IdLE.Provider.AD (On-Prem AD) MVP (Windows-only) #46

@blindzero

Description

Goal

  • Provide a production-usable on-prem Active Directory provider so IdLE can run real Joiner/Mover/Leaver workflows out of the box.

Scope

  • Create new provider module: IdLE.Provider.AD
  • Platform support:
    • Windows-only (documented). Requires RSAT / ActiveDirectory module availability on the host.
  • Capabilities (MVP):
    • IdLE.Identity.Read
    • IdLE.Identity.List
    • IdLE.Identity.Create
    • IdLE.Identity.Delete
    • IdLE.Identity.EnsureAttribute
    • IdLE.Identity.Move (OU/container move)
    • IdLE.Identity.Disable
    • IdLE.Identity.Enable
    • IdLE.Entitlement.List (Groups)
    • IdLE.Entitlement.Grant (Groups)
    • IdLE.Entitlement.Revoke (Groups)
  • Identity addressing:
    • Support common identifiers (UPN, sAMAccountName, GUID); document preferred defaults and resolution rules.
  • Idempotency guarantees (required for retries and re-runs):
    • Create: if identity exists, return success with "NoChange"/"AlreadyExists" semantics (no duplicate creation).
    • Delete: if identity is already gone, treat as success ("AlreadyDeleted").
    • Group Grant/Revoke: membership already in desired state must be a no-op success.
    • Move(OU): if already in target OU, no-op success.
  • Implementation approach:
    • Use a small internal wrapper layer around AD cmdlets so unit tests can mock behavior without requiring a real AD.
  • Provider must publish its capability list consistently (capabilities are announced, not assumed).
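The idempotency rules and the mockable wrapper layer above, sketched as an added PowerShell example. This is not IdLE.Provider.AD code: the function names (`Resolve-IdleAdIdentity`, `Invoke-IdleAdCreate`, `Set-IdleAdGroupMembership`, `Invoke-IdleAdMove`, the `*Raw` wrappers), the result-object shape and the identifier resolution order (GUID, then UPN, then sAMAccountName) are assumptions chosen for illustration. The only real APIs used are the ActiveDirectory module cmdlets. Two points worth noting: `Get-ADUser -Identity` does not accept a UPN, so UPN and sAMAccountName lookups go through a filter, and because the identifier comes from workflow input it is escaped per RFC 4515 before it is placed in the LDAP filter.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not IdLE.Provider.AD code. Function names, the result-object shape and the
# identifier resolution order are assumptions made for illustration.

# --- Wrapper layer: the only functions that call AD cmdlets, so Pester tests can Mock them. ---
function Find-AdUserRaw     { param([string]$LdapFilter) @(Get-ADUser -LDAPFilter $LdapFilter -Properties memberOf) | Select-Object -First 1 }
function Get-AdGroupRaw     { param([string]$Group) Get-ADGroup -Identity $Group }
function New-AdUserRaw      { param([hashtable]$Props) New-ADUser @Props -PassThru }
function Remove-AdUserRaw   { param([string]$Dn) Remove-ADUser -Identity $Dn -Confirm:$false }
function Add-AdMemberRaw    { param([string]$GroupDn, [string]$UserDn) Add-ADGroupMember -Identity $GroupDn -Members $UserDn }
function Remove-AdMemberRaw { param([string]$GroupDn, [string]$UserDn) Remove-ADGroupMember -Identity $GroupDn -Members $UserDn -Confirm:$false }
function Move-AdObjectRaw   { param([string]$Dn, [string]$TargetOu) Move-ADObject -Identity $Dn -TargetPath $TargetOu -PassThru }

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: an identifier taken from workflow input must not be able to alter the filter.
    param([string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Resolve-IdleAdIdentity {
    # Assumed resolution order: objectGUID if the value parses as a GUID, UPN if it contains '@',
    # otherwise sAMAccountName. Returns $null when nothing matches (no exception for "not found").
    param([Parameter(Mandatory)][string]$Identity)
    $guid = [guid]::Empty
    if ([guid]::TryParse($Identity, [ref]$guid)) {
        # objectGUID is a binary attribute, so the filter needs the byte-escaped form
        $bytes = ($guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
        return Find-AdUserRaw "(objectGUID=$bytes)"
    }
    $value = ConvertTo-LdapFilterValue $Identity
    if ($Identity -like '*@*') { return Find-AdUserRaw "(userPrincipalName=$value)" }
    return Find-AdUserRaw "(sAMAccountName=$value)"
}

function Invoke-IdleAdCreate {
    # Idempotent create: an existing identity is success with 'AlreadyExists', never a duplicate.
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    $existing = Resolve-IdleAdIdentity $UserPrincipalName
    if ($existing) { return [pscustomobject]@{ Status = 'AlreadyExists'; Dn = $existing.DistinguishedName } }
    $user = New-AdUserRaw @{ SamAccountName = $SamAccountName; UserPrincipalName = $UserPrincipalName; Name = $Name; Path = $Path }
    [pscustomobject]@{ Status = 'Created'; Dn = $user.DistinguishedName }
}

function Invoke-IdleAdDelete {
    # Delete is destructive: the caller must opt in explicitly; an already-gone identity is still success.
    param([Parameter(Mandatory)][string]$Identity, [switch]$AllowDelete)
    if (-not $AllowDelete) { throw 'Delete requires -AllowDelete (explicit opt-in).' }
    $user = Resolve-IdleAdIdentity $Identity
    if (-not $user) { return [pscustomobject]@{ Status = 'AlreadyDeleted'; Dn = $null } }
    Remove-AdUserRaw $user.DistinguishedName
    [pscustomobject]@{ Status = 'Deleted'; Dn = $user.DistinguishedName }
}

function Set-IdleAdGroupMembership {
    # Grant and Revoke share one idempotent path: compare desired with current state, act only on a delta.
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][ValidateSet('Grant','Revoke')][string]$Action)
    $user = Resolve-IdleAdIdentity $Identity
    if (-not $user) { throw "Identity '$Identity' not found." }
    $groupDn    = (Get-AdGroupRaw $Group).DistinguishedName
    $isMember   = @($user.memberOf) -contains $groupDn   # memberOf never lists the primary group
    $wantMember = ($Action -eq 'Grant')
    if ($isMember -eq $wantMember) { return [pscustomobject]@{ Status = 'NoChange'; Dn = $user.DistinguishedName } }
    if ($wantMember) { Add-AdMemberRaw $groupDn $user.DistinguishedName } else { Remove-AdMemberRaw $groupDn $user.DistinguishedName }
    [pscustomobject]@{ Status = 'Changed'; Dn = $user.DistinguishedName }
}

function Invoke-IdleAdMove {
    # Idempotent OU move: already in the target container is a no-op success.
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$TargetOu)
    $user = Resolve-IdleAdIdentity $Identity
    if (-not $user) { throw "Identity '$Identity' not found." }
    # Parent container = everything after the first unescaped comma of the DN; -eq is case-insensitive.
    $currentOu = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
    if ($currentOu -eq $TargetOu) { return [pscustomobject]@{ Status = 'NoChange'; Dn = $user.DistinguishedName } }
    $moved = Move-AdObjectRaw $user.DistinguishedName $TargetOu
    [pscustomobject]@{ Status = 'Changed'; Dn = $moved.DistinguishedName }
}
```

Every AD call sits in a one-line `*Raw` wrapper, so a Pester test can `Mock Find-AdUserRaw { $null }` to drive the create path or `Mock Find-AdUserRaw { [pscustomobject]@{ DistinguishedName = 'CN=j.doe,OU=Joiners,DC=example,DC=local'; memberOf = @() } }` to drive the `AlreadyExists` and `NoChange` paths without any domain controller, which is what the unit-test requirement above asks for.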

Docs / Examples (part of DoD)

  • Document prerequisites (Windows/RSAT/permissions), configuration, and supported identifiers.
  • Provide at least one example workflow per LifecycleEvent:
    • Joiner: Create + EnsureAttribute + Group grants + Move to Joiner OU
    • Mover: EnsureAttribute changes + Group delta + optional Move OU
    • Leaver: Disable + Move to Leavers OU + Delete (Delete must require explicit opt-in)
  • Integrate with the single demo runner (shared examples script) via -Provider AD.

Acceptance Criteria

  • Provider module loads and advertises capabilities.
  • MVP capabilities are implemented and covered by unit tests (mocked; no real AD required).
  • Idempotency rules above are enforced and test-covered.
  • Example workflows run via the demo runner using -Provider AD (documented commands).
