Skip to content
ModularityKit.Mutator ModularityKit.Mutator Docs
  • Home
  • Core
  • Governance
  • Redis
  • API
Search Results for

    IamRoles

    This example shows how to guard privileged role changes with policy checks and audit friendly context.

    It is the most governance focused sample in the repository. Use it when you want to see how to protect sensitive operations such as granting admin rights, revoking permissions, or migrating many roles at once.

    Domain

    The domain state maps user IDs to a set of roles.

    The example covers three workflows:

    • granting role to user
    • revoking role from user
    • batch migration of role assignments

    What this example demonstrates

    • privilege changing mutations
    • last admin protection
    • approval metadata in MutationContext
    • two man approval for critical mutations
    • batch role operations across multiple users

    Project structure

    • Program.cs
    • IamRoles.csproj
    • State/UserPermissionsState.cs
    • Mutations/GrantUserRoleMutation.cs
    • Mutations/RevokeUserRoleMutation.cs
    • Policies/PreventLastAdminRemovalPolicy.cs
    • Policies/RequireTwoManApprovalPolicy.cs
    • Scenarios/GrantAdminScenario.cs
    • Scenarios/RevokeAdminScenario.cs
    • Scenarios/BatchRoleMigrationScenario.cs

    How it works

    Program.cs:

    1. registers the engine with strict options
    2. resolves IMutationEngine
    3. registers the two governance policies
    4. runs the three role management scenarios
    5. prints summary statistics

    The sample keeps the domain model simple so the policies stay visible.

    Mutation flow

    Grant role

    GrantUserRoleMutation grants role to user.

    • validates the user ID and role name
    • rejects duplicate assignments
    • writes the role into copied dictionary
    • emits state change for the affected user

    Revoke role

    RevokeUserRoleMutation removes role from user.

    • checks that the user actually has the role
    • removes the role from copied state
    • emits removal change

    Policies

    Prevent last admin removal

    PreventLastAdminRemovalPolicy blocks the removal of the last remaining Admin role.

    This shows classic safety rule for sensitive systems.

    Require two man approval

    RequireTwoManApprovalPolicy requires additional approval metadata for critical changes.

    The policy demonstrates:

    • inspecting mutation risk level
    • reading the approval list from metadata
    • rejecting self approval

    Scenarios

    Grant admin

    GrantAdminScenario promotes user to admin.

    Revoke admin

    RevokeAdminScenario removes admin from user.

    Batch role migration

    BatchRoleMigrationScenario applies multiple role grants in single batch.

    It demonstrates:

    • batch execution
    • state driven mutation generation
    • policy evaluation on each item
    • reporting per mutation failures

    What to read first

    1. State/UserPermissionsState.cs
    2. Mutations/GrantUserRoleMutation.cs
    3. Mutations/RevokeUserRoleMutation.cs
    4. Policies/PreventLastAdminRemovalPolicy.cs
    5. Policies/RequireTwoManApprovalPolicy.cs
    6. Scenarios/BatchRoleMigrationScenario.cs

    Run

    dotnet run --project Examples/Core/IamRoles/IamRoles.csproj
    

    Expected output

    When you run the sample, you should see:

    • a single grant flow
    • a single revoke flow
    • a batch migration flow
    • blocked or approved mutations depending on policy input
    • final statistics from the engine

    This example is the clearest one to study if you care about policy controlled privilege management.

    • Edit this page
    In this article
    ModularityKit.Mutator Generated from XML docs and published from main. Back to top