From 5166bb5fc920e294f4bab7d4ba1dc205bdd6904d Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sat, 14 Sep 2024 07:07:54 +0200
Subject: [PATCH] rbac.RbacOp, rbac.RoleDescriptor, rbac.roleDescriptorOf and
 functions

---
 doc/rbac.md                                   |  2 +-
 .../db/changelog/1-rbac/1050-rbac-base.sql    | 65 +++++++++++--------
 .../db/changelog/1-rbac/1055-rbac-views.sql   |  8 +--
 .../1-rbac/1057-rbac-role-builder.sql         | 14 ++--
 .../changelog/1-rbac/1058-rbac-generators.sql | 12 ++--
 .../db/changelog/1-rbac/1080-rbac-global.sql  | 22 +++----
 .../2013-test-customer-rbac.sql               |  4 +-
 .../2018-test-customer-test-data.sql          |  4 +-
 .../2023-test-package-rbac.sql                |  4 +-
 .../2028-test-package-test-data.sql           |  4 +-
 .../203-test-domain/2033-test-domain-rbac.sql |  4 +-
 .../5033-hs-office-relation-rbac.sql          |  4 +-
 .../5043-hs-office-partner-rbac.sql           | 28 ++++----
 .../5044-hs-office-partner-details-rbac.sql   |  4 +-
 .../5063-hs-office-debitor-rbac.sql           | 10 +--
 .../5073-hs-office-sepamandate-rbac.sql       |  4 +-
 .../5103-hs-office-membership-rbac.sql        |  4 +-
 .../5113-hs-office-coopshares-rbac.sql        |  8 +--
 .../5123-hs-office-coopassets-rbac.sql        |  8 +--
 .../6203-hs-booking-project-rbac.sql          |  6 +-
 .../6203-hs-booking-item-rbac.sql             | 12 ++--
 .../6303-hs-booking-item-rbac.sql             | 12 ++--
 22 files changed, 126 insertions(+), 117 deletions(-)

diff --git a/doc/rbac.md b/doc/rbac.md
index f859e2e1..d98669ba 100644
--- a/doc/rbac.md
+++ b/doc/rbac.md
@@ -606,7 +606,7 @@ We have tested two variants of the query for the restricted view,
 both utilizing a PostgreSQL function like this:
 
     FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
-            requiredOp RbacOp,
+            requiredOp rbac.RbacOp,
             forObjectTable varchar,
             subjectIds uuid[],
             maxObjects integer = 16000)
diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index 4e47f302..3e894841 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@@ -156,6 +156,7 @@ begin
     end if;
     return old;
 end; $$;
+--//
 
 
 -- ============================================================================
@@ -166,13 +167,19 @@ create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST',
 
 create table rbac.role
 (
-    uuid       uuid primary key references  rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred
+    uuid       uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred
     objectUuid uuid not null references rbac.object (uuid) initially deferred,
     roleType   rbac.RoleType not null,
     unique (objectUuid, roleType)
 );
 
 call base.create_journal('rbac.role');
+--//
+
+
+-- ============================================================================
+--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 create type rbac.RoleDescriptor as
 (
@@ -196,8 +203,7 @@ create or replace function rbac.unassumed()
 select false;
 $$;
 
-
-create or replace function roleDescriptor(
+create or replace function rbac.roleDescriptorOf(
         objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
         assumed boolean = true) -- just for DSL readability, belongs actually to the grant
     returns rbac.RoleDescriptor
@@ -207,7 +213,7 @@ create or replace function roleDescriptor(
         select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
 $$;
 
-create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
+create or replace function rbac.createRole(roleDescriptor rbac.RoleDescriptor)
     returns uuid
     returns null on null input
     language plpgsql as $$
@@ -224,9 +230,14 @@ begin
     return referenceId;
 end;
 $$;
+--//
 
