rbac schema in 1057-rbac-role-builder.sql und 1058-rbac-generators.sql

This commit is contained in:
Michael Hoennig 2024-09-13 17:38:27 +02:00
parent 8b2dbaa8bd
commit 55c4983509
25 changed files with 130 additions and 131 deletions

View File

@ -26,13 +26,13 @@ public class RbacIdentityViewGenerator {
plPgSql.writeLn(
switch (rbacDef.getIdentityViewSqlQuery().part) {
case SQL_PROJECTION -> """
call generateRbacIdentityViewFromProjection('${rawTableName}',
call rbac.generateRbacIdentityViewFromProjection('${rawTableName}',
$idName$
${identityViewSqlPart}
$idName$);
""";
case SQL_QUERY -> """
call generateRbacIdentityViewFromQuery('${rawTableName}',
call rbac.generateRbacIdentityViewFromQuery('${rawTableName}',
$idName$
${identityViewSqlPart}
$idName$);

View File

@ -17,7 +17,7 @@ public class RbacObjectGenerator {
-- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('${rawTableName}');
call rbac.generateRelatedRbacObject('${rawTableName}');
--//
""",

View File

@ -21,7 +21,7 @@ public class RbacRestrictedViewGenerator {
-- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('${rawTableName}',
call rbac.generateRbacRestrictedView('${rawTableName}',
$orderBy$
${orderBy}
$orderBy$,

View File

@ -19,7 +19,7 @@ public class RbacRoleDescriptorsGenerator {
-- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}');
call rbac.generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}');
--//
""",

View File

@ -389,7 +389,7 @@ class RolesGrantsAndPermissionsGenerator {
}
plPgSql.writeLn();
plPgSql.writeLn("perform createRoleWithGrants(");
plPgSql.writeLn("perform rbac.defineRoleWithGrants(");
plPgSql.indented(() -> {
plPgSql.writeLn("${simpleVarName)${roleSuffix}(NEW),"
.replace("${simpleVarName)", simpleEntityVarName)

View File

@ -3,11 +3,10 @@
-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
--changeset rbac-role-builder-define-role:1 endDelimiter:--//
-- -----------------------------------------------------------------
-- TODO: rename to defineRoleWithGrants because it does not complain if the role already exists
create or replace function createRoleWithGrants(
create or replace function rbac.defineRoleWithGrants(
roleDescriptor RbacRoleDescriptor,
permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],

View File

@ -5,7 +5,7 @@
--changeset rbac-generators-RELATED-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure generateRelatedRbacObject(targetTable varchar)
create or replace procedure rbac.generateRelatedRbacObject(targetTable varchar)
language plpgsql as $$
declare
createInsertTriggerSQL text;
@ -35,7 +35,7 @@ end; $$;
--changeset rbac-generators-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create procedure generateRbacRoleDescriptors(prefix text, targetTable text)
create procedure rbac.generateRbacRoleDescriptors(prefix text, targetTable text)
language plpgsql as $$
declare
sql text;
@ -100,7 +100,7 @@ end; $$;
--changeset rbac-generators-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text)
create or replace procedure rbac.generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text)
language plpgsql as $$
declare
sql text;
@ -140,7 +140,7 @@ begin
execute sql;
end; $$;
create or replace procedure generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text)
create or replace procedure rbac.generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text)
language plpgsql as $$
declare
sqlQuery text;
@ -151,7 +151,7 @@ begin
select target.uuid, cleanIdentifier(%2$s) as idName
from %1$s as target;
$sql$, targetTable, sqlProjection);
call generateRbacIdentityViewFromQuery(targetTable, sqlQuery);
call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery);
end; $$;
--//
@ -160,7 +160,7 @@ end; $$;
--changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*')
create or replace procedure rbac.generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*')
language plpgsql as $$
declare
sql text;

