WIP

2024-04-21 11:04:49 +02:00 · 2024-04-21 11:04:49 +02:00 · fc8cf0a0b7
commit fc8cf0a0b7
parent 1f4a20b658
16 changed files with 1754 additions and 72 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetEntity.java
@ -33,12 +33,13 @@ import java.util.Map;
 import java.util.UUID;

 import static java.util.Optional.ofNullable;
-import static net.hostsharing.hsadminng.hs.hosting.server.HsHostingAssetType.BBB_SERVER;
 import static net.hostsharing.hsadminng.hs.hosting.server.HsHostingAssetType.CLOUD_SERVER;
 import static net.hostsharing.hsadminng.hs.hosting.server.HsHostingAssetType.MANAGED_SERVER;
+import static net.hostsharing.hsadminng.hs.hosting.server.HsHostingAssetType.MANAGED_WEBSPACE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inCaseOf;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inOtherCases;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
@ -55,7 +56,7 @@ import static net.hostsharing.hsadminng.stringify.Stringify.stringify;

@Builder
@Entity
-@Table(name = "hs_hosting_server_rv")
+@Table(name = "hs_hosting_asset_rv")
@Getter
@Setter
@NoArgsConstructor
@ -87,6 +88,9 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
    @Enumerated(EnumType.STRING)
    private HsHostingAssetType type;

+    @Column(name = "fixedname")
+    private String fixedName; // vm1234, xyz00, example.org, xyz00_abc
+
    @Column(name = "caption")
    private String caption;

@ -134,7 +138,7 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
                .withRestrictedViewOrderBy(SQL.expression("caption"))
                .withUpdatableColumns("version", "caption", "config")

-                .importEntityAlias("bookingItem", HsBookingItemEntity.class,
+                .importEntityAlias("bookingItem", HsBookingItemEntity.class, usingDefaultCase(),
                    dependsOnColumn("bookingItemUuid"),
                    directlyFetchedByDependsOnColumn(),
                    NOT_NULL)
@ -144,15 +148,14 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
                        then -> then.toRole("bookingItem", AGENT).grantPermission(INSERT)),
                    inCaseOf(MANAGED_SERVER.name(),
                        then -> then.toRole("bookingItem", AGENT).grantPermission(INSERT)),
-                    inCaseOf(BBB_SERVER.name(),
-                        then -> then.toRole("bookingItem", AGENT).grantPermission(INSERT)),
-                    inOtherCases(then -> {
-                        then.importEntityAlias("parentAsset", HsHostingAssetEntity.class,
+                    inCaseOf(MANAGED_WEBSPACE.name(), then ->
+                        then.importEntityAlias("parentServer", HsHostingAssetEntity.class, usingCase(MANAGED_SERVER),
                                dependsOnColumn("parentAssetUuid"),
                                directlyFetchedByDependsOnColumn(),
                                NULLABLE)
-                            .toRole("parentAsset", AGENT).grantPermission(INSERT);
-                    })
+                            // TODO.rbac: implement multiple INSERT-rules, e.g. for Asset.bookingItem + Asset.parentAsset
+                            //.toRole("parentServer", AGENT).grantPermission(INSERT)
+                    )
                )

                .createRole(OWNER, (with) -> {
--- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetType.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetType.java
@ -3,17 +3,18 @@ package net.hostsharing.hsadminng.hs.hosting.server;
 public enum HsHostingAssetType {
    CLOUD_SERVER,
    MANAGED_SERVER,
-    BBB_SERVER,
    MANAGED_WEBSPACE(MANAGED_SERVER),
    UNIX_USER(MANAGED_WEBSPACE),
    DOMAIN_SETUP(UNIX_USER),
-    EMAIL_ALIAS(HsHostingAssetType.DOMAIN_SETUP),
-    EMAIL_ADDRESS(HsHostingAssetType.DOMAIN_SETUP),
-    PGSQL_DATABASE(HsHostingAssetType.MANAGED_WEBSPACE),
-    PGSQL_USER(HsHostingAssetType.MANAGED_WEBSPACE),
-    MARIADB_DATABASE(HsHostingAssetType.MANAGED_WEBSPACE),

-    MARIADB_USER(HsHostingAssetType.MANAGED_WEBSPACE);
+    // TODO.spec: SECURE_MX
+    EMAIL_ALIAS(MANAGED_WEBSPACE),
+    EMAIL_ADDRESS(DOMAIN_SETUP),
+    PGSQL_USER(MANAGED_WEBSPACE),
+    PGSQL_DATABASE(MANAGED_WEBSPACE), // TODO.spec: or PGSQL_USER?
+    MARIADB_USER(MANAGED_WEBSPACE),
+    MARIADB_DATABASE(MANAGED_WEBSPACE); // TODO.spec: or MARIADB_USER?
+

    public final HsHostingAssetType parentAssetType;

