diff --git a/README.md b/README.md
index 04827ba3..4301d8fe 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a
 
     # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
     curl \
-        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy.admin' \
+        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:admin' \
         http://localhost:8080/api/test/packages
 
     # add a new customer
diff --git a/doc/ideas/rbac-schema-f.md b/doc/ideas/rbac-schema-f.md
index 7047d066..f1731d4f 100644
--- a/doc/ideas/rbac-schema-f.md
+++ b/doc/ideas/rbac-schema-f.md
@@ -27,8 +27,8 @@ Objektorientiert gedacht, enthalten solche Objekte die Zusatzdaten einer Subklas
 - Für die Rollenzuordnung zwischen referenzierten Objekten gilt:
   - Für Objekte vom Typ Root werden die Rollen des zugehörigen Aggregator-Objektes verwendet. 
   - Gibt es Referenzen auf hierarchisch verbundene Objekte (z.B. Debitor.refundBankAccount) gilt folgende Faustregel:
-        ***Nach oben absteigen, nach unten halten oder aufsteigen.*** An einem fachlich übergeordneten Objekt wird also eine niedrigere Rolle (z.B. Debitor-admin -> Partner.agent), einem fachlich untergeordneten Objekt eine gleichwertige Rolle (z.B. Partner.admin -> Debitor.admin) zugewiesen oder sogar aufgestiegen (Debitor.admin -> Package.tenant).
-  - Für Referenzen zwischen Objekten, die nicht hierarchisch zueinander stehen (z.B. Debitor und Bankverbindung), wird auf beiden seiten abgestiegen (also Debitor.admin -> BankAccount.referrer und BankAccount.admin -> Debitor.tenant).
+        ***Nach oben absteigen, nach unten halten oder aufsteigen.*** An einem fachlich übergeordneten Objekt wird also eine niedrigere Rolle (z.B. Debitor.ADMIN -> Partner.AGENT), einem fachlich untergeordneten Objekt eine gleichwertige Rolle (z.B. Partner.ADMIN -> Debitor.ADMIN) zugewiesen oder sogar aufgestiegen (Debitor.ADMIN -> Package.TENANT).
+  - Für Referenzen zwischen Objekten, die nicht hierarchisch zueinander stehen (z.B. Debitor und Bankverbindung), wird auf beiden seiten abgestiegen (also Debitor.ADMIN -> BankAccount.REFERRER und BankAccount.ADMIN -> Debitor.TENANT).
 
 Anmerkung: Der Typ-Begriff *Root* bezieht sich auf die Rolle im fachlichen Datenmodell. Im Bezug auf den Teilgraphen eines fachlichen Kontexts ist dies auch eine Wurzel im Sinne der Graphentheorie. Aber in anderen fachlichen Kontexten können auch diese Objekte von anderen Teilgraphen referenziert werden und werden dann zum inneren Knoten.
 
diff --git a/doc/ideas/simplified-grant-structure.md b/doc/ideas/simplified-grant-structure.md
index 6d89897a..d9b3cf44 100644
--- a/doc/ideas/simplified-grant-structure.md
+++ b/doc/ideas/simplified-grant-structure.md
@@ -16,11 +16,11 @@ Beim Debitor ist das nämlich selbst mit Generator die Hölle, zumal eben auch Q
 
 Mit anderen Worten, um als Repräsentant eines Geschäftspartners auf den Bank-Account der Sepa-Mandate sehen zu dürfen, wird derzeut folgende Grant-Kette durchlaufen (bzw. eben noch nicht, weil es noch nicht funktioniert):
 
-User -> Partner-Holder-Person:Admin -> Partner-Relation:Agent -> Debitor-Relation:Agent -> Sepa-Mandat:Admin -> BankAccount:Admin -> BankAccount:SELECT
+User -> Partner-Holder-Person:ADMIN -> Partner-Relation:AGENT -> Debitor-Relation:AGENT -> Sepa-Mandat:ADMIN -> BankAccount:ADMIN -> BankAccount:SELECT
 
 Daraus würde:
 
-User -> Partner-Relation:Agent -> Debitor-Relation:Agent -> Sepa-Mandat:Admin -> Sepa-Mandat:SELECT*
+User -> Partner-Relation:AGENT -> Debitor-Relation:AGENT -> Sepa-Mandat:ADMIN -> Sepa-Mandat:SELECT*
 
 (*mit JOIN auf RawBankAccount, also implizitem Leserecht)
 
diff --git a/doc/rbac.md b/doc/rbac.md
index 2de4d4bb..3cf58e25 100644
--- a/doc/rbac.md
+++ b/doc/rbac.md
@@ -196,24 +196,24 @@ E.g. if a new package is added, the admin-role of the related customer has to be
 There can be global roles like 'administrators'.
 Most roles, though, are specific for certain business-objects and automatically generated as such:
 
-    business-object-table#business-object-name.relative-role
+    business-object-table#business-object-name.role-stereotype
 
 
 Where *business-object-table* is the name of the SQL table of the business object (e.g *customer* or 'package'),
 *business-object-name* is generated from an immutable business key(e.g. a prefix like 'xyz' or 'xyz00')
-and the *relative-role*' describes the role relative to the referenced business-object as follows:
+and the *role-stereotype* describes a role relative to a referenced business-object as follows:
 
 #### owner
 
 The owner-role is granted to the subject which created the business object.
-E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...admin'. 
+E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:admin'. 
 
 Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
 
 In most cases, the permissions to other operations than 'DELETE' are granted through the 'admin' role.
 By this, all roles ob sub-objects, which are assigned to the 'admin' role, are also granted to the 'owner'.
 
-#### admin
+#### ADMIN
 
 The admin-role is granted to a role of those subjects who manage the business object.
 E.g. a 'package' is manged by the admin of the customer.
@@ -222,7 +222,7 @@ Whoever has the admin-role assigned, can usually update the related business-obj
 
 The admin-role also comprises lesser roles, through which the SELECT-permission is granted.
 
-#### agent
+#### AGENT
 
 The agent-role is not used in the examples of this document, because it's for more complex cases.
 It's usually granted to those roles and users who represent the related business-object, but are not allowed to update it.
@@ -231,21 +231,25 @@ Other than the tenant-role, it usually offers broader visibility of sub-business
 E.g. a package-admin is allowed to see the related debitor-business-object, 
 but not its banking data.
 
-#### tenant
+#### TENANT
 
 The tenant-role is granted to everybody who needs to be able to select the business-object and (probably some) related business-objects.
 Usually all owners, admins and tenants of sub-objects get this role granted.
 
 Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get SELECT permission.
 
-#### guest
+#### GUEST
+
+(Deprecated)
+
+#### REFERRER
 
 Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases.
 
-If the guest-role exists, the SELECT-permission is granted to it, instead of to the tenant-role.
-Other than the tenant-role, the guest-roles does never grant any roles of related objects. 
+If the referrer-role exists, the SELECT-permission is granted to it, instead of to the tenant-role.
+Other than the tenant-role, the referrer-roles does never grant any roles of related objects. 
 
-Also, if the guest-role exists, the tenant-role receives the SELECT-permission through the guest-role.
+Also, if the referrer-role exists, the tenant-role receives the SELECT-permission through the referrer-role.
 
 
 ### Referenced Business Objects and Role-Depreciation
@@ -372,7 +376,7 @@ That user is also used for historicization and audit log, but which is a differe
 If the session variable `hsadminng.assumedRoles` is set to a non-empty value, its content is interpreted as a list of semicolon-separated role names.
 Example:
 
-    SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
+    SET LOCAL hsadminng.assumedRoles = 'customer#aab:admin;customer#aac:admin';
 
 In this case, not the current user but the assumed roles are used as a starting point for any further queries.
 Roles which are not granted to the current user, directly or indirectly, cannot be assumed.
@@ -385,7 +389,7 @@ A full example is shown here:
     BEGIN TRANSACTION;
         SET SESSION SESSION AUTHORIZATION restricted;
         SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
-        SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
+        SET LOCAL hsadminng.assumedRoles = 'customer#aab:admin;customer#aac:admin';
         
         SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
           FROM emailaddress_rv ema
@@ -466,14 +470,14 @@ together {
     permCustomerXyzSELECT--> boCustXyz
 }
 
-entity "Role customer#xyz.tenant" as roleCustXyzTenant 
+entity "Role customer#xyz:tenant" as roleCustXyzTenant 
 roleCustXyzTenant --> permCustomerXyzSELECT
 
-entity "Role customer#xyz.admin" as roleCustXyzAdmin
+entity "Role customer#xyz:admin" as roleCustXyzAdmin
 roleCustXyzAdmin --> roleCustXyzTenant
 roleCustXyzAdmin --> permCustomerXyzINSERT:package
 
-entity "Role customer#xyz.owner" as roleCustXyzOwner
+entity "Role customer#xyz:owner" as roleCustXyzOwner
 roleCustXyzOwner ..> roleCustXyzAdmin
 roleCustXyzOwner --> permCustomerXyzDELETE
 
