters/{ClusterId}/draft/{GenerationId}/import-equipment page driving the full staged-import flow end-to-end. Operator selects a driver instance + UNS line (both scoped to the draft generation via DriverInstanceService.ListAsync + UnsService.ListLinesAsync dropdowns), pastes or uploads a CSV (InputFile with 5 MiB cap so pathological files can't OOM the server), clicks Parse — EquipmentCsvImporter.Parse runs + shows two side-by-side cards (accepted rows in green with ZTag/Machine/Name/Line columns, rejected rows in red with line-number + reason). Click Stage + Finalise and the page calls CreateBatchAsync → StageRowsAsync → FinaliseBatchAsync in sequence using the authenticated user's identity as CreatedBy; on success, 600ms banner then NavigateTo back to the draft editor so operator sees the newly-imported rows in EquipmentTab without a manual refresh. Parse errors (missing version marker, bad header, malformed CSV) surface InvalidCsvFormatException.Message inline alongside the Parse button — no page reload needed to retry. Finalise errors surface the service-layer exception message (ImportBatchNotFoundException / ImportBatchAlreadyFinalisedException / any DbUpdate* exception from the atomic transaction) so operator sees exactly why the finalise rejected before the tx rolled back. EquipmentTab gains an "Import CSV…" button next to "Add equipment" that NavigateTo's the new page; it needs a ClusterId parameter to build the URL so the @code block adds [Parameter] string ClusterId, and DraftEditor now passes ClusterId="@ClusterId" alongside the existing GenerationId. EquipmentImportBatchService was already implemented in Phase 6.4 Stream B.4 but missing from the Admin DI container — this PR adds AddScoped so the @inject resolves. The FinaliseBatch docstring explicitly defers ExternalIdReservation merge as a narrower follow-up with a concurrent-insert test matrix — task #197 captures that work. For now the finalise may surface a DB-level UNIQUE-constraint violation if a ZTag conflict exists at commit time; the UI shows the raw message + the batch + staged rows are still in the DB for re-use once the conflict is resolved. Admin project builds 0 errors; Admin.Tests 72/72 passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -10,6 +10,7 @@
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/certificates">Certificates</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/role-grants">Role grants</a></li>
         </ul>
 
         <div class="mt-5">

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DraftEditor.razor

@@ -27,7 +27,7 @@
 
 <div class="row">
     <div class="col-md-8">
-        @if (_tab == "equipment") { <EquipmentTab GenerationId="@GenerationId"/> }
+        @if (_tab == "equipment") { <EquipmentTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
         else if (_tab == "uns") { <UnsTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
         else if (_tab == "namespaces") { <NamespacesTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
         else if (_tab == "drivers") { <DriversTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/EquipmentTab.razor

@@ -2,10 +2,14 @@
 @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
 @using ZB.MOM.WW.OtOpcUa.Configuration.Validation
 @inject EquipmentService EquipmentSvc
+@inject NavigationManager Nav
 
 <div class="d-flex justify-content-between mb-3">
     <h4>Equipment (draft gen @GenerationId)</h4>
-    <button class="btn btn-primary btn-sm" @onclick="StartAdd">Add equipment</button>
+    <div>
+        <button class="btn btn-outline-primary btn-sm me-2" @onclick="GoImport">Import CSV…</button>
+        <button class="btn btn-primary btn-sm" @onclick="StartAdd">Add equipment</button>
+    </div>
 </div>
 
 @if (_equipment is null)
@@ -96,6 +100,9 @@ else if (_equipment.Count > 0)
 
 @code {
     [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private void GoImport() => Nav.NavigateTo($"/clusters/{ClusterId}/draft/{GenerationId}/import-equipment");
     private List<Equipment>? _equipment;
     private bool _showForm;
     private bool _editMode;