--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
@ -241,7 +241,10 @@ public class InsertTriggerGenerator {

    private static <T> BinaryOperator<T> singleton() {
        return (x, y) -> {
-            throw new IllegalStateException("only a single INSERT permission grant allowed");
+            if ( !x.equals(y) ) {
+                throw new IllegalStateException("only a single INSERT permission grant allowed");
+            }
+            return x;
        };
    }

--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@ -18,7 +18,9 @@ import java.util.function.Consumer;
 import java.util.stream.Collectors;

 import static java.lang.reflect.Modifier.isStatic;
+import static java.util.Arrays.asList;
 import static java.util.Arrays.stream;
+import static java.util.Collections.max;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
@ -314,6 +316,15 @@ public class RbacView {
        return this;
    }

+    // TODO.impl: use importEntityAlias with all parameters
+    @Deprecated
+    public RbacView importEntityAlias(
+            final String aliasName, final Class<? extends RbacObject> entityClass,
+            final Column dependsOnColum, final SQL fetchSql, final Nullable nullable) {
+        importEntityAliasImpl(aliasName, entityClass, usingDefaultCase(), fetchSql, dependsOnColum, false, nullable);
+        return this;
+    }
+
    /**
     * Imports the RBAC template from the given entity class and defines an anlias name for it.
     *
@ -325,6 +336,9 @@ public class RbacView {
     *  A JPA entity class extending RbacObject which also implements an `rbac` method returning
     *  its RBAC specification.
     *
+     * @param usingCase
+     *  Only use this case value for a switch within the rbac rules.
+     *
     * @param fetchSql
     *  An SQL SELECT statement which fetches the referenced row. Use `${REF}` to speficiy the
     *  newly created or updated row (will be replaced by NEW/OLD from the trigger method).
@ -342,19 +356,29 @@ public class RbacView {
     *     a JPA entity class extending RbacObject
     */
    public RbacView importEntityAlias(
-            final String aliasName, final Class<? extends RbacObject> entityClass,
+            final String aliasName, final Class<? extends RbacObject> entityClass, final ColumnValue usingCase,
            final Column dependsOnColum, final SQL fetchSql, final Nullable nullable) {
-        importEntityAliasImpl(aliasName, entityClass, usingDefaultCase(), fetchSql, dependsOnColum, false, nullable);
+        importEntityAliasImpl(aliasName, entityClass, usingCase, fetchSql, dependsOnColum, false, nullable);
        return this;
    }

    private EntityAlias importEntityAliasImpl(
-            final String aliasName, final Class<? extends RbacObject> entityClass, final ColumnValue forCase,
+            final String aliasName, final Class<? extends RbacObject> entityClass, final ColumnValue usingCase,
            final SQL fetchSql, final Column dependsOnColum, boolean asSubEntity, final Nullable nullable) {
-        final var entityAlias = new EntityAlias(aliasName, entityClass, fetchSql, dependsOnColum, asSubEntity, nullable);
-        entityAliases.put(aliasName, entityAlias);
+
+        final var entityAlias = ofNullable(entityAliases.get(aliasName))
+                .orElseGet(() -> {
+                    final var ea = new EntityAlias(aliasName, entityClass, usingCase, fetchSql, dependsOnColum, asSubEntity, nullable);
+                    entityAliases.put(aliasName, ea);
+                    return ea;
+                });
+
        try {
-            importAsAlias(aliasName, rbacDefinition(entityClass), forCase, asSubEntity);
+            // TODO.impl: this only works for directly recursive RBAC definitions, not for indirect recursion
+            final var rbacDef = entityClass == rootEntityAlias.entityClass
+                ? this
+                : rbacDefinition(entityClass);
+            importAsAlias(aliasName, rbacDef, usingCase, asSubEntity);
        } catch (final ReflectiveOperationException exc) {
            throw new RuntimeException("cannot import entity: " + entityClass, exc);
        }
@ -369,7 +393,7 @@ public class RbacView {
    private RbacView importAsAlias(final String aliasName, final RbacView importedRbacView, final ColumnValue forCase, final boolean asSubEntity) {
        final var mapper = new AliasNameMapper(importedRbacView, aliasName,
                asSubEntity ? entityAliases.keySet() : null);
-        importedRbacView.getEntityAliases().values().stream()
+        copyOf(importedRbacView.getEntityAliases().values()).stream()
                .filter(entityAlias -> !importedRbacView.isRootEntityAlias(entityAlias))
                .filter(entityAlias -> !entityAlias.isGlobal())
                .filter(entityAlias -> !asSubEntity || !entityAliases.containsKey(entityAlias.aliasName))
@ -377,10 +401,10 @@ public class RbacView {
                    final String mappedAliasName = mapper.map(entityAlias.aliasName);
                    entityAliases.put(mappedAliasName, new EntityAlias(mappedAliasName, entityAlias.entityClass));
                });
-        importedRbacView.getRoleDefs().forEach(roleDef -> {
+        copyOf(importedRbacView.getRoleDefs()).forEach(roleDef -> {
            new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
        });
-        importedRbacView.getGrantDefs().forEach(grantDef -> {
+        copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
            if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
                    (grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
                final var importedGrantDef = findOrCreateGrantDef(
@ -411,6 +435,10 @@ public class RbacView {
        return this;
    }