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_customer');
call rbac.generateRelatedRbacObject('test_customer');
--//
-- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testCustomer', 'test_customer');
call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
--//
@ -34,20 +34,20 @@ declare
begin
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testCustomerADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[testCustomerOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testCustomerTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testCustomerADMIN(NEW)]
@ -157,7 +157,7 @@ create trigger test_customer_insert_permission_check_tg
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_customer',
call rbac.generateRbacIdentityViewFromProjection('test_customer',
$idName$
prefix
$idName$);
@ -167,7 +167,7 @@ call generateRbacIdentityViewFromProjection('test_customer',
-- ============================================================================
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_customer',
call rbac.generateRbacRestrictedView('test_customer',
$orderBy$
reference
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_package');
call rbac.generateRelatedRbacObject('test_package');
--//
-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testPackage', 'test_package');
call rbac.generateRbacRoleDescriptors('testPackage', 'test_package');
--//
@ -39,18 +39,18 @@ begin
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testPackageOWNER(NEW),
permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[testCustomerADMIN(newCustomer)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testPackageADMIN(NEW),
incomingSuperRoles => array[testPackageOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testPackageTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testPackageADMIN(NEW)],
@ -222,7 +222,7 @@ create trigger test_package_insert_permission_check_tg
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_package',
call rbac.generateRbacIdentityViewFromProjection('test_package',
$idName$
name
$idName$);
@ -232,7 +232,7 @@ call generateRbacIdentityViewFromProjection('test_package',
-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_package',
call rbac.generateRbacRestrictedView('test_package',
$orderBy$
name
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset test-domain-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_domain');
call rbac.generateRelatedRbacObject('test_domain');
--//
-- ============================================================================
--changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testDomain', 'test_domain');
call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain');
--//
@ -39,14 +39,14 @@ begin
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testDomainOWNER(NEW),
permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[testPackageADMIN(newPackage)],
outgoingSubRoles => array[testPackageTENANT(newPackage)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
testDomainADMIN(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testDomainOWNER(NEW)],
@ -221,7 +221,7 @@ create trigger test_domain_insert_permission_check_tg
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_domain',
call rbac.generateRbacIdentityViewFromProjection('test_domain',
$idName$
name
$idName$);
@ -231,7 +231,7 @@ call generateRbacIdentityViewFromProjection('test_domain',
-- ============================================================================
--changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_domain',
call rbac.generateRbacRestrictedView('test_domain',
$orderBy$
name
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_contact');
call rbac.generateRelatedRbacObject('hs_office_contact');
--//
-- ============================================================================
--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
call rbac.generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
--//
@ -34,20 +34,20 @@ declare
begin
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeContactOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeContactADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeContact_tf();
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_contact',
call rbac.generateRbacIdentityViewFromProjection('hs_office_contact',
$idName$
caption
$idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact',
-- ============================================================================
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_contact',
call rbac.generateRbacRestrictedView('hs_office_contact',
$orderBy$
caption
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_person');
call rbac.generateRelatedRbacObject('hs_office_person');
--//
-- ============================================================================
--changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
call rbac.generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
--//
@ -34,20 +34,20 @@ declare
begin
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficePersonOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficePersonADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficePerson_tf();
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_person',
call rbac.generateRbacIdentityViewFromProjection('hs_office_person',
$idName$
concat(tradeName, familyName, givenName)
$idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person',
-- ============================================================================
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_person',
call rbac.generateRbacRestrictedView('hs_office_person',
$orderBy$
concat(tradeName, familyName, givenName)
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-relation-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_relation');
call rbac.generateRelatedRbacObject('hs_office_relation');
--//
-- ============================================================================
--changeset hs-office-relation-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
--//
@ -47,25 +47,25 @@ begin
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationAGENT(NEW),
incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@ -231,7 +231,7 @@ create trigger hs_office_relation_insert_permission_check_tg
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_relation',
call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
$idName$
(select idName from hs_office_person_iv p where p.uuid = anchorUuid)
|| '-with-' || target.type || '-'
@ -243,7 +243,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation',
-- ============================================================================
--changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_relation',
call rbac.generateRbacRestrictedView('hs_office_relation',
$orderBy$
(select idName from hs_office_person_iv p where p.uuid = target.holderUuid)
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner');
call rbac.generateRelatedRbacObject('hs_office_partner');
--//
-- ============================================================================
--changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
call rbac.generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
--//
@ -234,7 +234,7 @@ create trigger hs_office_partner_insert_permission_check_tg
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_partner',
call rbac.generateRbacIdentityViewFromProjection('hs_office_partner',
$idName$
'P-' || partnerNumber
$idName$);
@ -244,7 +244,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner',
-- ============================================================================
--changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner',
call rbac.generateRbacRestrictedView('hs_office_partner',
$orderBy$
'P-' || partnerNumber
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-partner-details-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner_details');
call rbac.generateRelatedRbacObject('hs_office_partner_details');
--//
-- ============================================================================
--changeset hs-office-partner-details-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
call rbac.generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
--//
@ -138,7 +138,7 @@ create trigger hs_office_partner_details_insert_permission_check_tg
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_partner_details',
call rbac.generateRbacIdentityViewFromQuery('hs_office_partner_details',
$idName$
SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
FROM hs_office_partner_details AS partnerDetails
@ -151,7 +151,7 @@ call generateRbacIdentityViewFromQuery('hs_office_partner_details',
-- ============================================================================
--changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner_details',
call rbac.generateRbacRestrictedView('hs_office_partner_details',
$orderBy$
uuid
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-bankaccount-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_bankaccount');
call rbac.generateRelatedRbacObject('hs_office_bankaccount');
--//
-- ============================================================================
--changeset hs-office-bankaccount-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