 
-create or replace procedure deleteRole(roleUUid uuid)
+-- ============================================================================
+--changeset rbac-base-ROLE-FUNCTIONS:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+create or replace procedure rbac.deleteRole(roleUUid uuid)
     language plpgsql as $$
 begin
     --raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid;
@@ -234,7 +245,7 @@ begin
 end;
 $$;
 
-create or replace function findRoleId(roleIdName varchar)
+create or replace function rbac.findRoleId(roleIdName varchar)
     returns uuid
     returns null on null input
     language plpgsql as $$
@@ -246,7 +257,7 @@ declare
     objectUuidOfRole          uuid;
     roleUuid                  uuid;
 begin
-    -- TODO.refa: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences
+    -- TODO.refa: extract function rbac.toRoleDescriptor(roleIdName varchar) + find other occurrences
     roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
     objectTableFromRoleIdName = split_part(roleParts, '#', 1);
     objectNameFromRoleIdName = split_part(roleParts, '#', 2);
@@ -261,14 +272,14 @@ begin
     return roleUuid;
 end; $$;
 
-create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
+create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor)
     returns uuid
     returns null on null input
     language sql as $$
 select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
 $$;
 
-create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
+create or replace function rbac.getRoleId(roleDescriptor rbac.RoleDescriptor)
     returns uuid
     language plpgsql as $$
 declare
@@ -276,13 +287,14 @@ declare
 begin
     assert roleDescriptor is not null, 'roleDescriptor must not be null';
 
-    roleUuid := findRoleId(roleDescriptor);
+    roleUuid := rbac.findRoleId(roleDescriptor);
     if (roleUuid is null) then
         raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
     end if;
     return roleUuid;
 end;
 $$;
+--//
 
 
 -- ============================================================================
@@ -351,10 +363,7 @@ create trigger delete_roles_of_object_tg
 -- ============================================================================
 --changeset rbac-base-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-/*
-
- */
-create domain RbacOp as varchar(6)
+create domain rbac.RbacOp as varchar(6)
     check (
                VALUE = 'DELETE'
             or VALUE = 'UPDATE'
@@ -367,7 +376,7 @@ create table rbac.permission
 (
     uuid        uuid primary key references  rbac.reference (uuid) on delete cascade,
     objectUuid  uuid not null references rbac.object,
-    op          RbacOp not null,
+    op          rbac.RbacOp not null,
     opTableName varchar(60)
 );
 -- TODO.perf: check if these indexes are really useful
@@ -379,7 +388,7 @@ ALTER TABLE rbac.permission
 
 call base.create_journal('rbac.permission');
 
-create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
+create or replace function rbac.createPermission(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
     returns uuid
     language plpgsql as $$
 declare
@@ -415,7 +424,7 @@ begin
     return permissionUuid;
 end; $$;
 
-create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
+create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
     returns uuid
     returns null on null input
     stable -- leakproof
@@ -423,11 +432,11 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
 select uuid
     from rbac.permission p
     where p.objectUuid = forObjectUuid
-      and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
+      and (forOp = 'SELECT' or p.op = forOp) -- all other rbac.RbacOp include 'SELECT'
       and p.opTableName = forOpTableName
 $$;
 
-create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
+create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
     returns uuid
     returns null on null input
     stable -- leakproof
@@ -439,7 +448,7 @@ select uuid
       and p.opTableName = forOpTableName
 $$;
 
-create or replace function getPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
+create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
     returns uuid
     stable -- leakproof
     language plpgsql as $$
@@ -567,7 +576,7 @@ create or replace function hasInsertPermission(objectUuid uuid, tableName text )
 declare
     permissionUuid uuid;
 begin
-    permissionUuid = findPermissionId(objectUuid, 'INSERT'::RbacOp, tableName);
+    permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
     return permissionUuid is not null;
 end;
 $$;
@@ -602,7 +611,7 @@ $$;
 create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
     language plpgsql as $$
 begin
-    call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
+    call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
 end;
 $$;
 
@@ -634,8 +643,8 @@ begin
         return;
     end if;
 