@@ -489,7 +493,7 @@ actorHostmaster --> roleAdmins
 ```
 
 As you can see, there something special:
-From the 'Role customer#xyz.owner' to the 'Role customer#xyz.admin' there is a dashed line, whereas all other lines are solid lines.
+From the 'Role customer#xyz:owner' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
 Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
 The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.
 
@@ -537,15 +541,15 @@ together {
 }
 
 package {
-    entity "Role customer#xyz.tenant" as roleCustXyzTenant
-    entity "Role customer#xyz.admin" as roleCustXyzAdmin    
-    entity "Role customer#xyz.owner" as roleCustXyzOwner
+    entity "Role customer#xyz:tenant" as roleCustXyzTenant
+    entity "Role customer#xyz:admin" as roleCustXyzAdmin    
+    entity "Role customer#xyz:owner" as roleCustXyzOwner
 }
 
 package {
-    entity "Role package#xyz00.owner" as rolePacXyz00Owner
-    entity "Role package#xyz00.admin" as rolePacXyz00Admin
-    entity "Role package#xyz00.tenant" as rolePacXyz00Tenant
+    entity "Role package#xyz00:owner" as rolePacXyz00Owner
+    entity "Role package#xyz00:admin" as rolePacXyz00Admin
+    entity "Role package#xyz00:tenant" as rolePacXyz00Tenant
 }
 
 rolePacXyz00Tenant --> permPacXyz00SELECT
diff --git a/sql/rbac-tests.sql b/sql/rbac-tests.sql
index e30ac926..351d1509 100644
--- a/sql/rbac-tests.sql
+++ b/sql/rbac-tests.sql
@@ -3,10 +3,10 @@
 -- --------------------------------------------------------
 
 
-select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
-select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
--- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
--- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
+select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
+select isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
+-- call grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
+-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
 
 select count(*)
 FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('superuser-fran@hostsharing.net'),
diff --git a/sql/rbac-view-option-experiments.sql b/sql/rbac-view-option-experiments.sql
index f6e80e10..c5c04487 100644
--- a/sql/rbac-view-option-experiments.sql
+++ b/sql/rbac-view-option-experiments.sql
@@ -83,7 +83,7 @@ select rr.uuid, rr.type from RbacGrants g
         select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
             where objectTable='test_customer');
 
-call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
+call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacUser('aaaaouq@example.com'));
 
 select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
 
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
index c4a4c8b9..ac1e5053 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
@@ -24,8 +24,11 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java
index 7bb4aea3..9a120ea3 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java
@@ -68,7 +68,7 @@ public class HsOfficePartnerDetailsEntity implements HasUuid, Stringifyable {
     public static RbacView rbac() {
         return rbacViewFor("partnerDetails", HsOfficePartnerDetailsEntity.class)
                 .withIdentityView(SQL.query("""
-                        SELECT partnerDetails.uuid as uuid, partner_iv.idName || '-details' as idName
+                        SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
                             FROM hs_office_partner_details AS partnerDetails
                             JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
                             JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
index a9a72160..7ef34252 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
@@ -120,7 +120,7 @@ public class InsertTriggerGenerator {
             }
         },
         () -> {
-            System.err.println("WARNING: no explicit INSERT grant for " + rbacDef.getRootEntityAlias().simpleName() + " => implicitly grant INSERT to global.admin");
+            System.err.println("WARNING: no explicit INSERT grant for " + rbacDef.getRootEntityAlias().simpleName() + " => implicitly grant INSERT to global:ADMIN");
             generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
         });
     }
@@ -246,7 +246,7 @@ public class InsertTriggerGenerator {
     }
 
     private static String toVar(final RbacView.RbacRoleDefinition roleDef) {
-        return uncapitalize(roleDef.getEntityAlias().simpleName()) + capitalize(roleDef.getRole().roleName());
+        return uncapitalize(roleDef.getEntityAlias().simpleName()) + capitalize(roleDef.getRole().name());
     }
 
 
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
index d6fe2ab3..6bba2b12 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@@ -113,7 +113,7 @@ public class RbacView {
      * <p>An identity view is a view which maps an objectUuid to an idName.
      * The idName should be a human-readable representation of the row, but as short as possible.
      * The idName must only consist of letters (A-Z, a-z), digits (0-9), dash (-), dot (.) and unserscore '_'.
-     * It's used to create the object-specific-role-names like test_customer#abc.admin - here 'abc' is the idName.
+     * It's used to create the object-specific-role-names like test_customer#abc:ADMIN - here 'abc' is the idName.
      * The idName not necessarily unique in a table, but it should be avoided.
      * </p>
      *
@@ -882,15 +882,12 @@ public class RbacView {
         TENANT,
         REFERRER,
 
+        @Deprecated
         GUEST;
 
         @Override
         public String toString() {
-            return ":" + roleName();
-        }
-
-        String roleName() {
-            return name().toLowerCase();
+            return ":" + name();
         }
     }
 
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java
index d6a9bc28..c6e775c9 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java
@@ -48,7 +48,7 @@ public class RbacViewMermaidFlowchartGenerator {
 
         flowchart.indented( () -> {
             rbacDef.getEntityAliases().values().stream()
-                    .filter(e -> e.aliasName().startsWith(entity.aliasName() + "."))
+                    .filter(e -> e.aliasName().startsWith(entity.aliasName() + ":"))
                     .forEach(this::renderEntitySubgraph);
 
             wrapOutputInSubgraph(entity.aliasName() + ":roles", color,
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
index 719c8ab4..484415f2 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
@@ -333,7 +333,7 @@ class RolesGrantsAndPermissionsGenerator {
             return "globalAdmin()";
         }
         final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
-        return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().roleName())
+        return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())
                 + "(" + entityRefVar + ")";
     }
 
@@ -359,7 +359,7 @@ class RolesGrantsAndPermissionsGenerator {
         plPgSql.indented(() -> {
             plPgSql.writeLn("${simpleVarName)${roleSuffix}(NEW),"
                     .replace("${simpleVarName)", simpleEntityVarName)
-                    .replace("${roleSuffix}", capitalize(role.roleName())));
+                    .replace("${roleSuffix}", capitalize(role.name())));
 
             generatePermissionsForRole(plPgSql, role);
 
@@ -562,7 +562,7 @@ class RolesGrantsAndPermissionsGenerator {
     }
 
     private static String toRoleRef(final RbacView.RbacRoleDefinition roleDef) {
-        return uncapitalize(roleDef.getEntityAlias().simpleName()) + capitalize(roleDef.getRole().roleName());
+        return uncapitalize(roleDef.getEntityAlias().simpleName()) + capitalize(roleDef.getRole().name());
     }
 
     private static String toTriggerReference(
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
index a3abf528..c2f2d524 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
@@ -59,9 +59,9 @@ public class RbacGrantEntity {
     }
 
     public String toDisplay() {
-        return "{ grant role " + grantedRoleIdName +
-                " to user " + granteeUserName +
-                " by role " + grantedByRoleIdName +
+        return "{ grant role:" + grantedRoleIdName +
+                " to user:" + granteeUserName +
+                " by role:" + grantedByRoleIdName +
                 (assumed ? " and assume" : "") +
                 " }";
     }
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
index cf05496a..f8746eb5 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
@@ -71,14 +71,14 @@ public class RbacGrantsDiagramService {
     private void traverseGrantsTo(final Set<RawRbacGrantEntity> graph, final UUID refUuid, final EnumSet<Include> includes) {
         final var grants = rawGrantRepo.findByAscendingUuid(refUuid);
         grants.forEach(g -> {
-            if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm ")) {
+            if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) {
                 return;
             }
-            if ( !g.getDescendantIdName().startsWith("role global")) {
-                if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(" test_")) {
+            if ( !g.getDescendantIdName().startsWith("role:global")) {
+                if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
                     return;
                 }
-                if (!includes.contains(NON_TEST_ENTITIES) && !g.getDescendantIdName().contains(" test_")) {
+                if (!includes.contains(NON_TEST_ENTITIES) && !g.getDescendantIdName().contains(":test_")) {
                     return;
                 }
             }
@@ -102,7 +102,7 @@ public class RbacGrantsDiagramService {
     private void traverseGrantsFrom(final Set<RawRbacGrantEntity> graph, final UUID refUuid, final EnumSet<Include> option) {
         final var grants = rawGrantRepo.findByDescendantUuid(refUuid);
         grants.forEach(g -> {
-            if (!option.contains(USERS) && g.getAscendantIdName().startsWith("user ")) {
+            if (!option.contains(USERS) && g.getAscendantIdName().startsWith("user:")) {
                 return;
             }
             graph.add(g);
@@ -171,7 +171,7 @@ public class RbacGrantsDiagramService {
         }
         if (refType.equals("role")) {
             final var withoutRolePrefix = node.idName().substring("role:".length());
-            return withoutRolePrefix.substring(0, withoutRolePrefix.lastIndexOf('.'));
+            return withoutRolePrefix.substring(0, withoutRolePrefix.lastIndexOf(':'));
         }
         throw new IllegalArgumentException("unknown refType '" + refType + "' in '" + node.idName() + "'");
     }
@@ -188,23 +188,23 @@ public class RbacGrantsDiagramService {
             return "(" + displayName + "\nref:" + uuid + ")";
         }
         if (refType.equals("role")) {
-            final var roleType = idName.substring(idName.lastIndexOf('.') + 1);
+            final var roleType = idName.substring(idName.lastIndexOf(':') + 1);
             return "[" + roleType + "\nref:" + uuid + "]";
         }
         if (refType.equals("perm")) {
-            final var roleType = idName.split(" ")[1];
+            final var roleType = idName.split(":")[1];
             return "{{" + roleType + "\nref:" + uuid + "}}";
         }
         return "";
     }
 
     private static String refType(final String idName) {
-        return idName.split(" ", 2)[0];
+        return idName.split(":", 2)[0];
     }
 
     @NotNull
     private static String cleanId(final String idName) {
-        return idName.replace(" ", ":").replaceAll("@.*", "")
+        return idName.replaceAll("@.*", "")
                 .replace("[", "").replace("]", "").replace("(", "").replace(")", "").replace(",", "");
     }
 
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
index 0405fee2..cf528361 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
@@ -31,7 +31,7 @@ public class RbacRoleController implements RbacRolesApi {
 
         context.define(currentUser, assumedRoles);
 
-        final List<RbacRoleEntity> result = rbacRoleRepository.findAll();
+        final List<RbacRoleRvEntity> result = rbacRoleRepository.findAll();
 
         return ResponseEntity.ok(mapper.mapList(result, RbacRoleResource.class));
     }
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
index 94633d7c..2d9d005b 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
@@ -5,7 +5,7 @@ import org.springframework.data.repository.Repository;
 import java.util.List;
 import java.util.UUID;
 
-public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {
+public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
 
     /**
      * @return the number of persistent RbacRoleEntity instances, mostly for testing purposes.
@@ -15,7 +15,7 @@ public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {
     /**
      * @return all persistent RbacRoleEntity instances, assigned to the current subject (user or assumed roles)
      */
-    List<RbacRoleEntity> findAll();
+    List<RbacRoleRvEntity> findAll();
 
-    RbacRoleEntity findByRoleName(String roleName);
+    RbacRoleRvEntity findByRoleName(String roleName);
 }
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
similarity index 88%
rename from src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleEntity.java
rename to src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
index 26528c8a..d174182a 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
@@ -15,7 +15,7 @@ import java.util.UUID;
 @Immutable
 @NoArgsConstructor
 @AllArgsConstructor
-public class RbacRoleEntity {
+public class RbacRoleRvEntity {
 
     @Id
     @GeneratedValue
@@ -34,6 +34,6 @@ public class RbacRoleEntity {
     @Enumerated(EnumType.STRING)
     private RbacRoleType roleType;
 
-    @Formula("objectTable||'#'||objectIdName||'.'||roleType")
+    @Formula("objectTable||'#'||objectIdName||':'||roleType")
     private String roleName;
 }
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleType.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleType.java
index fa5b16aa..e78e8836 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleType.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleType.java
@@ -1,5 +1,5 @@
 package net.hostsharing.hsadminng.rbac.rbacrole;
 
 public enum RbacRoleType {
-    owner, admin, agent, tenant, guest, referrer
+    OWNER, ADMIN, AGENT, TENANT, GUEST, REFERRER
 }
diff --git a/src/main/resources/api-definition/rbac/rbac-role-schemas.yaml b/src/main/resources/api-definition/rbac/rbac-role-schemas.yaml
index ff0e18e4..45736dc3 100644
--- a/src/main/resources/api-definition/rbac/rbac-role-schemas.yaml
+++ b/src/main/resources/api-definition/rbac/rbac-role-schemas.yaml
@@ -19,9 +19,11 @@ components:
                 roleType:
                     type: string
                     enum:
-                        - owner
-                        - admin
-                        - tenant
-                        - referrer
+                        - OWNER
+                        - ADMIN
+                        - AGENT
+                        - TENANT
+                        - GUEST
+                        - REFERRER
                 roleName:
                     type: string
diff --git a/src/main/resources/db/changelog/010-context.sql b/src/main/resources/db/changelog/010-context.sql
index ba655e93..3bb37037 100644
--- a/src/main/resources/db/changelog/010-context.sql
+++ b/src/main/resources/db/changelog/010-context.sql
@@ -149,8 +149,7 @@ create or replace function cleanIdentifier(rawIdentifier varchar)
 declare
     cleanIdentifier varchar;
 begin
-    -- TODO: remove the ':' from the list of allowed characters as soon as it's not used anymore
-    cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._:]+', '', 'g');
+    cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._]+', '', 'g');
     return cleanIdentifier;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/050-rbac-base.sql b/src/main/resources/db/changelog/050-rbac-base.sql
index ca560bf9..6a3387fb 100644
--- a/src/main/resources/db/changelog/050-rbac-base.sql
+++ b/src/main/resources/db/changelog/050-rbac-base.sql
@@ -164,7 +164,7 @@ end; $$;
 
  */
 
-create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest', 'referrer');
+create type RbacRoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
 
 create table RbacRole
 (
@@ -249,7 +249,7 @@ declare
     roleUuid                  uuid;
 begin
     -- TODO.refact: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences
-    roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), '.'));
+    roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
     objectTableFromRoleIdName = split_part(roleParts, '#', 1);
     objectNameFromRoleIdName = split_part(roleParts, '#', 2);
     roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
diff --git a/src/main/resources/db/changelog/054-rbac-context.sql b/src/main/resources/db/changelog/054-rbac-context.sql
index 5437131f..faae1782 100644
--- a/src/main/resources/db/changelog/054-rbac-context.sql
+++ b/src/main/resources/db/changelog/054-rbac-context.sql
@@ -50,7 +50,7 @@ begin
 
     foreach roleName in array string_to_array(assumedRoles, ';')
         loop
-            roleNameParts = overlay(roleName placing '#' from length(roleName) + 1 - strpos(reverse(roleName), '.'));
+            roleNameParts = overlay(roleName placing '#' from length(roleName) + 1 - strpos(reverse(roleName), ':'));
             objectTableToAssume = split_part(roleNameParts, '#', 1);
             objectNameToAssume = split_part(roleNameParts, '#', 2);
             roleTypeToAssume = split_part(roleNameParts, '#', 3);
diff --git a/src/main/resources/db/changelog/055-rbac-views.sql b/src/main/resources/db/changelog/055-rbac-views.sql
index 408c3594..a8570f6c 100644
--- a/src/main/resources/db/changelog/055-rbac-views.sql
+++ b/src/main/resources/db/changelog/055-rbac-views.sql
@@ -9,7 +9,7 @@
  */
 drop view if exists rbacrole_ev;
 create or replace view rbacrole_ev as
-select (objectTable || '#' || objectIdName || '.' || roleType) as roleIdName, *
+select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, *
        -- @formatter:off
     from (
              select r.*,
@@ -40,7 +40,7 @@ select *
                 where isGranted(currentSubjectsUuids(), r.uuid)
         ) as unordered
         -- @formatter:on
-        order by objectTable || '#' || objectIdName || '.' || roleType;
+        order by objectTable || '#' || objectIdName || ':' || roleType;
 grant all privileges on rbacrole_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
 --//
 
@@ -57,7 +57,7 @@ create or replace view rbacgrants_ev as
     -- @formatter:off
     select x.grantUuid as uuid,
            x.grantedByTriggerOf as grantedByTriggerOf,
-           go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || '.' || r.roletype as grantedByRoleIdName,
+           go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
            x.ascendingIdName as ascendantIdName,
            x.descendingIdName as descendantIdName,
            x.grantedByRoleUuid,
@@ -71,16 +71,16 @@ create or replace view rbacgrants_ev as
                     g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
 
                     coalesce(
-                        'user ' || au.name,
-                        'role ' || aro.objectTable || '#' || findIdNameByObjectUuid(aro.objectTable, aro.uuid) || '.' || ar.roletype
+                        'user:' || au.name,
+                        'role:' || aro.objectTable || '#' || findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
                         ) as ascendingIdName,
                     aro.objectTable, aro.uuid,
                     ( case
                             when dro is not null
-                                then ('role ' || dro.objectTable || '#' || findIdNameByObjectUuid(dro.objectTable, dro.uuid) || '.' || dr.roletype)
+                                then ('role:' || dro.objectTable || '#' || findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
                             when dp.op = 'INSERT'
-                                then 'perm ' || dp.op || ' into ' || dp.opTableName || ' with ' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid)
-                            else 'perm ' || dp.op || ' on ' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid)
+                                then 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':'  || dp.op || '>' || dp.opTableName
+                            else 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
                         end
                     ) as descendingIdName,
                     dro.objectTable, dro.uuid,
@@ -115,8 +115,8 @@ create or replace view rbacgrants_ev as
 drop view if exists rbacgrants_rv;
 create or replace view rbacgrants_rv as
     -- @formatter:off
-select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || '.' || r.roletype as grantedByRoleIdName,
-       g.objectTable || '#' || g.objectIdName || '.' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
+select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
+       g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
        g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid,
        g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
     from (
@@ -327,7 +327,7 @@ execute function deleteRbacUser();
 drop view if exists RbacOwnGrantedPermissions_rv;
 create or replace view RbacOwnGrantedPermissions_rv as
 select r.uuid as roleuuid, p.uuid as permissionUuid,
-       (r.objecttable || '#' || r.objectidname || '.' ||  r.roletype) as roleName, p.op,
+       (r.objecttable || ':' || r.objectidname || ':' ||  r.roletype) as roleName, p.op,
        o.objecttable, r.objectidname, o.uuid as objectuuid
     from rbacrole_rv r
     join rbacgrants g on g.ascendantuuid = r.uuid
@@ -359,7 +359,7 @@ begin
 
     return query select
         xp.roleUuid,
-        (xp.roleObjectTable || '#' || xp.roleObjectIdName || '.' || xp.roleType) as roleName,
+        (xp.roleObjectTable || '#' || xp.roleObjectIdName || ':' || xp.roleType) as roleName,
         xp.permissionUuid, xp.op, xp.opTableName,
         xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
         from (select
diff --git a/src/main/resources/db/changelog/058-rbac-generators.sql b/src/main/resources/db/changelog/058-rbac-generators.sql
index efe71b1b..958d3afe 100644
--- a/src/main/resources/db/changelog/058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/058-rbac-generators.sql
@@ -46,7 +46,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'owner', assumed);
+            return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed);
         end; $f$;
 
         create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
@@ -54,7 +54,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'admin', assumed);
+            return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed);
         end; $f$;
 
         create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
@@ -62,7 +62,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'agent', assumed);
+            return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed);
         end; $f$;
 
         create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
@@ -70,7 +70,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'tenant', assumed);
+            return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed);
         end; $f$;
 
         -- TODO: remove guest role
@@ -79,7 +79,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'guest', assumed);
+            return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed);
         end; $f$;
 
         create or replace function %1$sReferrer(entity %2$s)
@@ -87,7 +87,7 @@ begin
             language plpgsql
             strict as $f$
         begin
-            return roleDescriptor('%2$s', entity.uuid, 'referrer');
+            return roleDescriptor('%2$s', entity.uuid, 'REFERRER');
         end; $f$;
 
         $sql$, prefix, targetTable);
diff --git a/src/main/resources/db/changelog/080-rbac-global.sql b/src/main/resources/db/changelog/080-rbac-global.sql
index f8058113..7577e88c 100644
--- a/src/main/resources/db/changelog/080-rbac-global.sql
+++ b/src/main/resources/db/changelog/080-rbac-global.sql
@@ -114,11 +114,11 @@ create or replace function globalAdmin(assumed boolean = true)
     returns null on null input
     stable -- leakproof
     language sql as $$
-select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType, assumed;
+select 'global', (select uuid from RbacObject where objectTable = 'global'), 'ADMIN'::RbacRoleType, assumed;
 $$;
 
 begin transaction;
-    call defineContext('creating global admin role', null, null, null);
+    call defineContext('creating role:global#global:ADMIN', null, null, null);
     select createRole(globalAdmin());
 commit;
 --//
@@ -135,11 +135,11 @@ create or replace function globalGuest(assumed boolean = true)
     returns null on null input
     stable -- leakproof
     language sql as $$
-select 'global', (select uuid from RbacObject where objectTable = 'global'), 'guest'::RbacRoleType, assumed;
+select 'global', (select uuid from RbacObject where objectTable = 'global'), 'GUEST'::RbacRoleType, assumed;
 $$;
 
 begin transaction;
-    call defineContext('creating global guest role', null, null, null);
+    call defineContext('creating role:global#loba:guest', null, null, null);
     select createRole(globalGuest());
 commit;
 --//
diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.md b/src/main/resources/db/changelog/113-test-customer-rbac.md
index 4d63eeac..19e67a38 100644
--- a/src/main/resources/db/changelog/113-test-customer-rbac.md
+++ b/src/main/resources/db/changelog/113-test-customer-rbac.md
@@ -13,9 +13,9 @@ subgraph customer["`**customer**`"]
     subgraph customer:roles[ ]
         style customer:roles fill:#dd4901,stroke:white
 
-        role:customer:owner[[customer:owner]]
-        role:customer:admin[[customer:admin]]
-        role:customer:tenant[[customer:tenant]]
+        role:customer:OWNER[[customer:OWNER]]
+        role:customer:ADMIN[[customer:ADMIN]]
+        role:customer:TENANT[[customer:TENANT]]
     end
 
     subgraph customer:permissions[ ]
@@ -29,17 +29,17 @@ subgraph customer["`**customer**`"]
 end
 
 %% granting roles to users
-user:creator ==>|XX| role:customer:owner
+user:creator ==>|XX| role:customer:OWNER
 
 %% granting roles to roles
-role:global:admin ==>|XX| role:customer:owner
-role:customer:owner ==> role:customer:admin
-role:customer:admin ==> role:customer:tenant
+role:global:ADMIN ==>|XX| role:customer:OWNER
+role:customer:OWNER ==> role:customer:ADMIN
+role:customer:ADMIN ==> role:customer:TENANT
 
 %% granting permissions to roles
-role:global:admin ==> perm:customer:INSERT
-role:customer:owner ==> perm:customer:DELETE
-role:customer:admin ==> perm:customer:UPDATE
-role:customer:tenant ==> perm:customer:SELECT
+role:global:ADMIN ==> perm:customer:INSERT
+role:customer:OWNER ==> perm:customer:DELETE
+role:customer:ADMIN ==> perm:customer:UPDATE
+role:customer:TENANT ==> perm:customer:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.sql b/src/main/resources/db/changelog/113-test-customer-rbac.sql
index fd460049..2f9ea4de 100644
--- a/src/main/resources/db/changelog/113-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/113-test-customer-rbac.sql
@@ -35,22 +35,22 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     perform createRoleWithGrants(
-        testCustomerOwner(NEW),
+        testCustomerOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin(unassumed())],
+            incomingSuperRoles => array[globalADMIN(unassumed())],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        testCustomerAdmin(NEW),
+        testCustomerADMIN(NEW),
             permissions => array['UPDATE'],
-            incomingSuperRoles => array[testCustomerOwner(NEW)]
+            incomingSuperRoles => array[testCustomerOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        testCustomerTenant(NEW),
+        testCustomerTENANT(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[testCustomerAdmin(NEW)]
+            incomingSuperRoles => array[testCustomerADMIN(NEW)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -93,7 +93,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'test_customer'),
-                    globalAdmin());
+                    globalADMIN());
             END LOOP;
     END;
 $$;
@@ -108,7 +108,7 @@ create or replace function test_customer_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_customer'),
-            globalAdmin());
+            globalADMIN());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/118-test-customer-test-data.sql b/src/main/resources/db/changelog/118-test-customer-test-data.sql
index 85c34ac6..73c8e535 100644
--- a/src/main/resources/db/changelog/118-test-customer-test-data.sql
+++ b/src/main/resources/db/changelog/118-test-customer-test-data.sql
@@ -32,7 +32,7 @@ declare
     newCust       test_customer;
 begin
     currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     custRowId = uuid_generate_v4();
diff --git a/src/main/resources/db/changelog/123-test-package-rbac.md b/src/main/resources/db/changelog/123-test-package-rbac.md
index 34b8c7c7..368cfe2f 100644
--- a/src/main/resources/db/changelog/123-test-package-rbac.md
+++ b/src/main/resources/db/changelog/123-test-package-rbac.md
@@ -13,9 +13,9 @@ subgraph package["`**package**`"]
     subgraph package:roles[ ]
         style package:roles fill:#dd4901,stroke:white
 
-        role:package:owner[[package:owner]]
-        role:package:admin[[package:admin]]
-        role:package:tenant[[package:tenant]]
+        role:package:OWNER[[package:OWNER]]
+        role:package:ADMIN[[package:ADMIN]]
+        role:package:TENANT[[package:TENANT]]
     end
 
     subgraph package:permissions[ ]
@@ -35,25 +35,25 @@ subgraph customer["`**customer**`"]
     subgraph customer:roles[ ]
         style customer:roles fill:#99bcdb,stroke:white
 
-        role:customer:owner[[customer:owner]]
-        role:customer:admin[[customer:admin]]
-        role:customer:tenant[[customer:tenant]]
+        role:customer:OWNER[[customer:OWNER]]
+        role:customer:ADMIN[[customer:ADMIN]]
+        role:customer:TENANT[[customer:TENANT]]
     end
 end
 
 %% granting roles to roles
-role:global:admin -.->|XX| role:customer:owner
-role:customer:owner -.-> role:customer:admin
-role:customer:admin -.-> role:customer:tenant
-role:customer:admin ==> role:package:owner
-role:package:owner ==> role:package:admin
-role:package:admin ==> role:package:tenant
-role:package:tenant ==> role:customer:tenant
+role:global:ADMIN -.->|XX| role:customer:OWNER
+role:customer:OWNER -.-> role:customer:ADMIN
+role:customer:ADMIN -.-> role:customer:TENANT
+role:customer:ADMIN ==> role:package:OWNER
+role:package:OWNER ==> role:package:ADMIN
+role:package:ADMIN ==> role:package:TENANT
+role:package:TENANT ==> role:customer:TENANT
 
 %% granting permissions to roles
-role:customer:admin ==> perm:package:INSERT
-role:package:owner ==> perm:package:DELETE
-role:package:owner ==> perm:package:UPDATE
-role:package:tenant ==> perm:package:SELECT
+role:customer:ADMIN ==> perm:package:INSERT
+role:package:OWNER ==> perm:package:DELETE
+role:package:OWNER ==> perm:package:UPDATE
+role:package:TENANT ==> perm:package:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql
index 972b174d..3a4d5d8b 100644
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
@@ -40,21 +40,21 @@ begin
 
 
     perform createRoleWithGrants(
-        testPackageOwner(NEW),
+        testPackageOWNER(NEW),
             permissions => array['DELETE', 'UPDATE'],
-            incomingSuperRoles => array[testCustomerAdmin(newCustomer)]
+            incomingSuperRoles => array[testCustomerADMIN(newCustomer)]
     );
 
     perform createRoleWithGrants(
-        testPackageAdmin(NEW),
-            incomingSuperRoles => array[testPackageOwner(NEW)]
+        testPackageADMIN(NEW),
+            incomingSuperRoles => array[testPackageOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        testPackageTenant(NEW),
+        testPackageTENANT(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[testPackageAdmin(NEW)],
-            outgoingSubRoles => array[testCustomerTenant(newCustomer)]
+            incomingSuperRoles => array[testPackageADMIN(NEW)],
+            outgoingSubRoles => array[testCustomerTENANT(newCustomer)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -110,11 +110,11 @@ begin
 
     if NEW.customerUuid <> OLD.customerUuid then
 
-        call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
-        call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));
+        call revokeRoleFromRole(testPackageOWNER(OLD), testCustomerADMIN(oldCustomer));
+        call grantRoleToRole(testPackageOWNER(NEW), testCustomerADMIN(newCustomer));
 
-        call revokeRoleFromRole(testCustomerTenant(oldCustomer), testPackageTenant(OLD));
-        call grantRoleToRole(testCustomerTenant(newCustomer), testPackageTenant(NEW));
+        call revokeRoleFromRole(testCustomerTENANT(oldCustomer), testPackageTENANT(OLD));
+        call grantRoleToRole(testCustomerTENANT(newCustomer), testPackageTENANT(NEW));
 
     end if;
 
@@ -158,7 +158,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'test_package'),
-                    testCustomerAdmin(row));
+                    testCustomerADMIN(row));
             END LOOP;
     END;
 $$;
@@ -173,7 +173,7 @@ create or replace function test_package_test_customer_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_package'),
-            testCustomerAdmin(NEW));
+            testCustomerADMIN(NEW));
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/128-test-package-test-data.sql b/src/main/resources/db/changelog/128-test-package-test-data.sql
index 9abba772..f50ad480 100644
--- a/src/main/resources/db/changelog/128-test-package-test-data.sql
+++ b/src/main/resources/db/changelog/128-test-package-test-data.sql
@@ -25,7 +25,7 @@ begin
                           cust.uuid;
 
             custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
-            custAdminRole = 'test_customer#' || cust.prefix || '.admin';
+            custAdminRole = 'test_customer#' || cust.prefix || ':ADMIN';
             call defineContext(currentTask, null, 'superuser-fran@hostsharing.net', custAdminRole);
             raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
 
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.md b/src/main/resources/db/changelog/133-test-domain-rbac.md
index 6954e9b8..d9b3748c 100644
--- a/src/main/resources/db/changelog/133-test-domain-rbac.md
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.md
@@ -13,9 +13,9 @@ subgraph package.customer["`**package.customer**`"]
     subgraph package.customer:roles[ ]
         style package.customer:roles fill:#99bcdb,stroke:white
 
-        role:package.customer:owner[[package.customer:owner]]
-        role:package.customer:admin[[package.customer:admin]]
-        role:package.customer:tenant[[package.customer:tenant]]
+        role:package.customer:OWNER[[package.customer:OWNER]]
+        role:package.customer:ADMIN[[package.customer:ADMIN]]
+        role:package.customer:TENANT[[package.customer:TENANT]]
     end
 end
 
@@ -23,25 +23,12 @@ subgraph package["`**package**`"]
     direction TB
     style package fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph package.customer["`**package.customer**`"]
-        direction TB
-        style package.customer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph package.customer:roles[ ]
-            style package.customer:roles fill:#99bcdb,stroke:white
-
-            role:package.customer:owner[[package.customer:owner]]
-            role:package.customer:admin[[package.customer:admin]]
-            role:package.customer:tenant[[package.customer:tenant]]
-        end
-    end
-
     subgraph package:roles[ ]
         style package:roles fill:#99bcdb,stroke:white
 
-        role:package:owner[[package:owner]]
-        role:package:admin[[package:admin]]
-        role:package:tenant[[package:tenant]]
+        role:package:OWNER[[package:OWNER]]
+        role:package:ADMIN[[package:ADMIN]]
+        role:package:TENANT[[package:TENANT]]
     end
 end
 
@@ -52,8 +39,8 @@ subgraph domain["`**domain**`"]
     subgraph domain:roles[ ]
         style domain:roles fill:#dd4901,stroke:white
 
-        role:domain:owner[[domain:owner]]
-        role:domain:admin[[domain:admin]]
+        role:domain:OWNER[[domain:OWNER]]
+        role:domain:ADMIN[[domain:ADMIN]]
     end
 
     subgraph domain:permissions[ ]
@@ -67,22 +54,22 @@ subgraph domain["`**domain**`"]
 end
 
 %% granting roles to roles
-role:global:admin -.->|XX| role:package.customer:owner
-role:package.customer:owner -.-> role:package.customer:admin
-role:package.customer:admin -.-> role:package.customer:tenant
-role:package.customer:admin -.-> role:package:owner
-role:package:owner -.-> role:package:admin
-role:package:admin -.-> role:package:tenant
-role:package:tenant -.-> role:package.customer:tenant
-role:package:admin ==> role:domain:owner
-role:domain:owner ==> role:package:tenant
-role:domain:owner ==> role:domain:admin
-role:domain:admin ==> role:package:tenant
+role:global:ADMIN -.->|XX| role:package.customer:OWNER
+role:package.customer:OWNER -.-> role:package.customer:ADMIN
+role:package.customer:ADMIN -.-> role:package.customer:TENANT
+role:package.customer:ADMIN -.-> role:package:OWNER
+role:package:OWNER -.-> role:package:ADMIN
+role:package:ADMIN -.-> role:package:TENANT
+role:package:TENANT -.-> role:package.customer:TENANT
+role:package:ADMIN ==> role:domain:OWNER
+role:domain:OWNER ==> role:package:TENANT
+role:domain:OWNER ==> role:domain:ADMIN
+role:domain:ADMIN ==> role:package:TENANT
 
 %% granting permissions to roles
-role:package:admin ==> perm:domain:INSERT
-role:domain:owner ==> perm:domain:DELETE
-role:domain:owner ==> perm:domain:UPDATE
-role:domain:admin ==> perm:domain:SELECT
+role:package:ADMIN ==> perm:domain:INSERT
+role:domain:OWNER ==> perm:domain:DELETE
+role:domain:OWNER ==> perm:domain:UPDATE
+role:domain:ADMIN ==> perm:domain:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql
index 7a891841..de5faa78 100644
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@@ -40,17 +40,17 @@ begin
 
 
     perform createRoleWithGrants(
-        testDomainOwner(NEW),
+        testDomainOWNER(NEW),
             permissions => array['DELETE', 'UPDATE'],
-            incomingSuperRoles => array[testPackageAdmin(newPackage)],
-            outgoingSubRoles => array[testPackageTenant(newPackage)]
+            incomingSuperRoles => array[testPackageADMIN(newPackage)],
+            outgoingSubRoles => array[testPackageTENANT(newPackage)]
     );
 
     perform createRoleWithGrants(
-        testDomainAdmin(NEW),
+        testDomainADMIN(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[testDomainOwner(NEW)],
-            outgoingSubRoles => array[testPackageTenant(newPackage)]
+            incomingSuperRoles => array[testDomainOWNER(NEW)],
+            outgoingSubRoles => array[testPackageTENANT(newPackage)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -106,14 +106,14 @@ begin
 
     if NEW.packageUuid <> OLD.packageUuid then
 
-        call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
-        call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
+        call revokeRoleFromRole(testDomainOWNER(OLD), testPackageADMIN(oldPackage));
+        call grantRoleToRole(testDomainOWNER(NEW), testPackageADMIN(newPackage));
 
-        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainOwner(OLD));
-        call grantRoleToRole(testPackageTenant(newPackage), testDomainOwner(NEW));
+        call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainOWNER(OLD));
+        call grantRoleToRole(testPackageTENANT(newPackage), testDomainOWNER(NEW));
 
-        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainAdmin(OLD));
-        call grantRoleToRole(testPackageTenant(newPackage), testDomainAdmin(NEW));
+        call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainADMIN(OLD));
+        call grantRoleToRole(testPackageTENANT(newPackage), testDomainADMIN(NEW));
 
     end if;
 
@@ -157,7 +157,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'test_domain'),
-                    testPackageAdmin(row));
+                    testPackageADMIN(row));
             END LOOP;
     END;
 $$;
@@ -172,7 +172,7 @@ create or replace function test_domain_test_package_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_domain'),
-            testPackageAdmin(NEW));
+            testPackageADMIN(NEW));
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/203-hs-office-contact-rbac.md b/src/main/resources/db/changelog/203-hs-office-contact-rbac.md
index 52584907..fe736072 100644
--- a/src/main/resources/db/changelog/203-hs-office-contact-rbac.md
+++ b/src/main/resources/db/changelog/203-hs-office-contact-rbac.md
@@ -13,9 +13,9 @@ subgraph contact["`**contact**`"]
     subgraph contact:roles[ ]
         style contact:roles fill:#dd4901,stroke:white
 
-        role:contact:owner[[contact:owner]]
-        role:contact:admin[[contact:admin]]
-        role:contact:referrer[[contact:referrer]]
+        role:contact:OWNER[[contact:OWNER]]
+        role:contact:ADMIN[[contact:ADMIN]]
+        role:contact:REFERRER[[contact:REFERRER]]
     end
 
     subgraph contact:permissions[ ]
@@ -29,17 +29,17 @@ subgraph contact["`**contact**`"]
 end
 
 %% granting roles to users
-user:creator ==> role:contact:owner
+user:creator ==> role:contact:OWNER
 
 %% granting roles to roles
-role:global:admin ==> role:contact:owner
-role:contact:owner ==> role:contact:admin
-role:contact:admin ==> role:contact:referrer
+role:global:ADMIN ==> role:contact:OWNER
+role:contact:OWNER ==> role:contact:ADMIN
+role:contact:ADMIN ==> role:contact:REFERRER
 
 %% granting permissions to roles
-role:contact:owner ==> perm:contact:DELETE
-role:contact:admin ==> perm:contact:UPDATE
-role:contact:referrer ==> perm:contact:SELECT
-role:global:guest ==> perm:contact:INSERT
+role:contact:OWNER ==> perm:contact:DELETE
+role:contact:ADMIN ==> perm:contact:UPDATE
+role:contact:REFERRER ==> perm:contact:SELECT
+role:global:GUEST ==> perm:contact:INSERT
 
 ```
diff --git a/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
index 0e08e15f..0f53b167 100644
--- a/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
+++ b/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
@@ -35,22 +35,22 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     perform createRoleWithGrants(
-        hsOfficeContactOwner(NEW),
+        hsOfficeContactOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin()],
+            incomingSuperRoles => array[globalADMIN()],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficeContactAdmin(NEW),
+        hsOfficeContactADMIN(NEW),
             permissions => array['UPDATE'],
-            incomingSuperRoles => array[hsOfficeContactOwner(NEW)]
+            incomingSuperRoles => array[hsOfficeContactOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeContactReferrer(NEW),
+        hsOfficeContactREFERRER(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
+            incomingSuperRoles => array[hsOfficeContactADMIN(NEW)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -93,7 +93,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_contact'),
-                    globalGuest());
+                    globalGUEST());
             END LOOP;
     END;
 $$;
@@ -108,7 +108,7 @@ create or replace function hs_office_contact_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_contact'),
-            globalGuest());
+            globalGUEST());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/213-hs-office-person-rbac.md b/src/main/resources/db/changelog/213-hs-office-person-rbac.md
index 70e0f33a..d0eebfdd 100644
--- a/src/main/resources/db/changelog/213-hs-office-person-rbac.md
+++ b/src/main/resources/db/changelog/213-hs-office-person-rbac.md
@@ -13,9 +13,9 @@ subgraph person["`**person**`"]
     subgraph person:roles[ ]
         style person:roles fill:#dd4901,stroke:white
 
