From b8cd633c5a8f3a2a0bc605dad24014006649a0e0 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 6 Feb 2024 16:57:21 +0100
Subject: [PATCH] draft for partner permission grant model

---
 .../changelog/233-hs-office-partner-rbac.md | 121 +++++++++---------
 1 file changed, 57 insertions(+), 64 deletions(-)

diff --git a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
index 148343c3..762ead0f 100644
--- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
+++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
@@ -3,76 +3,69 @@
 ```mermaid
 flowchart TB
 
-subgraph global
-    style global fill:#eee
+subgraph external[ ]
+    style external fill:#fff
 
-    role:global.admin[global.admin]
+    subgraph global
+        style global fill:#eee
+
+        role:global.admin[global.admin]
+    end
+
+    subgraph partnerPerson
+        style partnerPerson fill:#eee
+
+        role:partnerPerson.admin[global.admin]
+    end
+
+    subgraph otherRelatedPerson
+        style otherRelatedPerson fill:#eee
+
+        role:otherRelatedPerson.admin[global.admin]
+    end
+
+    subgraph hsOfficeRelationship
+        direction TB
+        style hsOfficeRelationship fill:#eee
+
+        role:global.admin
+        --> role:hsOfficeRelationship.owner[relationship.owner]
+        --> role:hsOfficeRelationship.admin[relationship.admin]
+        --> role:hsOfficeRelationship.agent[relationship.agent]
+        --> role:hsOfficeRelationship.tenant[relationship.tenant]
+
+        role:partnerPerson.admin --> role:hsOfficeRelationship.agent
+        role:otherRelatedPerson.admin --> role:hsOfficeRelationship.tenant
+    end
 end
 
-subgraph hsOfficeContact
-    direction TB
-    style hsOfficeContact fill:#eee
-
-    role:hsOfficeContact.admin[contact.admin]
-    --> role:hsOfficeContact.tenant[contact.tenant]
-    --> role:hsOfficeContact.guest[contact.guest]
-end
+subgraph internal[ ]
+    style internal fill:#fff
 
-subgraph hsOfficePerson
-    direction TB
-    style hsOfficePerson fill:#eee
-
-    role:hsOfficePerson.admin[person.admin]
-    --> role:hsOfficePerson.tenant[person.tenant]
-    --> role:hsOfficePerson.guest[person.guest]
-end
+    subgraph hsOfficePartner
+
+        perm:hsOfficePartner.*{{partner.*}}
+        role:hsOfficeRelationship.owner --> perm:hsOfficePartner.*
+
+        perm:hsOfficePartner.edit{{partner.edit}}
+        role:hsOfficeRelationship.admin --> perm:hsOfficePartner.edit
+
+        perm:hsOfficePartner.view{{partner.view}}
+        role:hsOfficeRelationship.tenant --> perm:hsOfficePartner.view
+    end
 
-subgraph hsOfficePartnerDetails
-    direction TB
-
-    perm:hsOfficePartnerDetails.*{{partner.*}}
-    perm:hsOfficePartnerDetails.edit{{partner.edit}}
-    perm:hsOfficePartnerDetails.view{{partner.view}}
-end
+    subgraph hsOfficePartnerDetails
+        direction TB
+
+        perm:hsOfficePartnerDetails.*{{partnerDetails.*}}
+        role:hsOfficeRelationship.owner --> perm:hsOfficePartnerDetails.*
 
-subgraph hsOfficePartner
-
-    role:hsOfficePartner.owner[partner.owner]
-    %% permissions
-    role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
-    role:hsOfficePartner.owner --> perm:hsOfficePartnerDetails.*{{partner.*}}
-    %% incoming
-    role:global.admin ---> role:hsOfficePartner.owner
-
-    role:hsOfficePartner.admin[partner.admin]
-    %% permissions
-    role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
-    role:hsOfficePartner.admin --> perm:hsOfficePartnerDetails.edit{{partner.edit}}
-    %% incoming
-    role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
-    %% outgoing
-    role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
-    role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
-
-    role:hsOfficePartner.agent[partner.agent]
-    %% permissions
-    role:hsOfficePartner.agent --> perm:hsOfficePartnerDetails.view{{partner.view}}
-    %% incoming
-    role:hsOfficePartner.admin ---> role:hsOfficePartner.agent
-    role:hsOfficePerson.admin --> role:hsOfficePartner.agent
-    role:hsOfficeContact.admin --> role:hsOfficePartner.agent
-
-    role:hsOfficePartner.tenant[partner.tenant]
-    %% incoming
-    role:hsOfficePartner.agent --> role:hsOfficePartner.tenant
-    %% outgoing
-    role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
-    role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
+        perm:hsOfficePartnerDetails.edit{{partnerDetails.edit}}
+        role:hsOfficeRelationship.agent --> perm:hsOfficePartnerDetails.edit
+        role:hsOfficeRelationship.agent ----> perm:hsOfficePartnerDetails.view
+
+        perm:hsOfficePartnerDetails.view{{partnerDetails.view}}
+    end
 
-    role:hsOfficePartner.guest[partner.guest]
-    %% permissions
-    role:hsOfficePartner.guest --> perm:hsOfficePartner.view{{partner.view}}
-    %% incoming
-    role:hsOfficePartner.tenant --> role:hsOfficePartner.guest
 end
 ```