diff --git a/src/main/resources/db/changelog/010-context.sql b/src/main/resources/db/changelog/010-context.sql index 4820cf9c..b388bfd6 100644 --- a/src/main/resources/db/changelog/010-context.sql +++ b/src/main/resources/db/changelog/010-context.sql @@ -41,6 +41,8 @@ begin assumedRoles := coalesce(assumedRoles, ''); execute format('set local hsadminng.assumedRoles to %L', assumedRoles); + SET CONSTRAINTS ALL DEFERRED; + call contextDefined(currentTask, currentRequest, currentUser, assumedRoles); end; $$; --// diff --git a/src/main/resources/db/changelog/050-rbac-base.sql b/src/main/resources/db/changelog/050-rbac-base.sql index e028a2af..3a568761 100644 --- a/src/main/resources/db/changelog/050-rbac-base.sql +++ b/src/main/resources/db/changelog/050-rbac-base.sql @@ -172,7 +172,6 @@ create or replace function deleteRelatedRbacObject() strict as $$ begin if TG_OP = 'DELETE' then - -- TODO: delete related grants? or via cascade? delete from RbacObject where rbacobject.uuid = old.uuid; else raise exception 'invalid usage of TRIGGER BEFORE DELETE'; @@ -453,7 +452,7 @@ $$; create table RbacGrants ( uuid uuid primary key default uuid_generate_v4(), - grantedByTriggerOf uuid, -- TODO: references RbacObject (uuid) initially deferred, + grantedByTriggerOf uuid references RbacObject (uuid) on delete cascade initially deferred , grantedByRoleUuid uuid references RbacRole (uuid), ascendantUuid uuid references RbacReference (uuid), descendantUuid uuid references RbacReference (uuid), diff --git a/src/main/resources/db/changelog/056-rbac-trigger-context.sql b/src/main/resources/db/changelog/056-rbac-trigger-context.sql index 057bcb97..80a92987 100644 --- a/src/main/resources/db/changelog/056-rbac-trigger-context.sql +++ b/src/main/resources/db/changelog/056-rbac-trigger-context.sql 
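Review bot: The added `SET CONSTRAINTS ALL DEFERRED;` before `call contextDefined(...)` defers every deferrable constraint for each transaction that defines a context, not only the one this commit introduces. The new foreign key on `RbacGrants.grantedByTriggerOf` in 050-rbac-base.sql is already declared `initially deferred`, so the statement looks redundant for it. Any other deferrable constraint now reports violations only at commit, after triggers and later statements in the same transaction have already worked on the inconsistent rows. If a specific constraint does need deferring, name it, e.g. `SET CONSTRAINTS <constraint_name> DEFERRED;` (placeholder name), and add a comment such as `-- checked at commit because <reason>`. The enclosing routine starts outside the hunk, so its name and callers are not visible here.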
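Review bot: The new `on delete cascade` foreign key on `grantedByTriggerOf` in `create table RbacGrants` is unnamed and has no supporting index visible in this hunk, so each delete from RbacObject has to search RbacGrants on an unindexed column, and the constraint cannot be addressed by name in `SET CONSTRAINTS` or in a later migration. I would write the column as `grantedByTriggerOf uuid constraint rbacgrants_grantedbytriggerof_fk references RbacObject (uuid) on delete cascade initially deferred,` (the constraint name is a suggestion) and add `create index on RbacGrants (grantedByTriggerOf);` after the table, unless one exists further down; the table definition continues outside the hunk. The sibling columns `grantedByRoleUuid`, `ascendantUuid` and `descendantUuid` keep the default delete action, so a comment stating which deletes are meant to remove grants and which are meant to be blocked would help the next reader of this RBAC schema. Because this edits an existing `create table`, databases that already ran this changelog presumably need a separate `alter table` changeset to receive the constraint.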
@@ -29,9 +29,12 @@ create or replace function currentTriggerObjectUuid() returns uuid stable -- leakproof language plpgsql as $$ +declare + currentObjectUuid uuid; begin begin - return current_setting('hsadminng.currentUserUuid')::uuid; + currentObjectUuid = current_setting('hsadminng.currentObjectUuid')::uuid; + return currentObjectUuid; exception when others then return null::uuid;
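Review bot: The `exception when others then return null::uuid;` handler after the new assignment turns every failure, including a malformed or empty `hsadminng.currentObjectUuid`, into a silent null. If this value is what ends up in `RbacGrants.grantedByTriggerOf` (not visible in this hunk), such grants would have no owning object and would not be removed by the new cascade, leaving stale permissions behind. Reading the setting as `return nullif(current_setting('hsadminng.currentObjectUuid', true), '')::uuid;` yields null only when the setting is absent or empty. The handler can then be narrowed to `when invalid_text_representation then` or dropped, so that a corrupt value fails loudly instead of being recorded as "no object". The local variable is not needed for that form, and the function body ends outside the hunk.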