-        role:person:owner[[person:owner]]
-        role:person:admin[[person:admin]]
-        role:person:referrer[[person:referrer]]
+        role:person:OWNER[[person:OWNER]]
+        role:person:ADMIN[[person:ADMIN]]
+        role:person:REFERRER[[person:REFERRER]]
     end
 
     subgraph person:permissions[ ]
@@ -29,17 +29,17 @@ subgraph person["`**person**`"]
 end
 
 %% granting roles to users
-user:creator ==> role:person:owner
+user:creator ==> role:person:OWNER
 
 %% granting roles to roles
-role:global:admin ==> role:person:owner
-role:person:owner ==> role:person:admin
-role:person:admin ==> role:person:referrer
+role:global:ADMIN ==> role:person:OWNER
+role:person:OWNER ==> role:person:ADMIN
+role:person:ADMIN ==> role:person:REFERRER
 
 %% granting permissions to roles
-role:global:guest ==> perm:person:INSERT
-role:person:owner ==> perm:person:DELETE
-role:person:admin ==> perm:person:UPDATE
-role:person:referrer ==> perm:person:SELECT
+role:global:GUEST ==> perm:person:INSERT
+role:person:OWNER ==> perm:person:DELETE
+role:person:ADMIN ==> perm:person:UPDATE
+role:person:REFERRER ==> perm:person:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/213-hs-office-person-rbac.sql b/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
index adbdae33..6dbbf21b 100644
--- a/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
@@ -35,22 +35,22 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     perform createRoleWithGrants(
-        hsOfficePersonOwner(NEW),
+        hsOfficePersonOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin()],
+            incomingSuperRoles => array[globalADMIN()],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficePersonAdmin(NEW),
+        hsOfficePersonADMIN(NEW),
             permissions => array['UPDATE'],
-            incomingSuperRoles => array[hsOfficePersonOwner(NEW)]
+            incomingSuperRoles => array[hsOfficePersonOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficePersonReferrer(NEW),
+        hsOfficePersonREFERRER(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
+            incomingSuperRoles => array[hsOfficePersonADMIN(NEW)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -93,7 +93,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_person'),
-                    globalGuest());
+                    globalGUEST());
             END LOOP;
     END;
 $$;
@@ -108,7 +108,7 @@ create or replace function hs_office_person_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_person'),
-            globalGuest());
+            globalGUEST());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac.md b/src/main/resources/db/changelog/223-hs-office-relation-rbac.md
index 8e5524ec..8014cdaf 100644
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.md
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac.md
@@ -13,9 +13,9 @@ subgraph holderPerson["`**holderPerson**`"]
     subgraph holderPerson:roles[ ]
         style holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:holderPerson:owner[[holderPerson:owner]]
-        role:holderPerson:admin[[holderPerson:admin]]
-        role:holderPerson:referrer[[holderPerson:referrer]]
+        role:holderPerson:OWNER[[holderPerson:OWNER]]
+        role:holderPerson:ADMIN[[holderPerson:ADMIN]]
+        role:holderPerson:REFERRER[[holderPerson:REFERRER]]
     end
 end
 
@@ -26,9 +26,9 @@ subgraph anchorPerson["`**anchorPerson**`"]
     subgraph anchorPerson:roles[ ]
         style anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:anchorPerson:owner[[anchorPerson:owner]]
-        role:anchorPerson:admin[[anchorPerson:admin]]
-        role:anchorPerson:referrer[[anchorPerson:referrer]]
+        role:anchorPerson:OWNER[[anchorPerson:OWNER]]
+        role:anchorPerson:ADMIN[[anchorPerson:ADMIN]]
+        role:anchorPerson:REFERRER[[anchorPerson:REFERRER]]
     end
 end
 
@@ -39,9 +39,9 @@ subgraph contact["`**contact**`"]
     subgraph contact:roles[ ]
         style contact:roles fill:#99bcdb,stroke:white
 
-        role:contact:owner[[contact:owner]]
-        role:contact:admin[[contact:admin]]
-        role:contact:referrer[[contact:referrer]]
+        role:contact:OWNER[[contact:OWNER]]
+        role:contact:ADMIN[[contact:ADMIN]]
+        role:contact:REFERRER[[contact:REFERRER]]
     end
 end
 
@@ -52,10 +52,10 @@ subgraph relation["`**relation**`"]
     subgraph relation:roles[ ]
         style relation:roles fill:#dd4901,stroke:white
 
-        role:relation:owner[[relation:owner]]
-        role:relation:admin[[relation:admin]]
-        role:relation:agent[[relation:agent]]
-        role:relation:tenant[[relation:tenant]]
+        role:relation:OWNER[[relation:OWNER]]
+        role:relation:ADMIN[[relation:ADMIN]]
+        role:relation:AGENT[[relation:AGENT]]
+        role:relation:TENANT[[relation:TENANT]]
     end
 
     subgraph relation:permissions[ ]
@@ -69,34 +69,34 @@ subgraph relation["`**relation**`"]
 end
 
 %% granting roles to users
-user:creator ==> role:relation:owner
+user:creator ==> role:relation:OWNER
 
 %% granting roles to roles
-role:global:admin -.-> role:anchorPerson:owner
-role:anchorPerson:owner -.-> role:anchorPerson:admin
-role:anchorPerson:admin -.-> role:anchorPerson:referrer
-role:global:admin -.-> role:holderPerson:owner
-role:holderPerson:owner -.-> role:holderPerson:admin
-role:holderPerson:admin -.-> role:holderPerson:referrer
-role:global:admin -.-> role:contact:owner
-role:contact:owner -.-> role:contact:admin
-role:contact:admin -.-> role:contact:referrer
-role:global:admin ==> role:relation:owner
-role:relation:owner ==> role:relation:admin
-role:anchorPerson:admin ==> role:relation:admin
-role:relation:admin ==> role:relation:agent
-role:holderPerson:admin ==> role:relation:agent
-role:relation:agent ==> role:relation:tenant
-role:holderPerson:admin ==> role:relation:tenant
-role:contact:admin ==> role:relation:tenant
-role:relation:tenant ==> role:anchorPerson:referrer
-role:relation:tenant ==> role:holderPerson:referrer
-role:relation:tenant ==> role:contact:referrer
+role:global:ADMIN -.-> role:anchorPerson:OWNER
+role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
+role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
+role:global:ADMIN -.-> role:holderPerson:OWNER
+role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
+role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
+role:global:ADMIN -.-> role:contact:OWNER
+role:contact:OWNER -.-> role:contact:ADMIN
+role:contact:ADMIN -.-> role:contact:REFERRER
+role:global:ADMIN ==> role:relation:OWNER
+role:relation:OWNER ==> role:relation:ADMIN
+role:anchorPerson:ADMIN ==> role:relation:ADMIN
+role:relation:ADMIN ==> role:relation:AGENT
+role:holderPerson:ADMIN ==> role:relation:AGENT
+role:relation:AGENT ==> role:relation:TENANT
+role:holderPerson:ADMIN ==> role:relation:TENANT
+role:contact:ADMIN ==> role:relation:TENANT
+role:relation:TENANT ==> role:anchorPerson:REFERRER
+role:relation:TENANT ==> role:holderPerson:REFERRER
+role:relation:TENANT ==> role:contact:REFERRER
 
 %% granting permissions to roles
-role:relation:owner ==> perm:relation:DELETE
-role:relation:admin ==> perm:relation:UPDATE
-role:relation:tenant ==> perm:relation:SELECT
-role:anchorPerson:admin ==> perm:relation:INSERT
+role:relation:OWNER ==> perm:relation:DELETE
+role:relation:ADMIN ==> perm:relation:UPDATE
+role:relation:TENANT ==> perm:relation:SELECT
+role:anchorPerson:ADMIN ==> perm:relation:INSERT
 
 ```
diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
index 6c9ae616..ff890a59 100644
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
@@ -48,38 +48,38 @@ begin
 
 
     perform createRoleWithGrants(
-        hsOfficeRelationOwner(NEW),
+        hsOfficeRelationOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin()],
+            incomingSuperRoles => array[globalADMIN()],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficeRelationAdmin(NEW),
+        hsOfficeRelationADMIN(NEW),
             permissions => array['UPDATE'],
             incomingSuperRoles => array[
-            	hsOfficePersonAdmin(newAnchorPerson),
-            	hsOfficeRelationOwner(NEW)]
+            	hsOfficePersonADMIN(newAnchorPerson),
+            	hsOfficeRelationOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeRelationAgent(NEW),
+        hsOfficeRelationAGENT(NEW),
             incomingSuperRoles => array[
-            	hsOfficePersonAdmin(newHolderPerson),
-            	hsOfficeRelationAdmin(NEW)]
+            	hsOfficePersonADMIN(newHolderPerson),
+            	hsOfficeRelationADMIN(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeRelationTenant(NEW),
+        hsOfficeRelationTENANT(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
-            	hsOfficeContactAdmin(newContact),
-            	hsOfficePersonAdmin(newHolderPerson),
-            	hsOfficeRelationAgent(NEW)],
+            	hsOfficeContactADMIN(newContact),
+            	hsOfficePersonADMIN(newHolderPerson),
+            	hsOfficeRelationAGENT(NEW)],
             outgoingSubRoles => array[
-            	hsOfficeContactReferrer(newContact),
-            	hsOfficePersonReferrer(newAnchorPerson),
-            	hsOfficePersonReferrer(newHolderPerson)]
+            	hsOfficeContactREFERRER(newContact),
+            	hsOfficePersonREFERRER(newAnchorPerson),
+            	hsOfficePersonREFERRER(newHolderPerson)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -151,11 +151,11 @@ begin
 
     if NEW.contactUuid <> OLD.contactUuid then
 
-        call revokeRoleFromRole(hsOfficeRelationTenant(OLD), hsOfficeContactAdmin(oldContact));
-        call grantRoleToRole(hsOfficeRelationTenant(NEW), hsOfficeContactAdmin(newContact));
+        call revokeRoleFromRole(hsOfficeRelationTENANT(OLD), hsOfficeContactADMIN(oldContact));
+        call grantRoleToRole(hsOfficeRelationTENANT(NEW), hsOfficeContactADMIN(newContact));
 
-        call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeRelationTenant(OLD));
-        call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeRelationTenant(NEW));
+        call revokeRoleFromRole(hsOfficeContactREFERRER(oldContact), hsOfficeRelationTENANT(OLD));
+        call grantRoleToRole(hsOfficeContactREFERRER(newContact), hsOfficeRelationTENANT(NEW));
 
     end if;
 
@@ -199,7 +199,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
-                    hsOfficePersonAdmin(row));
+                    hsOfficePersonADMIN(row));
             END LOOP;
     END;
 $$;
@@ -214,7 +214,7 @@ create or replace function hs_office_relation_hs_office_person_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
-            hsOfficePersonAdmin(NEW));
+            hsOfficePersonADMIN(NEW));
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/228-hs-office-relation-test-data.sql b/src/main/resources/db/changelog/228-hs-office-relation-test-data.sql
index 9bdcab18..61691d6f 100644
--- a/src/main/resources/db/changelog/228-hs-office-relation-test-data.sql
+++ b/src/main/resources/db/changelog/228-hs-office-relation-test-data.sql
@@ -25,7 +25,7 @@ declare
 begin
     idName := cleanIdentifier( anchorPersonName || '-' || holderPersonName);
     currentTask := 'creating relation test-data ' || idName;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     select p.*
diff --git a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
index 98bd276d..a0caa074 100644
--- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
+++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
@@ -13,9 +13,9 @@ subgraph partnerRel.contact["`**partnerRel.contact**`"]
     subgraph partnerRel.contact:roles[ ]
         style partnerRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-        role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-        role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
     end
 end
 
@@ -35,52 +35,14 @@ subgraph partner["`**partner**`"]
     subgraph partnerRel["`**partnerRel**`"]
         direction TB
         style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-        subgraph partnerRel.contact["`**partnerRel.contact**`"]
-            direction TB
-            style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph partnerRel.contact:roles[ ]
-                style partnerRel.contact:roles fill:#99bcdb,stroke:white
-
-                role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-                role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-                role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
-            end
-        end
-
-        subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
-            direction TB
-            style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph partnerRel.anchorPerson:roles[ ]
-                style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
-
-                role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-                role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-                role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
-            end
-        end
-
-        subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
-            direction TB
-            style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph partnerRel.holderPerson:roles[ ]
-                style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
-
-                role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-                role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-                role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
-            end
-        end
 
         subgraph partnerRel:roles[ ]
             style partnerRel:roles fill:#99bcdb,stroke:white
 
-            role:partnerRel:owner[[partnerRel:owner]]
-            role:partnerRel:admin[[partnerRel:admin]]
-            role:partnerRel:agent[[partnerRel:agent]]
-            role:partnerRel:tenant[[partnerRel:tenant]]
+            role:partnerRel:OWNER[[partnerRel:OWNER]]
+            role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+            role:partnerRel:AGENT[[partnerRel:AGENT]]
+            role:partnerRel:TENANT[[partnerRel:TENANT]]
         end
     end
 end
@@ -105,9 +67,9 @@ subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
     subgraph partnerRel.anchorPerson:roles[ ]
         style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-        role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-        role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
     end
 end
 
@@ -118,41 +80,41 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
     subgraph partnerRel.holderPerson:roles[ ]
         style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-        role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-        role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
     end
 end
 
 %% granting roles to roles
-role:global:admin -.-> role:partnerRel.anchorPerson:owner
-role:partnerRel.anchorPerson:owner -.-> role:partnerRel.anchorPerson:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel.anchorPerson:referrer
-role:global:admin -.-> role:partnerRel.holderPerson:owner
-role:partnerRel.holderPerson:owner -.-> role:partnerRel.holderPerson:admin
-role:partnerRel.holderPerson:admin -.-> role:partnerRel.holderPerson:referrer
-role:global:admin -.-> role:partnerRel.contact:owner
-role:partnerRel.contact:owner -.-> role:partnerRel.contact:admin
-role:partnerRel.contact:admin -.-> role:partnerRel.contact:referrer
-role:global:admin -.-> role:partnerRel:owner
-role:partnerRel:owner -.-> role:partnerRel:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel:admin
-role:partnerRel:admin -.-> role:partnerRel:agent
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:agent
-role:partnerRel:agent -.-> role:partnerRel:tenant
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:tenant
-role:partnerRel.contact:admin -.-> role:partnerRel:tenant
-role:partnerRel:tenant -.-> role:partnerRel.anchorPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.holderPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.contact:referrer
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 
 %% granting permissions to roles
-role:global:admin ==> perm:partner:INSERT
-role:partnerRel:admin ==> perm:partner:DELETE
-role:partnerRel:agent ==> perm:partner:UPDATE
-role:partnerRel:tenant ==> perm:partner:SELECT
-role:partnerRel:admin ==> perm:partnerDetails:DELETE
-role:partnerRel:agent ==> perm:partnerDetails:UPDATE
-role:partnerRel:agent ==> perm:partnerDetails:SELECT
+role:global:ADMIN ==> perm:partner:INSERT
+role:partnerRel:ADMIN ==> perm:partner:DELETE
+role:partnerRel:AGENT ==> perm:partner:UPDATE
+role:partnerRel:TENANT ==> perm:partner:SELECT
+role:partnerRel:ADMIN ==> perm:partnerDetails:DELETE
+role:partnerRel:AGENT ==> perm:partnerDetails:UPDATE
+role:partnerRel:AGENT ==> perm:partnerDetails:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
index 9cdd92fc..b5510d8c 100644
--- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
@@ -42,12 +42,12 @@ begin
     SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTenant(newPartnerRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAgent(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAgent(newPartnerRel));
-    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAgent(newPartnerRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
+    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel));
+    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
+    call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
 
     call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -110,23 +110,23 @@ begin
 
     if NEW.partnerRelUuid <> OLD.partnerRelUuid then
 
-        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationAdmin(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationADMIN(oldPartnerRel));
+        call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel));
 
-        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationAgent(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAgent(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
+        call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
 
-        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTenant(oldPartnerRel));
-        call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTenant(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
+        call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
 
-        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationAdmin(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(oldPartnerRel));
+        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationADMIN(newPartnerRel));
 
-        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAgent(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAgent(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
+        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
 
-        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAgent(oldPartnerRel));
-        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAgent(newPartnerRel));
+        call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
+        call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
 
     end if;
 
@@ -170,7 +170,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
-                    globalAdmin());
+                    globalADMIN());
             END LOOP;
     END;
 $$;
@@ -185,7 +185,7 @@ create or replace function hs_office_partner_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
-            globalAdmin());
+            globalADMIN());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.md b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.md
index d27a1064..347896bb 100644
--- a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.md
+++ b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.md
@@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"]
 end
 
 %% granting permissions to roles
-role:global:admin ==> perm:partnerDetails:INSERT
+role:global:ADMIN ==> perm:partnerDetails:INSERT
 
 ```
diff --git a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
index a594823b..c99639bb 100644
--- a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
@@ -74,7 +74,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
-                    globalAdmin());
+                    globalADMIN());
             END LOOP;
     END;
 $$;
@@ -89,7 +89,7 @@ create or replace function hs_office_partner_details_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
-            globalAdmin());
+            globalADMIN());
     return NEW;
 end; $$;
 
@@ -107,8 +107,8 @@ create or replace function hs_office_partner_details_insert_permission_missing_t
     returns trigger
     language plpgsql as $$
 begin
-    raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%) assumed by user % (%)',
-        currentSubjects(), currentSubjectsUuids(), currentUser(), currentUserUuid();
+    raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
+        currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_partner_details_insert_permission_check_tg
@@ -124,7 +124,7 @@ create trigger hs_office_partner_details_insert_permission_check_tg
 
     call generateRbacIdentityViewFromQuery('hs_office_partner_details',
         $idName$
-            SELECT partnerDetails.uuid as uuid, partner_iv.idName || '-details' as idName
+            SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
             FROM hs_office_partner_details AS partnerDetails
             JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
             JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
diff --git a/src/main/resources/db/changelog/238-hs-office-partner-test-data.sql b/src/main/resources/db/changelog/238-hs-office-partner-test-data.sql
index ae3ed66e..65017b18 100644
--- a/src/main/resources/db/changelog/238-hs-office-partner-test-data.sql
+++ b/src/main/resources/db/changelog/238-hs-office-partner-test-data.sql
@@ -24,7 +24,7 @@ declare
 begin
     idName := cleanIdentifier( partnerPersonName|| '-' || contactLabel);
     currentTask := 'creating partner test-data ' || idName;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     select p.* from hs_office_person p
diff --git a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md
index c33e3374..4558815c 100644
--- a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md
+++ b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md
@@ -13,9 +13,9 @@ subgraph bankAccount["`**bankAccount**`"]
     subgraph bankAccount:roles[ ]
         style bankAccount:roles fill:#dd4901,stroke:white
 
-        role:bankAccount:owner[[bankAccount:owner]]
-        role:bankAccount:admin[[bankAccount:admin]]
-        role:bankAccount:referrer[[bankAccount:referrer]]
+        role:bankAccount:OWNER[[bankAccount:OWNER]]
+        role:bankAccount:ADMIN[[bankAccount:ADMIN]]
+        role:bankAccount:REFERRER[[bankAccount:REFERRER]]
     end
 
     subgraph bankAccount:permissions[ ]
@@ -29,17 +29,17 @@ subgraph bankAccount["`**bankAccount**`"]
 end
 
 %% granting roles to users
-user:creator ==> role:bankAccount:owner
+user:creator ==> role:bankAccount:OWNER
 
 %% granting roles to roles
-role:global:admin ==> role:bankAccount:owner
-role:bankAccount:owner ==> role:bankAccount:admin
-role:bankAccount:admin ==> role:bankAccount:referrer
+role:global:ADMIN ==> role:bankAccount:OWNER
+role:bankAccount:OWNER ==> role:bankAccount:ADMIN
+role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
 
 %% granting permissions to roles
-role:global:guest ==> perm:bankAccount:INSERT
-role:bankAccount:owner ==> perm:bankAccount:DELETE
-role:bankAccount:admin ==> perm:bankAccount:UPDATE
-role:bankAccount:referrer ==> perm:bankAccount:SELECT
+role:global:GUEST ==> perm:bankAccount:INSERT
+role:bankAccount:OWNER ==> perm:bankAccount:DELETE
+role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
+role:bankAccount:REFERRER ==> perm:bankAccount:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
index c4628183..c12c4c88 100644
--- a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
@@ -35,22 +35,22 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     perform createRoleWithGrants(
-        hsOfficeBankAccountOwner(NEW),
+        hsOfficeBankAccountOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin()],
+            incomingSuperRoles => array[globalADMIN()],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficeBankAccountAdmin(NEW),
+        hsOfficeBankAccountADMIN(NEW),
             permissions => array['UPDATE'],
-            incomingSuperRoles => array[hsOfficeBankAccountOwner(NEW)]
+            incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeBankAccountReferrer(NEW),
+        hsOfficeBankAccountREFERRER(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficeBankAccountAdmin(NEW)]
+            incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -93,7 +93,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_bankaccount'),
-                    globalGuest());
+                    globalGUEST());
             END LOOP;
     END;
 $$;
@@ -108,7 +108,7 @@ create or replace function hs_office_bankaccount_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_bankaccount'),
-            globalGuest());
+            globalGUEST());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
index 43fb6ef3..aa3059f9 100644
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
@@ -13,9 +13,9 @@ subgraph bankAccount["`**bankAccount**`"]
     subgraph bankAccount:roles[ ]
         style bankAccount:roles fill:#99bcdb,stroke:white
 
-        role:bankAccount:owner[[bankAccount:owner]]
-        role:bankAccount:admin[[bankAccount:admin]]
-        role:bankAccount:referrer[[bankAccount:referrer]]
+        role:bankAccount:OWNER[[bankAccount:OWNER]]
+        role:bankAccount:ADMIN[[bankAccount:ADMIN]]
+        role:bankAccount:REFERRER[[bankAccount:REFERRER]]
     end
 end
 
@@ -26,9 +26,9 @@ subgraph debitorRel.contact["`**debitorRel.contact**`"]
     subgraph debitorRel.contact:roles[ ]
         style debitorRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.contact:owner[[debitorRel.contact:owner]]
-        role:debitorRel.contact:admin[[debitorRel.contact:admin]]
-        role:debitorRel.contact:referrer[[debitorRel.contact:referrer]]
+        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
+        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
+        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
     end
 end
 
@@ -39,9 +39,9 @@ subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
     subgraph debitorRel.anchorPerson:roles[ ]
         style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.anchorPerson:owner[[debitorRel.anchorPerson:owner]]
-        role:debitorRel.anchorPerson:admin[[debitorRel.anchorPerson:admin]]
-        role:debitorRel.anchorPerson:referrer[[debitorRel.anchorPerson:referrer]]
+        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
+        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
+        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
     end
 end
 
@@ -52,9 +52,9 @@ subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
     subgraph debitorRel.holderPerson:roles[ ]
         style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.holderPerson:owner[[debitorRel.holderPerson:owner]]
-        role:debitorRel.holderPerson:admin[[debitorRel.holderPerson:admin]]
-        role:debitorRel.holderPerson:referrer[[debitorRel.holderPerson:referrer]]
+        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
+        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
+        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
     end
 end
 
@@ -65,10 +65,10 @@ subgraph sepaMandate["`**sepaMandate**`"]
     subgraph sepaMandate:roles[ ]
         style sepaMandate:roles fill:#dd4901,stroke:white
 