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ImportEquipment.razor

@@ -0,0 +1,200 @@
+@page "/clusters/{ClusterId}/draft/{GenerationId:long}/import-equipment"
+@using Microsoft.AspNetCore.Components.Authorization
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject DriverInstanceService DriverSvc
+@inject UnsService UnsSvc
+@inject EquipmentImportBatchService BatchSvc
+@inject NavigationManager Nav
+@inject AuthenticationStateProvider AuthProvider
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <div>
+        <h1 class="mb-0">Equipment CSV import</h1>
+        <small class="text-muted">Cluster <code>@ClusterId</code> · draft generation @GenerationId</small>
+    </div>
+    <a class="btn btn-outline-secondary" href="/clusters/@ClusterId/draft/@GenerationId">Back to draft</a>
+</div>
+
+<div class="alert alert-info small mb-3">
+    Accepts <code>@EquipmentCsvImporter.VersionMarker</code>-headered CSV per Stream B.3.
+    Required columns: @string.Join(", ", EquipmentCsvImporter.RequiredColumns).
+    Optional columns cover the OPC 40010 Identification fields. Paste the file contents
+    or upload directly — the parser runs client-stream-side and shows a row-level preview
+    before anything lands in the draft. ZTag + SAPID uniqueness across the fleet is NOT
+    enforced here yet (see task #197); for now the finalise may fail at commit time if a
+    reservation conflict exists.
+</div>
+
+<div class="card mb-3">
+    <div class="card-body">
+        <div class="row g-3">
+            <div class="col-md-5">
+                <label class="form-label">Target driver instance (for every accepted row)</label>
+                <select class="form-select" @bind="_driverInstanceId">
+                    <option value="">-- select driver --</option>
+                    @if (_drivers is not null)
+                    {
+                        @foreach (var d in _drivers) { <option value="@d.DriverInstanceId">@d.DriverInstanceId</option> }
+                    }
+                </select>
+            </div>
+            <div class="col-md-5">
+                <label class="form-label">Target UNS line (for every accepted row)</label>
+                <select class="form-select" @bind="_unsLineId">
+                    <option value="">-- select line --</option>
+                    @if (_unsLines is not null)
+                    {
+                        @foreach (var l in _unsLines) { <option value="@l.UnsLineId">@l.UnsLineId — @l.Name</option> }
+                    }
+                </select>
+            </div>
+            <div class="col-md-2 pt-4">
+                <InputFile OnChange="HandleFileAsync" class="form-control form-control-sm" accept=".csv,.txt"/>
+            </div>
+        </div>
+        <div class="mt-3">
+            <label class="form-label">CSV content (paste or uploaded)</label>
+            <textarea class="form-control font-monospace" rows="8" @bind="_csvText"
+                      placeholder="# OtOpcUaCsv v1&#10;ZTag,MachineCode,SAPID,EquipmentId,…"/>
+        </div>
+        <div class="mt-3">
+            <button class="btn btn-sm btn-outline-primary" @onclick="ParseAsync" disabled="@_busy">Parse</button>
+            <button class="btn btn-sm btn-primary ms-2" @onclick="StageAndFinaliseAsync"
+                    disabled="@(_parseResult is null || _parseResult.AcceptedRows.Count == 0 || string.IsNullOrWhiteSpace(_driverInstanceId) || string.IsNullOrWhiteSpace(_unsLineId) || _busy)">
+                Stage + Finalise
+            </button>
+            @if (_parseError is not null) { <span class="alert alert-danger ms-3 py-1 px-2 small">@_parseError</span> }
+            @if (_result is not null) { <span class="alert alert-success ms-3 py-1 px-2 small">@_result</span> }
+        </div>
+    </div>
+</div>
+
+@if (_parseResult is not null)
+{
+    <div class="row g-3">
+        <div class="col-md-6">
+            <div class="card">
+                <div class="card-header bg-success text-white">
+                    Accepted (@_parseResult.AcceptedRows.Count)
+                </div>
+                <div class="card-body p-0" style="max-height: 400px; overflow-y: auto;">
+                    @if (_parseResult.AcceptedRows.Count == 0)
+                    {
+                        <p class="text-muted p-3 mb-0">No accepted rows.</p>
+                    }
+                    else
+                    {