call rbac.generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
--//
@ -34,20 +34,20 @@ declare
begin
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf();
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
call rbac.generateRbacIdentityViewFromProjection('hs_office_bankaccount',
$idName$
iban
$idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
-- ============================================================================
--changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_bankaccount',
call rbac.generateRbacRestrictedView('hs_office_bankaccount',
$orderBy$
iban
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_debitor');
call rbac.generateRelatedRbacObject('hs_office_debitor');
--//
-- ============================================================================
--changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
call rbac.generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
--//
@ -207,7 +207,7 @@ create trigger hs_office_debitor_insert_permission_check_tg
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_debitor',
call rbac.generateRbacIdentityViewFromQuery('hs_office_debitor',
$idName$
SELECT debitor.uuid AS uuid,
'D-' || (SELECT partner.partnerNumber
@ -226,7 +226,7 @@ call generateRbacIdentityViewFromQuery('hs_office_debitor',
-- ============================================================================
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_debitor',
call rbac.generateRbacRestrictedView('hs_office_debitor',
$orderBy$
defaultPrefix
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-sepamandate-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_sepamandate');
call rbac.generateRelatedRbacObject('hs_office_sepamandate');
--//
-- ============================================================================
--changeset hs-office-sepamandate-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
call rbac.generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
--//
@ -47,20 +47,20 @@ begin
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateAGENT(NEW),
incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)],
outgoingSubRoles => array[
@ -68,7 +68,7 @@ begin
hsOfficeRelationAGENT(newDebitorRel)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@ -188,7 +188,7 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
call rbac.generateRbacIdentityViewFromQuery('hs_office_sepamandate',
$idName$
select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
from hs_office_sepamandate sm
@ -200,7 +200,7 @@ call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
-- ============================================================================
--changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_sepamandate',
call rbac.generateRbacRestrictedView('hs_office_sepamandate',
$orderBy$
validity
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_membership');
call rbac.generateRelatedRbacObject('hs_office_membership');
--//
-- ============================================================================
--changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
call rbac.generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
--//
@ -43,12 +43,12 @@ begin
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipOWNER(NEW),
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipADMIN(NEW),
permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[
@ -56,7 +56,7 @@ begin
hsOfficeRelationADMIN(newPartnerRel)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipAGENT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@ -169,7 +169,7 @@ create trigger hs_office_membership_insert_permission_check_tg
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_membership',
call rbac.generateRbacIdentityViewFromQuery('hs_office_membership',
$idName$
SELECT m.uuid AS uuid,
'M-' || p.partnerNumber || m.memberNumberSuffix as idName
@ -182,7 +182,7 @@ call generateRbacIdentityViewFromQuery('hs_office_membership',
-- ============================================================================
--changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_membership',
call rbac.generateRbacRestrictedView('hs_office_membership',
$orderBy$
validity
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopsharestransaction');
call rbac.generateRelatedRbacObject('hs_office_coopsharestransaction');
--//
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
call rbac.generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
--//
@ -145,7 +145,7 @@ create trigger hs_office_coopsharestransaction_insert_permission_check_tg
--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
call rbac.generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
$idName$
reference
$idName$);
@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopsharestransaction',
call rbac.generateRbacRestrictedView('hs_office_coopsharestransaction',
$orderBy$
reference
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopassetstransaction');
call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction');
--//
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
--//
@ -145,7 +145,7 @@ create trigger hs_office_coopassetstransaction_insert_permission_check_tg
--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
call rbac.generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
$idName$
reference
$idName$);
@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopassetstransaction',
call rbac.generateRbacRestrictedView('hs_office_coopassetstransaction',
$orderBy$
reference
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-booking-project-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_project');
call rbac.generateRelatedRbacObject('hs_booking_project');
--//
-- ============================================================================
--changeset hs-booking-project-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project');
call rbac.generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project');
--//
@ -47,23 +47,23 @@ begin
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingProjectOWNER(NEW),
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingProjectADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingProjectOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingProjectAGENT(NEW),
incomingSuperRoles => array[hsBookingProjectADMIN(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingProjectTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingProjectAGENT(NEW)],
@ -182,7 +182,7 @@ create trigger hs_booking_project_insert_permission_check_tg
--changeset hs-booking-project-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_booking_project',
call rbac.generateRbacIdentityViewFromQuery('hs_booking_project',
$idName$
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
FROM hs_booking_project bookingProject
@ -194,7 +194,7 @@ call generateRbacIdentityViewFromQuery('hs_booking_project',
-- ============================================================================
--changeset hs-booking-project-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_project',
call rbac.generateRbacRestrictedView('hs_booking_project',
$orderBy$
caption
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_item');
call rbac.generateRelatedRbacObject('hs_booking_item');
--//
-- ============================================================================
--changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
--//
@ -40,25 +40,25 @@ begin
SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem;
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemOWNER(NEW),
incomingSuperRoles => array[
hsBookingItemAGENT(newParentItem),
hsBookingProjectAGENT(newProject)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemAGENT(NEW),
incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_booking_item',
call rbac.generateRbacIdentityViewFromProjection('hs_booking_item',
$idName$
caption
$idName$);
@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item',
-- ============================================================================
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_item',
call rbac.generateRbacRestrictedView('hs_booking_item',
$orderBy$
validity
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_item');
call rbac.generateRelatedRbacObject('hs_booking_item');
--//
-- ============================================================================
--changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
--//
@ -40,25 +40,25 @@ begin
SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem;
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemOWNER(NEW),
incomingSuperRoles => array[
hsBookingItemAGENT(newParentItem),
hsBookingProjectAGENT(newProject)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemAGENT(NEW),
incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsBookingItemTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_booking_item',
call rbac.generateRbacIdentityViewFromProjection('hs_booking_item',
$idName$
caption
$idName$);
@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item',
-- ============================================================================
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_item',
call rbac.generateRbacRestrictedView('hs_booking_item',
$orderBy$
validity
$orderBy$,