-        role:sepaMandate:owner[[sepaMandate:owner]]
-        role:sepaMandate:admin[[sepaMandate:admin]]
-        role:sepaMandate:agent[[sepaMandate:agent]]
-        role:sepaMandate:referrer[[sepaMandate:referrer]]
+        role:sepaMandate:OWNER[[sepaMandate:OWNER]]
+        role:sepaMandate:ADMIN[[sepaMandate:ADMIN]]
+        role:sepaMandate:AGENT[[sepaMandate:AGENT]]
+        role:sepaMandate:REFERRER[[sepaMandate:REFERRER]]
     end
 
     subgraph sepaMandate:permissions[ ]
@@ -85,96 +85,57 @@ subgraph debitorRel["`**debitorRel**`"]
     direction TB
     style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph debitorRel.contact["`**debitorRel.contact**`"]
-        direction TB
-        style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph debitorRel.contact:roles[ ]
-            style debitorRel.contact:roles fill:#99bcdb,stroke:white
-
-            role:debitorRel.contact:owner[[debitorRel.contact:owner]]
-            role:debitorRel.contact:admin[[debitorRel.contact:admin]]
-            role:debitorRel.contact:referrer[[debitorRel.contact:referrer]]
-        end
-    end
-
-    subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
-        direction TB
-        style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph debitorRel.anchorPerson:roles[ ]
-            style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
-
-            role:debitorRel.anchorPerson:owner[[debitorRel.anchorPerson:owner]]
-            role:debitorRel.anchorPerson:admin[[debitorRel.anchorPerson:admin]]
-            role:debitorRel.anchorPerson:referrer[[debitorRel.anchorPerson:referrer]]
-        end
-    end
-
-    subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
-        direction TB
-        style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph debitorRel.holderPerson:roles[ ]
-            style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
-
-            role:debitorRel.holderPerson:owner[[debitorRel.holderPerson:owner]]
-            role:debitorRel.holderPerson:admin[[debitorRel.holderPerson:admin]]
-            role:debitorRel.holderPerson:referrer[[debitorRel.holderPerson:referrer]]
-        end
-    end
-
     subgraph debitorRel:roles[ ]
         style debitorRel:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel:owner[[debitorRel:owner]]
-        role:debitorRel:admin[[debitorRel:admin]]
-        role:debitorRel:agent[[debitorRel:agent]]
-        role:debitorRel:tenant[[debitorRel:tenant]]
+        role:debitorRel:OWNER[[debitorRel:OWNER]]
+        role:debitorRel:ADMIN[[debitorRel:ADMIN]]
+        role:debitorRel:AGENT[[debitorRel:AGENT]]
+        role:debitorRel:TENANT[[debitorRel:TENANT]]
     end
 end
 
 %% granting roles to users
-user:creator ==> role:sepaMandate:owner
+user:creator ==> role:sepaMandate:OWNER
 
 %% granting roles to roles
-role:global:admin -.-> role:debitorRel.anchorPerson:owner
-role:debitorRel.anchorPerson:owner -.-> role:debitorRel.anchorPerson:admin
-role:debitorRel.anchorPerson:admin -.-> role:debitorRel.anchorPerson:referrer
-role:global:admin -.-> role:debitorRel.holderPerson:owner
-role:debitorRel.holderPerson:owner -.-> role:debitorRel.holderPerson:admin
-role:debitorRel.holderPerson:admin -.-> role:debitorRel.holderPerson:referrer
-role:global:admin -.-> role:debitorRel.contact:owner
-role:debitorRel.contact:owner -.-> role:debitorRel.contact:admin
-role:debitorRel.contact:admin -.-> role:debitorRel.contact:referrer
-role:global:admin -.-> role:debitorRel:owner
-role:debitorRel:owner -.-> role:debitorRel:admin
-role:debitorRel.anchorPerson:admin -.-> role:debitorRel:admin
-role:debitorRel:admin -.-> role:debitorRel:agent
-role:debitorRel.holderPerson:admin -.-> role:debitorRel:agent
-role:debitorRel:agent -.-> role:debitorRel:tenant
-role:debitorRel.holderPerson:admin -.-> role:debitorRel:tenant
-role:debitorRel.contact:admin -.-> role:debitorRel:tenant
-role:debitorRel:tenant -.-> role:debitorRel.anchorPerson:referrer
-role:debitorRel:tenant -.-> role:debitorRel.holderPerson:referrer
-role:debitorRel:tenant -.-> role:debitorRel.contact:referrer
-role:global:admin -.-> role:bankAccount:owner
-role:bankAccount:owner -.-> role:bankAccount:admin
-role:bankAccount:admin -.-> role:bankAccount:referrer
-role:global:admin ==> role:sepaMandate:owner
-role:sepaMandate:owner ==> role:sepaMandate:admin
-role:sepaMandate:admin ==> role:sepaMandate:agent
-role:sepaMandate:agent ==> role:bankAccount:referrer
-role:sepaMandate:agent ==> role:debitorRel:agent
-role:sepaMandate:agent ==> role:sepaMandate:referrer
-role:bankAccount:admin ==> role:sepaMandate:referrer
-role:debitorRel:agent ==> role:sepaMandate:referrer
-role:sepaMandate:referrer ==> role:debitorRel:tenant
+role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
+role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
+role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.contact:OWNER
+role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
+role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:bankAccount:OWNER
+role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
+role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
+role:global:ADMIN ==> role:sepaMandate:OWNER
+role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
+role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
+role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
+role:sepaMandate:AGENT ==> role:debitorRel:AGENT
+role:sepaMandate:AGENT ==> role:sepaMandate:REFERRER
+role:bankAccount:ADMIN ==> role:sepaMandate:REFERRER
+role:debitorRel:AGENT ==> role:sepaMandate:REFERRER
+role:sepaMandate:REFERRER ==> role:debitorRel:TENANT
 
 %% granting permissions to roles
-role:sepaMandate:owner ==> perm:sepaMandate:DELETE
-role:sepaMandate:admin ==> perm:sepaMandate:UPDATE
-role:sepaMandate:referrer ==> perm:sepaMandate:SELECT
-role:debitorRel:admin ==> perm:sepaMandate:INSERT
+role:sepaMandate:OWNER ==> perm:sepaMandate:DELETE
+role:sepaMandate:ADMIN ==> perm:sepaMandate:UPDATE
+role:sepaMandate:REFERRER ==> perm:sepaMandate:SELECT
+role:debitorRel:ADMIN ==> perm:sepaMandate:INSERT
 
 ```
diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
index 0f168fd5..9f126a22 100644
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
@@ -48,34 +48,34 @@ begin
 
 
     perform createRoleWithGrants(
-        hsOfficeSepaMandateOwner(NEW),
+        hsOfficeSepaMandateOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[globalAdmin()],
+            incomingSuperRoles => array[globalADMIN()],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficeSepaMandateAdmin(NEW),
+        hsOfficeSepaMandateADMIN(NEW),
             permissions => array['UPDATE'],
-            incomingSuperRoles => array[hsOfficeSepaMandateOwner(NEW)]
+            incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeSepaMandateAgent(NEW),
-            incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
+        hsOfficeSepaMandateAGENT(NEW),
+            incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)],
             outgoingSubRoles => array[
-            	hsOfficeBankAccountReferrer(newBankAccount),
-            	hsOfficeRelationAgent(newDebitorRel)]
+            	hsOfficeBankAccountREFERRER(newBankAccount),
+            	hsOfficeRelationAGENT(newDebitorRel)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeSepaMandateReferrer(NEW),
+        hsOfficeSepaMandateREFERRER(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
-            	hsOfficeBankAccountAdmin(newBankAccount),
-            	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeSepaMandateAgent(NEW)],
-            outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
+            	hsOfficeBankAccountADMIN(newBankAccount),
+            	hsOfficeRelationAGENT(newDebitorRel),
+            	hsOfficeSepaMandateAGENT(NEW)],
+            outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -118,7 +118,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
-                    hsOfficeRelationAdmin(row));
+                    hsOfficeRelationADMIN(row));
             END LOOP;
     END;
 $$;
@@ -133,7 +133,7 @@ create or replace function hs_office_sepamandate_hs_office_relation_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
-            hsOfficeRelationAdmin(NEW));
+            hsOfficeRelationADMIN(NEW));
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/258-hs-office-sepamandate-test-data.sql b/src/main/resources/db/changelog/258-hs-office-sepamandate-test-data.sql
index 11999980..69d39165 100644
--- a/src/main/resources/db/changelog/258-hs-office-sepamandate-test-data.sql
+++ b/src/main/resources/db/changelog/258-hs-office-sepamandate-test-data.sql
@@ -20,7 +20,7 @@ declare
     relatedBankAccount  hs_office_bankAccount;
 begin
     currentTask := 'creating SEPA-mandate test-data ' || forPartnerNumber::text || forDebitorSuffix::text;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     select debitor.* into relatedDebitor
diff --git a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
index a1baa702..5c43e03d 100644
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
@@ -13,9 +13,9 @@ subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
     subgraph debitorRel.anchorPerson:roles[ ]
         style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.anchorPerson:owner[[debitorRel.anchorPerson:owner]]
-        role:debitorRel.anchorPerson:admin[[debitorRel.anchorPerson:admin]]
-        role:debitorRel.anchorPerson:referrer[[debitorRel.anchorPerson:referrer]]
+        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
+        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
+        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
     end
 end
 
@@ -26,9 +26,9 @@ subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
     subgraph debitorRel.holderPerson:roles[ ]
         style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.holderPerson:owner[[debitorRel.holderPerson:owner]]
-        role:debitorRel.holderPerson:admin[[debitorRel.holderPerson:admin]]
-        role:debitorRel.holderPerson:referrer[[debitorRel.holderPerson:referrer]]
+        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
+        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
+        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
     end
 end
 
@@ -39,9 +39,9 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
     subgraph partnerRel.holderPerson:roles[ ]
         style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-        role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-        role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
     end
 end
 
@@ -61,52 +61,14 @@ subgraph debitor["`**debitor**`"]
     subgraph debitorRel["`**debitorRel**`"]
         direction TB
         style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-        subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
-            direction TB
-            style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph debitorRel.anchorPerson:roles[ ]
-                style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
-
-                role:debitorRel.anchorPerson:owner[[debitorRel.anchorPerson:owner]]
-                role:debitorRel.anchorPerson:admin[[debitorRel.anchorPerson:admin]]
-                role:debitorRel.anchorPerson:referrer[[debitorRel.anchorPerson:referrer]]
-            end
-        end
-
-        subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
-            direction TB
-            style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph debitorRel.holderPerson:roles[ ]
-                style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
-
-                role:debitorRel.holderPerson:owner[[debitorRel.holderPerson:owner]]
-                role:debitorRel.holderPerson:admin[[debitorRel.holderPerson:admin]]
-                role:debitorRel.holderPerson:referrer[[debitorRel.holderPerson:referrer]]
-            end
-        end
-
-        subgraph debitorRel.contact["`**debitorRel.contact**`"]
-            direction TB
-            style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-            subgraph debitorRel.contact:roles[ ]
-                style debitorRel.contact:roles fill:#99bcdb,stroke:white
-
-                role:debitorRel.contact:owner[[debitorRel.contact:owner]]
-                role:debitorRel.contact:admin[[debitorRel.contact:admin]]
-                role:debitorRel.contact:referrer[[debitorRel.contact:referrer]]
-            end
-        end
 
         subgraph debitorRel:roles[ ]
             style debitorRel:roles fill:#99bcdb,stroke:white
 
-            role:debitorRel:owner[[debitorRel:owner]]
-            role:debitorRel:admin[[debitorRel:admin]]
-            role:debitorRel:agent[[debitorRel:agent]]
-            role:debitorRel:tenant[[debitorRel:tenant]]
+            role:debitorRel:OWNER[[debitorRel:OWNER]]
+            role:debitorRel:ADMIN[[debitorRel:ADMIN]]
+            role:debitorRel:AGENT[[debitorRel:AGENT]]
+            role:debitorRel:TENANT[[debitorRel:TENANT]]
         end
     end
 end
@@ -115,52 +77,13 @@ subgraph partnerRel["`**partnerRel**`"]
     direction TB
     style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
-        direction TB
-        style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.holderPerson:roles[ ]
-            style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-            role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-            role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
-        end
-    end
-
-    subgraph partnerRel.contact["`**partnerRel.contact**`"]
-        direction TB
-        style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.contact:roles[ ]
-            style partnerRel.contact:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-            role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-            role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
-        end
-    end
-
-    subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
-        direction TB
-        style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.anchorPerson:roles[ ]
-            style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-            role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-            role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
-        end
-    end
-
     subgraph partnerRel:roles[ ]
         style partnerRel:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel:owner[[partnerRel:owner]]
-        role:partnerRel:admin[[partnerRel:admin]]
-        role:partnerRel:agent[[partnerRel:agent]]
-        role:partnerRel:tenant[[partnerRel:tenant]]
+        role:partnerRel:OWNER[[partnerRel:OWNER]]
+        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+        role:partnerRel:AGENT[[partnerRel:AGENT]]
+        role:partnerRel:TENANT[[partnerRel:TENANT]]
     end
 end
 
@@ -171,9 +94,9 @@ subgraph partnerRel.contact["`**partnerRel.contact**`"]
     subgraph partnerRel.contact:roles[ ]
         style partnerRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-        role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-        role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
     end
 end
 
@@ -184,9 +107,9 @@ subgraph debitorRel.contact["`**debitorRel.contact**`"]
     subgraph debitorRel.contact:roles[ ]
         style debitorRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:debitorRel.contact:owner[[debitorRel.contact:owner]]
-        role:debitorRel.contact:admin[[debitorRel.contact:admin]]
-        role:debitorRel.contact:referrer[[debitorRel.contact:referrer]]
+        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
+        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
+        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
     end
 end
 
@@ -197,9 +120,9 @@ subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
     subgraph partnerRel.anchorPerson:roles[ ]
         style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-        role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-        role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
     end
 end
 
@@ -210,66 +133,66 @@ subgraph refundBankAccount["`**refundBankAccount**`"]
     subgraph refundBankAccount:roles[ ]
         style refundBankAccount:roles fill:#99bcdb,stroke:white
 
-        role:refundBankAccount:owner[[refundBankAccount:owner]]
-        role:refundBankAccount:admin[[refundBankAccount:admin]]
-        role:refundBankAccount:referrer[[refundBankAccount:referrer]]
+        role:refundBankAccount:OWNER[[refundBankAccount:OWNER]]
+        role:refundBankAccount:ADMIN[[refundBankAccount:ADMIN]]
+        role:refundBankAccount:REFERRER[[refundBankAccount:REFERRER]]
     end
 end
 
 %% granting roles to roles
-role:global:admin -.-> role:debitorRel.anchorPerson:owner
-role:debitorRel.anchorPerson:owner -.-> role:debitorRel.anchorPerson:admin
-role:debitorRel.anchorPerson:admin -.-> role:debitorRel.anchorPerson:referrer
-role:global:admin -.-> role:debitorRel.holderPerson:owner
-role:debitorRel.holderPerson:owner -.-> role:debitorRel.holderPerson:admin
-role:debitorRel.holderPerson:admin -.-> role:debitorRel.holderPerson:referrer
-role:global:admin -.-> role:debitorRel.contact:owner
-role:debitorRel.contact:owner -.-> role:debitorRel.contact:admin
-role:debitorRel.contact:admin -.-> role:debitorRel.contact:referrer
-role:global:admin -.-> role:debitorRel:owner
-role:debitorRel:owner -.-> role:debitorRel:admin
-role:debitorRel.anchorPerson:admin -.-> role:debitorRel:admin
-role:debitorRel:admin -.-> role:debitorRel:agent
-role:debitorRel.holderPerson:admin -.-> role:debitorRel:agent
-role:debitorRel:agent -.-> role:debitorRel:tenant
-role:debitorRel.holderPerson:admin -.-> role:debitorRel:tenant
-role:debitorRel.contact:admin -.-> role:debitorRel:tenant
-role:debitorRel:tenant -.-> role:debitorRel.anchorPerson:referrer
-role:debitorRel:tenant -.-> role:debitorRel.holderPerson:referrer
-role:debitorRel:tenant -.-> role:debitorRel.contact:referrer
-role:global:admin -.-> role:refundBankAccount:owner
-role:refundBankAccount:owner -.-> role:refundBankAccount:admin
-role:refundBankAccount:admin -.-> role:refundBankAccount:referrer
-role:refundBankAccount:admin ==> role:debitorRel:agent
-role:debitorRel:agent ==> role:refundBankAccount:referrer
-role:global:admin -.-> role:partnerRel.anchorPerson:owner
-role:partnerRel.anchorPerson:owner -.-> role:partnerRel.anchorPerson:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel.anchorPerson:referrer
-role:global:admin -.-> role:partnerRel.holderPerson:owner
-role:partnerRel.holderPerson:owner -.-> role:partnerRel.holderPerson:admin
-role:partnerRel.holderPerson:admin -.-> role:partnerRel.holderPerson:referrer
-role:global:admin -.-> role:partnerRel.contact:owner
-role:partnerRel.contact:owner -.-> role:partnerRel.contact:admin
-role:partnerRel.contact:admin -.-> role:partnerRel.contact:referrer
-role:global:admin -.-> role:partnerRel:owner
-role:partnerRel:owner -.-> role:partnerRel:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel:admin
-role:partnerRel:admin -.-> role:partnerRel:agent
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:agent
-role:partnerRel:agent -.-> role:partnerRel:tenant
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:tenant
-role:partnerRel.contact:admin -.-> role:partnerRel:tenant
-role:partnerRel:tenant -.-> role:partnerRel.anchorPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.holderPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.contact:referrer
-role:partnerRel:admin ==> role:debitorRel:admin
-role:partnerRel:agent ==> role:debitorRel:agent
-role:debitorRel:agent ==> role:partnerRel:tenant
+role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
+role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
+role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.contact:OWNER
+role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
+role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:refundBankAccount:OWNER
+role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
+role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
+role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
+role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+role:partnerRel:ADMIN ==> role:debitorRel:ADMIN
+role:partnerRel:AGENT ==> role:debitorRel:AGENT
+role:debitorRel:AGENT ==> role:partnerRel:TENANT
 
 %% granting permissions to roles
-role:global:admin ==> perm:debitor:INSERT
-role:debitorRel:owner ==> perm:debitor:DELETE
-role:debitorRel:admin ==> perm:debitor:UPDATE
-role:debitorRel:tenant ==> perm:debitor:SELECT
+role:global:ADMIN ==> perm:debitor:INSERT
+role:debitorRel:OWNER ==> perm:debitor:DELETE
+role:debitorRel:ADMIN ==> perm:debitor:UPDATE
+role:debitorRel:TENANT ==> perm:debitor:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
index 065efff6..152f980e 100644
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
@@ -51,15 +51,15 @@ begin
 
     SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid    INTO newRefundBankAccount;
 
-    call grantRoleToRole(hsOfficeBankAccountReferrer(newRefundBankAccount), hsOfficeRelationAgent(newDebitorRel));
-    call grantRoleToRole(hsOfficeRelationAdmin(newDebitorRel), hsOfficeRelationAdmin(newPartnerRel));
-    call grantRoleToRole(hsOfficeRelationAgent(newDebitorRel), hsOfficeBankAccountAdmin(newRefundBankAccount));
-    call grantRoleToRole(hsOfficeRelationAgent(newDebitorRel), hsOfficeRelationAgent(newPartnerRel));
-    call grantRoleToRole(hsOfficeRelationTenant(newPartnerRel), hsOfficeRelationAgent(newDebitorRel));
+    call grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
+    call grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
+    call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
+    call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
+    call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOwner(newDebitorRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTenant(newDebitorRel));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationAdmin(newDebitorRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
 
     call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -143,7 +143,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
-                    globalAdmin());
+                    globalADMIN());
             END LOOP;
     END;
 $$;
@@ -158,7 +158,7 @@ create or replace function hs_office_debitor_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
-            globalAdmin());
+            globalADMIN());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql b/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql
index 5a485b31..ed965104 100644
--- a/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql
+++ b/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql
@@ -23,7 +23,7 @@ declare
 begin
     idName := cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactLabel);
     currentTask := 'creating debitor test-data ' || idName;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     select debitorRel.uuid
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
index 4f425f6e..d458212c 100644
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
@@ -10,52 +10,13 @@ subgraph partnerRel["`**partnerRel**`"]
     direction TB
     style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph partnerRel.contact["`**partnerRel.contact**`"]
-        direction TB
-        style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.contact:roles[ ]
-            style partnerRel.contact:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-            role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-            role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
-        end
-    end
-
-    subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
-        direction TB
-        style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.anchorPerson:roles[ ]
-            style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-            role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-            role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
-        end
-    end
-
-    subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
-        direction TB
-        style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
-
-        subgraph partnerRel.holderPerson:roles[ ]
-            style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
-
-            role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-            role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-            role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
-        end
-    end
-
     subgraph partnerRel:roles[ ]
         style partnerRel:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel:owner[[partnerRel:owner]]
-        role:partnerRel:admin[[partnerRel:admin]]
-        role:partnerRel:agent[[partnerRel:agent]]
-        role:partnerRel:tenant[[partnerRel:tenant]]
+        role:partnerRel:OWNER[[partnerRel:OWNER]]
+        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+        role:partnerRel:AGENT[[partnerRel:AGENT]]
+        role:partnerRel:TENANT[[partnerRel:TENANT]]
     end
 end
 
@@ -66,9 +27,9 @@ subgraph partnerRel.contact["`**partnerRel.contact**`"]
     subgraph partnerRel.contact:roles[ ]
         style partnerRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.contact:owner[[partnerRel.contact:owner]]
-        role:partnerRel.contact:admin[[partnerRel.contact:admin]]
-        role:partnerRel.contact:referrer[[partnerRel.contact:referrer]]
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
     end
 end
 
@@ -79,9 +40,9 @@ subgraph membership["`**membership**`"]
     subgraph membership:roles[ ]
         style membership:roles fill:#dd4901,stroke:white
 
-        role:membership:owner[[membership:owner]]
-        role:membership:admin[[membership:admin]]
-        role:membership:referrer[[membership:referrer]]
+        role:membership:OWNER[[membership:OWNER]]
+        role:membership:ADMIN[[membership:ADMIN]]
+        role:membership:REFERRER[[membership:REFERRER]]
     end
 
     subgraph membership:permissions[ ]
@@ -101,9 +62,9 @@ subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
     subgraph partnerRel.anchorPerson:roles[ ]
         style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.anchorPerson:owner[[partnerRel.anchorPerson:owner]]
-        role:partnerRel.anchorPerson:admin[[partnerRel.anchorPerson:admin]]
-        role:partnerRel.anchorPerson:referrer[[partnerRel.anchorPerson:referrer]]
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
     end
 end
 
@@ -114,46 +75,46 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
     subgraph partnerRel.holderPerson:roles[ ]
         style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:partnerRel.holderPerson:owner[[partnerRel.holderPerson:owner]]
-        role:partnerRel.holderPerson:admin[[partnerRel.holderPerson:admin]]
-        role:partnerRel.holderPerson:referrer[[partnerRel.holderPerson:referrer]]
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
     end
 end
 
 %% granting roles to users
-user:creator ==> role:membership:owner
+user:creator ==> role:membership:OWNER
 
 %% granting roles to roles
-role:global:admin -.-> role:partnerRel.anchorPerson:owner
-role:partnerRel.anchorPerson:owner -.-> role:partnerRel.anchorPerson:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel.anchorPerson:referrer
-role:global:admin -.-> role:partnerRel.holderPerson:owner
-role:partnerRel.holderPerson:owner -.-> role:partnerRel.holderPerson:admin
-role:partnerRel.holderPerson:admin -.-> role:partnerRel.holderPerson:referrer
-role:global:admin -.-> role:partnerRel.contact:owner
-role:partnerRel.contact:owner -.-> role:partnerRel.contact:admin
-role:partnerRel.contact:admin -.-> role:partnerRel.contact:referrer
-role:global:admin -.-> role:partnerRel:owner
-role:partnerRel:owner -.-> role:partnerRel:admin
-role:partnerRel.anchorPerson:admin -.-> role:partnerRel:admin
-role:partnerRel:admin -.-> role:partnerRel:agent
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:agent
-role:partnerRel:agent -.-> role:partnerRel:tenant
-role:partnerRel.holderPerson:admin -.-> role:partnerRel:tenant
-role:partnerRel.contact:admin -.-> role:partnerRel:tenant
-role:partnerRel:tenant -.-> role:partnerRel.anchorPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.holderPerson:referrer
-role:partnerRel:tenant -.-> role:partnerRel.contact:referrer
-role:partnerRel:admin ==> role:membership:owner
-role:membership:owner ==> role:membership:admin
-role:partnerRel:agent ==> role:membership:admin
-role:membership:admin ==> role:membership:referrer
-role:membership:referrer ==> role:partnerRel:tenant
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+role:partnerRel:ADMIN ==> role:membership:OWNER
+role:membership:OWNER ==> role:membership:ADMIN
+role:partnerRel:AGENT ==> role:membership:ADMIN
+role:membership:ADMIN ==> role:membership:REFERRER
+role:membership:REFERRER ==> role:partnerRel:TENANT
 
 %% granting permissions to roles
-role:global:admin ==> perm:membership:INSERT
-role:membership:owner ==> perm:membership:DELETE
-role:membership:admin ==> perm:membership:UPDATE
-role:membership:referrer ==> perm:membership:SELECT
+role:global:ADMIN ==> perm:membership:INSERT
+role:membership:OWNER ==> perm:membership:DELETE
+role:membership:ADMIN ==> perm:membership:UPDATE
+role:membership:REFERRER ==> perm:membership:SELECT
 