+    private static <T> List<T> copyOf(final Collection<T> eas) {
+        return eas.stream().toList();
+    }
+
    private void verifyVersionColumnExists() {
        if (stream(rootEntityAlias.entityClass.getDeclaredFields())
                .noneMatch(f -> f.getAnnotation(Version.class) != null)) {
@ -615,6 +643,13 @@ public class RbacView {
            return this;
        }

+        public long level() {
+            return max(asList(
+                    superRoleDef != null ? superRoleDef.entityAlias.level() : 0,
+                    subRoleDef != null ? subRoleDef.entityAlias.level() : 0,
+                    permDef != null ? permDef.entityAlias.level() : 0));
+        }
+
        public enum GrantType {
            ROLE_TO_USER,
            ROLE_TO_ROLE,
@ -854,14 +889,14 @@ public class RbacView {
        return distinctGrantDef;
    }

-    record EntityAlias(String aliasName, Class<? extends RbacObject> entityClass, SQL fetchSql, Column dependsOnColum, boolean isSubEntity, Nullable nullable) {
+    record EntityAlias(String aliasName, Class<? extends RbacObject> entityClass, ColumnValue usingCase, SQL fetchSql, Column dependsOnColum, boolean isSubEntity, Nullable nullable) {

        public EntityAlias(final String aliasName) {
-            this(aliasName, null, null, null, false, null);
+            this(aliasName, null, null, null, null, false, null);
        }

        public EntityAlias(final String aliasName, final Class<? extends RbacObject> entityClass) {
-            this(aliasName, entityClass, null, null, false, null);
+            this(aliasName, entityClass, null, null, null, false, null);
        }

        boolean isGlobal() {
@ -872,7 +907,6 @@ public class RbacView {
            return entityClass == null;
        }

-        @NotNull
        @Override
        public SQL fetchSql() {
            if (fetchSql == null) {
@ -914,6 +948,10 @@ public class RbacView {
            }
            return dependsOnColum.column;
        }
+
+        long level() {
+            return aliasName.chars().filter(ch -> ch == '.').count() + 1;
+        }
    }

    public static String withoutRvSuffix(final String tableName) {
@ -1074,10 +1112,9 @@ public class RbacView {
            return new ColumnValue(null);
        }

-        public static ColumnValue usingCase(final String value) {
-            return new ColumnValue(value);
+        public static <E extends Enum<E>> ColumnValue usingCase(final E value) {
+            return new ColumnValue(value.name());
        }
-
        public final String value;

        private ColumnValue(final String value) {
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java
@ -15,6 +15,9 @@ public class RbacViewMermaidFlowchartGenerator {
    public static final String HOSTSHARING_LIGHT_ORANGE = "#feb28c";
    public static final String HOSTSHARING_DARK_BLUE = "#274d6e";
    public static final String HOSTSHARING_LIGHT_BLUE = "#99bcdb";
+
+    // TODO.rbac: implement level limit for all renderable items and remove items which not part of a grant
+    private static final long MAX_LEVEL_TO_RENDER = 3;
    private final RbacView rbacDef;

    private final CaseDef forCase;
@ -56,6 +59,7 @@ public class RbacViewMermaidFlowchartGenerator {

        flowchart.indented( () -> {
            rbacDef.getEntityAliases().values().stream()
+                    .filter(e -> e.level() <= MAX_LEVEL_TO_RENDER)
                    .filter(e -> e.aliasName().startsWith(entity.aliasName() + ":"))
                    .forEach(this::renderEntitySubgraph);

@ -106,6 +110,7 @@ public class RbacViewMermaidFlowchartGenerator {

    private void renderGrants(final RbacView.RbacGrantDefinition.GrantType grantType, final String comment) {
        final var grantsOfRequestedType = rbacDef.getGrantDefs().stream()
+                .filter(g -> g.level() <= MAX_LEVEL_TO_RENDER)
                .filter(g -> g.grantType() == grantType)
                .filter(this::isToBeRenderedInThisGraph)
                .toList();
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-server/7010-hs-hosting-server.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-server/7010-hs-hosting-server.sql
@ -1,14 +1,29 @@
 --liquibase formatted sql

