Closed
Phase 2 Overview
Implement temporal role logic with automatic expiration and comprehensive audit trail.
Tasks
- Create `role_assignments_log` audit trail table
  - Immutable log of all role actions
  - Fields: user_id, role_id, action, valid_from/until, assigned_by, reason
- Create `RoleAssignmentLog` model
  - Read-only (no updates/deletes)
  - Relationships to User, Role
- Implement scheduled command `roles:expire`
  - Find expired roles with `auto_revoke=true`
  - Log to audit trail before deletion
  - Delete expired assignments
  - Run every minute via Laravel scheduler
- Add command to `Console/Kernel.php` schedule
- Write unit tests for expiration logic
  - Command identifies correct expired roles
  - Audit trail logging works
  - Only `auto_revoke=true` roles deleted
  - Timezone edge cases handled
- Write feature tests for scheduled execution
  - Mock time travel for testing
  - Verify batch processing for >1000 roles
  - Test partial failures (audit log succeeds, delete fails)
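The pieces the task list asks for, as one added example that is not the project's code. It assumes Laravel 10+ on PHP 8.1+, the `App\Models` namespace, a `roles` table from Phase 1, and a Phase 1 `TemporalRoleUser` model with columns `id`, `model_id`, `role_id`, `valid_from`, `valid_until` (stored as UTC) and `auto_revoke`; the migration filename and the chunk size of 500 are also assumptions. File boundaries are marked in comments.

```php
<?php
// Added example, not the project's code. Assumes Laravel 10+/PHP 8.1+, the App\Models
// namespace, and a Phase 1 TemporalRoleUser model with columns id, model_id, role_id,
// valid_from, valid_until (stored as UTC) and auto_revoke. File boundaries are marked.
// --- database/migrations/2025_01_01_000000_create_role_assignments_log_table.php ---
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

return new class extends Migration {
    public function up(): void
    {
        Schema::create('role_assignments_log', function (Blueprint $table) {
            $table->id();
            $table->foreignId('user_id')->constrained('users');
            $table->foreignId('role_id')->constrained('roles');
            $table->string('action', 32);                 // e.g. assigned, revoked, expired
            $table->timestamp('valid_from')->nullable();
            $table->timestamp('valid_until')->nullable();
            $table->foreignId('assigned_by')->nullable()->constrained('users');
            $table->string('reason')->nullable();
            $table->timestamp('created_at');              // no updated_at: rows are never modified
        });
    }
    public function down(): void { Schema::dropIfExists('role_assignments_log'); }
};

// --- app/Models/RoleAssignmentLog.php ---
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use LogicException;

class RoleAssignmentLog extends Model
{
    protected $table = 'role_assignments_log';
    const UPDATED_AT = null;                              // Eloquent sets created_at only
    protected $fillable = ['user_id', 'role_id', 'action', 'valid_from', 'valid_until', 'assigned_by', 'reason'];

    protected static function booted(): void
    {
        // Append-only at the ORM layer: any update or delete through Eloquent throws.
        // Mass updates/deletes through the query builder bypass model events, so also
        // revoke UPDATE and DELETE on this table from the application's database user.
        static::updating(fn () => throw new LogicException('role_assignments_log is append-only'));
        static::deleting(fn () => throw new LogicException('role_assignments_log is append-only'));
    }

    public function user() { return $this->belongsTo(User::class); }
    public function role() { return $this->belongsTo(Role::class); }
}

// --- app/Console/Commands/ExpireRoles.php ---
namespace App\Console\Commands;
use App\Models\RoleAssignmentLog;
use App\Models\TemporalRoleUser;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;

class ExpireRoles extends Command
{
    protected $signature = 'roles:expire';
    protected $description = 'Revoke expired temporal role assignments flagged auto_revoke and log them';

    public function handle(): int
    {
        $revoked = $failed = 0;
        TemporalRoleUser::query()
            ->where('auto_revoke', true)                  // others expire but wait for manual review
            ->where('valid_until', '<=', now()->utc())    // valid_until is UTC, so the cut-off is UTC too
            ->chunkById(500, function ($batch) use (&$revoked, &$failed) {  // id-keyed: safe while deleting
                foreach ($batch as $assignment) {
                    try {
                        // Audit row first, then delete, atomically: a failed delete rolls the
                        // log row back instead of recording a revocation that never happened.
                        DB::transaction(function () use ($assignment) {
                            RoleAssignmentLog::create([
                                'action'      => 'expired',
                                'user_id'     => $assignment->model_id,
                                'role_id'     => $assignment->role_id,
                                'valid_from'  => $assignment->valid_from,
                                'valid_until' => $assignment->valid_until,
                            ]);
                            $assignment->delete();
                        });
                        $revoked++;
                    } catch (\Throwable $e) {
                        $failed++;
                        report($e);                       // one bad row must not block the rest of the batch
                    }
                }
            });
        $this->info("Revoked {$revoked} assignment(s), {$failed} failed.");
        return $failed === 0 ? self::SUCCESS : self::FAILURE;
    }
}

// --- app/Console/Kernel.php, inside schedule(Schedule $schedule) ---
$schedule->command('roles:expire')->everyMinute()->withoutOverlapping();  // a slow batch must not overlap the next tick
```

Two design points worth keeping when adapting this: the model-level guard only catches writes that go through Eloquent events, so the real immutability guarantee has to come from database grants (the app user gets INSERT and SELECT on `role_assignments_log`, nothing else); and a per-row transaction with a catch-and-continue loop is what makes the "audit log succeeds, delete fails" case recoverable, because the orphaned log row is rolled back and the command still finishes the other rows and reports a non-zero exit code.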
Acceptance Criteria
- `role_assignments_log` table created with migration
- `RoleAssignmentLog` model prevents updates/deletes
- `roles:expire` command runs every minute
- Expired roles automatically revoked
- All actions logged to audit trail
- Unit tests achieve >80% coverage
- Feature tests validate end-to-end flow
- Timezone handling documented and tested
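A feature test covering the criteria above (time travel, the `auto_revoke` filter, the UTC convention for `valid_until`, and the partial-failure case), added here as an example and not taken from the project. It assumes a `roles:expire` command that revokes assignments with `auto_revoke=true` and `valid_until <= now` (UTC), wraps each log-plus-delete pair in its own transaction, and exits with code 1 if any row failed; it also assumes model factories for `User` and `Role`, Laravel 10+ test helpers (`travelTo`, `assertModelExists`/`assertModelMissing`), and a `TemporalRoleUser` model whose fillable columns are `model_id`, `role_id`, `valid_from`, `valid_until` and `auto_revoke`.

```php
<?php
// Added example test, not the project's code. Assumes a roles:expire command that revokes
// auto_revoke assignments with valid_until (UTC) <= now, one transaction per row, exit code 1 on
// any failure; factories for User and Role; and a TemporalRoleUser model with the columns used below.
namespace Tests\Feature;

use App\Models\Role;
use App\Models\RoleAssignmentLog;
use App\Models\TemporalRoleUser;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Carbon;
use RuntimeException;
use Tests\TestCase;

class ExpireRolesCommandTest extends TestCase
{
    use RefreshDatabase;

    private User $user;
    private Role $role;

    protected function setUp(): void
    {
        parent::setUp();
        $this->user = User::factory()->create();
        $this->role = Role::factory()->create();
    }

    /** Store valid_until as UTC whatever zone the caller used. */
    private function assign(Carbon $until, bool $autoRevoke = true): TemporalRoleUser
    {
        return TemporalRoleUser::create([
            'model_id'    => $this->user->id,
            'role_id'     => $this->role->id,
            'valid_from'  => Carbon::parse('2025-01-01 00:00:00', 'UTC'),
            'valid_until' => $until->copy()->utc(),
            'auto_revoke' => $autoRevoke,
        ]);
    }

    public function test_only_expired_auto_revoke_assignments_are_removed_and_logged(): void
    {
        $now = Carbon::parse('2025-03-01 12:00:00', 'UTC');
        $expired   = $this->assign($now);                       // due exactly now
        $manual    = $this->assign($now, autoRevoke: false);    // due, but needs a human
        $stillGood = $this->assign($now->copy()->addSecond());  // one second in the future
        $this->travelTo($now);                                  // freeze the clock the command reads
        $this->artisan('roles:expire')->assertExitCode(0);

        $this->assertModelMissing($expired);
        $this->assertModelExists($manual);
        $this->assertModelExists($stillGood);
        $this->assertDatabaseHas('role_assignments_log', [
            'user_id' => $this->user->id, 'role_id' => $this->role->id, 'action' => 'expired',
        ]);
        $this->assertSame(1, RoleAssignmentLog::count());
    }

    public function test_valid_until_given_in_another_zone_expires_at_the_right_instant(): void
    {
        // 09:00 in Tokyo on 1 March is 00:00 UTC. Stored in UTC and compared in UTC, the row
        // must survive at 23:59:59 UTC and go at 00:00:00 UTC, not at 09:00 UTC.
        $assignment = $this->assign(Carbon::parse('2025-03-01 09:00:00', 'Asia/Tokyo'));
        $this->travelTo(Carbon::parse('2025-02-28 23:59:59', 'UTC'));
        $this->artisan('roles:expire')->assertExitCode(0);
        $this->assertModelExists($assignment);

        $this->travelTo(Carbon::parse('2025-03-01 00:00:00', 'UTC'));
        $this->artisan('roles:expire')->assertExitCode(0);
        $this->assertModelMissing($assignment);
    }

    public function test_failed_delete_rolls_back_its_audit_row_and_does_not_stop_the_batch(): void
    {
        $now = Carbon::parse('2025-03-01 12:00:00', 'UTC');
        $poisoned = $this->assign($now);
        $healthy  = $this->assign($now);
        // Simulate the delete failing for one row only.
        TemporalRoleUser::deleting(function (TemporalRoleUser $m) use ($poisoned) {
            if ($m->is($poisoned)) {
                throw new RuntimeException('simulated delete failure');
            }
        });
        $this->travelTo($now);
        $this->artisan('roles:expire')->assertExitCode(1);      // partial failure is reported

        $this->assertModelExists($poisoned);                     // still assigned ...
        $this->assertModelMissing($healthy);                     // ... but the rest of the batch went through
        // Exactly one log row: the poisoned row's entry was rolled back together with its delete.
        $this->assertSame(1, RoleAssignmentLog::where('action', 'expired')->count());
    }
}
```

The third test is the one that pins down the transaction semantics: without a transaction around each log-plus-delete pair, the audit table would carry an `expired` row for an assignment that is still in force, which is worse than no row at all. The >1000-row batch check from the task list can reuse the `assign` helper in a loop and assert on counts rather than individual models.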
Implementation Notes
Command Pseudocode (restricted to `auto_revoke=true` rows, processed in id-keyed chunks, with each log-plus-delete pair in one transaction so a failed delete does not leave a stray `expired` entry; the `App\Models` namespace is assumed):
```php
use App\Models\RoleAssignmentLog;   // namespace assumed
use App\Models\TemporalRoleUser;
use Illuminate\Support\Facades\DB;

TemporalRoleUser::expired()
    ->where('auto_revoke', true)             // never auto-delete assignments that need manual review
    ->chunkById(500, function ($batch) {     // id-keyed chunks stay correct while rows are being deleted
        foreach ($batch as $assignment) {
            DB::transaction(function () use ($assignment) {
                // 1. Log to audit trail
                RoleAssignmentLog::create([
                    'action'      => 'expired',
                    'user_id'     => $assignment->model_id,
                    'role_id'     => $assignment->role_id,
                    'valid_from'  => $assignment->valid_from,
                    'valid_until' => $assignment->valid_until,
                ]);
                // 2. Delete assignment (rolls the log row back if this fails)
                $assignment->delete();
            });
        }
    });
```
Reference
- ADR-004: RBAC Architecture Decision
- Parent Issue: 🔐 Implement RBAC System (Role-Based Access Control) #5 (RBAC System)
- Depends on: Phase 1 ✅
Estimated Time
- Estimate: 1 day
- Actual: TBD
Metadata
Status
✅ Done