using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
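/// <summary>
/// Maps an LDAP group to an <see cref="AdminRole"/> for Admin UI access. Optionally scoped
/// to one <see cref="ServerCluster"/>; when <see cref="IsSystemWide"/> is true, the grant
/// applies fleet-wide.
/// </summary>
/// <remarks>
/// <para>
/// Per docs/v2/plan.md decisions #105 and #150 — this entity is control-plane
/// only. The OPC UA data-path evaluator does not read these rows; it reads the separate
/// data-path permission mapping (the original cross-reference to that entity was lost —
/// restore the cref) joined directly against the session's resolved LDAP group
/// memberships. Collapsing the two would let a user inherit tag permissions via an
/// admin-role claim path never intended as a data-path grant.
/// </para>
/// <para>
/// Uniqueness: (LdapGroup, ClusterId) — the same LDAP group may hold different roles on
/// different clusters, but only one row per cluster. A system-wide row
/// (IsSystemWide = true, ClusterId = null) stacks additively with any cluster-scoped rows
/// for the same group; a cluster-scoped row can therefore add to, but never narrow, a
/// system-wide grant.
/// </para>
/// <para>
/// NOTE(review): two things the unique index must get right for that rule to hold.
/// (1) <see cref="LdapGroup"/> is compared case-insensitively, so the index needs a matching
/// case-insensitive collation or a normalized column; otherwise two rows differing only in
/// case both persist and both grant. (2) Most providers treat NULL as distinct in a unique
/// index, so the (LdapGroup, NULL) system-wide row is not deduplicated by a plain index —
/// confirm a filtered index on IsSystemWide (or equivalent) covers it.
/// </para>
/// <para>
/// Scope invariant: IsSystemWide is true exactly when ClusterId is null. <see cref="Validate"/>
/// checks it in code; mirror it with a database check constraint so a row written by any
/// other path cannot violate it.
/// </para>
/// </remarks>
public sealed class LdapGroupRoleMapping
{
    /// <summary>Surrogate primary key.</summary>
    public Guid Id { get; set; }

    /// <summary>
    /// LDAP group DN the membership query returns (e.g. cn=fleet-admin,ou=groups,dc=corp,dc=example).
    /// Comparison is case-insensitive per LDAP conventions.
    /// </summary>
    /// <remarks>
    /// NOTE(review): LDAP DN equality also ignores insignificant whitespace around RDN
    /// separators and attribute-type case; a plain case-insensitive string compare is only
    /// an approximation. Store the DN in the same canonical form the membership query
    /// returns — confirm that form against the directory client.
    /// </remarks>
    public required string LdapGroup { get; set; }

    /// <summary>Admin role this group grants.</summary>
    public required AdminRole Role { get; set; }

    /// <summary>
    /// Cluster the grant applies to; null when <see cref="IsSystemWide"/> is true.
    /// Foreign key to <see cref="ServerCluster"/>.
    /// </summary>
    public string? ClusterId { get; set; }

    /// <summary>
    /// true = grant applies across every cluster in the fleet; <see cref="ClusterId"/> must be null.
    /// false = grant is cluster-scoped; <see cref="ClusterId"/> must be populated.
    /// </summary>
    public required bool IsSystemWide { get; set; }

    /// <summary>
    /// Row creation timestamp (UTC). Callers are expected to assign a value with
    /// <see cref="DateTimeKind.Utc"/>; nothing here enforces the Kind.
    /// </summary>
    public DateTime CreatedAtUtc { get; set; }

    /// <summary>
    /// Optional human-readable note (e.g. "added 2026-04-19 for Warsaw fleet admin handoff").
    /// Free text entered by an operator — treat as untrusted when rendering it in the Admin UI.
    /// </summary>
    public string? Notes { get; set; }

    /// <summary>Navigation for EF Core when the row is cluster-scoped.</summary>
    public ServerCluster? Cluster { get; set; }

    /// <summary>
    /// Enforces the invariants documented on this type: <see cref="LdapGroup"/> is non-blank,
    /// and <see cref="IsSystemWide"/> agrees with <see cref="ClusterId"/> (system-wide rows
    /// carry no cluster, cluster-scoped rows carry exactly one).
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// Thrown when a field is blank or the scope fields disagree.
    /// </exception>
    public void Validate()
    {
        // A blank group DN would never match a real membership, but it is still a grant row;
        // reject it rather than carry a dead (or, after a later edit, surprising) entry.
        if (string.IsNullOrWhiteSpace(LdapGroup))
        {
            throw new InvalidOperationException(
                $"{nameof(LdapGroupRoleMapping)} {Id}: {nameof(LdapGroup)} must not be blank.");
        }

        if (IsSystemWide && ClusterId is not null)
        {
            throw new InvalidOperationException(
                $"{nameof(LdapGroupRoleMapping)} {Id}: {nameof(IsSystemWide)} is true but {nameof(ClusterId)} is set.");
        }

        // The cluster-scoped-with-no-cluster case is the one to fail fast on: how a null key
        // behaves depends on the consumer's join, and a grant row should never rely on that.
        if (!IsSystemWide && string.IsNullOrWhiteSpace(ClusterId))
        {
            throw new InvalidOperationException(
                $"{nameof(LdapGroupRoleMapping)} {Id}: cluster-scoped grant has no {nameof(ClusterId)}.");
        }
    }
}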