
feat(data): adopt role-tiers.json + tier0-permissions.json (refs #388)#414

Open
Daren9m wants to merge 1 commit into main from feat/role-tiers

Conversation

@Daren9m Daren9m commented Jun 14, 2026

Collaborator

Why

Per #388 (v3.5 canonical reference data layer), privileged-access lookups that every consumer needs - Entra role tiers (PIM logic, #373) and Tier-0 Graph permissions - should live in CheckID once instead of being re-maintained per repo.

What

Adopts two M365-Assess controls/ files upstream:

  • data/role-tiers.json - Entra ID directory-role tiers (Enterprise Access Model): Tier 0 control plane (4 roles) + Tier 1 management plane (16 roles), keyed by role-template GUID.
  • data/tier0-permissions.json - 41 Microsoft Graph application permissions classified Tier 0, each with a documented attack path to Global Admin, plus 8 Tier-1 high-impact data-access permissions. Source: github.com/emiliensocchi/azure-tiering (MIT).
  • Sibling *.schema.json (draft 2020-12) + Pester tests (RoleTiers.Tests.ps1, Tier0Permissions.Tests.ps1): GUID / Graph-permission format, uniqueness, single-tier membership, and registry ENTRA-PIM-* consumer presence.
  • REFERENCES.md - canonical reference data rows.

Data adopted verbatim; only $schema repointed to the CheckID schemas.

Testing

  • Both files validate against their schemas (jsonschema).
  • 392 Pester tests pass (377 + 15 new), 0 failures.

Scope

Advances #388 (does not close it): adopts 2 of the 4 proposed reference files; transport-rule-actions.json + power-platform-connectors.json and the unified {id, displayName, classification, source, lastReviewed} shape remain.

Notes

  • Independent PR from main; REFERENCES.md adds rows to the Canonical Reference Data table - if a sibling adoption PR merged first, resolve the trivial table conflict by keeping all rows.

Refs #388, #373

Adopt two canonical privileged-access reference files from M365-Assess so PIM and
service-principal privilege detection share one source of truth instead of per-repo
copies:

- data/role-tiers.json (+ schema + test): Entra role tier classification (Microsoft
  Enterprise Access Model) - Tier 0 control plane (4 roles) + Tier 1 management plane (16)
- data/tier0-permissions.json (+ schema + test): 41 Graph app permissions with documented
  attack paths to Global Admin + 8 Tier-1 high-impact data-access permissions
  (source: github.com/emiliensocchi/azure-tiering, MIT)
- REFERENCES.md: canonical reference data rows

Data adopted verbatim ($schema repointed to the CheckID schemas). 392 Pester tests pass.

Advances #388 (canonical reference data layer; transport-rule-actions + pp-connectors and
the unified {id,displayName,classification,...} shape remain).
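The PR description says the adopted Pester tests enforce GUID / Graph-permission format, uniqueness and single-tier membership over the two reference files. The script below is an added example (not code from this PR, nor from the CheckID or M365-Assess repositories) that implements the same invariants in Python so they can be run against a candidate data file before it lands. The JSON shape and field names (`tiers`, `roles`, `id`, `tier0`, `tier1`, `permission`, `attackPath`) are assumptions, and every GUID and permission name in the samples is constructed, not a real Entra role template or a row from the real files.

```python
"""Integrity checks for privileged-access reference data in the spirit of the
Pester tests this PR describes: GUID / Graph-permission format, uniqueness,
single-tier membership, and (for Tier 0) a non-empty documented attack path.
Added example; the JSON shape and field names are assumed, not CheckID's."""
import re
from collections import Counter

# Canonical lowercase GUID, the form Entra role-template IDs are usually written in.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Microsoft Graph application permissions are dotted PascalCase segments,
# e.g. Application.ReadWrite.All or RoleManagement.ReadWrite.Directory.
GRAPH_PERM_RE = re.compile(r"^[A-Z][A-Za-z0-9]*(\.[A-Z][A-Za-z0-9]*)+$")

# Constructed sample in the assumed shape. The GUIDs are made up; the data is
# deliberately dirty so each check has something to report.
ROLE_TIERS_SAMPLE = {
    "tiers": [
        {"tier": 0, "name": "Control plane", "roles": [
            {"id": "11111111-1111-4111-8111-111111111111", "displayName": "Sample Admin A"},
            {"id": "22222222-2222-4222-8222-222222222222", "displayName": "Sample Admin B"},
        ]},
        {"tier": 1, "name": "Management plane", "roles": [
            {"id": "33333333-3333-4333-8333-333333333333", "displayName": "Sample Admin C"},
            {"id": "22222222-2222-4222-8222-222222222222", "displayName": "B again"},  # two tiers
            {"id": "NOT-A-GUID", "displayName": "Malformed"},                          # bad format
        ]},
    ]
}

TIER0_PERMS_SAMPLE = {
    "tier0": [
        {"permission": "Sample.ReadWrite.All", "attackPath": "documented upstream"},
        {"permission": "Sample.ReadWrite.All", "attackPath": "documented upstream"},  # duplicate
        {"permission": "Other.Read.Directory", "attackPath": ""},                     # undocumented
        {"permission": "lowercase.bad", "attackPath": "documented upstream"},         # bad format
    ],
    "tier1": [
        {"permission": "Other.Read.Directory"},  # also listed under tier0
        {"permission": "Data.Read.All"},
    ],
}


def check_role_tiers(doc):
    """Return human-readable findings for a role-tiers document; [] means clean."""
    findings = []
    seen = Counter()
    for tier in doc["tiers"]:
        if tier["tier"] not in (0, 1):
            findings.append(f"unexpected tier value {tier['tier']!r}")
        for role in tier["roles"]:
            rid = role["id"]
            if not GUID_RE.match(rid):
                findings.append(f"tier {tier['tier']}: {rid!r} is not a lowercase GUID")
            seen[rid] += 1
    # Uniqueness across the whole file doubles as the single-tier-membership check.
    for rid, n in seen.items():
        if n > 1:
            findings.append(f"{rid} appears {n} times (must belong to exactly one tier)")
    return findings


def check_tier0_permissions(doc):
    """Return findings for a tier0-permissions document; [] means clean."""
    findings = []
    seen = Counter()
    for tier_key in ("tier0", "tier1"):
        for entry in doc[tier_key]:
            perm = entry["permission"]
            if not GRAPH_PERM_RE.match(perm):
                findings.append(f"{tier_key}: {perm!r} is not a Graph permission name")
            seen[perm] += 1
            # Every Tier-0 row is supposed to carry a documented attack path.
            if tier_key == "tier0" and not entry.get("attackPath", "").strip():
                findings.append(f"tier0: {perm} lacks a documented attack path")
    for perm, n in seen.items():
        if n > 1:
            findings.append(f"{perm} appears {n} times (must belong to exactly one tier)")
    return findings


if __name__ == "__main__":
    for name, result in (("role-tiers", check_role_tiers(ROLE_TIERS_SAMPLE)),
                         ("tier0-permissions", check_tier0_permissions(TIER0_PERMS_SAMPLE))):
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Pointing `json.load` at the real files instead of the constructed samples turns this into a pre-merge gate; a clean file yields an empty list from both functions, which is the condition a CI step would assert on.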
@github-actions


Content enrichment population

Overall (1106 checks): rationale 26.4% (292/1106) • impact 26.4% (292/1106) • references 26.4% (292/1106)

| Framework | n | rationale | impact | references |
|---|---|---|---|---|
| cis-controls-v8 | 1021 | 25.2% (257/1021) | 25.2% (257/1021) | 25.2% (257/1021) |
| cis-m365-v6 | 167 | 100.0% (167/167) | 100.0% (167/167) | 100.0% (167/167) |
| cisa-scuba | 52 | 100.0% (52/52) | 100.0% (52/52) | 100.0% (52/52) |
| cmmc | 1081 | 26.4% (285/1081) | 26.4% (285/1081) | 26.4% (285/1081) |
| eidsca | 21 | 100.0% (21/21) | 100.0% (21/21) | 100.0% (21/21) |
| essential-eight | 631 | 22.3% (141/631) | 22.3% (141/631) | 22.3% (141/631) |
| fedramp | 1073 | 27.2% (292/1073) | 27.2% (292/1073) | 27.2% (292/1073) |
| gdpr | 11 | 100.0% (11/11) | 100.0% (11/11) | 100.0% (11/11) |
| hipaa | 502 | 33.5% (168/502) | 33.5% (168/502) | 33.5% (168/502) |
| iso-27001 | 1021 | 26.6% (272/1021) | 26.6% (272/1021) | 26.6% (272/1021) |
| iso-27002 | 1021 | 26.6% (272/1021) | 26.6% (272/1021) | 26.6% (272/1021) |
| iso-27017 | 1013 | 26.1% (264/1013) | 26.1% (264/1013) | 26.1% (264/1013) |
| mitre-attack | 893 | 30.8% (275/893) | 30.8% (275/893) | 30.8% (275/893) |
| nis2 | 311 | 25.7% (80/311) | 25.7% (80/311) | 25.7% (80/311) |
| nist-800-171 | 1081 | 26.4% (285/1081) | 26.4% (285/1081) | 26.4% (285/1081) |
| nist-800-53 | 1073 | 27.2% (292/1073) | 27.2% (292/1073) | 27.2% (292/1073) |
| nist-csf | 827 | 31.2% (258/827) | 31.2% (258/827) | 31.2% (258/827) |
| pci-dss | 1053 | 26.4% (278/1053) | 26.4% (278/1053) | 26.4% (278/1053) |
| soc2 | 1104 | 26.4% (292/1104) | 26.4% (292/1104) | 26.4% (292/1104) |
| stig | 13 | 100.0% (13/13) | 100.0% (13/13) | 100.0% (13/13) |

Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).

@github-actions


Framework mapping count delta

| Framework | main | this PR | Δ | Δ% | Status |
|---|---|---|---|---|---|
| cis-controls-v8 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| cis-m365-v6 | 167 | 167 | 0 | +0.00% | ✓ OK |
| cisa-scuba | 52 | 52 | 0 | +0.00% | ✓ OK |
| cmmc | 1081 | 1081 | 0 | +0.00% | ✓ OK |
| eidsca | 21 | 21 | 0 | +0.00% | ✓ OK |
| essential-eight | 631 | 631 | 0 | +0.00% | ✓ OK |
| fedramp | 1073 | 1073 | 0 | +0.00% | ✓ OK |
| gdpr | 11 | 11 | 0 | +0.00% | ✓ OK |
| hipaa | 502 | 502 | 0 | +0.00% | ✓ OK |
| iso-27001 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| iso-27002 | 1021 | 1021 | 0 | +0.00% | ✓ OK |
| iso-27017 | 1013 | 1013 | 0 | +0.00% | ✓ OK |
| mitre-attack | 893 | 893 | 0 | +0.00% | ✓ OK |
| nis2 | 311 | 311 | 0 | +0.00% | ✓ OK |
| nist-800-171 | 1081 | 1081 | 0 | +0.00% | ✓ OK |
| nist-800-53 | 1073 | 1073 | 0 | +0.00% | ✓ OK |
| nist-csf | 827 | 827 | 0 | +0.00% | ✓ OK |
| pci-dss | 1053 | 1053 | 0 | +0.00% | ✓ OK |
| soc2 | 1104 | 1104 | 0 | +0.00% | ✓ OK |
| stig | 13 | 13 | 0 | +0.00% | ✓ OK |

Result: ✓ PASS — no framework mapping regressions detected.

Labels

enhancement New feature or request