-    superRoleId := findRoleId(superRole);
-    subRoleId := findRoleId(subRole);
+    superRoleId := rbac.findRoleId(superRole);
+    subRoleId := rbac.findRoleId(subRole);
 
     perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
     perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
@@ -656,8 +665,8 @@ declare
     superRoleId uuid;
     subRoleId uuid;
 begin
-    superRoleId := findRoleId(superRole);
-    subRoleId := findRoleId(subRole);
+    superRoleId := rbac.findRoleId(superRole);
+    subRoleId := rbac.findRoleId(subRole);
 
     perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
     perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
@@ -678,7 +687,7 @@ declare
     objectTable text;
     objectUuid uuid;
 begin
-    superRoleId := findRoleId(superRole);
+    superRoleId := rbac.findRoleId(superRole);
 
     perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
     perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
@@ -705,7 +714,7 @@ end; $$;
 
  */
 create or replace function queryAccessibleObjectUuidsOfSubjectIds(
-    requiredOp RbacOp,
+    requiredOp rbac.RbacOp,
     forObjectTable varchar,
     subjectIds uuid[],
     maxObjects integer = 8000)
diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
index 610040f8..7243b3b2 100644
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@@ -344,7 +344,7 @@ grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_
     which are also visible to the current user or assumed roles.
 */
 create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid)
-    returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
+    returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
     returns null on null input
     language plpgsql as $$
 declare
@@ -380,13 +380,13 @@ begin
 end; $$;
 
 create or replace function rbac.grantedPermissions(targetSubjectUuid uuid)
-    returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
+    returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
     returns null on null input
     language sql as $$
     select * from rbac.grantedPermissionsRaw(targetSubjectUuid)
     union all
-    select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
+    select roleUuid, roleName, permissionUuid, 'SELECT'::rbac.RbacOp, opTableName, objectTable, objectIdName, objectUuid
         from rbac.grantedPermissionsRaw(targetSubjectUuid)
-        where op <> 'SELECT'::RbacOp;
+        where op <> 'SELECT'::rbac.RbacOp;
 $$;
 --//
diff --git a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
index 7adf4adc..7316e376 100644
--- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
+++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
@@ -8,7 +8,7 @@
 
 create or replace function rbac.defineRoleWithGrants(
     roleDescriptor rbac.RoleDescriptor,
-    permissions RbacOp[] = array[]::RbacOp[],
+    permissions rbac.RbacOp[] = array[]::rbac.RbacOp[],
     incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
     outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
     subjectUuids uuid[] = array[]::uuid[],
@@ -19,7 +19,7 @@ create or replace function rbac.defineRoleWithGrants(
     language plpgsql as $$
 declare
     roleUuid                uuid;
-    permission              RbacOp;
+    permission              rbac.RbacOp;
     permissionUuid          uuid;
     subRoleDesc             rbac.RoleDescriptor;
     superRoleDesc           rbac.RoleDescriptor;
@@ -28,23 +28,23 @@ declare
     subjectUuid             uuid;
     userGrantsByRoleUuid    uuid;
 begin
-    roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
+    roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));
 
     foreach permission in array permissions
         loop
-            permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
+            permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
             call grantPermissionToRole(permissionUuid, roleUuid);
         end loop;
 
     foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
         loop
-            superRoleUuid := getRoleId(superRoleDesc);
+            superRoleUuid := rbac.getRoleId(superRoleDesc);
             call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
         end loop;
 
     foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
         loop
-            subRoleUuid := getRoleId(subRoleDesc);
+            subRoleUuid := rbac.getRoleId(subRoleDesc);
             call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
         end loop;
 
@@ -53,7 +53,7 @@ begin
         if grantedByRole is null then
             userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
         else
-            userGrantsByRoleUuid := getRoleId(grantedByRole);
+            userGrantsByRoleUuid := rbac.getRoleId(grantedByRole);
         end if;
         foreach subjectUuid in array subjectUuids
             loop
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index d1f19dae..5f2c7122 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -46,7 +46,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed);
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed);
         end; $f$;
 
         create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
@@ -54,7 +54,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed);
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed);
         end; $f$;
 
         create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
@@ -62,7 +62,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed);
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed);
         end; $f$;
 
         create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
@@ -70,7 +70,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed);
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed);
         end; $f$;
 