+                        <table class="table table-sm table-striped mb-0">
+                            <thead>
+                                <tr><th>ZTag</th><th>Machine</th><th>Name</th><th>Line</th></tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var r in _parseResult.AcceptedRows)
+                            {
+                                <tr>
+                                    <td><code>@r.ZTag</code></td>
+                                    <td>@r.MachineCode</td>
+                                    <td>@r.Name</td>
+                                    <td>@r.UnsLineName</td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    }
+                </div>
+            </div>
+        </div>
+        <div class="col-md-6">
+            <div class="card">
+                <div class="card-header bg-danger text-white">
+                    Rejected (@_parseResult.RejectedRows.Count)
+                </div>
+                <div class="card-body p-0" style="max-height: 400px; overflow-y: auto;">
+                    @if (_parseResult.RejectedRows.Count == 0)
+                    {
+                        <p class="text-muted p-3 mb-0">No rejections.</p>
+                    }
+                    else
+                    {
+                        <table class="table table-sm table-striped mb-0">
+                            <thead><tr><th>Line</th><th>Reason</th></tr></thead>
+                            <tbody>
+                            @foreach (var e in _parseResult.RejectedRows)
+                            {
+                                <tr>
+                                    <td>@e.LineNumber</td>
+                                    <td class="small">@e.Reason</td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    }
+                </div>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    [Parameter] public long GenerationId { get; set; }
+
+    private List<DriverInstance>? _drivers;
+    private List<UnsLine>? _unsLines;
+    private string _driverInstanceId = string.Empty;
+    private string _unsLineId = string.Empty;
+    private string _csvText = string.Empty;
+    private EquipmentCsvParseResult? _parseResult;
+    private string? _parseError;
+    private string? _result;
+    private bool _busy;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _drivers = await DriverSvc.ListAsync(GenerationId, CancellationToken.None);
+        _unsLines = await UnsSvc.ListLinesAsync(GenerationId, CancellationToken.None);
+    }
+
+    private async Task HandleFileAsync(InputFileChangeEventArgs e)
+    {
+        // 5 MiB cap — refuses pathological uploads that would OOM the server.
+        using var stream = e.File.OpenReadStream(maxAllowedSize: 5 * 1024 * 1024);
+        using var reader = new StreamReader(stream);
+        _csvText = await reader.ReadToEndAsync();
+    }
+
+    private void ParseAsync()
+    {
+        _parseError = null;
+        _parseResult = null;
+        _result = null;
+        try { _parseResult = EquipmentCsvImporter.Parse(_csvText); }
+        catch (InvalidCsvFormatException ex) { _parseError = ex.Message; }
+        catch (Exception ex) { _parseError = $"Parse failed: {ex.Message}"; }
+    }
+
+    private async Task StageAndFinaliseAsync()
+    {
+        if (_parseResult is null) return;
+        _busy = true;
+        _result = null;
+        _parseError = null;
+        try
+        {
+            var auth = await AuthProvider.GetAuthenticationStateAsync();
+            var createdBy = auth.User.Identity?.Name ?? "unknown";
+
+            var batch = await BatchSvc.CreateBatchAsync(ClusterId, createdBy, CancellationToken.None);
+            await BatchSvc.StageRowsAsync(batch.Id, _parseResult.AcceptedRows, _parseResult.RejectedRows, CancellationToken.None);
+            await BatchSvc.FinaliseBatchAsync(batch.Id, GenerationId, _driverInstanceId, _unsLineId, CancellationToken.None);
+
+            _result = $"Finalised batch {batch.Id:N} — {_parseResult.AcceptedRows.Count} rows added.";
+            // Pause 600 ms so the success banner is visible, then navigate back.
+            await Task.Delay(600);
+            Nav.NavigateTo($"/clusters/{ClusterId}/draft/{GenerationId}");
+        }
+        catch (Exception ex) { _parseError = $"Finalise failed: {ex.Message}"; }
+        finally { _busy = false; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/RoleGrants.razor