 -- ============================================================================
--changeset hosting-server-MAIN-TABLE:1 endDelimiter:--//
+--changeset hosting-asset-MAIN-TABLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

-create table if not exists hs_hosting_server
+create type HsHostingAssetType as enum (
+    'MANAGED_SERVER',
+    'MANAGED_WEBSPACE',
+    'UNIX_USER',
+    'DOMAIN_SETUP',
+    'EMAIL_ALIAS',
+    'EMAIL_ADDRESS',
+    'PGSQL_USER',
+    'PGSQL_DATABASE',
+    'MARIADB_USER',
+    'MARIADB_DATABASE'
+);
+
+create table if not exists hs_hosting_asset
 (
    uuid                uuid unique references RbacObject (uuid),
    version             int not null default 0,
    bookingItemUuid     uuid not null references hs_booking_item(uuid),
+    type                HsHostingAssetType,
+    parentAssetUuid     uuid null references hs_hosting_asset(uuid),
    caption             varchar(80) not null,
    config              jsonb not null
 );
@ -16,8 +31,8 @@ create table if not exists hs_hosting_server


 -- ============================================================================
--changeset hs-hosting-server-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
+--changeset hs-hosting-asset-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

-call create_journal('hs_hosting_server');
+call create_journal('hs_hosting_asset');
 --//
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
@ -0,0 +1,476 @@
+### rbac asset inCaseOf:CLOUD_SERVER
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph parentServer.bookingItem["`**parentServer.bookingItem**`"]
+    direction TB
+    style parentServer.bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem:roles[ ]
+        style parentServer.bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem:OWNER[[parentServer.bookingItem:OWNER]]
+        role:parentServer.bookingItem:ADMIN[[parentServer.bookingItem:ADMIN]]
+        role:parentServer.bookingItem:AGENT[[parentServer.bookingItem:AGENT]]
+        role:parentServer.bookingItem:TENANT[[parentServer.bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.anchorPerson["`**parentServer.bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.holderPerson["`**parentServer.bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer["`**parentServer**`"]
+    direction TB
+    style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson["`**parentServer.bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.anchorPerson["`**bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.anchorPerson:OWNER[[bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.contact["`**parentServer.bookingItem.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.contact:OWNER[[parentServer.bookingItem.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel["`**bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel:roles[ ]
+        style bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel:OWNER[[bookingItem.debitor.partnerRel:OWNER]]
+        role:bookingItem.debitor.partnerRel:ADMIN[[bookingItem.debitor.partnerRel:ADMIN]]
+        role:bookingItem.debitor.partnerRel:AGENT[[bookingItem.debitor.partnerRel:AGENT]]
+        role:bookingItem.debitor.partnerRel:TENANT[[bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.anchorPerson["`**bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.anchorPerson:OWNER[[bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel["`**bookingItem.debitorRel**`"]
+    direction TB
+    style bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel:roles[ ]
+        style bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel:OWNER[[bookingItem.debitorRel:OWNER]]
+        role:bookingItem.debitorRel:ADMIN[[bookingItem.debitorRel:ADMIN]]
+        role:bookingItem.debitorRel:AGENT[[bookingItem.debitorRel:AGENT]]
+        role:bookingItem.debitorRel:TENANT[[bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.contact["`**parentServer.bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.contact:OWNER[[parentServer.bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:ADMIN[[parentServer.bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:REFERRER[[parentServer.bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.anchorPerson["`**bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.anchorPerson:OWNER[[bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitorRel.anchorPerson:ADMIN[[bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitorRel.anchorPerson:REFERRER[[bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel["`**parentServer.bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel:OWNER[[parentServer.bookingItem.debitor.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel:ADMIN[[parentServer.bookingItem.debitor.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel:AGENT[[parentServer.bookingItem.debitor.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitor.debitorRel:TENANT[[parentServer.bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitorRel.holderPerson["`**bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.holderPerson:OWNER[[bookingItem.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitorRel.holderPerson:ADMIN[[bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitorRel.holderPerson:REFERRER[[bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.refundBankAccount["`**bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.refundBankAccount:roles[ ]
+        style bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.refundBankAccount:OWNER[[bookingItem.debitor.refundBankAccount:OWNER]]
+        role:bookingItem.debitor.refundBankAccount:ADMIN[[bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:bookingItem.debitor.refundBankAccount:REFERRER[[bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel["`**parentServer.bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel:OWNER[[parentServer.bookingItem.debitor.partnerRel:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel:ADMIN[[parentServer.bookingItem.debitor.partnerRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel:AGENT[[parentServer.bookingItem.debitor.partnerRel:AGENT]]
+        role:parentServer.bookingItem.debitor.partnerRel:TENANT[[parentServer.bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.contact["`**bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.contact:roles[ ]
