diff --git a/src/main/resources/db/changelog/010-context.sql b/src/main/resources/db/changelog/010-context.sql index 71559b7b..4820cf9c 100644 --- a/src/main/resources/db/changelog/010-context.sql +++ b/src/main/resources/db/changelog/010-context.sql @@ -55,7 +55,7 @@ end; $$; */ create or replace function currentTask() returns varchar(96) - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentTask varchar(96); @@ -83,7 +83,7 @@ end; $$; */ create or replace function currentRequest() returns varchar(512) - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentRequest varchar(512); @@ -107,7 +107,7 @@ end; $$; */ create or replace function currentUser() returns varchar(63) - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentUser varchar(63); @@ -131,7 +131,7 @@ end; $$; */ create or replace function assumedRoles() returns varchar(63)[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentSubject varchar(63); @@ -214,7 +214,7 @@ end ; $$; create or replace function currentSubjects() returns varchar(63)[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare assumedRoles varchar(63)[]; @@ -229,7 +229,7 @@ end; $$; create or replace function hasAssumedRole() returns boolean - stable leakproof + stable -- leakproof language plpgsql as $$ begin return array_length(assumedRoles(), 1) > 0; diff --git a/src/main/resources/db/changelog/050-rbac-base.sql b/src/main/resources/db/changelog/050-rbac-base.sql index 3b395d33..fea69fe9 100644 --- a/src/main/resources/db/changelog/050-rbac-base.sql +++ b/src/main/resources/db/changelog/050-rbac-base.sql 
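Review bot: The LEAKPROOF attribute is dropped from every function header in these hunks by turning it into the dangling comment `-- leakproof`, and the same edit is repeated in 050-rbac-base, 051-rbac-user-grant, 054-rbac-context, 080-rbac-global and the SQL embedded in PostgresArrayIntegrationTest, with no record of why. LEAKPROOF can only be declared by a superuser, so the likely motivation is that the changelog must now run as the non-superuser ADMIN_USER this commit introduces; the behavioural consequence is that the planner will no longer evaluate these functions below security_barrier views or row-level-security predicates, which is the conservative direction but can cost performance on the restricted views. Rather than a commented-out keyword, state the reason once per header, e.g. `stable -- not leakproof: declaring it needs superuser, which the deploy role no longer has`. If the attribute is still wanted it has to be applied afterwards by a superuser, e.g. `alter function currentTask() leakproof;`.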
@@ -208,7 +208,7 @@ create type RbacRoleDescriptor as create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType) returns RbacRoleDescriptor returns null on null input - stable leakproof + stable -- leakproof language sql as $$ select objectTable, objectUuid, roleType::RbacRoleType; $$; @@ -432,7 +432,7 @@ $$; create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp) returns uuid returns null on null input - stable leakproof + stable -- leakproof language sql as $$ select uuid from RbacPermission p @@ -515,7 +515,7 @@ end; $$; create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid) returns BOOL - stable leakproof + stable -- leakproof language sql as $$ select exists( select * @@ -537,7 +537,7 @@ $$; create or replace function hasGlobalRoleGranted(userUuid uuid) returns bool - stable leakproof + stable -- leakproof language sql as $$ select exists( select r.uuid @@ -758,13 +758,18 @@ $$; -- ============================================================================ ---changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--// +--changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--// -- ---------------------------------------------------------------------------- -create role admin; -grant all privileges on all tables in schema public to admin; - -create role restricted; -grant all privileges on all tables in schema public to restricted; +do $$ + begin + if '${ADMIN_USER}'='admin' then + create role admin; + grant all privileges on all tables in schema public to admin; + create role restricted; + grant all privileges on all tables in schema public to restricted; + end if; + end $$ --// + diff --git a/src/main/resources/db/changelog/051-rbac-user-grant.sql b/src/main/resources/db/changelog/051-rbac-user-grant.sql index 81cadc94..23dcbdd4 100644 --- a/src/main/resources/db/changelog/051-rbac-user-grant.sql 
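Review bot: The new DO block in the rbac-base-PGSQL-ROLES changeset creates and grants the roles `admin` and `restricted` by literal name but only tests `${ADMIN_USER}`, while every grant elsewhere in this commit now targets `${RESTRICTED_USER}`; a deployment with ADMIN_USER=admin and any other RESTRICTED_USER value creates a `restricted` role nobody uses and then fails on the first `grant ... to ${RESTRICTED_USER}`. Conversely, if the Liquibase property is undefined the placeholder is, as far as I know, left as literal text, the comparison is silently false and no role is created, which only surfaces later as a missing-role error. The condition should cover both properties, e.g. `if '${ADMIN_USER}' = 'admin' and '${RESTRICTED_USER}' = 'restricted' then`, or the block should create `${RESTRICTED_USER}` itself. Separately, `grant all privileges on all tables in schema public to restricted` gives the restricted role full DML on the base tables, which bypasses the `_rv` restricted views granted elsewhere; that is carried over from the old lines, but since the block is rewritten here it is worth confirming this is intended rather than limiting the role to the views.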
+++ b/src/main/resources/db/changelog/051-rbac-user-grant.sql @@ -6,7 +6,7 @@ create or replace function assumedRoleUuid() returns uuid - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentSubjectsUuids uuid[]; diff --git a/src/main/resources/db/changelog/054-rbac-context.sql b/src/main/resources/db/changelog/054-rbac-context.sql index 32a652a6..ede86057 100644 --- a/src/main/resources/db/changelog/054-rbac-context.sql +++ b/src/main/resources/db/changelog/054-rbac-context.sql @@ -7,7 +7,7 @@ create or replace function determineCurrentUserUuid(currentUser varchar) returns uuid - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentUserUuid uuid; @@ -25,7 +25,7 @@ end; $$; create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar) returns uuid[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare roleName text; @@ -116,7 +116,7 @@ end; $$; create or replace function currentUserUuid() returns uuid - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentUserUuid text; @@ -150,7 +150,7 @@ end; $$; */ create or replace function currentSubjectsUuids() returns uuid[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare currentSubjectsUuids text; diff --git a/src/main/resources/db/changelog/055-rbac-views.sql b/src/main/resources/db/changelog/055-rbac-views.sql index 68ea11b5..054b6df1 100644 --- a/src/main/resources/db/changelog/055-rbac-views.sql +++ b/src/main/resources/db/changelog/055-rbac-views.sql @@ -41,7 +41,7 @@ select * ) as unordered -- @formatter:on order by objectTable || '#' || objectIdName || '.' || roleType; -grant all privileges on rbacrole_rv to restricted; +grant all privileges on rbacrole_rv to ${RESTRICTED_USER}; --// 
@@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || join RbacObject as o on o.uuid = r.objectUuid order by grantedRoleIdName; -- @formatter:on -grant all privileges on rbacrole_rv to restricted; +grant all privileges on rbacrole_rv to ${RESTRICTED_USER}; --// @@ -240,7 +240,7 @@ create or replace view RbacUser_rv as ) as unordered -- @formatter:on order by unordered.name; -grant all privileges on RbacUser_rv to restricted; +grant all privileges on RbacUser_rv to ${RESTRICTED_USER}; --// -- ============================================================================ @@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid, join rbacgrants g on g.ascendantuuid = r.uuid join rbacpermission p on p.uuid = g.descendantuuid join rbacobject o on o.uuid = p.objectuuid; -grant all privileges on RbacOwnGrantedPermissions_rv to restricted; +grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER}; -- @formatter:om -- ============================================================================ diff --git a/src/main/resources/db/changelog/058-rbac-generators.sql b/src/main/resources/db/changelog/058-rbac-generators.sql index 82685028..70dfc021 100644 --- a/src/main/resources/db/changelog/058-rbac-generators.sql +++ b/src/main/resources/db/changelog/058-rbac-generators.sql @@ -104,7 +104,7 @@ begin create or replace view %1$s_iv as select target.uuid, cleanIdentifier(%2$s) as idName from %1$s as target; - grant all privileges on %1$s_iv to restricted; + grant all privileges on %1$s_iv to ${RESTRICTED_USER}; $sql$, targetTable, idNameExpression); execute sql; @@ -157,7 +157,7 @@ begin from %1$s as target where target.uuid in (select * from accessibleObjects) order by %2$s; - grant all privileges on %1$s_rv to restricted; + grant all privileges on %1$s_rv to ${RESTRICTED_USER}; $sql$, targetTable, orderBy); execute sql; 
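Review bot: The grant at the end of the second 055-rbac-views hunk (@@ -126) targets `rbacrole_rv`, the same view already granted in the first hunk (@@ -41), although the view defined just above it (ordered by grantedRoleIdName and joined to RbacObject) looks like a different one; its `create or replace view` line is outside the hunk, so the name cannot be confirmed from here. If that view is not rbacrole_rv it is never granted to the restricted role, so every select on it through that role fails with a permission error while rbacrole_rv is granted twice. Please check the view name and, if so, change the line to `grant all privileges on <that view> to ${RESTRICTED_USER};`.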
diff --git a/src/main/resources/db/changelog/080-rbac-global.sql b/src/main/resources/db/changelog/080-rbac-global.sql index deb690c0..e2141f55 100644 --- a/src/main/resources/db/changelog/080-rbac-global.sql +++ b/src/main/resources/db/changelog/080-rbac-global.sql @@ -18,7 +18,7 @@ create table Global ); create unique index Global_Singleton on Global ((0)); -grant select on global to restricted; +grant select on global to ${RESTRICTED_USER}; --// @@ -48,7 +48,7 @@ drop view if exists global_iv; create or replace view global_iv as select target.uuid, target.name as idName from global as target; -grant all privileges on global_iv to restricted; +grant all privileges on global_iv to ${RESTRICTED_USER}; /* Returns the objectUuid for a given identifying name (in this case the idName). @@ -99,7 +99,7 @@ commit; create or replace function globalAdmin() returns RbacRoleDescriptor returns null on null input - stable leakproof + stable -- leakproof language sql as $$ select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType; $$; diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql index f4eb2edd..d97f6148 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.sql +++ b/src/main/resources/db/changelog/123-test-package-rbac.sql @@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name'); -- from test_package as target -- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids())) -- order by target.name; --- grant all privileges on test_package_rv to restricted; +-- grant all privileges on test_package_rv to ${RESTRICTED_USER}; call generateRbacRestrictedView('test_package', 'target.name', $updates$ diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql index ceeb5de3..fcd5e4b7 100644 
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql @@ -110,5 +110,5 @@ create or replace view test_domain_rv as select target.* from test_domain as target where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids())); -grant all privileges on test_domain_rv to restricted; +grant all privileges on test_domain_rv to ${RESTRICTED_USER}; --// diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java index b5c30035..bbb1efd4 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java 
@@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat; * There is some test data in Java resources to verify the data conversion. * For a real import a main method will be added later * which reads CSV files from the file system. + * + * When run on a Hostsharing database, it needs the following settings (hsh99_... just examples): + * + * CREATE USER hsh99_admin WITH PASSWORD 'password'; + * GRANT ALL ON SCHEMA public TO hsh99_admin; + * + * CREATE USER hsh99_restricted WITH PASSWORD 'password'; + * GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted + * + * CREATE EXTENSION "uuid-ossp"; + * + * And the environment variables ADMIN_USER and RESTRICTED_USER have to be set to the actual users. + * TODO: password */ - -@Disabled -@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres") +// @Disabled +@DataJpaTest(properties = { + "spring.profiles.active=migration", + "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres", + "spring.datasource.username=hsh99_admin", + "spring.datasource.password=password" +}) @Import({ Context.class, JpaAttempt.class }) @TestMethodOrder(MethodOrderer.OrderAnnotation.class) public class ImportOfficeTables extends ContextBasedTest { diff --git a/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java index c76141b1..8f3e95e0 100644 --- a/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java @@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest { em.createNativeQuery(""" create or replace function returnEmptyArray() returns text[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare emptyArray text[] = '{}'; 
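Review bot: Re-enabling this test (`// @Disabled`) while embedding `spring.datasource.username=hsh99_admin` and `spring.datasource.password=password` in the @DataJpaTest annotation commits a live-database credential to source and makes every test run try to reach localhost:5432; the javadoc itself says the actual users come from the ADMIN_USER and RESTRICTED_USER environment variables and leaves `TODO: password` open. Keep the test gated, either with `@Disabled` or with JUnit's `@EnabledIfEnvironmentVariable(named = "ADMIN_USER", matches = ".+")`, and read the credentials from the environment, e.g. `"spring.datasource.username=${ADMIN_USER}"` with the password from a variable of its own, which Spring should resolve as a placeholder in the annotation (worth confirming). The setup snippet in the javadoc also has a typo, `ALL TALBES`, and that grant line lacks its trailing semicolon, so it fails when pasted as written.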
@@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest { em.createNativeQuery(""" create or replace function returnStringArray() returns varchar(63)[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare text1 text = 'one'; @@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest { em.createNativeQuery(""" create or replace function returnUuidArray() returns uuid[] - stable leakproof + stable -- leakproof language plpgsql as $$ declare uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';