 ```
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
index 17dbc84c..9c423ba4 100644
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
@@ -44,25 +44,25 @@ begin
 
 
     perform createRoleWithGrants(
-        hsOfficeMembershipOwner(NEW),
+        hsOfficeMembershipOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[hsOfficeRelationAdmin(newPartnerRel)],
+            incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
-        hsOfficeMembershipAdmin(NEW),
+        hsOfficeMembershipADMIN(NEW),
             permissions => array['UPDATE'],
             incomingSuperRoles => array[
-            	hsOfficeMembershipOwner(NEW),
-            	hsOfficeRelationAgent(newPartnerRel)]
+            	hsOfficeMembershipOWNER(NEW),
+            	hsOfficeRelationAGENT(newPartnerRel)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeMembershipReferrer(NEW),
+        hsOfficeMembershipREFERRER(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficeMembershipAdmin(NEW)],
-            outgoingSubRoles => array[hsOfficeRelationTenant(newPartnerRel)]
+            incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
+            outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -105,7 +105,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
-                    globalAdmin());
+                    globalADMIN());
             END LOOP;
     END;
 $$;
@@ -120,7 +120,7 @@ create or replace function hs_office_membership_global_insert_tf()
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
-            globalAdmin());
+            globalADMIN());
     return NEW;
 end; $$;
 
diff --git a/src/main/resources/db/changelog/308-hs-office-membership-test-data.sql b/src/main/resources/db/changelog/308-hs-office-membership-test-data.sql
index 9d574a58..d49a5344 100644
--- a/src/main/resources/db/changelog/308-hs-office-membership-test-data.sql
+++ b/src/main/resources/db/changelog/308-hs-office-membership-test-data.sql
@@ -19,7 +19,7 @@ begin
     currentTask := 'creating Membership test-data ' ||
                     'P-' || forPartnerNumber::text ||
                     'M-...' || newMemberNumberSuffix;
-    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
+    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
     select partner.* from hs_office_partner partner
diff --git a/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java b/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java
index c02cb944..0daa0a15 100644
--- a/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java
+++ b/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java
@@ -59,13 +59,13 @@ class ContextIntegrationTests {
     void defineWithoutCurrentUserButWithAssumedRoles() {
         // when
         final var result = jpaAttempt.transacted(() ->
-                context.define(null, "test_package#yyy00.admin")
+                context.define(null, "test_package#yyy00:ADMIN")
         );
 
         // then
         result.assertExceptionWithRootCauseMessage(
                 jakarta.persistence.PersistenceException.class,
-                "ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin");
+                "ERROR: [403] undefined has no permission to assume role test_package#yyy00:ADMIN");
     }
 
     @Test
@@ -85,7 +85,7 @@ class ContextIntegrationTests {
     @Transactional
     void defineWithCurrentUserAndAssumedRoles() {
         // given
-        context.define("superuser-alex@hostsharing.net", "test_customer#xxx.owner;test_customer#yyy.owner");
+        context.define("superuser-alex@hostsharing.net", "test_customer#xxx:OWNER;test_customer#yyy:OWNER");
 
         // when
         final var currentUser = context.getCurrentUser();
@@ -93,7 +93,7 @@ class ContextIntegrationTests {
 
         // then
         assertThat(context.getAssumedRoles())
-                .isEqualTo(Array.of("test_customer#xxx.owner", "test_customer#yyy.owner"));
+                .isEqualTo(Array.of("test_customer#xxx:OWNER", "test_customer#yyy:OWNER"));
         assertThat(context.currentSubjectsUuids()).hasSize(2);
     }
 
@@ -101,12 +101,12 @@ class ContextIntegrationTests {
     public void defineContextWithCurrentUserAndAssumeInaccessibleRole() {
         // when
         final var result = jpaAttempt.transacted(() ->
-                context.define("customer-admin@xxx.example.com", "test_package#yyy00.admin")
+                context.define("customer-admin@xxx.example.com", "test_package#yyy00:ADMIN")
         );
 
         // then
         result.assertExceptionWithRootCauseMessage(
                 jakarta.persistence.PersistenceException.class,
-                "ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role test_package#yyy00.admin");
+                "ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role test_package#yyy00:ADMIN");
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
index fd484c4c..f0541813 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
@@ -102,21 +102,21 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC
             final var roles = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(roles)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_bankaccount#DE25500105176934832579.owner",
-                    "hs_office_bankaccount#DE25500105176934832579.admin",
-                    "hs_office_bankaccount#DE25500105176934832579.referrer"
+                    "hs_office_bankaccount#DE25500105176934832579:OWNER",
+                    "hs_office_bankaccount#DE25500105176934832579:ADMIN",
+                    "hs_office_bankaccount#DE25500105176934832579:REFERRER"
             ));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
                     initialGrantNames,
-                    "{ grant perm DELETE on hs_office_bankaccount#DE25500105176934832579 to role hs_office_bankaccount#DE25500105176934832579.owner     by system and assume }",
-                    "{ grant role hs_office_bankaccount#DE25500105176934832579.owner     to role global#global.admin                                    by system and assume }",
-                    "{ grant role hs_office_bankaccount#DE25500105176934832579.owner     to user selfregistered-user-drew@hostsharing.org               by hs_office_bankaccount#DE25500105176934832579.owner and assume }",
+                    "{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE   to role:hs_office_bankaccount#DE25500105176934832579:OWNER     by system and assume }",
+                    "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER    to role:global#global:ADMIN                                    by system and assume }",
+                    "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER    to user:selfregistered-user-drew@hostsharing.org               by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }",
 
-                    "{ grant role hs_office_bankaccount#DE25500105176934832579.admin     to role hs_office_bankaccount#DE25500105176934832579.owner     by system and assume }",
-                    "{ grant perm UPDATE on hs_office_bankaccount#DE25500105176934832579 to role hs_office_bankaccount#DE25500105176934832579.admin     by system and assume }",
+                    "{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN    to role:hs_office_bankaccount#DE25500105176934832579:OWNER     by system and assume }",
+                    "{ grant perm:hs_office_bankaccount#DE25500105176934832579:UPDATE   to role:hs_office_bankaccount#DE25500105176934832579:ADMIN     by system and assume }",
 
-                    "{ grant perm SELECT on hs_office_bankaccount#DE25500105176934832579 to role hs_office_bankaccount#DE25500105176934832579.referrer  by system and assume }",
-                    "{ grant role hs_office_bankaccount#DE25500105176934832579.referrer  to role hs_office_bankaccount#DE25500105176934832579.admin     by system and assume }",
+                    "{ grant perm:hs_office_bankaccount#DE25500105176934832579:SELECT   to role:hs_office_bankaccount#DE25500105176934832579:REFERRER  by system and assume }",
+                    "{ grant role:hs_office_bankaccount#DE25500105176934832579:REFERRER to role:hs_office_bankaccount#DE25500105176934832579:ADMIN     by system and assume }",
                     null
             ));
         }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRepositoryIntegrationTest.java
index 259f88fe..3187a4f4 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRepositoryIntegrationTest.java
@@ -103,20 +103,20 @@ class HsOfficeContactRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var roles = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(roles)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_contact#anothernewcontact.owner",
-                    "hs_office_contact#anothernewcontact.admin",
-                    "hs_office_contact#anothernewcontact.referrer"
+                    "hs_office_contact#anothernewcontact:OWNER",
+                    "hs_office_contact#anothernewcontact:ADMIN",
+                    "hs_office_contact#anothernewcontact:REFERRER"
             ));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
                     initialGrantNames,
-                    "{ grant role hs_office_contact#anothernewcontact.owner     to role global#global.admin                          by system and assume }",
-                    "{ grant perm UPDATE on hs_office_contact#anothernewcontact to role hs_office_contact#anothernewcontact.admin    by system and assume }",
-                    "{ grant role hs_office_contact#anothernewcontact.owner     to user selfregistered-user-drew@hostsharing.org     by hs_office_contact#anothernewcontact.owner and assume }",
-                    "{ grant perm DELETE on hs_office_contact#anothernewcontact to role hs_office_contact#anothernewcontact.owner    by system and assume }",
-                    "{ grant role hs_office_contact#anothernewcontact.admin     to role hs_office_contact#anothernewcontact.owner    by system and assume }",
+                    "{ grant role:hs_office_contact#anothernewcontact:OWNER     to role:global#global:ADMIN                          by system and assume }",
+                    "{ grant perm:hs_office_contact#anothernewcontact:UPDATE    to role:hs_office_contact#anothernewcontact:ADMIN    by system and assume }",
+                    "{ grant role:hs_office_contact#anothernewcontact:OWNER     to user:selfregistered-user-drew@hostsharing.org     by hs_office_contact#anothernewcontact:OWNER and assume }",
+                    "{ grant perm:hs_office_contact#anothernewcontact:DELETE     to role:hs_office_contact#anothernewcontact:OWNER    by system and assume }",
+                    "{ grant role:hs_office_contact#anothernewcontact:ADMIN     to role:hs_office_contact#anothernewcontact:OWNER    by system and assume }",
 
-                    "{ grant perm SELECT on hs_office_contact#anothernewcontact to role hs_office_contact#anothernewcontact.referrer by system and assume }",
-                    "{ grant role hs_office_contact#anothernewcontact.referrer  to role hs_office_contact#anothernewcontact.admin    by system and assume }"
+                    "{ grant perm:hs_office_contact#anothernewcontact:SELECT    to role:hs_office_contact#anothernewcontact:REFERRER by system and assume }",
+                    "{ grant role:hs_office_contact#anothernewcontact:REFERRER  to role:hs_office_contact#anothernewcontact:ADMIN    by system and assume }"
             ));
         }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
index 7031476e..40163eab 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
@@ -112,8 +112,8 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm SELECT on coopassetstransaction#temprefB to role membership#M-1000101.admin by system and assume }",
-                            "{ grant perm UPDATE on coopassetstransaction#temprefB to role membership#M-1000101.admin by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                             null));
         }
 
@@ -194,7 +194,7 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
         @Test
         public void partnerPersonAdmin_canViewRelatedCoopAssetsTransactions() {
             // given:
-            context("superuser-alex@hostsharing.net", "hs_office_person#FirstGmbH.admin");
+            context("superuser-alex@hostsharing.net", "hs_office_person#FirstGmbH:ADMIN");
 
             // when:
             final var result = coopAssetsTransactionRepo.findCoopAssetsTransactionByOptionalMembershipUuidAndDateRange(
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
index 16880741..37d67592 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
@@ -111,8 +111,8 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm SELECT on coopsharestransaction#temprefB to role membership#M-1000101.admin by system and assume }",
-                            "{ grant perm UPDATE on coopsharestransaction#temprefB to role membership#M-1000101.admin by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101.admin by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101.admin by system and assume }",
                             null));
         }
 
@@ -193,7 +193,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
         @Test
         public void normalUser_canViewOnlyRelatedCoopSharesTransactions() {
             // given:
-            context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101.admin");
+            context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101:ADMIN");
 
             // when:
             final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
index 975ad961..c2e3fffd 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
@@ -635,7 +635,7 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
             RestAssured // @formatter:off
                     .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "hs_office_contact#fourthcontact.admin")
+                    .header("assumed-roles", "hs_office_contact#fourthcontact:ADMIN")
                     .contentType(ContentType.JSON)
                     .body("""
                            {
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
index 5f53df24..7a3dfbb7 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
@@ -172,44 +172,44 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             // then
             assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG.owner",
-                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG.admin",
-                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG.agent",
-                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG.tenant"));
+                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER",
+                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN",
+                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT",
+                    "hs_office_relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                 .map(s -> s.replace("hs_office_", ""))
                 .containsExactlyInAnyOrder(Array.fromFormatted(
                     initialGrantNames,
-                    "{ grant perm INSERT into sepamandate with relation#FirstGmbH-with-DEBITOR-FourtheG to role relation#FirstGmbH-with-DEBITOR-FourtheG.admin by system and assume }",
+                    "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:INSERT>sepamandate to role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN by system and assume }",
 
                     // owner
-                    "{ grant perm DELETE on debitor#D-1000122 to role relation#FirstGmbH-with-DEBITOR-FourtheG.owner by system and assume }",
-                    "{ grant perm DELETE on relation#FirstGmbH-with-DEBITOR-FourtheG to role relation#FirstGmbH-with-DEBITOR-FourtheG.owner by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.owner to role global#global.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.owner to user superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG.owner and assume }",
+                    "{ grant perm:debitor#D-1000122:DELETE                          to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
+                    "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE   to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER    to role:global#global:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER    to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }",
 
                     // admin
-                    "{ grant perm UPDATE on debitor#D-1000122 to role relation#FirstGmbH-with-DEBITOR-FourtheG.admin by system and assume }",
-                    "{ grant perm UPDATE on relation#FirstGmbH-with-DEBITOR-FourtheG to role relation#FirstGmbH-with-DEBITOR-FourtheG.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.admin to role relation#FirstGmbH-with-DEBITOR-FourtheG.owner by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.admin to role person#FirstGmbH.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.admin to role relation#HostsharingeG-with-PARTNER-FirstGmbH.admin by system and assume }",
+                    "{ grant perm:debitor#D-1000122:UPDATE                          to role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN by system and assume }",
+                    "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:UPDATE   to role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN    to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN    to role:person#FirstGmbH:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN    to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
 
                     // agent
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.agent to role person#FourtheG.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.agent to role relation#FirstGmbH-with-DEBITOR-FourtheG.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.agent to role relation#HostsharingeG-with-PARTNER-FirstGmbH.agent by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT    to role:person#FourtheG:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT    to role:relation#FirstGmbH-with-DEBITOR-FourtheG:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT    to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
 
                     // tenant
-                    "{ grant perm SELECT on debitor#D-1000122 to role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant by system and assume }",
-                    "{ grant perm SELECT on relation#FirstGmbH-with-DEBITOR-FourtheG to role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant by system and assume }",
-                    "{ grant role relation#HostsharingeG-with-PARTNER-FirstGmbH.tenant to role relation#FirstGmbH-with-DEBITOR-FourtheG.agent by system and assume }",
-                    "{ grant role contact#fourthcontact.referrer to role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant by system and assume }",
-                    "{ grant role person#FirstGmbH.referrer to role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant by system and assume }",
-                    "{ grant role person#FourtheG.referrer to role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant to role contact#fourthcontact.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant to role person#FourtheG.admin by system and assume }",
-                    "{ grant role relation#FirstGmbH-with-DEBITOR-FourtheG.tenant to role relation#FirstGmbH-with-DEBITOR-FourtheG.agent by system and assume }",
+                    "{ grant perm:debitor#D-1000122:SELECT                          to role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT by system and assume }",
+                    "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:SELECT   to role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT by system and assume }",
+                    "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT by system and assume }",
+                    "{ grant role:contact#fourthcontact:REFERRER                    to role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT by system and assume }",
+                    "{ grant role:person#FirstGmbH:REFERRER                         to role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT by system and assume }",
+                    "{ grant role:person#FourtheG:REFERRER                          to role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT   to role:contact#fourthcontact:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT   to role:person#FourtheG:ADMIN by system and assume }",
+                    "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:TENANT   to role:relation#FirstGmbH-with-DEBITOR-FourtheG:AGENT by system and assume }",
 
                     null));
         }
@@ -243,9 +243,9 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
         @ParameterizedTest
         @Disabled // TODO: reactivate once partner.person + partner.contact  are removed
         @ValueSource(strings = {
-                "hs_office_partner#10001:FirstGmbH-firstcontact.admin",
-                "hs_office_person#FirstGmbH.admin",
-                "hs_office_contact#firstcontact.admin",
+                "hs_office_partner#10001:FirstGmbH-firstcontact:ADMIN",
+                "hs_office_person#FirstGmbH:ADMIN",
+                "hs_office_contact#firstcontact:ADMIN",
         })
         public void relatedPersonAdmin_canViewRelatedDebitors(final String assumedRole) {
             // given:
@@ -317,7 +317,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
 
             assertThatDebitorIsVisibleForUserWithRole(
                     givenDebitor,
-                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG.admin", true);
+                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG:ADMIN", true);
             final var givenNewPartnerPerson = one(personRepo.findPersonByOptionalNameLike("First"));
             final var givenNewBillingPerson = one(personRepo.findPersonByOptionalNameLike("Firby"));
             final var givenNewContact = one(contactRepo.findContactByOptionalLabelLike("sixth contact"));
@@ -346,31 +346,31 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             result.assertSuccessful();
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "global#global.admin", true);
+                    "global#global:ADMIN", true);
 
             // ... partner role was reassigned:
             assertThatDebitorIsNotVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG.admin");
+                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG:ADMIN");
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_relation#FirstGmbH-with-DEBITOR-FirbySusan.agent", true);
+                    "hs_office_relation#FirstGmbH-with-DEBITOR-FirbySusan:AGENT", true);
 
             // ... contact role was reassigned:
             assertThatDebitorIsNotVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_contact#fifthcontact.admin");
+                    "hs_office_contact#fifthcontact:ADMIN");
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_contact#sixthcontact.admin", false);
+                    "hs_office_contact#sixthcontact:ADMIN", false);
 
             // ... bank-account role was reassigned:
             assertThatDebitorIsNotVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_bankaccount#DE02200505501015871393.admin");
+                    "hs_office_bankaccount#DE02200505501015871393:ADMIN");
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_bankaccount#DE02120300000000202051.admin", true);
+                    "hs_office_bankaccount#DE02120300000000202051:ADMIN", true);
         }
 
         @Test
@@ -380,7 +380,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenDebitor = givenSomeTemporaryDebitor("Fourth", "fifth contact", null, "fig");
             assertThatDebitorIsVisibleForUserWithRole(
                     givenDebitor,
-                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG.admin", true);
+                    "hs_office_relation#FourtheG-with-DEBITOR-FourtheG:ADMIN", true);
             assertThatDebitorActuallyInDatabase(givenDebitor, true);
             final var givenNewBankAccount = one(bankAccountRepo.findByOptionalHolderLike("first"));
 
@@ -395,12 +395,12 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             result.assertSuccessful();
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "global#global.admin", true);
+                    "global#global:ADMIN", true);
 
             // ... bank-account role was assigned:
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_bankaccount#DE02120300000000202051.admin", true);
+                    "hs_office_bankaccount#DE02120300000000202051:ADMIN", true);
         }
 
         @Test
@@ -410,7 +410,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenDebitor = givenSomeTemporaryDebitor("Fourth", "fifth contact", "Fourth", "fih");
             assertThatDebitorIsVisibleForUserWithRole(
                     givenDebitor,
-                    "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG.agent", true);
+                    "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG:AGENT", true);
             assertThatDebitorActuallyInDatabase(givenDebitor, true);
 
             // when
@@ -424,12 +424,12 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             result.assertSuccessful();
             assertThatDebitorIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "global#global.admin", true);
+                    "global#global:ADMIN", true);
 
             // ... bank-account role was removed from previous bank-account admin:
             assertThatDebitorIsNotVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_bankaccount#DE02200505501015871393.admin");
+                    "hs_office_bankaccount#DE02200505501015871393:ADMIN");
         }
 
         @Test
@@ -439,12 +439,12 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenDebitor = givenSomeTemporaryDebitor("Fourth", "eighth", "Fourth", "eig");
             assertThatDebitorIsVisibleForUserWithRole(
                     givenDebitor,
-                    "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG.agent", true);
+                    "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG:AGENT", true);
             assertThatDebitorActuallyInDatabase(givenDebitor, true);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG.agent");
+                context("superuser-alex@hostsharing.net", "hs_office_relation#HostsharingeG-with-PARTNER-FourtheG:AGENT");
                 givenDebitor.setVatId("NEW-VAT-ID");
                 return toCleanup(debitorRepo.save(givenDebitor));
             });
@@ -462,11 +462,11 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             assertThatDebitorActuallyInDatabase(givenDebitor, true);
             assertThatDebitorIsVisibleForUserWithRole(
                     givenDebitor,
-                    "hs_office_contact#ninthcontact.admin", false);
+                    "hs_office_contact#ninthcontact:ADMIN", false);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_contact#ninthcontact.admin");
+                context("superuser-alex@hostsharing.net", "hs_office_contact#ninthcontact:ADMIN");
                 givenDebitor.setVatId("NEW-VAT-ID");
                 return toCleanup(debitorRepo.save(givenDebitor));
             });
@@ -545,7 +545,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_relation#FourtheG-with-DEBITOR-FourtheG.admin");
+                context("superuser-alex@hostsharing.net", "hs_office_relation#FourtheG-with-DEBITOR-FourtheG:ADMIN");
                 assertThat(debitorRepo.findByUuid(givenDebitor.getUuid())).isPresent();
 
                 debitorRepo.deleteByUuid(givenDebitor.getUuid());
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
index c0d69951..c0def119 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
@@ -269,7 +269,7 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "hs_office_relation#HostsharingeG-with-PARTNER-ThirdOHG.agent")
+                    .header("assumed-roles", "hs_office_relation#HostsharingeG-with-PARTNER-ThirdOHG:AGENT")
                     .port(port)
                 .when()
                     .get("http://localhost/api/hs/office/memberships/" + givenMembershipUuid)
@@ -338,7 +338,7 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
         void partnerRelAgent_canPatchValidityOfRelatedMembership() {
 
             // given
-            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH.agent";
+            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT";
             context.define("superuser-alex@hostsharing.net", givenPartnerAgent);
             final var givenMembership = givenSomeTemporaryMembershipBessler("First");
 
@@ -401,7 +401,7 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH.agent")
+                    .header("assumed-roles", "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT")
                     .port(port)
                 .when()
                     .delete("http://localhost/api/hs/office/memberships/" + givenMembership.getUuid())
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
index a53b2705..f6f7e518 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
@@ -91,7 +91,6 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
             context("superuser-alex@hostsharing.net");
             final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
             final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
-                    .map(s -> s.replace("GmbH-firstcontact", ""))
                     .map(s -> s.replace("hs_office_", ""))
                     .toList();
 
@@ -111,31 +110,30 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
             final var all = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_membership#M-1000117.admin",
-                    "hs_office_membership#M-1000117.owner",
-                    "hs_office_membership#M-1000117.referrer"));
+                    "hs_office_membership#M-1000117:ADMIN",
+                    "hs_office_membership#M-1000117:OWNER",
+                    "hs_office_membership#M-1000117:REFERRER"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
-                    .map(s -> s.replace("GmbH-firstcontact", ""))
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
 
                             // owner
-                            "{ grant perm DELETE on membership#M-1000117 to role membership#M-1000117.owner by system and assume }",
+                            "{ grant perm:membership#M-1000117:DELETE       to role:membership#M-1000117:OWNER by system and assume }",
 
                             // admin
-                            "{ grant perm UPDATE on membership#M-1000117 to role membership#M-1000117.admin by system and assume }",
-                            "{ grant role membership#M-1000117.admin to role membership#M-1000117.owner by system and assume }",
-                            "{ grant role membership#M-1000117.owner to role relation#HostsharingeG-with-PARTNER-FirstGmbH.admin by system and assume }",
-                            "{ grant role membership#M-1000117.owner to user superuser-alex@hostsharing.net by membership#M-1000117.owner and assume }",
+                            "{ grant perm:membership#M-1000117:UPDATE       to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER        to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
 