+        style bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.contact:OWNER[[bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:bookingItem.debitor.debitorRel.contact:ADMIN[[bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitor.debitorRel.contact:REFERRER[[bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor["`**parentServer.bookingItem.debitor**`"]
+    direction TB
+    style parentServer.bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson["`**parentServer.bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.contact["`**bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.contact:roles[ ]
+        style bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.contact:OWNER[[bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:bookingItem.debitor.partnerRel.contact:ADMIN[[bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:bookingItem.debitor.partnerRel.contact:REFERRER[[bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel["`**parentServer.bookingItem.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel:OWNER[[parentServer.bookingItem.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitorRel:ADMIN[[parentServer.bookingItem.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitorRel:AGENT[[parentServer.bookingItem.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitorRel:TENANT[[parentServer.bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem["`**bookingItem**`"]
+    direction TB
+    style bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem:roles[ ]
+        style bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem:OWNER[[bookingItem:OWNER]]
+        role:bookingItem:ADMIN[[bookingItem:ADMIN]]
+        role:bookingItem:AGENT[[bookingItem:AGENT]]
+        role:bookingItem:TENANT[[bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.parentServer["`**parentServer.parentServer**`"]
+    direction TB
+    style parentServer.parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.contact["`**parentServer.bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.contact:OWNER[[parentServer.bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.holderPerson["`**bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.holderPerson:OWNER[[bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.holderPerson:ADMIN[[bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.holderPerson:REFERRER[[bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.contact["`**bookingItem.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.contact:roles[ ]
+        style bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.contact:OWNER[[bookingItem.debitorRel.contact:OWNER]]
+        role:bookingItem.debitorRel.contact:ADMIN[[bookingItem.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitorRel.contact:REFERRER[[bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.refundBankAccount["`**parentServer.bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.refundBankAccount:roles[ ]
+        style parentServer.bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.refundBankAccount:OWNER[[parentServer.bookingItem.debitor.refundBankAccount:OWNER]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:ADMIN[[parentServer.bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:REFERRER[[parentServer.bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor["`**bookingItem.debitor**`"]
+    direction TB
+    style bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph bookingItem.debitor.debitorRel.holderPerson["`**bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.holderPerson:OWNER[[bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.holderPerson:ADMIN[[bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.holderPerson:REFERRER[[bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel["`**bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel:roles[ ]
+        style bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel:OWNER[[bookingItem.debitor.debitorRel:OWNER]]
+        role:bookingItem.debitor.debitorRel:ADMIN[[bookingItem.debitor.debitorRel:ADMIN]]
+        role:bookingItem.debitor.debitorRel:AGENT[[bookingItem.debitor.debitorRel:AGENT]]
+        role:bookingItem.debitor.debitorRel:TENANT[[bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph asset["`**asset**`"]
+    direction TB
+    style asset fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph asset:roles[ ]
+        style asset:roles fill:#dd4901,stroke:white
+
+        role:asset:OWNER[[asset:OWNER]]
+        role:asset:ADMIN[[asset:ADMIN]]
+        role:asset:TENANT[[asset:TENANT]]
+    end
+
+    subgraph asset:permissions[ ]
+        style asset:permissions fill:#dd4901,stroke:white
+
+        perm:asset:INSERT{{asset:INSERT}}
+        perm:asset:DELETE{{asset:DELETE}}
+        perm:asset:UPDATE{{asset:UPDATE}}
+        perm:asset:SELECT{{asset:SELECT}}
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson["`**parentServer.bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitor.debitorRel:OWNER
+role:bookingItem.debitor.debitorRel:OWNER -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.debitorRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.debitorRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:OWNER
+role:bookingItem.debitor.refundBankAccount:OWNER -.-> role:bookingItem.debitor.refundBankAccount:ADMIN
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitor.partnerRel:OWNER
+role:bookingItem.debitor.partnerRel:OWNER -.-> role:bookingItem.debitor.partnerRel:ADMIN
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.partnerRel:AGENT
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:OWNER
+role:bookingItem.debitorRel.anchorPerson:OWNER -.-> role:bookingItem.debitorRel.anchorPerson:ADMIN
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:OWNER
+role:bookingItem.debitorRel.holderPerson:OWNER -.-> role:bookingItem.debitorRel.holderPerson:ADMIN
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.contact:OWNER
+role:bookingItem.debitorRel.contact:OWNER -.-> role:bookingItem.debitorRel.contact:ADMIN
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
+role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
+role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
+role:bookingItem:AGENT -.-> role:bookingItem:TENANT
+role:bookingItem:TENANT -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem:ADMIN ==> role:asset:OWNER
+role:asset:OWNER ==> role:asset:ADMIN
