[PM-40336] Access Rules: domain, persistence & schema#7981
Conversation
|
Reviewed the automated code-quality suggestions. Decisions below: 1. 2. Dapper 3. 4. EF Net: keeping (1), (2), and (4) as-is by design; (3) is an optional cosmetic tweak. |
f5a81b6 to
74777a5
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #7981 +/- ##
==========================================
- Coverage 66.58% 66.54% -0.04%
==========================================
Files 2277 2284 +7
Lines 99452 99680 +228
Branches 8983 8992 +9
==========================================
+ Hits 66220 66332 +112
- Misses 30963 31076 +113
- Partials 2269 2272 +3 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-40336
📔 Objective
Add the domain and persistence layer for org-scoped PAM Access Rules — the
reusable policy objects that gate PAM credential leasing. This is the first of two
stacked PRs; the commercial CRUD API that consumes this layer follows in #7983
(stacked on this branch).
Access-rule data (name, description, conditions) is organization configuration
metadata, not Vault Data — no zero-knowledge surface is touched. Nothing here is
reachable at runtime until the API lands and the
pm-37044-pam-v-0(
FeatureFlagKeys.Pam) flag is enabled.What's included
Domain — new
Pam.Domainlibrary (src/Pam.Domain)AccessRuleentity: org-scoped rule with lease semantics —SingleActiveLease,DefaultLeaseDurationSeconds,MaxLeaseDurationSeconds,Enabled,AllowsExtensions/MaxExtensionDurationSeconds, andLastEditedBy.Conditionsstored as a JSONAccessConditiontree (validated in [PM-40336] Access Rules: API #7983).AccessRuleDetails(rule + governed collection IDs),IAccessRuleRepository,and the
AccessAuditEventData/AccessAuditEventKind/AccessAuditEventPhaseaudit contract.
IAccessAuditEventEmitteraudit-write seam with aNoopdefault — both inPam.Domain(the commercial implementation in the Pam service persists to thePAM audit store).
Persistence
Infrastructure.Dapper) and EF Core (Infrastructure.EntityFramework)AccessRuleRepositoryimplementations, registered in DI.AccessRuletable + stored procedures (_Create,_Update,_DeleteById,_ReadById,_ReadByOrganizationId,_ReadDetailsById,_ReadDetailsByOrganizationId,Collection_SetAccessRuleAssociations).2026-07-14_00_AddAccessRule.sql) and EF migrations +snapshots for Postgres/MySQL/SQLite.
Collection association
Collection.AccessRuleIdFK (null = leasing disabled for that collection);updated
Collection_*stored procedures and theCollectiontable.(Touches AdminConsole-owned files — flagging for that team's review.)
📸 Screenshots
N/A — backend only.