         -- TODO: remove guest role
@@ -79,7 +79,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed);
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed);
         end; $f$;
 
         create or replace function %1$sReferrer(entity %2$s)
@@ -87,7 +87,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'REFERRER');
+            return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER');
         end; $f$;
 
         $sql$, prefix, targetTable);
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index ada5f5dc..8accfb53 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@@ -30,16 +30,16 @@ create or replace function rbac.isGlobalAdmin()
     returns boolean
     language plpgsql as $$
 begin
-    return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), findRoleId(globalAdmin()));
+    return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
 end; $$;
 --//
 
 
 -- ============================================================================
---changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
+--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
 -- ------------------------------------------------------------------
 
-create or replace function rbac.hasGlobalPermission(op RbacOp)
+create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
     returns boolean
     language sql as
 $$
@@ -87,7 +87,7 @@ $$;
 --liquibase formatted sql
 
 -- ============================================================================
---changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
+--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /**
@@ -104,7 +104,7 @@ commit;
 
 
 -- ============================================================================
---changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
+--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
     A rbac.Global administrator role.
@@ -119,13 +119,13 @@ $$;
 
 begin transaction;
     call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
-    select createRole(globalAdmin());
+    select rbac.createRole(globalAdmin());
 commit;
 --//
 
 
 -- ============================================================================
---changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
+--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
     A rbac.Global guest role.
@@ -140,13 +140,13 @@ $$;
 
 begin transaction;
     call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
-    select createRole(globalGuest());
+    select rbac.createRole(globalGuest());
 commit;
 --//
 
 
 -- ============================================================================
---changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
+--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
     Create two users and assign both to the administrators' role.
@@ -157,7 +157,7 @@ do language plpgsql $$
     begin
         call base.defineContext('creating fake test-realm admin users', null, null, null);
 
-        admins = findRoleId(globalAdmin());
+        admins = rbac.findRoleId(globalAdmin());
         call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
         call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
         perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
@@ -168,7 +168,7 @@ $$;
 
 
 -- ============================================================================
---changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
+--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /*
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
index 21aec61a..f6844048 100644
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
@@ -95,7 +95,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'test_customer'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
                         globalADMIN());
             END LOOP;
     end;
@@ -111,7 +111,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'test_customer'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
             globalADMIN());
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql
index e5a53dab..b1139e53 100644
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql
@@ -41,8 +41,8 @@ begin
     select * into newCust
              from test_customer where reference=custReference;
     call rbac.grantRoleToSubject(
-            getRoleId(testCustomerOwner(newCust)),
-            getRoleId(testCustomerAdmin(newCust)),
+            rbac.getRoleId(testCustomerOwner(newCust)),
+            rbac.getRoleId(testCustomerAdmin(newCust)),
             custAdminUuid,
             true);
 end; $$;
diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql
index 6f421963..26e3384d 100644
--- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql
@@ -160,7 +160,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'test_package'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
                         testCustomerADMIN(row));
             END LOOP;
     end;
@@ -176,7 +176,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'test_package'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
             testCustomerADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql
index 1faf52a6..84da3839 100644
--- a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql
+++ b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql
@@ -30,8 +30,8 @@ begin
                 returning * into pac;
 
             call rbac.grantRoleToSubject(
-                    getRoleId(testCustomerAdmin(cust)),
-                    findRoleId(testPackageAdmin(pac)),
+                    rbac.getRoleId(testCustomerAdmin(cust)),
+                    rbac.findRoleId(testPackageAdmin(pac)),
                     rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
                     true);
 
diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql
index 98e76047..e07e64d8 100644
--- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql
@@ -159,7 +159,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'test_domain'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
                         testPackageADMIN(row));
             END LOOP;
     end;
@@ -175,7 +175,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'test_domain'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
             testPackageADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
index b0769dec..52ee285e 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
@@ -169,7 +169,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
                         hsOfficePersonADMIN(row));
             END LOOP;
     end;
@@ -185,7 +185,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
             hsOfficePersonADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
index f9e62eeb..50a66a9a 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
@@ -42,12 +42,12 @@ begin
     SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
+    call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -111,22 +111,22 @@ begin
     if NEW.partnerRelUuid <> OLD.partnerRelUuid then
 
         call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
 
         call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
 
         call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
 
         call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
 
         call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
 
         call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
+        call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
 
     end if;
 
@@ -172,7 +172,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
                         globalADMIN());
             END LOOP;
     end;
@@ -188,7 +188,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
             globalADMIN());
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
index 9a3dfbe1..b53a2e2f 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
@@ -76,7 +76,7 @@ begin
                          -- unconditional for all rows in that table
                         LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
                         globalADMIN());
     END LOOP;
 end;
@@ -92,7 +92,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
             globalADMIN());
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index 58175132..a2ca4c80 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -57,9 +57,9 @@ begin
     call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
     call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -145,7 +145,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
                         globalADMIN());
             END LOOP;
     end;
@@ -161,7 +161,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
             globalADMIN());
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
index 40b6224e..c5f91a9c 100644
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -120,7 +120,7 @@ do language plpgsql $$
             WHERE type = 'DEBITOR'
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
                         hsOfficeRelationADMIN(row));
             END LOOP;
     end;
@@ -136,7 +136,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
 begin
     if NEW.type = 'DEBITOR' then
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
             hsOfficeRelationADMIN(NEW));
     end if;
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
index 0218f68c..2d42a51d 100644
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@@ -107,7 +107,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
                         globalADMIN());
             END LOOP;
     end;
@@ -123,7 +123,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
             globalADMIN());
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
index f8d72a7f..96f22285 100644
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@@ -38,8 +38,8 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -83,7 +83,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
                         hsOfficeMembershipADMIN(row));
             END LOOP;
     end;
@@ -99,7 +99,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
             hsOfficeMembershipADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
index 2be9891c..c289af2d 100644
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@@ -38,8 +38,8 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -83,7 +83,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
                         hsOfficeMembershipADMIN(row));
             END LOOP;
     end;
@@ -99,7 +99,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
             hsOfficeMembershipADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
index ff6a9054..c4cd9175 100644
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@@ -70,7 +70,7 @@ begin
             outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
     );
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -114,7 +114,7 @@ do language plpgsql $$
             WHERE type = 'DEBITOR'
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
                         hsOfficeRelationADMIN(row));
             END LOOP;
     end;
@@ -130,7 +130,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
 begin
     if NEW.type = 'DEBITOR' then
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
             hsOfficeRelationADMIN(NEW));
     end if;
     return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
index 2accb407..0ae4bcfa 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
 
 
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -113,7 +113,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
                         globalADMIN());
             END LOOP;
     end;
@@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             globalADMIN());
     -- end.
     return NEW;
@@ -156,7 +156,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
                         hsBookingProjectADMIN(row));
             END LOOP;
     end;
@@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             hsBookingProjectADMIN(NEW));
     -- end.
     return NEW;
@@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             hsBookingItemADMIN(NEW));
     -- end.
     return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
index 2accb407..0ae4bcfa 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
 
 
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+    call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 
     call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -113,7 +113,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
                         globalADMIN());
             END LOOP;
     end;
@@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             globalADMIN());
     -- end.
     return NEW;
@@ -156,7 +156,7 @@ do language plpgsql $$
             -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                        createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
                         hsBookingProjectADMIN(row));
             END LOOP;
     end;
@@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             hsBookingProjectADMIN(NEW));
     -- end.
     return NEW;
@@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
 begin
     -- unconditional for all rows in that table
         call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             hsBookingItemADMIN(NEW));
     -- end.
     return NEW;