+role:asset:ADMIN ==> role:asset:TENANT
+role:asset:TENANT ==> role:bookingItem:TENANT
+
+%% granting permissions to roles
+role:bookingItem:AGENT ==> perm:asset:INSERT
+role:asset:OWNER ==> perm:asset:DELETE
+role:asset:ADMIN ==> perm:asset:UPDATE
+role:asset:TENANT ==> perm:asset:SELECT
+
+```
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
@ -0,0 +1,476 @@
+### rbac asset inCaseOf:MANAGED_SERVER
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph parentServer.bookingItem["`**parentServer.bookingItem**`"]
+    direction TB
+    style parentServer.bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem:roles[ ]
+        style parentServer.bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem:OWNER[[parentServer.bookingItem:OWNER]]
+        role:parentServer.bookingItem:ADMIN[[parentServer.bookingItem:ADMIN]]
+        role:parentServer.bookingItem:AGENT[[parentServer.bookingItem:AGENT]]
+        role:parentServer.bookingItem:TENANT[[parentServer.bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.anchorPerson["`**parentServer.bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.holderPerson["`**parentServer.bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer["`**parentServer**`"]
+    direction TB
+    style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson["`**parentServer.bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.anchorPerson["`**bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.anchorPerson:OWNER[[bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.contact["`**parentServer.bookingItem.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.contact:OWNER[[parentServer.bookingItem.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel["`**bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel:roles[ ]
+        style bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel:OWNER[[bookingItem.debitor.partnerRel:OWNER]]
+        role:bookingItem.debitor.partnerRel:ADMIN[[bookingItem.debitor.partnerRel:ADMIN]]
+        role:bookingItem.debitor.partnerRel:AGENT[[bookingItem.debitor.partnerRel:AGENT]]
+        role:bookingItem.debitor.partnerRel:TENANT[[bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.anchorPerson["`**bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.anchorPerson:OWNER[[bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel["`**bookingItem.debitorRel**`"]
+    direction TB
+    style bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel:roles[ ]
+        style bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel:OWNER[[bookingItem.debitorRel:OWNER]]
+        role:bookingItem.debitorRel:ADMIN[[bookingItem.debitorRel:ADMIN]]
+        role:bookingItem.debitorRel:AGENT[[bookingItem.debitorRel:AGENT]]
+        role:bookingItem.debitorRel:TENANT[[bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.contact["`**parentServer.bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.contact:OWNER[[parentServer.bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:ADMIN[[parentServer.bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:REFERRER[[parentServer.bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.anchorPerson["`**bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.anchorPerson:OWNER[[bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitorRel.anchorPerson:ADMIN[[bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitorRel.anchorPerson:REFERRER[[bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel["`**parentServer.bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel:OWNER[[parentServer.bookingItem.debitor.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel:ADMIN[[parentServer.bookingItem.debitor.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel:AGENT[[parentServer.bookingItem.debitor.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitor.debitorRel:TENANT[[parentServer.bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitorRel.holderPerson["`**bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.holderPerson:OWNER[[bookingItem.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitorRel.holderPerson:ADMIN[[bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitorRel.holderPerson:REFERRER[[bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.refundBankAccount["`**bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.refundBankAccount:roles[ ]
+        style bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.refundBankAccount:OWNER[[bookingItem.debitor.refundBankAccount:OWNER]]
+        role:bookingItem.debitor.refundBankAccount:ADMIN[[bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:bookingItem.debitor.refundBankAccount:REFERRER[[bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel["`**parentServer.bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel:OWNER[[parentServer.bookingItem.debitor.partnerRel:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel:ADMIN[[parentServer.bookingItem.debitor.partnerRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel:AGENT[[parentServer.bookingItem.debitor.partnerRel:AGENT]]
+        role:parentServer.bookingItem.debitor.partnerRel:TENANT[[parentServer.bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.contact["`**bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.contact:roles[ ]
+        style bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.contact:OWNER[[bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:bookingItem.debitor.debitorRel.contact:ADMIN[[bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitor.debitorRel.contact:REFERRER[[bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor["`**parentServer.bookingItem.debitor**`"]
+    direction TB
+    style parentServer.bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson["`**parentServer.bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.contact["`**bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.contact:roles[ ]
+        style bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.contact:OWNER[[bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:bookingItem.debitor.partnerRel.contact:ADMIN[[bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:bookingItem.debitor.partnerRel.contact:REFERRER[[bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel["`**parentServer.bookingItem.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel:OWNER[[parentServer.bookingItem.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitorRel:ADMIN[[parentServer.bookingItem.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitorRel:AGENT[[parentServer.bookingItem.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitorRel:TENANT[[parentServer.bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem["`**bookingItem**`"]
