IamRoles
This example shows how to guard privileged role changes with policy checks and audit-friendly context.
It is the most governance-focused sample in the repository. Use it when you want to see how to protect sensitive operations such as granting admin rights, revoking permissions, or migrating many roles at once.
Domain
The domain state maps user IDs to a set of roles.
The example covers three workflows:
- granting a role to a user
- revoking a role from a user
- batch migration of role assignments
What this example demonstrates
- privilege changing mutations
- last admin protection
- approval metadata in MutationContext
- two-man approval for critical mutations
- batch role operations across multiple users
Project structure
- Program.cs
- IamRoles.csproj
- State/UserPermissionsState.cs
- Mutations/GrantUserRoleMutation.cs
- Mutations/RevokeUserRoleMutation.cs
- Policies/PreventLastAdminRemovalPolicy.cs
- Policies/RequireTwoManApprovalPolicy.cs
- Scenarios/GrantAdminScenario.cs
- Scenarios/RevokeAdminScenario.cs
- Scenarios/BatchRoleMigrationScenario.cs
How it works
Program.cs:
- registers the engine with strict options
- resolves IMutationEngine
- registers the two governance policies
- runs the three role management scenarios
- prints summary statistics
The sample keeps the domain model simple so the policies stay visible.
Mutation flow
Grant role
GrantUserRoleMutation grants a role to a user.
- validates the user ID and role name
- rejects duplicate assignments
- writes the role into a copied dictionary
- emits a state change for the affected user
Revoke role
RevokeUserRoleMutation removes a role from a user.
- checks that the user actually has the role
- removes the role from the copied state
- emits a removal change
Policies
Prevent last admin removal
PreventLastAdminRemovalPolicy blocks the removal of the last remaining Admin role.
This is a classic safety rule for sensitive systems: a change that would leave no administrator at all is refused.
Require two-man approval
RequireTwoManApprovalPolicy requires additional approval metadata for critical changes.
The policy demonstrates:
- inspecting mutation risk level
- reading the approval list from metadata
- rejecting self approval
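The two policies described above, as an added stand-alone illustration (not the repository's own code): the RoleMutation, MutationContext, IPolicy and RiskLevel types, the "approvals" metadata key and the user names are assumptions made for this example, not the engine's API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for the sample's mutation, context and policy types.
public enum RiskLevel { Normal, Critical }
public record RoleMutation(string UserId, string Role, bool IsGrant, RiskLevel Risk, string RequestedBy);
public record MutationContext(Dictionary<string, HashSet<string>> State, Dictionary<string, object> Metadata);
public interface IPolicy { string? Evaluate(RoleMutation m, MutationContext ctx); }

// Refuses to revoke Admin from the only user who still holds it.
public class PreventLastAdminRemovalPolicy : IPolicy
{
    public string? Evaluate(RoleMutation m, MutationContext ctx)
    {
        if (m.IsGrant || m.Role != "Admin") return null;
        bool targetIsAdmin = ctx.State.TryGetValue(m.UserId, out var roles) && roles.Contains("Admin");
        int admins = ctx.State.Count(kv => kv.Value.Contains("Admin"));
        return targetIsAdmin && admins == 1 ? "blocked: would remove the last Admin" : null;
    }
}

// Critical mutations need at least one approver who is not the requester (no self-approval).
public class RequireTwoManApprovalPolicy : IPolicy
{
    public string? Evaluate(RoleMutation m, MutationContext ctx)
    {
        if (m.Risk != RiskLevel.Critical) return null;
        var approvals = ctx.Metadata.TryGetValue("approvals", out var v) ? v as IEnumerable<string> : null;
        bool hasOther = (approvals ?? Enumerable.Empty<string>()).Any(a => a != m.RequestedBy);
        return hasOther ? null : "blocked: critical change needs an approver other than the requester";
    }
}

public static class Program
{
    public static void Main()
    {
        var ctx = new MutationContext(new(), new());
        ctx.State["alice"] = new HashSet<string> { "Admin" };     // constructed: alice is the only admin
        ctx.State["bob"] = new HashSet<string> { "Reader" };
        IPolicy[] policies = { new PreventLastAdminRemovalPolicy(), new RequireTwoManApprovalPolicy() };
        ctx.Metadata["approvals"] = new[] { "alice" };            // self-approval only: both policies block
        Report("revoke Admin from alice", new RoleMutation("alice", "Admin", false, RiskLevel.Critical, "alice"));
        ctx.Metadata["approvals"] = new[] { "alice", "carol" };   // a second person approved: allowed
        Report("grant Admin to bob", new RoleMutation("bob", "Admin", true, RiskLevel.Critical, "alice"));
        void Report(string label, RoleMutation m) => Console.WriteLine($"{label}: " +
            string.Join("; ", policies.Select(p => p.Evaluate(m, ctx)).Where(r => r != null).DefaultIfEmpty("allowed")));
    }
}
```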
Scenarios
Grant admin
GrantAdminScenario promotes a user to admin.
Revoke admin
RevokeAdminScenario removes the admin role from a user.
Batch role migration
BatchRoleMigrationScenario applies multiple role grants in a single batch.
It demonstrates:
- batch execution
- state-driven mutation generation
- policy evaluation on each item
- reporting per-mutation failures
What to read first
- State/UserPermissionsState.cs
- Mutations/GrantUserRoleMutation.cs
- Mutations/RevokeUserRoleMutation.cs
- Policies/PreventLastAdminRemovalPolicy.cs
- Policies/RequireTwoManApprovalPolicy.cs
- Scenarios/BatchRoleMigrationScenario.cs
Run
dotnet run --project Examples/Core/IamRoles/IamRoles.csproj
Expected output
When you run the sample, you should see:
- a single grant flow
- a single revoke flow
- a batch migration flow
- blocked or approved mutations depending on policy input
- final statistics from the engine
This example is the clearest one to study if you care about policy-controlled privilege management.