@@ -0,0 +1,161 @@
+@page "/role-grants"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@using ZB.MOM.WW.OtOpcUa.Configuration.Services
+@inject ILdapGroupRoleMappingService RoleSvc
+@inject ClusterService ClusterSvc
+
+<h1 class="mb-4">LDAP group → Admin role grants</h1>
+
+<div class="alert alert-info small mb-4">
+    Maps LDAP groups to Admin UI roles (ConfigViewer / ConfigEditor / FleetAdmin). Control-plane
+    only — OPC UA data-path authorization reads <code>NodeAcl</code> rows directly and is
+    unaffected by these mappings (see decision #150). A fleet-wide grant applies across every
+    cluster; a cluster-scoped grant only binds within the named cluster. The same LDAP group
+    may hold different roles on different clusters.
+</div>
+
+<div class="d-flex justify-content-end mb-3">
+    <button class="btn btn-primary btn-sm" @onclick="StartAdd">Add grant</button>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <p class="text-muted">No role grants defined yet. Without at least one FleetAdmin grant,
+        only the bootstrap admin can publish drafts.</p>
+}
+else
+{
+    <table class="table table-sm table-hover">
+        <thead>
+            <tr><th>LDAP group</th><th>Role</th><th>Scope</th><th>Created</th><th>Notes</th><th></th></tr>
+        </thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr>
+                <td><code>@r.LdapGroup</code></td>
+                <td><span class="badge bg-secondary">@r.Role</span></td>
+                <td>@(r.IsSystemWide ? "Fleet-wide" : $"Cluster: {r.ClusterId}")</td>
+                <td class="small">@r.CreatedAtUtc.ToString("yyyy-MM-dd")</td>
+                <td class="small text-muted">@r.Notes</td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteAsync(r.Id)">Revoke</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card mt-3">
+        <div class="card-body">
+            <h5>New role grant</h5>
+            <div class="row g-3">
+                <div class="col-md-4">
+                    <label class="form-label">LDAP group (DN)</label>
+                    <input class="form-control" @bind="_group" placeholder="cn=fleet-admin,ou=groups,dc=…"/>
+                </div>
+                <div class="col-md-3">
+                    <label class="form-label">Role</label>
+                    <select class="form-select" @bind="_role">
+                        @foreach (var r in Enum.GetValues<AdminRole>())
+                        {
+                            <option value="@r">@r</option>
+                        }
+                    </select>
+                </div>
+                <div class="col-md-2 pt-4">
+                    <div class="form-check">
+                        <input class="form-check-input" type="checkbox" id="systemWide" @bind="_isSystemWide"/>
+                        <label class="form-check-label" for="systemWide">Fleet-wide</label>
+                    </div>
+                </div>
+                <div class="col-md-3">
+                    <label class="form-label">Cluster @(_isSystemWide ? "(disabled)" : "")</label>
+                    <select class="form-select" @bind="_clusterId" disabled="@_isSystemWide">
+                        <option value="">-- select --</option>
+                        @if (_clusters is not null)
+                        {
+                            @foreach (var c in _clusters)
+                            {
+                                <option value="@c.ClusterId">@c.ClusterId</option>
+                            }
+                        }
+                    </select>
+                </div>
+                <div class="col-12">
+                    <label class="form-label">Notes (optional)</label>
+                    <input class="form-control" @bind="_notes"/>
+                </div>
+            </div>
+            @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    private IReadOnlyList<LdapGroupRoleMapping>? _rows;
+    private List<ServerCluster>? _clusters;
+    private bool _showForm;
+    private string _group = string.Empty;
+    private AdminRole _role = AdminRole.ConfigViewer;
+    private bool _isSystemWide;
+    private string _clusterId = string.Empty;
+    private string? _notes;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _rows = await RoleSvc.ListAllAsync(CancellationToken.None);
+        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
+    }
+
+    private void StartAdd()
+    {
+        _group = string.Empty;
+        _role = AdminRole.ConfigViewer;
+        _isSystemWide = false;
+        _clusterId = string.Empty;
+        _notes = null;
+        _error = null;
+        _showForm = true;
+    }
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        try
+        {
+            var row = new LdapGroupRoleMapping
+            {
+                LdapGroup = _group.Trim(),
+                Role = _role,
+                IsSystemWide = _isSystemWide,
+                ClusterId = _isSystemWide ? null : (string.IsNullOrWhiteSpace(_clusterId) ? null : _clusterId),
+                Notes = string.IsNullOrWhiteSpace(_notes) ? null : _notes,
+            };
+            await RoleSvc.CreateAsync(row, CancellationToken.None);
+            _showForm = false;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private async Task DeleteAsync(Guid id)
+    {
+        await RoleSvc.DeleteAsync(id, CancellationToken.None);
+        await ReloadAsync();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -48,6 +48,9 @@ builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
 builder.Services.AddScoped<HostStatusService>();
+builder.Services.AddScoped<EquipmentImportBatchService>();
+builder.Services.AddScoped<ZB.MOM.WW.OtOpcUa.Configuration.Services.ILdapGroupRoleMappingService,
+    ZB.MOM.WW.OtOpcUa.Configuration.Services.LdapGroupRoleMappingService>();
 
 // Cert-trust management — reads the OPC UA server's PKI store root so rejected client certs
 // can be promoted to trusted via the Admin UI. Singleton: no per-request state, just