+    direction TB
+    style bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem:roles[ ]
+        style bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem:OWNER[[bookingItem:OWNER]]
+        role:bookingItem:ADMIN[[bookingItem:ADMIN]]
+        role:bookingItem:AGENT[[bookingItem:AGENT]]
+        role:bookingItem:TENANT[[bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.parentServer["`**parentServer.parentServer**`"]
+    direction TB
+    style parentServer.parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.contact["`**parentServer.bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.contact:OWNER[[parentServer.bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.holderPerson["`**bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.holderPerson:OWNER[[bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.holderPerson:ADMIN[[bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.holderPerson:REFERRER[[bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.contact["`**bookingItem.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.contact:roles[ ]
+        style bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.contact:OWNER[[bookingItem.debitorRel.contact:OWNER]]
+        role:bookingItem.debitorRel.contact:ADMIN[[bookingItem.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitorRel.contact:REFERRER[[bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.refundBankAccount["`**parentServer.bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.refundBankAccount:roles[ ]
+        style parentServer.bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.refundBankAccount:OWNER[[parentServer.bookingItem.debitor.refundBankAccount:OWNER]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:ADMIN[[parentServer.bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:REFERRER[[parentServer.bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor["`**bookingItem.debitor**`"]
+    direction TB
+    style bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph bookingItem.debitor.debitorRel.holderPerson["`**bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.holderPerson:OWNER[[bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.holderPerson:ADMIN[[bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.holderPerson:REFERRER[[bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel["`**bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel:roles[ ]
+        style bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel:OWNER[[bookingItem.debitor.debitorRel:OWNER]]
+        role:bookingItem.debitor.debitorRel:ADMIN[[bookingItem.debitor.debitorRel:ADMIN]]
+        role:bookingItem.debitor.debitorRel:AGENT[[bookingItem.debitor.debitorRel:AGENT]]
+        role:bookingItem.debitor.debitorRel:TENANT[[bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph asset["`**asset**`"]
+    direction TB
+    style asset fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph asset:roles[ ]
+        style asset:roles fill:#dd4901,stroke:white
+
+        role:asset:OWNER[[asset:OWNER]]
+        role:asset:ADMIN[[asset:ADMIN]]
+        role:asset:TENANT[[asset:TENANT]]
+    end
+
+    subgraph asset:permissions[ ]
+        style asset:permissions fill:#dd4901,stroke:white
+
+        perm:asset:INSERT{{asset:INSERT}}
+        perm:asset:DELETE{{asset:DELETE}}
+        perm:asset:UPDATE{{asset:UPDATE}}
+        perm:asset:SELECT{{asset:SELECT}}
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson["`**parentServer.bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitor.debitorRel:OWNER
+role:bookingItem.debitor.debitorRel:OWNER -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.debitorRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.debitorRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:OWNER
+role:bookingItem.debitor.refundBankAccount:OWNER -.-> role:bookingItem.debitor.refundBankAccount:ADMIN
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitor.partnerRel:OWNER
+role:bookingItem.debitor.partnerRel:OWNER -.-> role:bookingItem.debitor.partnerRel:ADMIN
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.partnerRel:AGENT
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:OWNER
+role:bookingItem.debitorRel.anchorPerson:OWNER -.-> role:bookingItem.debitorRel.anchorPerson:ADMIN
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:OWNER
+role:bookingItem.debitorRel.holderPerson:OWNER -.-> role:bookingItem.debitorRel.holderPerson:ADMIN
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.contact:OWNER
+role:bookingItem.debitorRel.contact:OWNER -.-> role:bookingItem.debitorRel.contact:ADMIN
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
+role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
+role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
+role:bookingItem:AGENT -.-> role:bookingItem:TENANT
+role:bookingItem:TENANT -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem:ADMIN ==> role:asset:OWNER
+role:asset:OWNER ==> role:asset:ADMIN
+role:asset:ADMIN ==> role:asset:TENANT
+role:asset:TENANT ==> role:bookingItem:TENANT
+
+%% granting permissions to roles
+role:bookingItem:AGENT ==> perm:asset:INSERT
+role:asset:OWNER ==> perm:asset:DELETE
+role:asset:ADMIN ==> perm:asset:UPDATE
+role:asset:TENANT ==> perm:asset:SELECT
+
+```
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
@ -0,0 +1,486 @@
+### rbac asset inCaseOf:MANAGED_WEBSPACE
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph parentServer.bookingItem["`**parentServer.bookingItem**`"]
+    direction TB
+    style parentServer.bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem:roles[ ]
+        style parentServer.bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem:OWNER[[parentServer.bookingItem:OWNER]]
+        role:parentServer.bookingItem:ADMIN[[parentServer.bookingItem:ADMIN]]
+        role:parentServer.bookingItem:AGENT[[parentServer.bookingItem:AGENT]]
+        role:parentServer.bookingItem:TENANT[[parentServer.bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.anchorPerson["`**parentServer.bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.holderPerson["`**parentServer.bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer["`**parentServer**`"]
