Derive NTFS traverse scope from group strategy

2026-05-09 23:25:15 +02:00
parent 2a290b5f86
commit 8db5a5d2e6
2 changed files with 45 additions and 6 deletions
--- a/LiamNtfs/C4IT.LIAM.Ntfs.cs
+++ b/LiamNtfs/C4IT.LIAM.Ntfs.cs
@@ -1101,11 +1101,24 @@ namespace C4IT.LIAM
        private IEnumerable<IAM_SecurityGroupTemplate> BuildSecurityGroupTemplates()
        {
            var templates = new List<IAM_SecurityGroupTemplate>();
-            foreach (var namingConvention in NamingConventions ?? Enumerable.Empty<cLiamNamingConvention>())
+            var namingConventions = (NamingConventions ?? Enumerable.Empty<cLiamNamingConvention>()).ToList();
+            var hasStrategyMatchingTraverseConvention = namingConventions.Any(i =>
+                TryMapSecurityGroupType(i.AccessRole, out var securityGroupType)
+                && securityGroupType == SecurityGroupType.Traverse
+                && IsStrategyMatchingTraverseScope(i.Scope));
+
+            foreach (var namingConvention in namingConventions)
            {
                if (!TryMapSecurityGroupType(namingConvention.AccessRole, out var securityGroupType))
                    continue;

+                if (securityGroupType == SecurityGroupType.Traverse
+                    && hasStrategyMatchingTraverseConvention
+                    && !IsStrategyMatchingTraverseScope(namingConvention.Scope))
+                {
+                    continue;
+                }
+
                if (!TryMapGroupScope(namingConvention.Scope, securityGroupType, out var groupScope))
                    continue;

@@ -1145,6 +1158,12 @@ namespace C4IT.LIAM
        private bool TryMapGroupScope(eLiamAccessRoleScopes scope, SecurityGroupType type, out GroupScope groupScope)
        {
            groupScope = GroupScope.Global;
+            if (type == SecurityGroupType.Traverse)
+            {
+                groupScope = GetStrategyTraverseGroupScope();
+                return true;
+            }
+
            switch (scope)
            {
                case eLiamAccessRoleScopes.Global:
@@ -1154,17 +1173,30 @@ namespace C4IT.LIAM
                    groupScope = GroupScope.Local;
                    return true;
                case eLiamAccessRoleScopes.Unknown:
-                    if (type == SecurityGroupType.Traverse)
-                    {
-                        groupScope = this.GroupStrategy == eLiamGroupStrategies.Ntfs_AGDLP ? GroupScope.Local : GroupScope.Global;
-                        return true;
-                    }
                    return false;
                default:
                    return false;
            }
        }

+        private GroupScope GetStrategyTraverseGroupScope()
+        {
+            return this.GroupStrategy == eLiamGroupStrategies.Ntfs_AGDLP
+                ? GroupScope.Local
+                : GroupScope.Global;
+        }
+
+        private bool IsStrategyMatchingTraverseScope(eLiamAccessRoleScopes scope)
+        {
+            if (scope == eLiamAccessRoleScopes.Unknown)
+                return true;
+
+            var strategyScope = GetStrategyTraverseGroupScope();
+            return strategyScope == GroupScope.Local
+                ? scope == eLiamAccessRoleScopes.DomainLocal
+                : scope == eLiamAccessRoleScopes.Global;
+        }
+
        private string GetRequiredCustomTag(string key)
        {
            if (CustomTags.TryGetValue(key, out var value) && !string.IsNullOrWhiteSpace(value))