diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java index 88d07efa..faa3d565 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java @@ -23,7 +23,7 @@ public class InsertTriggerGenerator { void generateTo(final StringWriter plPgSql) { generateLiquibaseChangesetHeader(plPgSql); - generateGrantInsertRoleToExistingCustomers(plPgSql); + generateGrantInsertRoleToExistingObjects(plPgSql); generateInsertPermissionGrantTrigger(plPgSql); generateInsertCheckTrigger(plPgSql); plPgSql.writeLn("--//"); @@ -38,7 +38,7 @@ public class InsertTriggerGenerator { with("liquibaseTagPrefix", liquibaseTagPrefix)); } - private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) { + private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) { getOptionalInsertSuperRole().ifPresent( superRoleDef -> { plPgSql.writeLn(""" /* @@ -100,13 +100,7 @@ public class InsertTriggerGenerator { private void generateInsertCheckTrigger(final StringWriter plPgSql) { getOptionalInsertGrant().ifPresentOrElse(g -> { - if (!g.getSuperRoleDef().getEntityAlias().isGlobal()) { - if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) { - generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g); - } else { - generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g); - } - } else { + if (g.getSuperRoleDef().getEntityAlias().isGlobal()) { switch (g.getSuperRoleDef().getRole()) { case ADMIN -> { generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql); 
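Review bot: In the reordered `generateInsertCheckTrigger` the super role is re-resolved on every branch — `g.getSuperRoleDef().getEntityAlias()` in the `if`, again in the `isRootEntityAlias(...)` test, and `g.getSuperRoleDef().getRole()` twice inside the global switch — which makes the global-versus-root-entity decision harder to read than it needs to be; hoisting `final var superRole = g.getSuperRoleDef();` and `final var superEntity = superRole.getEntityAlias();` at the top of the lambda and branching on those would fix that. Note also that only the global branch fails closed on an unexpected role (the `default` that throws `"invalid global role for INSERT permission"`), while the non-global branch dispatches purely on `isRootEntityAlias` and accepts whatever role the RbacView declared; if that is intentional, a one-line comment such as `// non-global super roles are taken as declared; only global roles are restricted to ADMIN` would spare the next reader the question, but confirm first whether RbacView validates them elsewhere. The switch and the enclosing lambda continue past the end of this hunk.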
@@ -119,6 +113,12 @@ public class InsertTriggerGenerator { "invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole()); } } + } else { + if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) { + generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g); + } else { + generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g); + } } }, () -> { @@ -139,7 +139,10 @@ public class InsertTriggerGenerator { private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) { plPgSql.writeLn(""" /** - Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. + Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}, + where the check is performed by a direct role. + + A direct role is a role depending on a foreign key directly available in the NEW row. */ create or replace function ${rawSubTable}_insert_permission_missing_tf() returns trigger @@ -164,7 +167,10 @@ public class InsertTriggerGenerator { final RbacView.RbacGrantDefinition g) { plPgSql.writeLn(""" /** - Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. + Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}, + where the check is performed by an indirect role. + + An indirect role is a role FIXME. */ create or replace function ${rawSubTable}_insert_permission_missing_tf() returns trigger @@ -203,7 +209,8 @@ public class InsertTriggerGenerator { private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) { plPgSql.writeLn(""" /** - Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. + Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}, + where only global-admin has that permission. */ create or replace function ${rawSubTable}_insert_permission_missing_tf() returns trigger 
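Review bot: The `() -> {` that closes this hunk opens the no-INSERT-grant branch, and the regenerated `113-test-customer-rbac.sql` in this same commit shows what it now emits: the deny-all `test_customer_insert_permission_missing_tf()` (the `raise exception '[403] insert into test_customer not allowed ...'`) is gone, replaced by `-- FIXME: Where is this case necessary?`, while `create trigger test_customer_insert_permission_check_tg before insert on test_customer for each row` is still generated. The generator change that produced this lies outside the visible hunks, so I cannot see the new branch body, but whatever it is, the result is either a changeset that fails to apply because the trigger presumably still names the dropped function, or — if that line was removed too — a root table that is left with no insert check at all. That function was the fail-closed default for a table without a declared INSERT grant, which is exactly the answer to the FIXME: it is necessary for every entity whose RbacView declares no INSERT grant, so that nobody can insert until a grant is declared. Please keep emitting the deny-all function in the orElse branch (or drop the trigger creation together with it, never one without the other), and replace the FIXME with `-- no INSERT grant declared for this entity: deny inserts for all subjects by default`.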
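Review bot: The text block in `generateInsertPermissionTriggerAllowByIndirectRole` now emits the literal placeholder `An indirect role is a role FIXME.` into every generated changeset — it is already visible in `123-test-package-rbac.sql` and `133-test-domain-rbac.sql` in this commit — so the sentence should be completed or dropped before the generator is run again. The only definition the code itself supports is the branch condition in `generateInsertCheckTrigger`: this path is taken when the super role's entity alias is not the root entity alias of the RbacView, so a grounded wording would be `An indirect role is a role of an entity alias other than the root entity of this RBAC view, so it cannot be resolved from a column of the NEW row alone.`; the second half of that sentence is my inference from the contrast with the direct-role comment in the previous hunk and should be confirmed against what the generated function body actually joins on. Given that these comments are copied into every changeset, a generator-side guard (for instance a unit test asserting the rendered output contains no `FIXME`) would prevent placeholders from reaching migrations in future.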
diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.md b/src/main/resources/db/changelog/113-test-customer-rbac.md index 99083bec..14057c2a 100644 --- a/src/main/resources/db/changelog/113-test-customer-rbac.md +++ b/src/main/resources/db/changelog/113-test-customer-rbac.md @@ -1,6 +1,6 @@ ### rbac customer -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:18.451453701. +This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.310302721. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.sql b/src/main/resources/db/changelog/113-test-customer-rbac.sql index 2d8436a8..2b3fda9f 100644 --- a/src/main/resources/db/changelog/113-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/113-test-customer-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:18.467932975. +-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.329089492. -- ============================================================================ @@ -80,17 +80,7 @@ execute procedure insertTriggerForTestCustomer_tf(); --changeset test-customer-rbac-INSERT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -/** - Checks if the user or assumed roles are allowed to insert a row to test_customer. -*/ -create or replace function test_customer_insert_permission_missing_tf() - returns trigger - language plpgsql as $$ -begin - raise exception '[403] insert into test_customer not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); -end; $$; - +-- FIXME: Where is this case necessary? create trigger test_customer_insert_permission_check_tg before insert on test_customer for each row 
diff --git a/src/main/resources/db/changelog/123-test-package-rbac.md b/src/main/resources/db/changelog/123-test-package-rbac.md index 2ba8560e..0ca13fc4 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.md +++ b/src/main/resources/db/changelog/123-test-package-rbac.md @@ -1,6 +1,6 @@ ### rbac package -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:51.758424330. +This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.365161640. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql index b3d20bac..1e79ac4b 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.sql +++ b/src/main/resources/db/changelog/123-test-package-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:51.767062425. +-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.365610181. -- ============================================================================ @@ -194,7 +194,10 @@ create trigger z_test_package_test_customer_insert_tg execute procedure test_package_test_customer_insert_tf(); /** - Checks if the user or assumed roles are allowed to insert a row to test_package. + Checks if the user or assumed roles are allowed to insert a row to test_package, + where the check is performed by an indirect role. + + An indirect role is a role FIXME. */ create or replace function test_package_insert_permission_missing_tf() returns trigger diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.md b/src/main/resources/db/changelog/133-test-domain-rbac.md index 800a6fe5..71fb6074 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.md +++ b/src/main/resources/db/changelog/133-test-domain-rbac.md 
@@ -1,6 +1,6 @@ ### rbac domain -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:31.860490657. +This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.391784384. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql index 6fb9cc73..8bd6b8df 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:31.873124905. +-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.392306652. -- ============================================================================ @@ -193,7 +193,10 @@ create trigger z_test_domain_test_package_insert_tg execute procedure test_domain_test_package_insert_tf(); /** - Checks if the user or assumed roles are allowed to insert a row to test_domain. + Checks if the user or assumed roles are allowed to insert a row to test_domain, + where the check is performed by an indirect role. + + An indirect role is a role FIXME. */ create or replace function test_domain_insert_permission_missing_tf() returns trigger