[PM-40336] Access Rules: API#7983
Conversation
🤖 Bitwarden Claude Code ReviewOverall Assessment: APPROVE Reviewed the commercial CRUD API for org-scoped PAM Access Rules ( Code Review DetailsNo blocking findings. Verification notes:
|
0351a28 to
37a5507
Compare
37a5507 to
a85b172
Compare
a85b172 to
9c09687
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## pam/access-rule #7983 +/- ##
==================================================
Coverage ? 61.99%
==================================================
Files ? 2293
Lines ? 100067
Branches ? 9029
==================================================
Hits ? 62035
Misses ? 35848
Partials ? 2184 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
9c09687 to
56c6cac
Compare
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-40336
📔 Objective
Add the commercial CRUD API for org-scoped PAM Access Rules, consuming the
domain and persistence layer from #7981. This PR is stacked on #7981 — review
and merge that first; GitHub will retarget this PR to
mainonce it lands.All endpoints are gated behind the
pm-37044-pam-v-0(FeatureFlagKeys.Pam)feature flag, so nothing is reachable in production until PAM v0 ships. Access-rule
data (name, description, conditions) is organization configuration metadata, not
Vault Data — no zero-knowledge surface is touched.
What's included
API —
bitwarden_license/src/Services/PamGET(list),GET {id},POST,PUT {id},DELETE {id}, all org-scoped and feature-flag gated.AccessRuleRequestModel,AccessRuleResponseModel),condition models (time-of-day, IP allowlist, human approval, weekday) with a
custom
AccessWeekdayJSON converter.Create/Update/Deletecommands behind interfaces;AccessRuleValidatorvalidating the conditions JSON (max 10 conditions, per-type rules; empty list is
vacuously valid and still routes access through PAM for audit).
IAccessAuditEventEmitterfor rule created/updated/deleted.📸 Screenshots
N/A — backend only.