View File

@ -5,14 +5,14 @@
-- ============================================================================
--changeset hs-hosting-asset-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_hosting_asset');
call rbac.generateRelatedRbacObject('hs_hosting_asset');
--//
-- ============================================================================
--changeset hs-hosting-asset-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset');
call rbac.generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset');
--//
@ -46,7 +46,7 @@ begin
SELECT * FROM hs_hosting_asset WHERE uuid = NEW.parentAssetUuid INTO newParentAsset;
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsHostingAssetOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[
@ -56,7 +56,7 @@ begin
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsHostingAssetADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[
@ -65,7 +65,7 @@ begin
hsHostingAssetOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsHostingAssetAGENT(NEW),
incomingSuperRoles => array[
hsHostingAssetADMIN(NEW),
@ -75,7 +75,7 @@ begin
hsOfficeContactREFERRER(newAlarmContact)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsHostingAssetTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@ -158,7 +158,7 @@ execute procedure updateTriggerForHsHostingAsset_tf();
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_hosting_asset',
call rbac.generateRbacIdentityViewFromProjection('hs_hosting_asset',
$idName$
identifier
$idName$);
@ -168,7 +168,7 @@ call generateRbacIdentityViewFromProjection('hs_hosting_asset',
-- ============================================================================
--changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_hosting_asset',
call rbac.generateRbacRestrictedView('hs_hosting_asset',
$orderBy$
identifier
$orderBy$,