namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
/// <summary>
/// Deterministic LDAP-group-to-Admin-role mapper driven by the group-to-role map passed to <see cref="Map"/>.
/// Every returned role corresponds to a group the user actually holds; no inference.
/// </summary>
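public static class RoleMapper
{
    /// <summary>
    /// Resolves the Admin roles granted by the LDAP groups a user holds.
    /// </summary>
    /// <param name="ldapGroups">Group names the user is a member of.</param>
    /// <param name="groupToRole">Mapping from LDAP group name to Admin role.</param>
    /// <returns>
    /// The distinct roles (compared case-insensitively) whose group appears in
    /// <paramref name="ldapGroups"/>; empty when nothing matches or when the map is empty.
    /// </returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="groupToRole"/> is null, or <paramref name="ldapGroups"/> is null while the
    /// map is non-empty.
    /// </exception>
    /// <remarks>
    /// Group lookup uses whatever key comparer <paramref name="groupToRole"/> was built with; this
    /// method does not normalise case itself. NOTE(review): directory group names are usually
    /// treated as case-insensitive, so confirm the caller builds the map with a case-insensitive
    /// comparer. With an ordinal map a casing mismatch yields no role rather than an error.
    /// </remarks>
    public static IReadOnlyList<string> Map(
        IReadOnlyCollection<string> ldapGroups,
        IReadOnlyDictionary<string, string> groupToRole)
    {
        ArgumentNullException.ThrowIfNull(groupToRole);

        // No mapping configured: nobody receives a role, whatever groups they hold.
        if (groupToRole.Count == 0)
        {
            return [];
        }

        ArgumentNullException.ThrowIfNull(ldapGroups);

        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var group in ldapGroups)
        {
            // Ignore null/blank group names: a null key makes the lookup throw, and a blank
            // key left in a misconfigured map must not be able to grant a role.
            if (string.IsNullOrWhiteSpace(group))
            {
                continue;
            }

            // A mapping whose role value is blank grants nothing; never hand an empty role
            // string back to the caller.
            if (groupToRole.TryGetValue(group, out var role) && !string.IsNullOrWhiteSpace(role))
            {
                roles.Add(role);
            }
        }

        return [.. roles];
    }
}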