                             // agent
-                            "{ grant role membership#M-1000117.admin to role relation#HostsharingeG-with-PARTNER-FirstGmbH.agent by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
 
                             // referrer
-                            "{ grant perm SELECT on membership#M-1000117 to role membership#M-1000117.referrer by system and assume }",
-                            "{ grant role membership#M-1000117.referrer to role membership#M-1000117.admin by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-FirstGmbH.tenant to role membership#M-1000117.referrer by system and assume }",
+                            "{ grant perm:membership#M-1000117:SELECT       to role:membership#M-1000117:REFERRER by system and assume }",
+                            "{ grant role:membership#M-1000117:REFERRER     to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:REFERRER by system and assume }",
 
                             null));
         }
@@ -230,13 +228,13 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
             assertThatMembershipExistsAndIsAccessibleToCurrentContext(givenMembership);
             assertThatMembershipIsVisibleForRole(
                     givenMembership,
-                    "hs_office_membership#M-1000113.referrer");
+                    "hs_office_membership#M-1000113:REFERRER");
             final var newValidityEnd = LocalDate.now();
 
             // when
             final var result = jpaAttempt.transacted(() -> {
                 // TODO: we should test with debitor- and partner-admin as well
-                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113.referrer");
+                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:REFERRER");
                 givenMembership.setValidity(
                         Range.closedOpen(givenMembership.getValidity().lower(), newValidityEnd));
                 return membershipRepo.save(givenMembership);
@@ -294,7 +292,7 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH.agent");
+                context("superuser-alex@hostsharing.net", "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT");
                 assertThat(membershipRepo.findByUuid(givenMembership.getUuid())).isPresent();
 
                 membershipRepo.deleteByUuid(givenMembership.getUuid());
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java
index bb42901d..4010167d 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java
@@ -106,7 +106,7 @@ import static org.assertj.core.api.Fail.fail;
 @Tag("import")
 @DataJpaTest(properties = {
         "spring.datasource.url=${HSADMINNG_POSTGRES_JDBC_URL:jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers}",
-        "spring.datasource.username=${HSADMINNG_POSTGRES_ADMIN_USERNAME:admin}",
+        "spring.datasource.username=${HSADMINNG_POSTGRES_ADMIN_USERNAME:ADMIN}",
         "spring.datasource.password=${HSADMINNG_POSTGRES_ADMIN_PASSWORD:password}",
         "hsadminng.superuser=${HSADMINNG_SUPERUSER:superuser-alex@hostsharing.net}"
 })
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
index 94bcb9fe..98bff812 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
@@ -132,52 +132,52 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
             // then
             assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.owner",
-                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.admin",
-                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.agent",
-                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant"));
+                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:OWNER",
+                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:ADMIN",
+                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:AGENT",
+                    "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:TENANT"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                     .map(s -> s.replace("ErbenBesslerMelBessler", "EBess"))
                     .map(s -> s.replace("fourthcontact", "4th"))
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(distinct(fromFormatted(
                             initialGrantNames,
-                            "{ grant perm INSERT into sepamandate with relation#HostsharingeG-with-PARTNER-EBess to role relation#HostsharingeG-with-PARTNER-EBess.admin by system and assume }",
+                            "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:INSERT>sepamandate  to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
 
                             // permissions on partner
-                            "{ grant perm DELETE on partner#P-20032 to role relation#HostsharingeG-with-PARTNER-EBess.admin by system and assume }",
-                            "{ grant perm UPDATE on partner#P-20032 to role relation#HostsharingeG-with-PARTNER-EBess.agent by system and assume }",
-                            "{ grant perm SELECT on partner#P-20032 to role relation#HostsharingeG-with-PARTNER-EBess.tenant by system and assume }",
+                            "{ grant perm:partner#P-20032:DELETE                            to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
+                            "{ grant perm:partner#P-20032:UPDATE                            to role:relation#HostsharingeG-with-PARTNER-EBess:AGENT by system and assume }",
+                            "{ grant perm:partner#P-20032:SELECT                            to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
 
                             // permissions on partner-details
-                            "{ grant perm DELETE on partner_details#P-20032-details to role relation#HostsharingeG-with-PARTNER-EBess.admin by system and assume }",
-                            "{ grant perm UPDATE on partner_details#P-20032-details to role relation#HostsharingeG-with-PARTNER-EBess.agent by system and assume }",
-                            "{ grant perm SELECT on partner_details#P-20032-details to role relation#HostsharingeG-with-PARTNER-EBess.agent by system and assume }",
+                            "{ grant perm:partner_details#P-20032:DELETE                    to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
+                            "{ grant perm:partner_details#P-20032:UPDATE                    to role:relation#HostsharingeG-with-PARTNER-EBess:AGENT by system and assume }",
+                            "{ grant perm:partner_details#P-20032:SELECT                    to role:relation#HostsharingeG-with-PARTNER-EBess:AGENT by system and assume }",
 
                             // permissions on partner-relation
-                            "{ grant perm DELETE on relation#HostsharingeG-with-PARTNER-EBess to role relation#HostsharingeG-with-PARTNER-EBess.owner by system and assume }",
-                            "{ grant perm UPDATE on relation#HostsharingeG-with-PARTNER-EBess to role relation#HostsharingeG-with-PARTNER-EBess.admin by system and assume }",
-                            "{ grant perm SELECT on relation#HostsharingeG-with-PARTNER-EBess to role relation#HostsharingeG-with-PARTNER-EBess.tenant by system and assume }",
+                            "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:DELETE  to role:relation#HostsharingeG-with-PARTNER-EBess:OWNER by system and assume }",
+                            "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:UPDATE  to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
+                            "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT  to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
 
                             // relation owner
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.owner to role global#global.admin by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.owner to user superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess.owner and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER   to role:global#global:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER   to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }",
 
                             // relation admin
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.admin to role relation#HostsharingeG-with-PARTNER-EBess.owner by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.admin to role person#HostsharingeG.admin by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN   to role:relation#HostsharingeG-with-PARTNER-EBess:OWNER by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN   to role:person#HostsharingeG:ADMIN by system and assume }",
 
                             // relation agent
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.agent to role person#EBess.admin by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.agent to role relation#HostsharingeG-with-PARTNER-EBess.admin by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:AGENT   to role:person#EBess:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:AGENT   to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
 
                             // relation tenant
-                            "{ grant role contact#4th.referrer to role relation#HostsharingeG-with-PARTNER-EBess.tenant by system and assume }",
-                            "{ grant role person#EBess.referrer to role relation#HostsharingeG-with-PARTNER-EBess.tenant by system and assume }",
-                            "{ grant role person#HostsharingeG.referrer to role relation#HostsharingeG-with-PARTNER-EBess.tenant by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.tenant to role contact#4th.admin by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.tenant to role person#EBess.admin by system and assume }",
-                            "{ grant role relation#HostsharingeG-with-PARTNER-EBess.tenant to role relation#HostsharingeG-with-PARTNER-EBess.agent by system and assume }",
+                            "{ grant role:contact#4th:REFERRER                              to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
+                            "{ grant role:person#EBess:REFERRER                             to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
+                            "{ grant role:person#HostsharingeG:REFERRER                     to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:TENANT  to role:contact#4th:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:TENANT  to role:person#EBess:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:TENANT  to role:relation#HostsharingeG-with-PARTNER-EBess:AGENT by system and assume }",
                             null)));
         }
 
@@ -266,7 +266,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenPartner = givenSomeTemporaryHostsharingPartner(20036, "Erben Bessler", "fifth contact");
             assertThatPartnerIsVisibleForUserWithRole(
                     givenPartner,
-                    "hs_office_person#ErbenBesslerMelBessler.admin");
+                    "hs_office_person#ErbenBesslerMelBessler:ADMIN");
             assertThatPartnerActuallyInDatabase(givenPartner);
 
             // when
@@ -281,13 +281,13 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
 
             assertThatPartnerIsVisibleForUserWithRole(
                     givenPartner,
-                    "global#global.admin");
+                    "global#global:ADMIN");
             assertThatPartnerIsVisibleForUserWithRole(
                     givenPartner,
-                    "hs_office_person#ThirdOHG.admin");
+                    "hs_office_person#ThirdOHG:ADMIN");
             assertThatPartnerIsNotVisibleForUserWithRole(
                     givenPartner,
-                    "hs_office_person#ErbenBesslerMelBessler.admin");
+                    "hs_office_person#ErbenBesslerMelBessler:ADMIN");
         }
 
         @Test
@@ -297,13 +297,13 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenPartner = givenSomeTemporaryHostsharingPartner(20037, "Erben Bessler", "ninth");
             assertThatPartnerIsVisibleForUserWithRole(
                     givenPartner,
-                    "hs_office_person#ErbenBesslerMelBessler.admin");
+                    "hs_office_person#ErbenBesslerMelBessler:ADMIN");
             assertThatPartnerActuallyInDatabase(givenPartner);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
                 context("superuser-alex@hostsharing.net",
-                        "hs_office_person#ErbenBesslerMelBessler.admin");
+                        "hs_office_person#ErbenBesslerMelBessler:ADMIN");
                 givenPartner.getDetails().setBirthName("new birthname");
                 return partnerRepo.save(givenPartner);
             });
@@ -319,20 +319,20 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
             final var givenPartner = givenSomeTemporaryHostsharingPartner(20037, "Erben Bessler", "ninth");
             assertThatPartnerIsVisibleForUserWithRole(
                     givenPartner,
-                    "hs_office_person#ErbenBesslerMelBessler.admin");
+                    "hs_office_person#ErbenBesslerMelBessler:ADMIN");
             assertThatPartnerActuallyInDatabase(givenPartner);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
                 context("superuser-alex@hostsharing.net",
-                        "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant");
+                        "hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:TENANT");
                 givenPartner.getDetails().setBirthName("new birthname");
                 return partnerRepo.save(givenPartner);
             });
 
             // then
             result.assertExceptionWithRootCauseMessage(JpaSystemException.class,
-                    "[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}");
+                    "[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler:TENANT}");
         }
 
         private void assertThatPartnerActuallyInDatabase(final HsOfficePartnerEntity saved) {
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java
index de198b47..ca4d82d4 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java
@@ -102,23 +102,23 @@ class HsOfficePersonRepositoryIntegrationTest extends ContextBasedTestWithCleanu
             assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(
                     Array.from(
                             initialRoleNames,
-                            "hs_office_person#anothernewperson.owner",
-                            "hs_office_person#anothernewperson.admin",
-                            "hs_office_person#anothernewperson.referrer"
+                            "hs_office_person#anothernewperson:OWNER",
+                            "hs_office_person#anothernewperson:ADMIN",
+                            "hs_office_person#anothernewperson:REFERRER"
                     ));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(
-                    Array.from(
+                    Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm INSERT into hs_office_relation with hs_office_person#anothernewperson to role hs_office_person#anothernewperson.admin by system and assume }",
+                            "{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
 
-                            "{ grant role hs_office_person#anothernewperson.owner to user selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson.owner and assume }",
-                            "{ grant role hs_office_person#anothernewperson.owner to role global#global.admin by system and assume }",
-                            "{ grant perm UPDATE on hs_office_person#anothernewperson to role hs_office_person#anothernewperson.admin by system and assume }",
-                            "{ grant perm DELETE on hs_office_person#anothernewperson to role hs_office_person#anothernewperson.owner by system and assume }",
-                            "{ grant role hs_office_person#anothernewperson.admin to role hs_office_person#anothernewperson.owner by system and assume }",
+                            "{ grant role:hs_office_person#anothernewperson:OWNER       to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }",
+                            "{ grant role:hs_office_person#anothernewperson:OWNER       to role:global#global:ADMIN by system and assume }",
+                            "{ grant perm:hs_office_person#anothernewperson:UPDATE      to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
+                            "{ grant perm:hs_office_person#anothernewperson:DELETE      to role:hs_office_person#anothernewperson:OWNER by system and assume }",
+                            "{ grant role:hs_office_person#anothernewperson:ADMIN       to role:hs_office_person#anothernewperson:OWNER by system and assume }",
 
-                            "{ grant perm SELECT on hs_office_person#anothernewperson to role hs_office_person#anothernewperson.referrer by system and assume }",
-                            "{ grant role hs_office_person#anothernewperson.referrer to role hs_office_person#anothernewperson.admin by system and assume }"
+                            "{ grant perm:hs_office_person#anothernewperson:SELECT      to role:hs_office_person#anothernewperson:REFERRER by system and assume }",
+                            "{ grant role:hs_office_person#anothernewperson:REFERRER    to role:hs_office_person#anothernewperson:ADMIN by system and assume }"
                     ));
         }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
index 58ad8ae7..f474de0c 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
@@ -125,35 +125,35 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             // then
             assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner",
-                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin",
-                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent",
-                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant"));
+                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER",
+                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN",
+                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT",
+                    "hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
                     initialGrantNames,
                     // TODO: this grant should only be created for DEBITOR-Relationships, thus the RBAC DSL needs to support conditional grants
-                    "{ grant perm INSERT into hs_office_sepamandate with hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
+                    "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:INSERT>hs_office_sepamandate to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
 
-                    "{ grant perm DELETE on hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to user superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner and assume }",
+                    "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }",
 
-                    "{ grant perm UPDATE on hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
+                    "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN to role:hs_office_person#ErbenBesslerMelBessler:ADMIN by system and assume }",
 
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_person#BesslerBert.admin by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
 
-                    "{ grant perm SELECT on hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }",
-                    "{ grant role hs_office_person#BesslerBert.referrer to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
-                    "{ grant role hs_office_person#ErbenBesslerMelBessler.referrer to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
-                    "{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
+                    "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:SELECT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT by system and assume }",
+                    "{ grant role:hs_office_person#BesslerBert:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
+                    "{ grant role:hs_office_person#ErbenBesslerMelBessler:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
+                    "{ grant role:hs_office_contact#fourthcontact:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
 
                     // REPRESENTATIVE holder person -> (represented) anchor person
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_contact#fourthcontact.admin by system and assume }",
-                    "{ grant role hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_person#BesslerBert.admin by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_contact#fourthcontact:ADMIN by system and assume }",
+                    "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
 
                     null)
             );
@@ -219,7 +219,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                     "Bert", "fifth contact");
             assertThatRelationIsVisibleForUserWithRole(
                     givenRelation,
-                    "hs_office_person#ErbenBesslerMelBessler.admin");
+                    "hs_office_person#ErbenBesslerMelBessler:ADMIN");
             assertThatRelationActuallyInDatabase(givenRelation);
             context("superuser-alex@hostsharing.net");
             final var givenContact = contactRepo.findContactByOptionalLabelLike("sixth contact").stream().findFirst().orElseThrow();
@@ -236,14 +236,14 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             assertThat(result.returnedValue().getContact().getLabel()).isEqualTo("sixth contact");
             assertThatRelationIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "global#global.admin");
+                    "global#global:ADMIN");
             assertThatRelationIsVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_contact#sixthcontact.admin");
+                    "hs_office_contact#sixthcontact:ADMIN");
 
             assertThatRelationIsNotVisibleForUserWithRole(
                     result.returnedValue(),
-                    "hs_office_contact#fifthcontact.admin");
+                    "hs_office_contact#fifthcontact:ADMIN");
 
             relationRepo.deleteByUuid(givenRelation.getUuid());
         }
@@ -256,12 +256,12 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                     "Anita", "eighth");
             assertThatRelationIsVisibleForUserWithRole(
                     givenRelation,
-                    "hs_office_person#BesslerAnita.admin");
+                    "hs_office_person#BesslerAnita:ADMIN");
             assertThatRelationActuallyInDatabase(givenRelation);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_person#BesslerAnita.admin");
+                context("superuser-alex@hostsharing.net", "hs_office_person#BesslerAnita:ADMIN");
                 givenRelation.setContact(null);
                 return relationRepo.save(givenRelation);
             });
@@ -279,12 +279,12 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                     "Anita", "ninth");
             assertThatRelationIsVisibleForUserWithRole(
                     givenRelation,
-                    "hs_office_contact#ninthcontact.admin");
+                    "hs_office_contact#ninthcontact:ADMIN");
             assertThatRelationActuallyInDatabase(givenRelation);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_contact#ninthcontact.admin");
+                context("superuser-alex@hostsharing.net", "hs_office_contact#ninthcontact:ADMIN");
                 givenRelation.setContact(null); // TODO
                 return relationRepo.save(givenRelation);
             });
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java
index 9ffa28f2..a0555579 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java
@@ -117,35 +117,35 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
             final var all = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).admin",
-                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).agent",
-                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner",
-                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer"));
+                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):ADMIN",
+                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):AGENT",
+                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER",
+                    "hs_office_sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(fromFormatted(
                             initialGrantNames,
 
                             // owner
-                            "{ grant perm DELETE on sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01) to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner to role global#global.admin by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner to user superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner and assume }",
+                            "{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:global#global:ADMIN by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }",
 
                             // admin
-                            "{ grant perm UPDATE on sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01) to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).admin by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).admin to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).owner by system and assume }",
+                            "{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):UPDATE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):ADMIN by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):ADMIN to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
 
                             // agent
-                            "{ grant role bankaccount#DE02600501010002034304.referrer to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).agent by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).agent to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).admin by system and assume }",
-                            "{ grant role relation#FirstGmbH-with-DEBITOR-FirstGmbH.agent to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).agent by system and assume }",
+                            "{ grant role:bankaccount#DE02600501010002034304:REFERRER to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):AGENT by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):AGENT to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):ADMIN by system and assume }",
+                            "{ grant role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):AGENT by system and assume }",
 
                             // referrer
-                            "{ grant perm SELECT on sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01) to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).agent by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer to role bankaccount#DE02600501010002034304.admin by system and assume }",
-                            "{ grant role relation#FirstGmbH-with-DEBITOR-FirstGmbH.tenant to role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer by system and assume }",
-                            "{ grant role sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01).referrer to role relation#FirstGmbH-with-DEBITOR-FirstGmbH.agent by system and assume }",
+                            "{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):SELECT to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):AGENT by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER to role:bankaccount#DE02600501010002034304:ADMIN by system and assume }",
+                            "{ grant role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:TENANT to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER by system and assume }",
+                            "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):REFERRER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }",
 
                             null));
         }
@@ -233,7 +233,7 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
             final var givenSepaMandate = givenSomeTemporarySepaMandate("DE02600501010002034304");
             assertThatSepaMandateIsVisibleForUserWithRole(
                     givenSepaMandate,
-                    "hs_office_bankaccount#DE02600501010002034304.admin");
+                    "hs_office_bankaccount#DE02600501010002034304:ADMIN");
 
             // when
             final var result = jpaAttempt.transacted(() -> {
@@ -262,13 +262,13 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
             final var givenSepaMandate = givenSomeTemporarySepaMandate("DE02300606010002474689");
             assertThatSepaMandateIsVisibleForUserWithRole(
                     givenSepaMandate,
-                    "hs_office_bankaccount#DE02300606010002474689.admin");
+                    "hs_office_bankaccount#DE02300606010002474689:ADMIN");
             assertThatSepaMandateActuallyInDatabase(givenSepaMandate);
             final var newValidityEnd = LocalDate.now();
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office_bankaccount#DE02300606010002474689.admin");
+                context("superuser-alex@hostsharing.net", "hs_office_bankaccount#DE02300606010002474689:ADMIN");
 
                 givenSepaMandate.setValidity(Range.closedOpen(
                         givenSepaMandate.getValidity().lower(), newValidityEnd));
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java b/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
index 722fd87e..1866f483 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
@@ -6,7 +6,7 @@ import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantEntity;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService;
 import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.test.JpaAttempt;
 import org.jetbrains.annotations.NotNull;
@@ -255,7 +255,7 @@ public abstract class ContextBasedTestWithCleanup extends ContextBasedTest {
         return jpaAttempt.transacted(() -> {
             context.define("superuser-alex@hostsharing.net", null);
             return rbacRoleRepo.findAll().stream()
-                    .map(RbacRoleEntity::getRoleName)
+                    .map(RbacRoleRvEntity::getRoleName)
                     .collect(toSet());
         }).assertSuccessful().returnedValue();
     }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
index f56baf34..8bcfd28e 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
@@ -5,7 +5,7 @@ import io.restassured.http.ContentType;
 import io.restassured.response.ValidatableResponse;
 import net.hostsharing.hsadminng.HsadminNgApplication;
 import net.hostsharing.hsadminng.context.ContextBasedTest;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserEntity;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserRepository;
@@ -74,37 +74,37 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
                     .body("", hasItem(
                             allOf(
                                 // TODO: should there be a grantedByRole or just a grantedByTrigger?
-                                hasEntry("grantedByRoleIdName", "test_customer#xxx.owner"),
-                                hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
+                                hasEntry("grantedByRoleIdName", "test_customer#xxx:OWNER"),
+                                hasEntry("grantedRoleIdName", "test_customer#xxx:ADMIN"),
                                 hasEntry("granteeUserName", "customer-admin@xxx.example.com")
                             )
                     ))
                     .body("", hasItem(
                             allOf(
                                     // TODO: should there be a grantedByRole or just a grantedByTrigger?
-                                    hasEntry("grantedByRoleIdName", "test_customer#yyy.owner"),
-                                    hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
+                                    hasEntry("grantedByRoleIdName", "test_customer#yyy:OWNER"),
+                                    hasEntry("grantedRoleIdName", "test_customer#yyy:ADMIN"),
                                     hasEntry("granteeUserName", "customer-admin@yyy.example.com")
                             )
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("grantedByRoleIdName", "global#global.admin"),
-                                    hasEntry("grantedRoleIdName", "global#global.admin"),
+                                    hasEntry("grantedByRoleIdName", "global#global:ADMIN"),
+                                    hasEntry("grantedRoleIdName", "global#global:ADMIN"),
                                     hasEntry("granteeUserName", "superuser-fran@hostsharing.net")
                             )
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("grantedByRoleIdName", "test_customer#xxx.admin"),
-                                    hasEntry("grantedRoleIdName", "test_package#xxx00.admin"),
+                                    hasEntry("grantedByRoleIdName", "test_customer#xxx:ADMIN"),
+                                    hasEntry("grantedRoleIdName", "test_package#xxx00:ADMIN"),
                                     hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com")
                             )
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("grantedByRoleIdName", "test_customer#zzz.admin"),
-                                    hasEntry("grantedRoleIdName", "test_package#zzz02.admin"),
+                                    hasEntry("grantedByRoleIdName", "test_customer#zzz:ADMIN"),
+                                    hasEntry("grantedRoleIdName", "test_package#zzz02:ADMIN"),
                                     hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com")
                             )
                     ))
@@ -118,7 +118,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_package#yyy00.admin")
+                    .header("assumed-roles", "test_package#yyy00:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/rbac/grants")
@@ -127,8 +127,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
                     .contentType("application/json")
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
-                                    hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
+                                    hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
+                                    hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
                                     hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
                             )
                     ))
@@ -150,13 +150,13 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
                     .contentType("application/json")
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
-                                    hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
+                                    hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
+                                    hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
                                     hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
                             )
                     ))
-                    .body("[0].grantedByRoleIdName", is("test_customer#yyy.admin"))
-                    .body("[0].grantedRoleIdName", is("test_package#yyy00.admin"))
+                    .body("[0].grantedByRoleIdName", is("test_customer#yyy:ADMIN"))
+                    .body("[0].grantedRoleIdName", is("test_package#yyy00:ADMIN"))
                     .body("[0].granteeUserName", is("pac-admin-yyy00@yyy.example.com"));
             // @formatter:on
         }
@@ -171,7 +171,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // given
             final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
             final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
-            final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
+            final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
 
             // when
             final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@@ -180,8 +180,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // then
             grant.assertThat()
                     .statusCode(200)
-                    .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
-                    .body("grantedRoleIdName", is("test_package#xxx00.admin"))
+                    .body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
+                    .body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
                     .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
         }
 
