From b9706ee4c34808a470d067abc2eccd426dbf3504 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 5 Apr 2024 12:10:30 +0200
Subject: [PATCH] properly generate imported conditional rbac rules (partner -> partnerRel usingDefaultCase)
---
.../office/partner/HsOfficePartnerEntity.java | 8 +-
.../relation/HsOfficeRelationEntity.java | 8 +-
.../hsadminng/rbac/rbacdef/RbacView.java | 34 ++++---
.../RbacViewMermaidFlowchartGenerator.java | 36 +++++---
.../5033-hs-office-relation-rbac-DEBITOR.md | 91 -------------------
...-hs-office-relation-rbac-REPRESENTATIVE.md | 1 -
.../5033-hs-office-relation-rbac.md | 6 +-
.../5033-hs-office-relation-rbac.sql | 3 +-
.../5043-hs-office-partner-rbac.md | 11 +-
.../5043-hs-office-partner-rbac.sql | 18 ++--
.../5063-hs-office-debitor-rbac.md | 16 +---
.../5073-hs-office-sepamandate-rbac.md | 5 +-
.../5103-hs-office-membership-rbac.md | 5 +-
.../5113-hs-office-coopshares-rbac.md | 5 +-
.../5123-hs-office-coopassets-rbac.md | 5 +-
15 files changed, 80 insertions(+), 172 deletions(-)
delete mode 100644 src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-DEBITOR.md
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
index 3c5f1983..6b019f62 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
@@ -102,16 +102,16 @@ public class HsOfficePartnerEntity implements Stringifyable, RbacObject { usingDefaultCase(), directlyFetchedByDependsOnColumn(), dependsOnColumn("partnerRelUuid")) - .createPermission(DELETE).grantedTo("partnerRel", ADMIN) - .createPermission(UPDATE).grantedTo("partnerRel", AGENT) + .createPermission(DELETE).grantedTo("partnerRel", OWNER) + .createPermission(UPDATE).grantedTo("partnerRel", ADMIN) .createPermission(SELECT).grantedTo("partnerRel", TENANT) .importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class, directlyFetchedByDependsOnColumn(), dependsOnColumn("detailsUuid")) - .createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN) + .createPermission("partnerDetails", DELETE).grantedTo("partnerRel", OWNER) .createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT) - .createPermission("partnerDetails", SELECT).grantedTo("partnerRel", AGENT); + .createPermission("partnerDetails", SELECT).grantedTo("partnerRel", AGENT); // not TENANT! } public static void main(String[] args) throws IOException { diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java index 33a60f31..1dbed5cc 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java @@ -119,7 +119,6 @@ public class HsOfficeRelationEntity implements RbacObject, Stringifyable { with.incomingSuperRole("anchorPerson", ADMIN); }) .createSubRole(TENANT, (with) -> { - with.incomingSuperRole("holderPerson", ADMIN); with.incomingSuperRole("contact", ADMIN); with.outgoingSubRole("anchorPerson", REFERRER); with.outgoingSubRole("holderPerson", REFERRER); 
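Review bot: The tightening leaves an undocumented asymmetry at the `partnerDetails` grants: `partner` UPDATE moves from `partnerRel` AGENT to ADMIN, but `partnerDetails` UPDATE stays with AGENT, and the only inline explanation, `// not TENANT!`, covers SELECT. Since the generated `5043-hs-office-partner-rbac.sql` hunks mirror exactly this split, the intent should be stated where the rule lives, e.g. `// partnerDetails may be maintained by the partner's own agent, the partner relation itself only by its admin` on the `partnerDetails` UPDATE line — or, if the asymmetry is accidental, that grant should move to ADMIN as well. The `rbac()` definition this chain belongs to starts before the hunk.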
@@ -132,17 +131,20 @@ public class HsOfficeRelationEntity implements RbacObject, Stringifyable { then.createRole(OWNER, (with) -> { with.owningUser(CREATOR); with.incomingSuperRole(GLOBAL, ADMIN); + with.incomingSuperRole("anchorPerson", ADMIN); with.permission(DELETE); }) .createSubRole(ADMIN, (with) -> { - with.incomingSuperRole("anchorPerson", ADMIN); with.permission(UPDATE); }) .createSubRole(AGENT, (with) -> { + // TODO.spec: we need relation:PROXY, to allow changing the relation contact. + // the alternative would be to move this to the relation:ADMIN role, + // but then the partner holder person could update the partner relation itself, + // see partner entity. with.incomingSuperRole("holderPerson", ADMIN); }) .createSubRole(TENANT, (with) -> { - with.incomingSuperRole("holderPerson", ADMIN); with.incomingSuperRole("contact", ADMIN); with.outgoingSubRole("anchorPerson", REFERRER); with.outgoingSubRole("holderPerson", REFERRER); diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java index 171a3b64..4e792861 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java @@ -393,8 +393,8 @@ public class RbacView { new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role); }); importedRbacView.getGrantDefs().forEach(grantDef -> { - if ( grantDef.matchesCase(forCase) && - grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE) { + if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE && + grantDef.matchesCase(forCase) ) { final var importedGrantDef = findOrCreateGrantDef( findRbacRole( mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName), 
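Review bot: Moving `with.incomingSuperRole("anchorPerson", ADMIN)` from the ADMIN role to the OWNER role of this case widens what an anchor person's admin can do: OWNER carries `with.permission(DELETE)`, so anchorPerson:ADMIN can now delete the relation, and through the partner import changed in this same commit also the partner and its details. That may well be intended (the anchor is the party the relation hangs off), but neither the commit message nor the code says so; a comment next to the moved line, such as `// the anchor person's admin owns the relation in the default case, including the right to DELETE it`, would record the decision. The `then.createRole(OWNER, ...)` lambda sits in a case block that begins before the hunk; the generated `5033-hs-office-relation-rbac.sql` ELSE branch reflects the same change.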
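Review bot: Swapping the operands so `grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE` is evaluated before `grantDef.matchesCase(forCase)` only changes behaviour if `matchesCase` can fail for non-role grants, and the rest of the commit suggests it can: the reworked `matchesCase` (hunk `@@ -595`) calls `forCases.isEmpty()` with no null guard, while the flowchart generator's new filter explicitly tests `getForCases() == null`. Rather than rely on short-circuit order at each call site, `matchesCase` itself should be null-safe: `final var noCasesDefined = forCases == null || forCases.isEmpty();`. If `forCases` is in fact always initialised, a comment on the field saying so would remove the doubt. The enclosing method continues outside the hunk.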
@@ -484,14 +484,13 @@ public class RbacView { public void generateWithBaseFileName(final String baseFileName) { if (allCases.size() > 1) { allCases.forEach(caseDef -> { - if ( caseDef.isDefaultCase() ) { // FIXME remove the condition - final var fileName = baseFileName + (caseDef.isDefaultCase() ? "" : "-" + caseDef.val) + ".md"; - new RbacViewMermaidFlowchartGenerator(this, caseDef) - .generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, fileName)); - } + final var fileName = baseFileName + (caseDef.isDefaultCase() ? "" : "-" + caseDef.val) + ".md"; + new RbacViewMermaidFlowchartGenerator(this, caseDef) + .generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, fileName)); }); + } else { + new RbacViewMermaidFlowchartGenerator(this).generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, baseFileName + ".md")); } - new RbacViewMermaidFlowchartGenerator(this).generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, baseFileName + ".md")); new RbacViewPostgresGenerator(this).generateToChangeLog(Path.of(OUTPUT_BASEDIR, baseFileName + ".sql")); } @@ -541,7 +540,9 @@ public class RbacView { case ROLE_TO_ROLE -> superRoleDef + arrow + subRoleDef; case PERM_TO_ROLE -> superRoleDef + arrow + permDef; }; - final var condition = isConditional() ? (" " +forCases.stream().map(CaseDef::toString).collect(Collectors.joining("||"))) : ""; + final var condition = isConditional() + ? (" (" +forCases.stream().map(CaseDef::toString).collect(Collectors.joining("||")) + ")") + : ""; return grant + condition; } 
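Review bot: With the formerly unconditional `new RbacViewMermaidFlowchartGenerator(this).generateToMarkdownFile(...)` moved into the `else`, a view with several cases only gets its unsuffixed markdown if one of them `isDefaultCase()`; if every case is named, `<baseFileName>.md` is no longer regenerated and whatever is on disk goes stale, as does any `-<case>.md` for a case that no longer exists (the deletion of `5033-hs-office-relation-rbac-DEBITOR.md` in this commit looks like such a manual cleanup). A comment stating the assumption, e.g. `// multi-case views are expected to include a default case, which produces the unsuffixed file`, or a fallback that writes the unsuffixed file when no default case exists, would make the contract explicit. The `.sql` changelog on the last line is still produced exactly once regardless of cases, which is presumably what is wanted.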
@@ -595,14 +596,19 @@ public class RbacView { return forCases != null && !forCases.isEmpty() && forCases.size() c.isCase(requestedCase)); + return noCasesDefined || generateForAllCases || isGrantedForRequestedCase; } boolean matchesCase(final CaseDef requestedCase) { final var noCasesDefined = forCases.isEmpty(); final var generateForAllCases = requestedCase == null; - final var isGrantedOnlyForDefaultCase = forCases.size() == 1 && forCases.iterator().next() == null; // FIXME: needed? final boolean isGrantedForRequestedCase = forCases.contains(requestedCase); return noCasesDefined || generateForAllCases || isGrantedForRequestedCase; } @@ -1171,6 +1177,10 @@ public class RbacView { ? "inOtherCases" : "inCaseOf:" + val; } + + public boolean isCase(final ColumnValue requestedCase) { + return Objects.equals(requestedCase.value, this.val); + } } private static void generateRbacView(final Class c) { diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java index e4dedc25..1f615ef3 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java @@ -1,7 +1,7 @@ package net.hostsharing.hsadminng.rbac.rbacdef; import lombok.SneakyThrows; -import net.hostsharing.hsadminng.rbac.rbacdef.ConditionGenerator.CaseDef; +import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef; import org.apache.commons.lang3.StringUtils; import java.nio.file.*; 
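Review bot: `isCase` dereferences `requestedCase.value` unguarded, so a null `ColumnValue` throws here, whereas the sibling `matchesCase(CaseDef)` treats a null request as "all cases"; the new caller in hunk `@@ -595` appears to check for null first via `generateForAllCases`, but `isCase` is public and should either mirror that (`return requestedCase != null && Objects.equals(requestedCase.value, this.val);`) or state the precondition in a Javadoc line such as `Returns whether the given column value selects this case; requestedCase must not be null.`. The `CaseDef` class this method belongs to starts before the hunk.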
@@ -107,7 +107,7 @@ public class RbacViewMermaidFlowchartGenerator { private void renderGrants(final RbacView.RbacGrantDefinition.GrantType grantType, final String comment) { final var grantsOfRequestedType = rbacDef.getGrantDefs().stream() .filter(g -> g.grantType() == grantType) - .filter(g -> g.matchesCase(forCase)) + .filter(this::isToBeRenderedInThisGraph) .toList(); if ( !grantsOfRequestedType.isEmpty()) { flowchart.ensureSingleEmptyLine(); @@ -116,10 +116,19 @@ public class RbacViewMermaidFlowchartGenerator { } } + private boolean isToBeRenderedInThisGraph(final RbacView.RbacGrantDefinition g) { + if ( g.grantType() != ROLE_TO_ROLE ) + return true; + if ( forCase == null && !g.isConditional() ) + return true; + final var isToBeRenderedInThisGraph = g.getForCases() == null || g.getForCases().contains(forCase); + return isToBeRenderedInThisGraph; + } + private String grantDef(final RbacView.RbacGrantDefinition grant) { final var arrow = (grant.isToCreate() ? " ==>" : " -.->") + (grant.isAssumed() ? " " : "|XX| "); - return switch (grant.grantType()) { + final var grantDef = switch (grant.grantType()) { case ROLE_TO_USER -> // TODO: other user types not implemented yet "user:creator" + arrow + roleId(grant.getSubRoleDef()); @@ -127,6 +136,7 @@ public class RbacViewMermaidFlowchartGenerator { roleId(grant.getSuperRoleDef()) + arrow + roleId(grant.getSubRoleDef()); case PERM_TO_ROLE -> roleId(grant.getSuperRoleDef()) + arrow + permId(grant.getPermDef()); }; + return grantDef; } private String permDef(final RbacView.RbacPermissionDefinition perm) { 
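Review bot: `isToBeRenderedInThisGraph` treats unconditional grants correctly only when `forCase == null`: in a per-case graph an unconditional ROLE_TO_ROLE grant whose `getForCases()` is an empty set rather than null falls through to `getForCases().contains(forCase)` and is dropped, and a conditional grant in a case-less graph is dropped by the same line although the previous `matchesCase(null)` filter rendered it. The regenerated debitor markdown in this commit losing its entire `debitorRel` role chain, including `role:global:ADMIN -.-> role:debitorRel:OWNER`, looks like that effect, though the hunk does not show how `forCases` is initialised. Mirroring `RbacGrantDefinition.matchesCase` would be simpler and consistent: replace the second guard with `if ( !g.isConditional() ) return true;` and return the condition directly, `return g.getForCases() == null || g.getForCases().contains(forCase);`. The brace-less one-statement `if` bodies and the local variable sharing the method's name are minor style points.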
@@ -155,16 +165,16 @@ public class RbacViewMermaidFlowchartGenerator { Files.writeString( path, """ - ### rbac %{entityAlias} - - This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - - ```mermaid - %{flowchart} - ``` - """ - .replace("%{entityAlias}", rbacDef.getRootEntityAlias().aliasName()) - .replace("%{flowchart}", flowchart.toString()), + ### rbac %{entityAlias} + + This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. + + ```mermaid + %{flowchart} + ``` + """ + .replace("%{entityAlias}", rbacDef.getRootEntityAlias().aliasName()) + .replace("%{flowchart}", flowchart.toString()), StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING); System.out.println("Markdown-File: " + path.toAbsolutePath()); } diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-DEBITOR.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-DEBITOR.md deleted file mode 100644 index f3ffabdf..00000000 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-DEBITOR.md +++ /dev/null 
@@ -1,91 +0,0 @@ -### rbac relation - -This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. - -```mermaid -%%{init:{'flowchart':{'htmlLabels':false}}}%% -flowchart TB - -subgraph holderPerson["`**holderPerson**`"] - direction TB - style holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph holderPerson:roles[ ] - style holderPerson:roles fill:#99bcdb,stroke:white - - role:holderPerson:OWNER[[holderPerson:OWNER]] - role:holderPerson:ADMIN[[holderPerson:ADMIN]] - role:holderPerson:REFERRER[[holderPerson:REFERRER]] - end -end - -subgraph anchorPerson["`**anchorPerson**`"] - direction TB - style anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph anchorPerson:roles[ ] - style anchorPerson:roles fill:#99bcdb,stroke:white - - role:anchorPerson:OWNER[[anchorPerson:OWNER]] - role:anchorPerson:ADMIN[[anchorPerson:ADMIN]] - role:anchorPerson:REFERRER[[anchorPerson:REFERRER]] - end -end - -subgraph contact["`**contact**`"] - direction TB - style contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph contact:roles[ ] - style contact:roles fill:#99bcdb,stroke:white - - role:contact:OWNER[[contact:OWNER]] - role:contact:ADMIN[[contact:ADMIN]] - role:contact:REFERRER[[contact:REFERRER]] - end -end - -subgraph relation["`**relation**`"] - direction TB - style relation fill:#dd4901,stroke:#274d6e,stroke-width:8px - - subgraph relation:roles[ ] - style relation:roles fill:#dd4901,stroke:white - - role:relation:OWNER[[relation:OWNER]] - role:relation:ADMIN[[relation:ADMIN]] - role:relation:AGENT[[relation:AGENT]] - role:relation:TENANT[[relation:TENANT]] - end - - subgraph relation:permissions[ ] - style relation:permissions fill:#dd4901,stroke:white - - perm:relation:DELETE{{relation:DELETE}} - perm:relation:UPDATE{{relation:UPDATE}} - perm:relation:SELECT{{relation:SELECT}} - perm:relation:INSERT{{relation:INSERT}} - end -end - -%% granting roles to users -user:creator ==> role:relation:OWNER - -%% 
granting roles to roles -role:global:ADMIN -.-> role:anchorPerson:OWNER -role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN -role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER -role:global:ADMIN -.-> role:holderPerson:OWNER -role:holderPerson:OWNER -.-> role:holderPerson:ADMIN -role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER -role:global:ADMIN -.-> role:contact:OWNER -role:contact:OWNER -.-> role:contact:ADMIN -role:contact:ADMIN -.-> role:contact:REFERRER - -%% granting permissions to roles -role:relation:OWNER ==> perm:relation:DELETE -role:relation:ADMIN ==> perm:relation:UPDATE -role:relation:TENANT ==> perm:relation:SELECT -role:anchorPerson:ADMIN ==> perm:relation:INSERT - -``` diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md index 067355a8..91a991a1 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md @@ -88,7 +88,6 @@ role:relation:ADMIN ==> role:anchorPerson:OWNER role:relation:ADMIN ==> role:relation:AGENT role:anchorPerson:ADMIN ==> role:relation:AGENT role:relation:AGENT ==> role:relation:TENANT -role:holderPerson:ADMIN ==> role:relation:TENANT role:contact:ADMIN ==> role:relation:TENANT role:relation:TENANT ==> role:anchorPerson:REFERRER role:relation:TENANT ==> role:holderPerson:REFERRER diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md index b598df88..d1efd785 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md 
@@ -82,18 +82,14 @@ role:global:ADMIN -.-> role:contact:OWNER role:contact:OWNER -.-> role:contact:ADMIN role:contact:ADMIN -.-> role:contact:REFERRER role:global:ADMIN ==> role:relation:OWNER -role:holderPerson:ADMIN ==> role:relation:OWNER role:relation:OWNER ==> role:relation:ADMIN -role:relation:ADMIN ==> role:anchorPerson:OWNER role:relation:ADMIN ==> role:relation:AGENT -role:anchorPerson:ADMIN ==> role:relation:AGENT role:relation:AGENT ==> role:relation:TENANT -role:holderPerson:ADMIN ==> role:relation:TENANT role:contact:ADMIN ==> role:relation:TENANT role:relation:TENANT ==> role:anchorPerson:REFERRER role:relation:TENANT ==> role:holderPerson:REFERRER role:relation:TENANT ==> role:contact:REFERRER -role:anchorPerson:ADMIN ==> role:relation:ADMIN +role:anchorPerson:ADMIN ==> role:relation:OWNER role:holderPerson:ADMIN ==> role:relation:AGENT %% granting permissions to roles diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql index 75adaeb4..15114d03 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql @@ -70,7 +70,6 @@ begin permissions => array['SELECT'], incomingSuperRoles => array[ hsOfficeContactADMIN(newContact), - hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationAGENT(NEW)], outgoingSubRoles => array[ hsOfficeContactREFERRER(newContact), 
@@ -83,8 +82,8 @@ begin call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson)); call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson)); ELSE - call grantRoleToRole(hsOfficeRelationADMIN(NEW), hsOfficePersonADMIN(newAnchorPerson)); call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson)); + call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson)); END IF; call leaveTriggerForObjectUuid(NEW.uuid); diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md index a0caa074..3522b5a3 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md 
@@ -98,22 +98,21 @@ role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER +role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER +role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT %% granting permissions to roles role:global:ADMIN ==> perm:partner:INSERT -role:partnerRel:ADMIN ==> perm:partner:DELETE -role:partnerRel:AGENT ==> perm:partner:UPDATE +role:partnerRel:OWNER ==> perm:partner:DELETE +role:partnerRel:ADMIN ==> perm:partner:UPDATE role:partnerRel:TENANT ==> perm:partner:SELECT -role:partnerRel:ADMIN ==> perm:partnerDetails:DELETE +role:partnerRel:OWNER ==> perm:partnerDetails:DELETE role:partnerRel:AGENT ==> perm:partnerDetails:UPDATE role:partnerRel:AGENT ==> perm:partnerDetails:SELECT diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index b5510d8c..7d263dbd 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql 
@@ -42,10 +42,10 @@ begin SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); - call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel)); + call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel)); + call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); + call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); 
@@ -110,17 +110,17 @@ begin if NEW.partnerRelUuid <> OLD.partnerRelUuid then - call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationADMIN(oldPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel)); + call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); + call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); + call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); + call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(oldPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel)); + call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); + call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); 
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
index 5c43e03d..d6e546cf 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
@@ -149,17 +149,6 @@ role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
-role:global:ADMIN -.-> role:debitorRel:OWNER
-role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
-role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
-role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
-role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
-role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
-role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:refundBankAccount:OWNER
 role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
 role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
@@ -176,15 +165,14 @@ role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER +role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER +role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:ADMIN ==> role:debitorRel:ADMIN role:partnerRel:AGENT ==> role:debitorRel:AGENT role:debitorRel:AGENT ==> role:partnerRel:TENANT diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md index aa3059f9..e3528f7f 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md 
@@ -110,15 +110,14 @@ role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER role:global:ADMIN -.-> role:debitorRel:OWNER role:debitorRel:OWNER -.-> role:debitorRel:ADMIN -role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN role:debitorRel:ADMIN -.-> role:debitorRel:AGENT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:AGENT -.-> role:debitorRel:TENANT -role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER +role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER +role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT role:global:ADMIN -.-> role:bankAccount:OWNER role:bankAccount:OWNER -.-> role:bankAccount:ADMIN role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md index 3681b8e6..9e5752b8 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md 
@@ -96,15 +96,14 @@ role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN -role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT -role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER +role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER +role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:membership:OWNER ==> role:membership:ADMIN role:partnerRel:ADMIN ==> role:membership:ADMIN role:membership:ADMIN ==> role:membership:AGENT diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md index 26ff3d5c..b38ad4a0 100644 --- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md 
@@ -97,15 +97,14 @@ role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER role:global:ADMIN -.-> role:membership.partnerRel:OWNER role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT role:membership:OWNER -.-> role:membership:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN role:membership:ADMIN -.-> role:membership:AGENT diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md index d220a38c..77de3dc2 100644 --- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md 
@@ -97,15 +97,14 @@ role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER role:global:ADMIN -.-> role:membership.partnerRel:OWNER role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN -role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT -role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT role:membership:OWNER -.-> role:membership:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN role:membership:ADMIN -.-> role:membership:AGENT