diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index 3078922f..c28a464d 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@@ -139,7 +139,7 @@ select 'global', (select uuid from RbacObject where objectTable = 'global'), 'GU
 $$;
 begin transaction;
- call defineContext('creating role:global#globa:guest', null, null, null);
+ call defineContext('creating role:global#global:guest', null, null, null);
 select createRole(globalGuest());
 commit;
 --//
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.md b/src/main/resources/db/changelog/133-test-domain-rbac.md
deleted file mode 100644
index d9b3748c..00000000
--- a/src/main/resources/db/changelog/133-test-domain-rbac.md
+++ /dev/null
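Review bot: The corrected label `'creating role:global#global:guest'` is still a hand-typed string with nothing tying it to the role that `createRole(globalGuest())` actually creates, which is how the one-letter drift slipped in unnoticed. If `defineContext`'s first argument is persisted as the task description for auditing (not visible in this hunk), a mistyped label makes the creation of the guest role harder to locate later, so it is worth grepping the other changelog files for the same `#globa:` pattern before merging. A one-line comment above the call, `-- task description must match the role name produced by globalGuest()`, would make the coupling explicit for the next edit.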
@@ -1,75 +0,0 @@ -### rbac domain - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph package.customer["`**package.customer**`"] - direction TB - style package.customer fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph package.customer:roles[ ] - style package.customer:roles fill:#99bcdb,stroke:white - - role:package.customer:OWNER[[package.customer:OWNER]] - role:package.customer:ADMIN[[package.customer:ADMIN]] - role:package.customer:TENANT[[package.customer:TENANT]] - end -end - -subgraph package["`**package**`"] - direction TB - style package fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph package:roles[ ] - style package:roles fill:#99bcdb,stroke:white - - role:package:OWNER[[package:OWNER]] - role:package:ADMIN[[package:ADMIN]] - role:package:TENANT[[package:TENANT]] - end -end - -subgraph domain["`**domain**`"] - direction TB - style domain fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph domain:roles[ ] - style domain:roles fill:#dd4901,stroke:white - - role:domain:OWNER[[domain:OWNER]] - role:domain:ADMIN[[domain:ADMIN]] - end - - subgraph domain:permissions[ ] - style domain:permissions fill:#dd4901,stroke:white - - perm:domain:INSERT{{domain:INSERT}} - perm:domain:DELETE{{domain:DELETE}} - perm:domain:UPDATE{{domain:UPDATE}} - perm:domain:SELECT{{domain:SELECT}} - end -end - -%% granting roles to roles -role:global:ADMIN -.->|XX| role:package.customer:OWNER -role:package.customer:OWNER -.-> role:package.customer:ADMIN -role:package.customer:ADMIN -.-> role:package.customer:TENANT -role:package.customer:ADMIN -.-> role:package:OWNER -role:package:OWNER -.-> role:package:ADMIN -role:package:ADMIN -.-> role:package:TENANT -role:package:TENANT -.-> role:package.customer:TENANT -role:package:ADMIN ==> role:domain:OWNER -role:domain:OWNER ==> role:package:TENANT -role:domain:OWNER ==> role:domain:ADMIN 
-role:domain:ADMIN ==> role:package:TENANT - -%% granting permissions to roles -role:package:ADMIN ==> perm:domain:INSERT -role:domain:OWNER ==> perm:domain:DELETE -role:domain:OWNER ==> perm:domain:UPDATE -role:domain:ADMIN ==> perm:domain:SELECT - -``` diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac.md b/src/main/resources/db/changelog/223-hs-office-relation-rbac.md deleted file mode 100644 index 8014cdaf..00000000 --- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.md +++ /dev/null 
@@ -1,102 +0,0 @@ -### rbac relation - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph holderPerson["`**holderPerson**`"] - direction TB - style holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph holderPerson:roles[ ] - style holderPerson:roles fill:#99bcdb,stroke:white - - role:holderPerson:OWNER[[holderPerson:OWNER]] - role:holderPerson:ADMIN[[holderPerson:ADMIN]] - role:holderPerson:REFERRER[[holderPerson:REFERRER]] - end -end - -subgraph anchorPerson["`**anchorPerson**`"] - direction TB - style anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph anchorPerson:roles[ ] - style anchorPerson:roles fill:#99bcdb,stroke:white - - role:anchorPerson:OWNER[[anchorPerson:OWNER]] - role:anchorPerson:ADMIN[[anchorPerson:ADMIN]] - role:anchorPerson:REFERRER[[anchorPerson:REFERRER]] - end -end - -subgraph contact["`**contact**`"] - direction TB - style contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph contact:roles[ ] - style contact:roles fill:#99bcdb,stroke:white - - role:contact:OWNER[[contact:OWNER]] - role:contact:ADMIN[[contact:ADMIN]] - role:contact:REFERRER[[contact:REFERRER]] - end -end - -subgraph relation["`**relation**`"] - direction TB - style relation fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph relation:roles[ ] - style relation:roles fill:#dd4901,stroke:white - - role:relation:OWNER[[relation:OWNER]] - role:relation:ADMIN[[relation:ADMIN]] - role:relation:AGENT[[relation:AGENT]] - role:relation:TENANT[[relation:TENANT]] - end - - subgraph relation:permissions[ ] - style relation:permissions fill:#dd4901,stroke:white - - perm:relation:DELETE{{relation:DELETE}} - perm:relation:UPDATE{{relation:UPDATE}} - perm:relation:SELECT{{relation:SELECT}} - perm:relation:INSERT{{relation:INSERT}} - end -end - -%% granting roles to users -user:creator ==> role:relation:OWNER - -%% 
granting roles to roles -role:global:ADMIN -.-> role:anchorPerson:OWNER -role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN -role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER -role:global:ADMIN -.-> role:holderPerson:OWNER -role:holderPerson:OWNER -.-> role:holderPerson:ADMIN -role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER -role:global:ADMIN -.-> role:contact:OWNER -role:contact:OWNER -.-> role:contact:ADMIN -role:contact:ADMIN -.-> role:contact:REFERRER -role:global:ADMIN ==> role:relation:OWNER -role:relation:OWNER ==> role:relation:ADMIN -role:anchorPerson:ADMIN ==> role:relation:ADMIN -role:relation:ADMIN ==> role:relation:AGENT -role:holderPerson:ADMIN ==> role:relation:AGENT -role:relation:AGENT ==> role:relation:TENANT -role:holderPerson:ADMIN ==> role:relation:TENANT -role:contact:ADMIN ==> role:relation:TENANT -role:relation:TENANT ==> role:anchorPerson:REFERRER -role:relation:TENANT ==> role:holderPerson:REFERRER -role:relation:TENANT ==> role:contact:REFERRER - -%% granting permissions to roles -role:relation:OWNER ==> perm:relation:DELETE -role:relation:ADMIN ==> perm:relation:UPDATE -role:relation:TENANT ==> perm:relation:SELECT -role:anchorPerson:ADMIN ==> perm:relation:INSERT - -``` diff --git a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md deleted file mode 100644 index a0caa074..00000000 --- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md +++ /dev/null 
@@ -1,120 +0,0 @@ -### rbac partner - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph partnerRel.contact["`**partnerRel.contact**`"] - direction TB - style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.contact:roles[ ] - style partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]] - role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]] - role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]] - end -end - -subgraph partner["`**partner**`"] - direction TB - style partner fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph partner:permissions[ ] - style partner:permissions fill:#dd4901,stroke:white - - perm:partner:INSERT{{partner:INSERT}} - perm:partner:DELETE{{partner:DELETE}} - perm:partner:UPDATE{{partner:UPDATE}} - perm:partner:SELECT{{partner:SELECT}} - end - - subgraph partnerRel["`**partnerRel**`"] - direction TB - style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel:roles[ ] - style partnerRel:roles fill:#99bcdb,stroke:white - - role:partnerRel:OWNER[[partnerRel:OWNER]] - role:partnerRel:ADMIN[[partnerRel:ADMIN]] - role:partnerRel:AGENT[[partnerRel:AGENT]] - role:partnerRel:TENANT[[partnerRel:TENANT]] - end - end -end - -subgraph partnerDetails["`**partnerDetails**`"] - direction TB - style partnerDetails fill:#feb28c,stroke:#274d6e,stroke-width:8px - - subgraph partnerDetails:permissions[ ] - style partnerDetails:permissions fill:#feb28c,stroke:white - - perm:partnerDetails:DELETE{{partnerDetails:DELETE}} - perm:partnerDetails:UPDATE{{partnerDetails:UPDATE}} - perm:partnerDetails:SELECT{{partnerDetails:SELECT}} - end -end - -subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"] - direction TB - style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - 
subgraph partnerRel.anchorPerson:roles[ ] - style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]] - role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]] - role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]] - end -end - -subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"] - direction TB - style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.holderPerson:roles[ ] - style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]] - role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]] - role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]] - end -end - -%% granting roles to roles -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER -role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER -role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER -role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN -role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER -role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN -role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER 
-role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER -role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER - -%% granting permissions to roles -role:global:ADMIN ==> perm:partner:INSERT -role:partnerRel:ADMIN ==> perm:partner:DELETE -role:partnerRel:AGENT ==> perm:partner:UPDATE -role:partnerRel:TENANT ==> perm:partner:SELECT -role:partnerRel:ADMIN ==> perm:partnerDetails:DELETE -role:partnerRel:AGENT ==> perm:partnerDetails:UPDATE -role:partnerRel:AGENT ==> perm:partnerDetails:SELECT - -``` diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md deleted file mode 100644 index aa3059f9..00000000 --- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md +++ /dev/null 
@@ -1,141 +0,0 @@ -### rbac sepaMandate - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph bankAccount["`**bankAccount**`"] - direction TB - style bankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph bankAccount:roles[ ] - style bankAccount:roles fill:#99bcdb,stroke:white - - role:bankAccount:OWNER[[bankAccount:OWNER]] - role:bankAccount:ADMIN[[bankAccount:ADMIN]] - role:bankAccount:REFERRER[[bankAccount:REFERRER]] - end -end - -subgraph debitorRel.contact["`**debitorRel.contact**`"] - direction TB - style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.contact:roles[ ] - style debitorRel.contact:roles fill:#99bcdb,stroke:white - - role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]] - role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]] - role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]] - end -end - -subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"] - direction TB - style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.anchorPerson:roles[ ] - style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]] - role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]] - role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]] - end -end - -subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"] - direction TB - style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.holderPerson:roles[ ] - style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]] - role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]] - 
role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]] - end -end - -subgraph sepaMandate["`**sepaMandate**`"] - direction TB - style sepaMandate fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph sepaMandate:roles[ ] - style sepaMandate:roles fill:#dd4901,stroke:white - - role:sepaMandate:OWNER[[sepaMandate:OWNER]] - role:sepaMandate:ADMIN[[sepaMandate:ADMIN]] - role:sepaMandate:AGENT[[sepaMandate:AGENT]] - role:sepaMandate:REFERRER[[sepaMandate:REFERRER]] - end - - subgraph sepaMandate:permissions[ ] - style sepaMandate:permissions fill:#dd4901,stroke:white - - perm:sepaMandate:DELETE{{sepaMandate:DELETE}} - perm:sepaMandate:UPDATE{{sepaMandate:UPDATE}} - perm:sepaMandate:SELECT{{sepaMandate:SELECT}} - perm:sepaMandate:INSERT{{sepaMandate:INSERT}} - end -end - -subgraph debitorRel["`**debitorRel**`"] - direction TB - style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel:roles[ ] - style debitorRel:roles fill:#99bcdb,stroke:white - - role:debitorRel:OWNER[[debitorRel:OWNER]] - role:debitorRel:ADMIN[[debitorRel:ADMIN]] - role:debitorRel:AGENT[[debitorRel:AGENT]] - role:debitorRel:TENANT[[debitorRel:TENANT]] - end -end - -%% granting roles to users -user:creator ==> role:sepaMandate:OWNER - -%% granting roles to roles -role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER -role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN -role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER -role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.contact:OWNER -role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN -role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:debitorRel:OWNER -role:debitorRel:OWNER -.-> 
role:debitorRel:ADMIN -role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN -role:debitorRel:ADMIN -.-> role:debitorRel:AGENT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT -role:debitorRel:AGENT -.-> role:debitorRel:TENANT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT -role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT -role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER -role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER -role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:bankAccount:OWNER -role:bankAccount:OWNER -.-> role:bankAccount:ADMIN -role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER -role:global:ADMIN ==> role:sepaMandate:OWNER -role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN -role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT -role:sepaMandate:AGENT ==> role:bankAccount:REFERRER -role:sepaMandate:AGENT ==> role:debitorRel:AGENT -role:sepaMandate:AGENT ==> role:sepaMandate:REFERRER -role:bankAccount:ADMIN ==> role:sepaMandate:REFERRER -role:debitorRel:AGENT ==> role:sepaMandate:REFERRER -role:sepaMandate:REFERRER ==> role:debitorRel:TENANT - -%% granting permissions to roles -role:sepaMandate:OWNER ==> perm:sepaMandate:DELETE -role:sepaMandate:ADMIN ==> perm:sepaMandate:UPDATE -role:sepaMandate:REFERRER ==> perm:sepaMandate:SELECT -role:debitorRel:ADMIN ==> perm:sepaMandate:INSERT - -``` diff --git a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md deleted file mode 100644 index 5c43e03d..00000000 --- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md +++ /dev/null 
@@ -1,198 +0,0 @@ -### rbac debitor - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"] - direction TB - style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.anchorPerson:roles[ ] - style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]] - role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]] - role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]] - end -end - -subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"] - direction TB - style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.holderPerson:roles[ ] - style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]] - role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]] - role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]] - end -end - -subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"] - direction TB - style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.holderPerson:roles[ ] - style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]] - role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]] - role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]] - end -end - -subgraph debitor["`**debitor**`"] - direction TB - style debitor fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph debitor:permissions[ ] - style debitor:permissions fill:#dd4901,stroke:white - - perm:debitor:INSERT{{debitor:INSERT}} - perm:debitor:DELETE{{debitor:DELETE}} - 
perm:debitor:UPDATE{{debitor:UPDATE}} - perm:debitor:SELECT{{debitor:SELECT}} - end - - subgraph debitorRel["`**debitorRel**`"] - direction TB - style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel:roles[ ] - style debitorRel:roles fill:#99bcdb,stroke:white - - role:debitorRel:OWNER[[debitorRel:OWNER]] - role:debitorRel:ADMIN[[debitorRel:ADMIN]] - role:debitorRel:AGENT[[debitorRel:AGENT]] - role:debitorRel:TENANT[[debitorRel:TENANT]] - end - end -end - -subgraph partnerRel["`**partnerRel**`"] - direction TB - style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel:roles[ ] - style partnerRel:roles fill:#99bcdb,stroke:white - - role:partnerRel:OWNER[[partnerRel:OWNER]] - role:partnerRel:ADMIN[[partnerRel:ADMIN]] - role:partnerRel:AGENT[[partnerRel:AGENT]] - role:partnerRel:TENANT[[partnerRel:TENANT]] - end -end - -subgraph partnerRel.contact["`**partnerRel.contact**`"] - direction TB - style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.contact:roles[ ] - style partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]] - role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]] - role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]] - end -end - -subgraph debitorRel.contact["`**debitorRel.contact**`"] - direction TB - style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph debitorRel.contact:roles[ ] - style debitorRel.contact:roles fill:#99bcdb,stroke:white - - role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]] - role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]] - role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]] - end -end - -subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"] - direction TB - style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.anchorPerson:roles[ ] - style 
partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]] - role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]] - role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]] - end -end - -subgraph refundBankAccount["`**refundBankAccount**`"] - direction TB - style refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph refundBankAccount:roles[ ] - style refundBankAccount:roles fill:#99bcdb,stroke:white - - role:refundBankAccount:OWNER[[refundBankAccount:OWNER]] - role:refundBankAccount:ADMIN[[refundBankAccount:ADMIN]] - role:refundBankAccount:REFERRER[[refundBankAccount:REFERRER]] - end -end - -%% granting roles to roles -role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER -role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN -role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER -role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.contact:OWNER -role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN -role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:debitorRel:OWNER -role:debitorRel:OWNER -.-> role:debitorRel:ADMIN -role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN -role:debitorRel:ADMIN -.-> role:debitorRel:AGENT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT -role:debitorRel:AGENT -.-> role:debitorRel:TENANT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT -role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT -role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER -role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER -role:debitorRel:TENANT -.-> 
role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:refundBankAccount:OWNER -role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN -role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER -role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT -role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER -role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER -role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER -role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN -role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER -role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN -role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER -role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER -role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER -role:partnerRel:ADMIN ==> role:debitorRel:ADMIN -role:partnerRel:AGENT ==> role:debitorRel:AGENT -role:debitorRel:AGENT ==> role:partnerRel:TENANT - -%% granting permissions to roles -role:global:ADMIN ==> perm:debitor:INSERT -role:debitorRel:OWNER ==> perm:debitor:DELETE -role:debitorRel:ADMIN ==> perm:debitor:UPDATE -role:debitorRel:TENANT ==> perm:debitor:SELECT - -``` 
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
deleted file mode 100644
index 3681b8e6..00000000
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
+++ /dev/null
@@ -1,120 +0,0 @@ -### rbac membership - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph partnerRel["`**partnerRel**`"] - direction TB - style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel:roles[ ] - style partnerRel:roles fill:#99bcdb,stroke:white - - role:partnerRel:OWNER[[partnerRel:OWNER]] - role:partnerRel:ADMIN[[partnerRel:ADMIN]] - role:partnerRel:AGENT[[partnerRel:AGENT]] - role:partnerRel:TENANT[[partnerRel:TENANT]] - end -end - -subgraph partnerRel.contact["`**partnerRel.contact**`"] - direction TB - style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.contact:roles[ ] - style partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]] - role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]] - role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]] - end -end - -subgraph membership["`**membership**`"] - direction TB - style membership fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph membership:roles[ ] - style membership:roles fill:#dd4901,stroke:white - - role:membership:OWNER[[membership:OWNER]] - role:membership:ADMIN[[membership:ADMIN]] - role:membership:AGENT[[membership:AGENT]] - end - - subgraph membership:permissions[ ] - style membership:permissions fill:#dd4901,stroke:white - - perm:membership:INSERT{{membership:INSERT}} - perm:membership:DELETE{{membership:DELETE}} - perm:membership:UPDATE{{membership:UPDATE}} - perm:membership:SELECT{{membership:SELECT}} - end -end - -subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"] - direction TB - style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.anchorPerson:roles[ ] - style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - 
role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]] - role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]] - role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]] - end -end - -subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"] - direction TB - style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph partnerRel.holderPerson:roles[ ] - style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]] - role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]] - role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]] - end -end - -%% granting roles to users -user:creator ==> role:membership:OWNER - -%% granting roles to roles -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER -role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER -role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER -role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN -role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER -role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN -role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT -role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER -role:partnerRel:TENANT -.-> 
role:partnerRel.holderPerson:REFERRER -role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER -role:membership:OWNER ==> role:membership:ADMIN -role:partnerRel:ADMIN ==> role:membership:ADMIN -role:membership:ADMIN ==> role:membership:AGENT -role:partnerRel:AGENT ==> role:membership:AGENT -role:membership:AGENT ==> role:partnerRel:TENANT - -%% granting permissions to roles -role:global:ADMIN ==> perm:membership:INSERT -role:membership:ADMIN ==> perm:membership:DELETE -role:membership:ADMIN ==> perm:membership:UPDATE -role:membership:AGENT ==> perm:membership:SELECT - -``` diff --git a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md deleted file mode 100644 index 26ff3d5c..00000000 --- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md +++ /dev/null 
@@ -1,120 +0,0 @@ -### rbac coopSharesTransaction - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]] - role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]] - role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]] - end -end - -subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]] - role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]] - role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]] - end -end - -subgraph coopSharesTransaction["`**coopSharesTransaction**`"] - direction TB - style coopSharesTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph coopSharesTransaction:permissions[ ] - style coopSharesTransaction:permissions fill:#dd4901,stroke:white - - perm:coopSharesTransaction:INSERT{{coopSharesTransaction:INSERT}} - perm:coopSharesTransaction:UPDATE{{coopSharesTransaction:UPDATE}} - perm:coopSharesTransaction:SELECT{{coopSharesTransaction:SELECT}} - end -end - -subgraph membership["`**membership**`"] - direction 
TB - style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership:roles[ ] - style membership:roles fill:#99bcdb,stroke:white - - role:membership:OWNER[[membership:OWNER]] - role:membership:ADMIN[[membership:ADMIN]] - role:membership:AGENT[[membership:AGENT]] - end -end - -subgraph membership.partnerRel["`**membership.partnerRel**`"] - direction TB - style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel:roles[ ] - style membership.partnerRel:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]] - role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]] - role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]] - role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]] - end -end - -subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]] - role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]] - role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]] - end -end - -%% granting roles to roles -role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER -role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER -role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> 
role:membership.partnerRel.contact:OWNER -role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN -role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel:OWNER -role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER -role:membership:OWNER -.-> role:membership:ADMIN -role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN -role:membership:ADMIN -.-> role:membership:AGENT -role:membership.partnerRel:AGENT -.-> role:membership:AGENT -role:membership:AGENT -.-> role:membership.partnerRel:TENANT - -%% granting permissions to roles -role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT -role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE -role:membership:AGENT ==> perm:coopSharesTransaction:SELECT - -``` diff --git a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql deleted file mode 100644 index f4856f0a..00000000 --- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql +++ /dev/null 
@@ -1,151 +0,0 @@ ---liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator, do not amend manually. - - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_coopsharestransaction'); ---// - - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction'); ---// - - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-insert-trigger:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates the roles, grants and permission for the AFTER INSERT TRIGGER. - */ - -create or replace procedure buildRbacSystemForHsOfficeCoopSharesTransaction( - NEW hs_office_coopsharestransaction -) - language plpgsql as $$ - -declare - newMembership hs_office_membership; - -begin - call enterTriggerForObjectUuid(NEW.uuid); - - SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; - assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); - - call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); - - call leaveTriggerForObjectUuid(NEW.uuid); -end; $$; - -/* - AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopsharestransaction row. 
- */ - -create or replace function insertTriggerForHsOfficeCoopSharesTransaction_tf() - returns trigger - language plpgsql - strict as $$ -begin - call buildRbacSystemForHsOfficeCoopSharesTransaction(NEW); - return NEW; -end; $$; - -create trigger insertTriggerForHsOfficeCoopSharesTransaction_tg - after insert on hs_office_coopsharestransaction - for each row -execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf(); ---// - - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows. - */ -do language plpgsql $$ - declare - row hs_office_membership; - begin - call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows'); - - FOR row IN SELECT * FROM hs_office_membership - LOOP - call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'), - hsOfficeMembershipADMIN(row)); - END LOOP; - END; -$$; - -/** - Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows. -*/ -create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf() - returns trigger - language plpgsql - strict as $$ -begin - call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'), - hsOfficeMembershipADMIN(NEW)); - return NEW; -end; $$; - --- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg - after insert on hs_office_membership - for each row -execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf(); - -/** - Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. -*/ -create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf() - returns trigger - language plpgsql as $$ -begin - raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); -end; $$; - -create trigger hs_office_coopsharestransaction_insert_permission_check_tg - before insert on hs_office_coopsharestransaction - for each row - when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopsharestransaction') ) - execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf(); ---// - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', - $idName$ - reference - $idName$); ---// - --- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_coopsharestransaction', - $orderBy$ - reference - $orderBy$, - $updates$ - comment = new.comment - $updates$); ---// - 
diff --git a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md deleted file mode 100644 index d220a38c..00000000 --- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md +++ /dev/null 
@@ -1,120 +0,0 @@ -### rbac coopAssetsTransaction - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]] - role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]] - role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]] - end -end - -subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]] - role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]] - role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]] - end -end - -subgraph coopAssetsTransaction["`**coopAssetsTransaction**`"] - direction TB - style coopAssetsTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph coopAssetsTransaction:permissions[ ] - style coopAssetsTransaction:permissions fill:#dd4901,stroke:white - - perm:coopAssetsTransaction:INSERT{{coopAssetsTransaction:INSERT}} - perm:coopAssetsTransaction:UPDATE{{coopAssetsTransaction:UPDATE}} - perm:coopAssetsTransaction:SELECT{{coopAssetsTransaction:SELECT}} - end -end - -subgraph membership["`**membership**`"] - direction 
TB - style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership:roles[ ] - style membership:roles fill:#99bcdb,stroke:white - - role:membership:OWNER[[membership:OWNER]] - role:membership:ADMIN[[membership:ADMIN]] - role:membership:AGENT[[membership:AGENT]] - end -end - -subgraph membership.partnerRel["`**membership.partnerRel**`"] - direction TB - style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel:roles[ ] - style membership.partnerRel:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]] - role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]] - role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]] - role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]] - end -end - -subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]] - role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]] - role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]] - end -end - -%% granting roles to roles -role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER -role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER -role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> 
role:membership.partnerRel.contact:OWNER -role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN -role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel:OWNER -role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER -role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER -role:membership:OWNER -.-> role:membership:ADMIN -role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN -role:membership:ADMIN -.-> role:membership:AGENT -role:membership.partnerRel:AGENT -.-> role:membership:AGENT -role:membership:AGENT -.-> role:membership.partnerRel:TENANT - -%% granting permissions to roles -role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT -role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE -role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT - -``` diff --git a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql deleted file mode 100644 index df1fdd3b..00000000 --- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql +++ /dev/null 
@@ -1,151 +0,0 @@ ---liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator, do not amend manually. - - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_coopassetstransaction'); ---// - - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction'); ---// - - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-insert-trigger:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates the roles, grants and permission for the AFTER INSERT TRIGGER. - */ - -create or replace procedure buildRbacSystemForHsOfficeCoopAssetsTransaction( - NEW hs_office_coopassetstransaction -) - language plpgsql as $$ - -declare - newMembership hs_office_membership; - -begin - call enterTriggerForObjectUuid(NEW.uuid); - - SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; - assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); - - call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); - - call leaveTriggerForObjectUuid(NEW.uuid); -end; $$; - -/* - AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopassetstransaction row. 
- */ - -create or replace function insertTriggerForHsOfficeCoopAssetsTransaction_tf() - returns trigger - language plpgsql - strict as $$ -begin - call buildRbacSystemForHsOfficeCoopAssetsTransaction(NEW); - return NEW; -end; $$; - -create trigger insertTriggerForHsOfficeCoopAssetsTransaction_tg - after insert on hs_office_coopassetstransaction - for each row -execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf(); ---// - - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows. - */ -do language plpgsql $$ - declare - row hs_office_membership; - begin - call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows'); - - FOR row IN SELECT * FROM hs_office_membership - LOOP - call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'), - hsOfficeMembershipADMIN(row)); - END LOOP; - END; -$$; - -/** - Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows. -*/ -create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf() - returns trigger - language plpgsql - strict as $$ -begin - call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'), - hsOfficeMembershipADMIN(NEW)); - return NEW; -end; $$; - --- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg - after insert on hs_office_membership - for each row -execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf(); - -/** - Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. -*/ -create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf() - returns trigger - language plpgsql as $$ -begin - raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); -end; $$; - -create trigger hs_office_coopassetstransaction_insert_permission_check_tg - before insert on hs_office_coopassetstransaction - for each row - when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopassetstransaction') ) - execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf(); ---// - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', - $idName$ - reference - $idName$); ---// - --- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_coopassetstransaction', - $orderBy$ - reference - $orderBy$, - $updates$ - comment = new.comment - $updates$); ---// -