@@ -191,7 +191,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // given
             final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
             final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
-            final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
+            final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
 
             // when
             final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@@ -200,8 +200,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // then
             grant.assertThat()
                     .statusCode(200)
-                    .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
-                    .body("grantedRoleIdName", is("test_package#xxx00.admin"))
+                    .body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
+                    .body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
                     .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
         }
 
@@ -211,9 +211,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // given
             final var givenCurrentUserAsPackageAdmin = new Subject(
                     "pac-admin-xxx00@xxx.example.com",
-                    "test_package#xxx00.admin");
+                    "test_package#xxx00:ADMIN");
             final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
-            final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
+            final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
 
             // when
             final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@@ -222,8 +222,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // then
             grant.assertThat()
                     .statusCode(200)
-                    .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
-                    .body("grantedRoleIdName", is("test_package#xxx00.admin"))
+                    .body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
+                    .body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
                     .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
         }
 
@@ -234,9 +234,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // given
             final var givenCurrentUserAsPackageAdmin = new Subject(
                     "pac-admin-xxx00@xxx.example.com",
-                    "test_package#xxx00.tenant");
+                    "test_package#xxx00:TENANT");
             final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
-            final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
+            final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
             final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
                     .forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
 
@@ -255,10 +255,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
 
             // given
             final var givenNewUser = createRBacUser();
-            final var givenRoleToGrant = "test_package#xxx00.admin";
+            final var givenRoleToGrant = "test_package#xxx00:ADMIN";
             final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
             final var givenOwnPackageAdminRole =
-                    findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
+                    getRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
 
             // when
             final var response = givenCurrentUserAsPackageAdmin
@@ -268,15 +268,15 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             // then
             response.assertThat()
                     .statusCode(201)
-                    .body("grantedByRoleIdName", is("test_package#xxx00.admin"))
+                    .body("grantedByRoleIdName", is("test_package#xxx00:ADMIN"))
                     .body("assumed", is(true))
-                    .body("grantedRoleIdName", is("test_package#xxx00.admin"))
+                    .body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
                     .body("granteeUserName", is(givenNewUser.getName()));
             assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
                     .extracting(RbacGrantEntity::toDisplay)
-                    .contains("{ grant role " + givenOwnPackageAdminRole.getRoleName() +
-                            " to user " + givenNewUser.getName() +
-                            " by role " + givenRoleToGrant + " and assume }");
+                    .contains("{ grant role:" + givenOwnPackageAdminRole.getRoleName() +
+                            " to user:" + givenNewUser.getName() +
+                            " by role:" + givenRoleToGrant + " and assume }");
         }
 
         @Test
@@ -285,9 +285,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
 
             // given
             final var givenNewUser = createRBacUser();
-            final var givenRoleToGrant = "test_package#xxx00.admin";
+            final var givenRoleToGrant = "test_package#xxx00:ADMIN";
             final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
-            final var givenAlienPackageAdminRole = findRbacRoleByName("test_package#yyy00.admin");
+            final var givenAlienPackageAdminRole = getRbacRoleByName("test_package#yyy00:ADMIN");
 
             // when
             final var result = givenCurrentUserAsPackageAdmin
@@ -298,7 +298,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             result.assertThat()
                     .statusCode(403)
                     .body("message", containsString("Access to granted role"))
-                    .body("message", containsString("forbidden for test_package#xxx00.admin"));
+                    .body("message", containsString("forbidden for test_package#xxx00:ADMIN"));
             assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
                     .extracting(RbacGrantEntity::getGranteeUserName)
                     .doesNotContain(givenNewUser.getName());
@@ -315,9 +315,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
 
             // given
             final var givenArbitraryUser = createRBacUser();
-            final var givenRoleToGrant = "test_package#xxx00.admin";
+            final var givenRoleToGrant = "test_package#xxx00:ADMIN";
             final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
-            final var givenOwnPackageAdminRole = findRbacRoleByName("test_package#xxx00.admin");
+            final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
 
             // and given an existing grant
             assumeCreated(givenCurrentUserAsPackageAdmin
@@ -325,7 +325,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
                     .toUser(givenArbitraryUser));
             assumeGrantExists(
                     givenCurrentUserAsPackageAdmin,
-                    "{ grant role %s to user %s by role %s and assume }".formatted(
+                    "{ grant role:%s to user:%s by role:%s and assume }".formatted(
                             givenOwnPackageAdminRole.getRoleName(),
                             givenArbitraryUser.getName(),
                             givenCurrentUserAsPackageAdmin.assumedRole));
@@ -361,11 +361,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             this(currentUser, "");
         }
 
-        GrantFixture grantsRole(final RbacRoleEntity givenOwnPackageAdminRole) {
+        GrantFixture grantsRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
             return new GrantFixture(givenOwnPackageAdminRole);
         }
 
-        RevokeFixture revokesRole(final RbacRoleEntity givenOwnPackageAdminRole) {
+        RevokeFixture revokesRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
             return new RevokeFixture(givenOwnPackageAdminRole);
         }
 
@@ -376,11 +376,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         class GrantFixture {
 
             private Subject grantingSubject = Subject.this;
-            private final RbacRoleEntity grantedRole;
+            private final RbacRoleRvEntity grantedRole;
             private boolean assumed;
             private RbacUserEntity granteeUser;
 
-            public GrantFixture(final RbacRoleEntity roleToGrant) {
+            public GrantFixture(final RbacRoleRvEntity roleToGrant) {
                 this.grantedRole = roleToGrant;
             }
 
@@ -417,11 +417,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         class RevokeFixture {
 
             private Subject currentSubject = Subject.this;
-            private final RbacRoleEntity grantedRole;
+            private final RbacRoleRvEntity grantedRole;
             private boolean assumed;
             private RbacUserEntity granteeUser;
 
-            public RevokeFixture(final RbacRoleEntity roleToGrant) {
+            public RevokeFixture(final RbacRoleRvEntity roleToGrant) {
                 this.grantedRole = roleToGrant;
             }
 
@@ -455,9 +455,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         private class GetGrantByIdFixture {
 
             private Subject currentSubject = Subject.this;
-            private RbacRoleEntity grantedRole;
+            private RbacRoleRvEntity grantedRole;
 
-            GetGrantByIdFixture forGrantedRole(final RbacRoleEntity grantedRole) {
+            GetGrantByIdFixture forGrantedRole(final RbacRoleRvEntity grantedRole) {
                 this.grantedRole = grantedRole;
                 return this;
             }
@@ -504,13 +504,13 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         return jpaAttempt.transacted(() -> {
             context("superuser-alex@hostsharing.net", null);
             return rbacUserRepository.findByName(userName);
-        }).returnedValue();
+        }).assertNotNull().returnedValue();
     }
 
-    RbacRoleEntity findRbacRoleByName(final String roleName) {
+    RbacRoleRvEntity getRbacRoleByName(final String roleName) {
         return jpaAttempt.transacted(() -> {
             context("superuser-alex@hostsharing.net", null);
             return rbacRoleRepository.findByRoleName(roleName);
-        }).returnedValue();
+        }).assertNotNull().returnedValue();
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntityUnitTest.java
index eea18932..c0bd82cc 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntityUnitTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntityUnitTest.java
@@ -34,13 +34,13 @@ class RbacGrantEntityUnitTest {
                 "GrantEE",  UUID.randomUUID(),
                 true,
                 "ObjectTable", "ObjectId", UUID.randomUUID(),
-                RbacRoleType.admin); // @formatter:on
+                RbacRoleType.ADMIN); // @formatter:on
 
         // when
         final var display = entity.toDisplay();
 
         // then
-        assertThat(display).isEqualTo("{ grant role GrantED to user GrantEE by role GrantER and assume }");
+        assertThat(display).isEqualTo("{ grant role:GrantED to user:GrantEE by role:GrantER and assume }");
     }
 
     @Test
@@ -52,12 +52,12 @@ class RbacGrantEntityUnitTest {
                 "GrantEE",  UUID.randomUUID(),
                 false,
                 "ObjectTable", "ObjectId", UUID.randomUUID(),
-                RbacRoleType.owner); // @formatter:on
+                RbacRoleType.OWNER); // @formatter:on
 
         // when
         final var display = entity.toDisplay();
 
         // then
-        assertThat(display).isEqualTo("{ grant role GrantED to user GrantEE by role GrantER }");
+        assertThat(display).isEqualTo("{ grant role:GrantED to user:GrantEE by role:GrantER }");
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java
index 8ce615b7..0ee1f297 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java
@@ -69,7 +69,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             // then
             exactlyTheseRbacGrantsAreReturned(
                     result,
-                    "{ grant role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin and assume }");
+                    "{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
         }
 
         @Test
@@ -84,17 +84,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             // then
             exactlyTheseRbacGrantsAreReturned(
                     result,
-                    "{ grant role test_customer#xxx.admin to user customer-admin@xxx.example.com by role test_customer#xxx.owner and assume }",
-                    "{ grant role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin and assume }",
-                    "{ grant role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin and assume }",
-                    "{ grant role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin and assume }");
+                    "{ grant role:test_customer#xxx:ADMIN to user:customer-admin@xxx.example.com by role:test_customer#xxx:OWNER and assume }",
+                    "{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
+                    "{ grant role:test_package#xxx01:ADMIN to user:pac-admin-xxx01@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
+                    "{ grant role:test_package#xxx02:ADMIN to user:pac-admin-xxx02@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
         }
 
         @Test
         @Accepts({ "GRT:L(List)" })
         public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
             // given:
-            context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
+            context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
 
             // when
             final var result = rbacGrantRepository.findAll();
@@ -102,7 +102,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             // then
             exactlyTheseRbacGrantsAreReturned(
                     result,
-                    "{ grant role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin and assume }");
+                    "{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
         }
     }
 
@@ -112,9 +112,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
             // given
-            context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
+            context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
             final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
-            final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00.admin").getUuid();
+            final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
 
             // when
             final var grant = RbacGrantEntity.builder()
@@ -130,7 +130,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             assertThat(rbacGrantRepository.findAll())
                     .extracting(RbacGrantEntity::toDisplay)
                     .contains(
-                            "{ grant role test_package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role test_customer#xxx.admin and assume }");
+                            "{ grant role:test_package#xxx00:ADMIN to user:pac-admin-zzz00@zzz.example.com by role:test_customer#xxx:ADMIN and assume }");
         }
 
         @Test
@@ -143,14 +143,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
                 context("customer-admin@xxx.example.com", null);
                 return new Given(
                         createNewUser(),
-                        rbacRoleRepository.findByRoleName("test_package#xxx00.owner").getUuid()
+                        rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER").getUuid()
                 );
             }).assumeSuccessful().returnedValue();
 
             // when
             final var attempt = jpaAttempt.transacted(() -> {
                 // now we try to use these uuids as a less privileged user
-                context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
+                context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
                 final var grant = RbacGrantEntity.builder()
                         .granteeUserUuid(given.arbitraryUser.getUuid())
                         .grantedRoleUuid(given.packageOwnerRoleUuid)
@@ -162,8 +162,8 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             // then
             attempt.assertExceptionWithRootCauseMessage(
                     JpaSystemException.class,
-                    "ERROR: [403] Access to granted role test_package#xxx00.owner",
-                    "forbidden for test_package#xxx00.admin");
+                    "ERROR: [403] Access to granted role test_package#xxx00:OWNER",
+                    "forbidden for test_package#xxx00:ADMIN");
             jpaAttempt.transacted(() -> {
                 // finally, we use the new user to make sure, no roles were granted
                 context(given.arbitraryUser.getName(), null);
@@ -180,16 +180,16 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
         public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
             // given
             final var grant = create(grant()
-                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx.admin")
-                    .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
+                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx:ADMIN")
+                    .grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
 
             // when
-            context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
+            context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
             final var revokeAttempt = attempt(em, () ->
                     rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
 
             // then
-            context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
+            context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
             assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
             assertThat(rbacGrantRepository.findAll())
                     .extracting(RbacGrantEntity::getGranteeUserName)
@@ -201,17 +201,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             // given
             final var newUser = createNewUserTransacted();
             final var grant = create(grant()
-                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.admin")
-                    .grantingRole("test_package#xxx00.admin").toUser(newUser.getName()));
+                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:ADMIN")
+                    .grantingRole("test_package#xxx00:ADMIN").toUser(newUser.getName()));
 
             // when
-            context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
+            context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
             final var revokeAttempt = attempt(em, () ->
                     rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
 
             // then
             assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
-            context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
+            context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
             assertThat(rbacGrantRepository.findAll())
                     .extracting(RbacGrantEntity::getGranteeUserName)
                     .doesNotContain("pac-admin-zzz00@zzz.example.com");
@@ -221,19 +221,19 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
         public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
             // given
             final var grant = create(grant()
-                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.owner")
-                    .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
-            final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00.owner");
+                    .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:OWNER")
+                    .grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
+            final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER");
 
             // when
-            context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
+            context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
             final var revokeAttempt = attempt(em, () ->
                     rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
 
             // then
             revokeAttempt.assertExceptionWithRootCauseMessage(
                     JpaSystemException.class,
-                    "ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00.admin}.".formatted(
+                    "ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00:ADMIN}.".formatted(
                             grantedByRole.getUuid()
                     ));
         }
@@ -254,7 +254,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
             assertThat(grantAttempt.caughtException()).isNull();
             assertThat(rawRbacGrantRepository.findAll())
                     .extracting(RawRbacGrantEntity::toDisplay)
-                    .contains("{ grant role %s to user %s by %s and assume }".formatted(
+                    .contains("{ grant role:%s to user:%s by %s and assume }".formatted(
                             with.grantedRole, with.granteeUserName, with.assumedRole
                     ));
 
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramServiceIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramServiceIntegrationTest.java
index 0e0421c8..5d228314 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramServiceIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramServiceIntegrationTest.java
@@ -54,43 +54,43 @@ class RbacGrantsDiagramServiceIntegrationTest extends ContextBasedTestWithCleanu
 
     @Test
     void allGrantsToCurrentUser() {
-        context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa.owner");
+        context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
         final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.TEST_ENTITIES));
 
         assertThat(graph).isEqualTo("""
                 flowchart TB
                        
-                role:test_domain#xxx00-aaaa.admin --> role:test_package#xxx00.tenant
-                role:test_domain#xxx00-aaaa.owner --> role:test_domain#xxx00-aaaa.admin
-                role:test_domain#xxx00-aaaa.owner --> role:test_package#xxx00.tenant
-                role:test_package#xxx00.tenant --> role:test_customer#xxx.tenant
+                role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
+                role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
+                role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
+                role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
                 """.trim());
     }
 
     @Test
     void allGrantsToCurrentUserIncludingPermissions() {
-        context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa.owner");
+        context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
         final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.TEST_ENTITIES, Include.PERMISSIONS));
 
         assertThat(graph).isEqualTo("""
                 flowchart TB
                       
-                role:test_customer#xxx.tenant --> perm:SELECT:on:test_customer#xxx
-                role:test_domain#xxx00-aaaa.admin --> perm:SELECT:on:test_domain#xxx00-aaaa
-                role:test_domain#xxx00-aaaa.admin --> role:test_package#xxx00.tenant
-                role:test_domain#xxx00-aaaa.owner --> perm:DELETE:on:test_domain#xxx00-aaaa
-                role:test_domain#xxx00-aaaa.owner --> perm:UPDATE:on:test_domain#xxx00-aaaa
-                role:test_domain#xxx00-aaaa.owner --> role:test_domain#xxx00-aaaa.admin
-                role:test_domain#xxx00-aaaa.owner --> role:test_package#xxx00.tenant
-                role:test_package#xxx00.tenant --> perm:SELECT:on:test_package#xxx00
-                role:test_package#xxx00.tenant --> role:test_customer#xxx.tenant
+                role:test_customer#xxx:TENANT --> perm:test_customer#xxx:SELECT
+                role:test_domain#xxx00-aaaa:ADMIN --> perm:test_domain#xxx00-aaaa:SELECT
+                role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
+                role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:DELETE
+                role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:UPDATE
+                role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
+                role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
+                role:test_package#xxx00:TENANT --> perm:test_package#xxx00:SELECT
+                role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
                 """.trim());
     }
 
     @Test
     @Disabled // enable to generate from a real database
     void print() throws IOException {
-        //context("superuser-alex@hostsharing.net", "hs_office_person#FirbySusan.admin");
+        //context("superuser-alex@hostsharing.net", "hs_office_person#FirbySusan:ADMIN");
         context("superuser-alex@hostsharing.net");
 
         //final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.NON_TEST_ENTITIES, Include.PERMISSIONS));
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacRoleEntity.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacRoleEntity.java
index 2f4d15f5..e80f8ce6 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacRoleEntity.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacRoleEntity.java
@@ -35,7 +35,7 @@ public class RawRbacRoleEntity {
     @Enumerated(EnumType.STRING)
     private RbacRoleType roleType;
 
-    @Formula("objectTable||'#'||objectIdName||'.'||roleType")
+    @Formula("objectTable||'#'||objectIdName||':'||roleType")
     private String roleName;
 
     @NotNull
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java
index 5de93348..d318cc04 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java
@@ -45,14 +45,14 @@ class RbacRoleControllerAcceptanceTest {
             .then().assertThat()
                 .statusCode(200)
                 .contentType("application/json")
-                .body("", hasItem(hasEntry("roleName", "test_customer#xxx.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
-                .body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#xxx:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
                 // ...
-                .body("", hasItem(hasEntry("roleName", "global#global.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.owner")))
+                .body("", hasItem(hasEntry("roleName", "global#global:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
                 .body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
         // @formatter:on
     }
@@ -65,7 +65,7 @@ class RbacRoleControllerAcceptanceTest {
         RestAssured
             .given()
                 .header("current-user", "superuser-alex@hostsharing.net")
-                .header("assumed-roles", "test_package#yyy00.admin")
+                .header("assumed-roles", "test_package#yyy00:ADMIN")
                 .port(port)
             .when()
                 .get("http://localhost/api/rbac/roles")
@@ -75,18 +75,18 @@ class RbacRoleControllerAcceptanceTest {
                 .statusCode(200)
                 .contentType("application/json")
 
-                .body("", hasItem(hasEntry("roleName", "test_customer#yyy.tenant")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.owner")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab.owner")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_package#yyy00.tenant")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#yyy:TENANT")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:OWNER")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_package#yyy00:TENANT")))
 
-                .body("", not(hasItem(hasEntry("roleName", "test_customer#xxx.tenant"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_domain#xxx00-aaaa.admin"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_package#xxx00.admin"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_package#xxx00.tenant"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_customer#xxx:TENANT"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_domain#xxx00-aaaa:ADMIN"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:ADMIN"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:TENANT"))))
         ;
         // @formatter:on
     }
@@ -106,15 +106,15 @@ class RbacRoleControllerAcceptanceTest {
                 .statusCode(200)
                 .contentType("application/json")
 
-                .body("", hasItem(hasEntry("roleName", "test_customer#zzz.tenant")))
-                .body("", hasItem(hasEntry("roleName", "test_domain#zzz00-aaaa.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_package#zzz00.admin")))
-                .body("", hasItem(hasEntry("roleName", "test_package#zzz00.tenant")))
+                .body("", hasItem(hasEntry("roleName", "test_customer#zzz:TENANT")))
+                .body("", hasItem(hasEntry("roleName", "test_domain#zzz00-aaaa:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_package#zzz00:ADMIN")))
+                .body("", hasItem(hasEntry("roleName", "test_package#zzz00:TENANT")))
 
-                .body("", not(hasItem(hasEntry("roleName", "test_customer#yyy.tenant"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.admin"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_package#yyy00.admin"))))
-                .body("", not(hasItem(hasEntry("roleName", "test_package#yyy00.tenant"))));
+                .body("", not(hasItem(hasEntry("roleName", "test_customer#yyy:TENANT"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN"))))
+                .body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:TENANT"))));
         // @formatter:on
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
index c10a9cbc..44b3885e 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
@@ -73,9 +73,9 @@ class RbacRoleControllerRestTest {
                 // then
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$", hasSize(3)))
-                .andExpect(jsonPath("$[0].roleName", is("global#global.admin")))
-                .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
-                .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
+                .andExpect(jsonPath("$[0].roleName", is("global#global:ADMIN")))
+                .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
+                .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
                 .andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
                 .andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
                 .andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
index 197e0bc0..d94382d7 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
@@ -39,19 +39,19 @@ class RbacRoleRepositoryIntegrationTest {
 
         private static final String[] ALL_TEST_DATA_ROLES = Array.of(
                 // @formatter:off
-            "global#global.admin",
-                "test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
-                    "test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
-                    "test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
-                    "test_package#xxx02.admin", "test_package#xxx02.owner", "test_package#xxx02.tenant",
-                "test_customer#yyy.admin", "test_customer#yyy.owner", "test_customer#yyy.tenant",
-                    "test_package#yyy00.admin", "test_package#yyy00.owner", "test_package#yyy00.tenant",
-                    "test_package#yyy01.admin", "test_package#yyy01.owner", "test_package#yyy01.tenant",
-                    "test_package#yyy02.admin", "test_package#yyy02.owner", "test_package#yyy02.tenant",
-                "test_customer#zzz.admin", "test_customer#zzz.owner", "test_customer#zzz.tenant",
-                    "test_package#zzz00.admin", "test_package#zzz00.owner", "test_package#zzz00.tenant",
-                    "test_package#zzz01.admin", "test_package#zzz01.owner", "test_package#zzz01.tenant",
-                    "test_package#zzz02.admin", "test_package#zzz02.owner", "test_package#zzz02.tenant"
+            "global#global:ADMIN",
+                "test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
+                    "test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
+                    "test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
+                    "test_package#xxx02:ADMIN", "test_package#xxx02:OWNER", "test_package#xxx02:TENANT",
+                "test_customer#yyy:ADMIN", "test_customer#yyy:OWNER", "test_customer#yyy:TENANT",
+                    "test_package#yyy00:ADMIN", "test_package#yyy00:OWNER", "test_package#yyy00:TENANT",
+                    "test_package#yyy01:ADMIN", "test_package#yyy01:OWNER", "test_package#yyy01:TENANT",
+                    "test_package#yyy02:ADMIN", "test_package#yyy02:OWNER", "test_package#yyy02:TENANT",
+                "test_customer#zzz:ADMIN", "test_customer#zzz:OWNER", "test_customer#zzz:TENANT",
+                    "test_package#zzz00:ADMIN", "test_package#zzz00:OWNER", "test_package#zzz00:TENANT",
+                    "test_package#zzz01:ADMIN", "test_package#zzz01:OWNER", "test_package#zzz01:TENANT",
+                    "test_package#zzz02:ADMIN", "test_package#zzz02:OWNER", "test_package#zzz02:TENANT"
             // @formatter:on
         );
 
@@ -70,7 +70,7 @@ class RbacRoleRepositoryIntegrationTest {
         @Test
         public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
             given:
-            context.define("superuser-alex@hostsharing.net", "global#global.admin");
+            context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
 
             // when
             final var result = rbacRoleRepository.findAll();
@@ -91,49 +91,49 @@ class RbacRoleRepositoryIntegrationTest {
             allTheseRbacRolesAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#xxx.admin",
-                "test_customer#xxx.tenant",
-                "test_package#xxx00.admin",
-                "test_package#xxx00.owner",
-                "test_package#xxx00.tenant",
-                "test_package#xxx01.admin",
-                "test_package#xxx01.owner",
-                "test_package#xxx01.tenant",
+                "test_customer#xxx:ADMIN",
+                "test_customer#xxx:TENANT",
+                "test_package#xxx00:ADMIN",
+                "test_package#xxx00:OWNER",
+                "test_package#xxx00:TENANT",
+                "test_package#xxx01:ADMIN",
+                "test_package#xxx01:OWNER",
+                "test_package#xxx01:TENANT",
                 // ...
-                "test_domain#xxx00-aaaa.admin",
-                "test_domain#xxx00-aaaa.owner",
+                "test_domain#xxx00-aaaa:ADMIN",
+                "test_domain#xxx00-aaaa:OWNER",
                 // ..
-                "test_domain#xxx01-aaab.admin",
-                "test_domain#xxx01-aaab.owner"
+                "test_domain#xxx01-aaab:ADMIN",
+                "test_domain#xxx01-aaab:OWNER"
                 // @formatter:on
             );
             noneOfTheseRbacRolesIsReturned(
                     result,
                     // @formatter:off
-                "global#global.admin",
-                "test_customer#xxx.owner",
-                "test_package#yyy00.admin",
-                "test_package#yyy00.owner",
-                "test_package#yyy00.tenant"
+                "global#global:ADMIN",
+                "test_customer#xxx:OWNER",
+                "test_package#yyy00:ADMIN",
+                "test_package#yyy00:OWNER",
+                "test_package#yyy00:TENANT"
                 // @formatter:on
             );
         }
 
         @Test
         public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
-            context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
+            context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
 
             final var result = rbacRoleRepository.findAll();
 
             exactlyTheseRbacRolesAreReturned(
                     result,
-                    "test_customer#xxx.tenant",
-                    "test_package#xxx00.admin",
-                    "test_package#xxx00.tenant",
-                    "test_domain#xxx00-aaaa.admin",
-                    "test_domain#xxx00-aaaa.owner",
-                    "test_domain#xxx00-aaab.admin",
-                    "test_domain#xxx00-aaab.owner");
+                    "test_customer#xxx:TENANT",
+                    "test_package#xxx00:ADMIN",
+                    "test_package#xxx00:TENANT",
+                    "test_domain#xxx00-aaaa:ADMIN",
+                    "test_domain#xxx00-aaaa:OWNER",
+                    "test_domain#xxx00-aaab:ADMIN",
+                    "test_domain#xxx00-aaab:OWNER");
         }
 
         @Test
@@ -157,39 +157,39 @@ class RbacRoleRepositoryIntegrationTest {
         void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
             context.define("customer-admin@xxx.example.com");
 
-            final var result = rbacRoleRepository.findByRoleName("test_customer#xxx.admin");
+            final var result = rbacRoleRepository.findByRoleName("test_customer#xxx:ADMIN");
 
             assertThat(result).isNotNull();
             assertThat(result.getObjectTable()).isEqualTo("test_customer");
             assertThat(result.getObjectIdName()).isEqualTo("xxx");
-            assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
+            assertThat(result.getRoleType()).isEqualTo(RbacRoleType.ADMIN);
         }
 
         @Test
         void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
             context.define("customer-admin@xxx.example.com");
 
-            final var result = rbacRoleRepository.findByRoleName("test_customer#bbb.admin");
+            final var result = rbacRoleRepository.findByRoleName("test_customer#bbb:ADMIN");
 
             assertThat(result).isNull();
         }
     }
 
-    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
+    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                 .containsExactlyInAnyOrder(expectedRoleNames);
     }
 
-    void allTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
+    void allTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                 .contains(expectedRoleNames);
     }
 
-    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleEntity> actualResult, final String... unexpectedRoleNames) {
+    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleRvEntity> actualResult, final String... unexpectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                 .doesNotContain(unexpectedRoleNames);
     }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
index 652679f3..9eb0f3c7 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
@@ -4,11 +4,11 @@ import static java.util.UUID.randomUUID;
 
 public class TestRbacRole {
 
-    public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.admin);
-    static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
-    static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);
+    public static final RbacRoleRvEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
+    static final RbacRoleRvEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
+    static final RbacRoleRvEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
 
-    static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
-        return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType);
+    static public RbacRoleRvEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
+        return new RbacRoleRvEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
index 9d7e16ca..6faa28ff 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
@@ -104,7 +104,7 @@ class RbacUserControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#yyy.admin")
+                    .header("assumed-roles", "test_customer#yyy:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/rbac/users/" + givenUser.getUuid())
@@ -210,7 +210,7 @@ class RbacUserControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#yyy.admin")
+                    .header("assumed-roles", "test_customer#yyy:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/rbac/users")
@@ -287,12 +287,12 @@ class RbacUserControllerAcceptanceTest {
                     .contentType("application/json")
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_customer#yyy.tenant"),
+                                    hasEntry("roleName", "test_customer#yyy:TENANT"),
                                     hasEntry("op", "SELECT"))
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
+                                    hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
                                     hasEntry("op", "DELETE"))
                     ))
                     // actual content tested in integration test, so this is enough for here:
@@ -309,7 +309,7 @@ class RbacUserControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#yyy.admin")
+                    .header("assumed-roles", "test_customer#yyy:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/rbac/users/" + givenUser.getUuid() + "/permissions")
@@ -318,12 +318,12 @@ class RbacUserControllerAcceptanceTest {
                     .contentType("application/json")
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_customer#yyy.tenant"),
+                                    hasEntry("roleName", "test_customer#yyy:TENANT"),
                                     hasEntry("op", "SELECT"))
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
+                                    hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
                                     hasEntry("op", "DELETE"))
                     ))
                     // actual content tested in integration test, so this is enough for here:
@@ -348,12 +348,12 @@ class RbacUserControllerAcceptanceTest {
                     .contentType("application/json")
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_customer#yyy.tenant"),
+                                    hasEntry("roleName", "test_customer#yyy:TENANT"),
                                     hasEntry("op", "SELECT"))
                     ))
                     .body("", hasItem(
                             allOf(
-                                    hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
+                                    hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
                                     hasEntry("op", "DELETE"))
                     ))
                     // actual content tested in integration test, so this is enough for here:
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
index c63047ed..43c8bff1 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
@@ -116,7 +116,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacUsers() {
             given:
-            context("superuser-alex@hostsharing.net", "global#global.admin");
+            context("superuser-alex@hostsharing.net", "global#global:ADMIN");
 
             // when
             final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -128,7 +128,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void globalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
             given:
-            context("superuser-alex@hostsharing.net", "test_customer#xxx.admin");
+            context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
 
             // when
             final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -159,7 +159,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 
         @Test
         public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
-            context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
+            context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
 
             final var result = rbacUserRepository.findByOptionalNameLike(null);
 
@@ -182,47 +182,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 
         private static final String[] ALL_USER_PERMISSIONS = Array.of(
                 // @formatter:off
-                "test_customer#xxx.admin -> test_customer#xxx: SELECT",
-                "test_customer#xxx.owner -> test_customer#xxx: DELETE",
-                "test_customer#xxx.tenant -> test_customer#xxx: SELECT",
-                "test_customer#xxx.admin -> test_customer#xxx: INSERT:test_package",
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.tenant -> test_package#xxx00: SELECT",
-                "test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
-                "test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
-                "test_package#xxx01.tenant -> test_package#xxx01: SELECT",
-                "test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
-                "test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
-                "test_package#xxx02.tenant -> test_package#xxx02: SELECT",
+                "test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
+                "test_customer#xxx:OWNER -> test_customer#xxx: DELETE",
+                "test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
+                "test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
+                "test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
+                "test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
+                "test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
+                "test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
+                "test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
+                "test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
 
-                "test_customer#yyy.admin -> test_customer#yyy: SELECT",
-                "test_customer#yyy.owner -> test_customer#yyy: DELETE",
-                "test_customer#yyy.tenant -> test_customer#yyy: SELECT",
-                "test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.tenant -> test_package#yyy00: SELECT",
-                "test_package#yyy01.admin -> test_package#yyy01: INSERT:test_domain",
-                "test_package#yyy01.admin -> test_package#yyy01: INSERT:test_domain",
-                "test_package#yyy01.tenant -> test_package#yyy01: SELECT",
-                "test_package#yyy02.admin -> test_package#yyy02: INSERT:test_domain",
-                "test_package#yyy02.admin -> test_package#yyy02: INSERT:test_domain",
-                "test_package#yyy02.tenant -> test_package#yyy02: SELECT",
+                "test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
+                "test_customer#yyy:OWNER -> test_customer#yyy: DELETE",
+                "test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
+                "test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
+                "test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
+                "test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
+                "test_package#yyy01:TENANT -> test_package#yyy01: SELECT",
+                "test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
+                "test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
+                "test_package#yyy02:TENANT -> test_package#yyy02: SELECT",
 
-                "test_customer#zzz.admin -> test_customer#zzz: SELECT",
-                "test_customer#zzz.owner -> test_customer#zzz: DELETE",
-                "test_customer#zzz.tenant -> test_customer#zzz: SELECT",
-                "test_customer#zzz.admin -> test_customer#zzz: INSERT:test_package",
-                "test_package#zzz00.admin -> test_package#zzz00: INSERT:test_domain",
-                "test_package#zzz00.admin -> test_package#zzz00: INSERT:test_domain",
-                "test_package#zzz00.tenant -> test_package#zzz00: SELECT",
-                "test_package#zzz01.admin -> test_package#zzz01: INSERT:test_domain",
-                "test_package#zzz01.admin -> test_package#zzz01: INSERT:test_domain",
-                "test_package#zzz01.tenant -> test_package#zzz01: SELECT",
-                "test_package#zzz02.admin -> test_package#zzz02: INSERT:test_domain",
-                "test_package#zzz02.admin -> test_package#zzz02: INSERT:test_domain",
-                "test_package#zzz02.tenant -> test_package#zzz02: SELECT"
+                "test_customer#zzz:ADMIN -> test_customer#zzz: SELECT",
+                "test_customer#zzz:OWNER -> test_customer#zzz: DELETE",
+                "test_customer#zzz:TENANT -> test_customer#zzz: SELECT",
+                "test_customer#zzz:ADMIN -> test_customer#zzz: INSERT:test_package",
+                "test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
+                "test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
+                "test_package#zzz00:TENANT -> test_package#zzz00: SELECT",
+                "test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
+                "test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
+                "test_package#zzz01:TENANT -> test_package#zzz01: SELECT",
+                "test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
+                "test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
+                "test_package#zzz02:TENANT -> test_package#zzz02: SELECT"
                 // @formatter:on
         );
 
@@ -252,32 +252,32 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
             allTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#xxx.admin -> test_customer#xxx: INSERT:test_package",
-                "test_customer#xxx.admin -> test_customer#xxx: SELECT",
-                "test_customer#xxx.tenant -> test_customer#xxx: SELECT",
+                "test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
+                "test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
+                "test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
 
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.tenant -> test_package#xxx00: SELECT",
-                "test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: DELETE",
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
+                "test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
 
-                "test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
-                "test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
-                "test_package#xxx01.tenant -> test_package#xxx01: SELECT",
-                "test_domain#xxx01-aaaa.owner -> test_domain#xxx01-aaaa: DELETE",
+                "test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
+                "test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
+                "test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
+                "test_domain#xxx01-aaaa:OWNER -> test_domain#xxx01-aaaa: DELETE",
 
-                "test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
-                "test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
-                "test_package#xxx02.tenant -> test_package#xxx02: SELECT",
-                "test_domain#xxx02-aaaa.owner -> test_domain#xxx02-aaaa: DELETE"
+                "test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
+                "test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
+                "test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
+                "test_domain#xxx02-aaaa:OWNER -> test_domain#xxx02-aaaa: DELETE"
                 // @formatter:on
             );
             noneOfTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
-                "test_customer#yyy.admin -> test_customer#yyy: SELECT",
-                "test_customer#yyy.tenant -> test_customer#yyy: SELECT"
+                "test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
+                "test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
+                "test_customer#yyy:TENANT -> test_customer#yyy: SELECT"
                 // @formatter:on
             );
         }
@@ -312,26 +312,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
             allTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#xxx.tenant -> test_customer#xxx: SELECT",
-                // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.tenant -> test_package#xxx00: SELECT",
-                "test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: DELETE",
-                "test_domain#xxx00-aaab.owner -> test_domain#xxx00-aaab: DELETE"
+                "test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
+                // "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
+                "test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
+                "test_domain#xxx00-aaab:OWNER -> test_domain#xxx00-aaab: DELETE"
                 // @formatter:on
             );
             noneOfTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
-                "test_customer#yyy.admin -> test_customer#yyy: SELECT",
-                "test_customer#yyy.tenant -> test_customer#yyy: SELECT",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.tenant -> test_package#yyy00: SELECT",
-                "test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: DELETE",
-                "test_domain#yyy00-aaab.owner -> test_domain#yyy00-aaab: DELETE"
+                "test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
+                "test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
+                "test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
+                "test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
+                "test_domain#yyy00-aaab:OWNER -> test_domain#yyy00-aaab: DELETE"
                 // @formatter:on
             );
         }
@@ -360,26 +360,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
             allTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
-                "test_customer#xxx.tenant -> test_customer#xxx: SELECT",
-                // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
-                "test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
-                "test_package#xxx00.tenant -> test_package#xxx00: SELECT"
+                "test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
+                // "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
+                "test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
+                "test_package#xxx00:TENANT -> test_package#xxx00: SELECT"
                 // @formatter:on
             );
             noneOfTheseRbacPermissionsAreReturned(
                     result,
                     // @formatter:off
                 // no customer admin permissions
-                "test_customer#xxx.admin -> test_customer#xxx: add-package",
+                "test_customer#xxx:ADMIN -> test_customer#xxx: add-package",
                 // no permissions on other customer's objects
-                "test_customer#yyy.admin -> test_customer#yyy: add-package",
-                "test_customer#yyy.admin -> test_customer#yyy: SELECT",
-                "test_customer#yyy.tenant -> test_customer#yyy: SELECT",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
-                "test_package#yyy00.tenant -> test_package#yyy00: SELECT",
-                "test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: DELETE",
-                "test_domain#yyy00-xxxb.owner -> test_domain#yyy00-xxxb: DELETE"
+                "test_customer#yyy:ADMIN -> test_customer#yyy: add-package",
+                "test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
+                "test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
+                "test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
+                "test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
+                "test_domain#yyy00-xxxb:OWNER -> test_domain#yyy00-xxxb: DELETE"
                 // @formatter:on
             );
         }
diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
index e9e1d47c..1d7bf4e5 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
@@ -89,7 +89,7 @@ class TestCustomerControllerAcceptanceTest {
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#yyy.admin")
+                    .header("assumed-roles", "test_customer#yyy:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/test/customers")
@@ -148,7 +148,7 @@ class TestCustomerControllerAcceptanceTest {
             // finally, the new customer can be viewed by its own admin
             final var newUserUuid = UUID.fromString(
                     location.substring(location.lastIndexOf('/') + 1));
-            context.define("superuser-fran@hostsharing.net", "test_customer#uuu.admin");
+            context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
             assertThat(testCustomerRepository.findByUuid(newUserUuid))
                     .hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
         }
@@ -159,7 +159,7 @@ class TestCustomerControllerAcceptanceTest {
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .contentType(ContentType.JSON)
                     .body("""
                               {
@@ -175,7 +175,7 @@ class TestCustomerControllerAcceptanceTest {
                     .statusCode(403)
                     .contentType(ContentType.JSON)
                     .statusCode(403)
-                    .body("message", containsString("insert into test_customer not allowed for current subjects {test_customer#xxx.admin}"));
+                    .body("message", containsString("insert into test_customer not allowed for current subjects {test_customer#xxx:ADMIN}"));
             // @formatter:on
 
             // finally, the new customer was not created
diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java
index d576396a..962cef38 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java
@@ -21,9 +21,9 @@ class TestCustomerEntityUnitTest {
                     subgraph customer:roles[ ]
                         style customer:roles fill:#dd4901,stroke:white
                    
-                        role:customer:owner[[customer:owner]]
-                        role:customer:admin[[customer:admin]]
-                        role:customer:tenant[[customer:tenant]]
+                        role:customer:OWNER[[customer:OWNER]]
+                        role:customer:ADMIN[[customer:ADMIN]]
+                        role:customer:TENANT[[customer:TENANT]]
                     end
                    
                     subgraph customer:permissions[ ]
@@ -37,18 +37,18 @@ class TestCustomerEntityUnitTest {
                 end
                 
                 %% granting roles to users
-                user:creator ==>|XX| role:customer:owner
+                user:creator ==>|XX| role:customer:OWNER
 
                 %% granting roles to roles
-                role:global:admin ==>|XX| role:customer:owner
-                role:customer:owner ==> role:customer:admin
-                role:customer:admin ==> role:customer:tenant
+                role:global:ADMIN ==>|XX| role:customer:OWNER
+                role:customer:OWNER ==> role:customer:ADMIN
+                role:customer:ADMIN ==> role:customer:TENANT
                 
                 %% granting permissions to roles
-                role:global:admin ==> perm:customer:INSERT
-                role:customer:owner ==> perm:customer:DELETE
-                role:customer:admin ==> perm:customer:UPDATE
-                role:customer:tenant ==> perm:customer:SELECT
+                role:global:ADMIN ==> perm:customer:INSERT
+                role:customer:OWNER ==> perm:customer:DELETE
+                role:customer:ADMIN ==> perm:customer:UPDATE
+                role:customer:TENANT ==> perm:customer:SELECT
                 """);
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerRepositoryIntegrationTest.java
index 27458b14..591ce0eb 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerRepositoryIntegrationTest.java
@@ -54,7 +54,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void globalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
             // given
-            context("superuser-alex@hostsharing.net", "test_customer#xxx.admin");
+            context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
 
             // when
             final var result = attempt(em, () -> {
@@ -66,7 +66,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
             // then
             result.assertExceptionWithRootCauseMessage(
                     PersistenceException.class,
-                    "ERROR: [403] insert into test_customer not allowed for current subjects {test_customer#xxx.admin}");
+                    "ERROR: [403] insert into test_customer not allowed for current subjects {test_customer#xxx:ADMIN}");
         }
 
         @Test
@@ -112,7 +112,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void globalAdmin_withAssumedCustomerOwnerRole_canViewExactlyThatCustomer() {
             given:
-            context("superuser-alex@hostsharing.net", "test_customer#yyy.owner");
+            context("superuser-alex@hostsharing.net", "test_customer#yyy:OWNER");
 
             // when
             final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
@@ -137,7 +137,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
         public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
             context("customer-admin@xxx.example.com");
 
-            context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
+            context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
 
             final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
 
diff --git a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageControllerAcceptanceTest.java
index fd51ebf8..0e52cc40 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageControllerAcceptanceTest.java
@@ -44,7 +44,7 @@ class TestPackageControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/test/packages")
@@ -66,7 +66,7 @@ class TestPackageControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .port(port)
                 .when()
                     .get("http://localhost/api/test/packages?name=xxx01")
@@ -95,7 +95,7 @@ class TestPackageControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .contentType(ContentType.JSON)
                     .body(format("""
                             {
@@ -126,7 +126,7 @@ class TestPackageControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .contentType(ContentType.JSON)
                     .body("""
                             {
@@ -156,7 +156,7 @@ class TestPackageControllerAcceptanceTest {
             RestAssured
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", "test_customer#xxx.admin")
+                    .header("assumed-roles", "test_customer#xxx:ADMIN")
                     .contentType(ContentType.JSON)
                     .body("{}")
                     .port(port)
@@ -176,7 +176,7 @@ class TestPackageControllerAcceptanceTest {
         return UUID.fromString(RestAssured
             .given()
                 .header("current-user", "superuser-alex@hostsharing.net")
-                .header("assumed-roles", "test_customer#xxx.admin")
+                .header("assumed-roles", "test_customer#xxx:ADMIN")
                 .port(port)
             .when()
                 .get("http://localhost/api/test/packages?name={packageName}", packageName)
@@ -188,7 +188,7 @@ class TestPackageControllerAcceptanceTest {
     }
 
     String getDescriptionOfPackage(final String packageName) {
-        context.define("superuser-alex@hostsharing.net","test_customer#xxx.admin");
+        context.define("superuser-alex@hostsharing.net","test_customer#xxx:ADMIN");
         return testPackageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageEntityUnitTest.java
index c5dccfd3..79dcfec2 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageEntityUnitTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageEntityUnitTest.java
@@ -21,9 +21,9 @@ class TestPackageEntityUnitTest {
                    subgraph package:roles[ ]
                        style package:roles fill:#dd4901,stroke:white
 
-                       role:package:owner[[package:owner]]
-                       role:package:admin[[package:admin]]
-                       role:package:tenant[[package:tenant]]
+                       role:package:OWNER[[package:OWNER]]
+                       role:package:ADMIN[[package:ADMIN]]
+                       role:package:TENANT[[package:TENANT]]
                    end
 
                    subgraph package:permissions[ ]
@@ -43,26 +43,26 @@ class TestPackageEntityUnitTest {
                    subgraph customer:roles[ ]
                        style customer:roles fill:#99bcdb,stroke:white
                
-                       role:customer:owner[[customer:owner]]
-                       role:customer:admin[[customer:admin]]
-                       role:customer:tenant[[customer:tenant]]
+                       role:customer:OWNER[[customer:OWNER]]
+                       role:customer:ADMIN[[customer:ADMIN]]
+                       role:customer:TENANT[[customer:TENANT]]
                    end
                end
 
                %% granting roles to roles
-               role:global:admin -.->|XX| role:customer:owner
-               role:customer:owner -.-> role:customer:admin
-               role:customer:admin -.-> role:customer:tenant
-               role:customer:admin ==> role:package:owner
-               role:package:owner ==> role:package:admin
-               role:package:admin ==> role:package:tenant
-               role:package:tenant ==> role:customer:tenant
+               role:global:ADMIN -.->|XX| role:customer:OWNER
+               role:customer:OWNER -.-> role:customer:ADMIN
+               role:customer:ADMIN -.-> role:customer:TENANT
+               role:customer:ADMIN ==> role:package:OWNER
+               role:package:OWNER ==> role:package:ADMIN
+               role:package:ADMIN ==> role:package:TENANT
+               role:package:TENANT ==> role:customer:TENANT
 
                %% granting permissions to roles
-               role:customer:admin ==> perm:package:INSERT
-               role:package:owner ==> perm:package:DELETE
-               role:package:owner ==> perm:package:UPDATE
-               role:package:tenant ==> perm:package:SELECT
+               role:customer:ADMIN ==> perm:package:INSERT
+               role:package:OWNER ==> perm:package:DELETE
+               role:package:OWNER ==> perm:package:UPDATE
+               role:package:TENANT ==> perm:package:SELECT
                 """);
     }
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageRepositoryIntegrationTest.java
index a201d79e..49412b3b 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageRepositoryIntegrationTest.java
@@ -53,7 +53,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
             given:
-            context.define("superuser-alex@hostsharing.net", "global#global.admin");
+            context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
 
             // when
             final var result = testPackageRepository.findAllByOptionalNameLike(null);
@@ -76,7 +76,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
 
         @Test
         public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
-            context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
+            context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
 
             final var result = testPackageRepository.findAllByOptionalNameLike(null);
 
@@ -90,17 +90,17 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
         @Test
         public void supportsOptimisticLocking() {
             // given
-            globalAdminWithAssumedRole("test_package#xxx00.admin");
+            globalAdminWithAssumedRole("test_package#xxx00:ADMIN");
             final var pac = testPackageRepository.findAllByOptionalNameLike("%").get(0);
 
             // when
             final var result1 = jpaAttempt.transacted(() -> {
-                globalAdminWithAssumedRole("test_package#xxx00.owner");
+                globalAdminWithAssumedRole("test_package#xxx00:OWNER");
                 pac.setDescription("description set by thread 1");
                 testPackageRepository.save(pac);
             });
             final var result2 = jpaAttempt.transacted(() -> {
-                globalAdminWithAssumedRole("test_package#xxx00.owner");
+                globalAdminWithAssumedRole("test_package#xxx00:OWNER");
                 pac.setDescription("description set by thread 2");
                 testPackageRepository.save(pac);
                 sleep(1500);
diff --git a/src/test/java/net/hostsharing/test/JpaAttempt.java b/src/test/java/net/hostsharing/test/JpaAttempt.java
index 3d5c50ee..86a332cd 100644
--- a/src/test/java/net/hostsharing/test/JpaAttempt.java
+++ b/src/test/java/net/hostsharing/test/JpaAttempt.java
@@ -154,6 +154,11 @@ public class JpaAttempt {
             return this;
         }
 
+        public JpaResult<T> assertNotNull() {
+            assertThat(returnedValue()).isNotNull();
+            return this;
+        }
+
         private String firstRootCauseMessageLineOf(final RuntimeException exception) {
             final var rootCause = NestedExceptionUtils.getRootCause(exception);
             return Optional.ofNullable(rootCause)