+    direction TB
+    style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson["`**parentServer.bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.anchorPerson["`**bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.anchorPerson:OWNER[[bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel.contact["`**parentServer.bookingItem.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel.contact:OWNER[[parentServer.bookingItem.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel["`**bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel:roles[ ]
+        style bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel:OWNER[[bookingItem.debitor.partnerRel:OWNER]]
+        role:bookingItem.debitor.partnerRel:ADMIN[[bookingItem.debitor.partnerRel:ADMIN]]
+        role:bookingItem.debitor.partnerRel:AGENT[[bookingItem.debitor.partnerRel:AGENT]]
+        role:bookingItem.debitor.partnerRel:TENANT[[bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.anchorPerson["`**bookingItem.debitor.partnerRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.anchorPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.anchorPerson:OWNER[[bookingItem.debitor.partnerRel.anchorPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:ADMIN[[bookingItem.debitor.partnerRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.anchorPerson:REFERRER[[bookingItem.debitor.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel["`**bookingItem.debitorRel**`"]
+    direction TB
+    style bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel:roles[ ]
+        style bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel:OWNER[[bookingItem.debitorRel:OWNER]]
+        role:bookingItem.debitorRel:ADMIN[[bookingItem.debitorRel:ADMIN]]
+        role:bookingItem.debitorRel:AGENT[[bookingItem.debitorRel:AGENT]]
+        role:bookingItem.debitorRel:TENANT[[bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel.contact["`**parentServer.bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel.contact:OWNER[[parentServer.bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:ADMIN[[parentServer.bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel.contact:REFERRER[[parentServer.bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.anchorPerson["`**bookingItem.debitorRel.anchorPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.anchorPerson:roles[ ]
+        style bookingItem.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.anchorPerson:OWNER[[bookingItem.debitorRel.anchorPerson:OWNER]]
+        role:bookingItem.debitorRel.anchorPerson:ADMIN[[bookingItem.debitorRel.anchorPerson:ADMIN]]
+        role:bookingItem.debitorRel.anchorPerson:REFERRER[[bookingItem.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel["`**parentServer.bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel:OWNER[[parentServer.bookingItem.debitor.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel:ADMIN[[parentServer.bookingItem.debitor.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel:AGENT[[parentServer.bookingItem.debitor.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitor.debitorRel:TENANT[[parentServer.bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitorRel.holderPerson["`**bookingItem.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.holderPerson:OWNER[[bookingItem.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitorRel.holderPerson:ADMIN[[bookingItem.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitorRel.holderPerson:REFERRER[[bookingItem.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.refundBankAccount["`**bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.refundBankAccount:roles[ ]
+        style bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.refundBankAccount:OWNER[[bookingItem.debitor.refundBankAccount:OWNER]]
+        role:bookingItem.debitor.refundBankAccount:ADMIN[[bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:bookingItem.debitor.refundBankAccount:REFERRER[[bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.partnerRel["`**parentServer.bookingItem.debitor.partnerRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.partnerRel:roles[ ]
+        style parentServer.bookingItem.debitor.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.partnerRel:OWNER[[parentServer.bookingItem.debitor.partnerRel:OWNER]]
+        role:parentServer.bookingItem.debitor.partnerRel:ADMIN[[parentServer.bookingItem.debitor.partnerRel:ADMIN]]
+        role:parentServer.bookingItem.debitor.partnerRel:AGENT[[parentServer.bookingItem.debitor.partnerRel:AGENT]]
+        role:parentServer.bookingItem.debitor.partnerRel:TENANT[[parentServer.bookingItem.debitor.partnerRel:TENANT]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel.contact["`**bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.contact:roles[ ]
+        style bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.contact:OWNER[[bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:bookingItem.debitor.debitorRel.contact:ADMIN[[bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitor.debitorRel.contact:REFERRER[[bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor["`**parentServer.bookingItem.debitor**`"]
+    direction TB
+    style parentServer.bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson["`**parentServer.bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.contact["`**bookingItem.debitor.partnerRel.contact**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.contact:roles[ ]
+        style bookingItem.debitor.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.contact:OWNER[[bookingItem.debitor.partnerRel.contact:OWNER]]
+        role:bookingItem.debitor.partnerRel.contact:ADMIN[[bookingItem.debitor.partnerRel.contact:ADMIN]]
+        role:bookingItem.debitor.partnerRel.contact:REFERRER[[bookingItem.debitor.partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitorRel["`**parentServer.bookingItem.debitorRel**`"]
+    direction TB
+    style parentServer.bookingItem.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitorRel:roles[ ]
+        style parentServer.bookingItem.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitorRel:OWNER[[parentServer.bookingItem.debitorRel:OWNER]]
+        role:parentServer.bookingItem.debitorRel:ADMIN[[parentServer.bookingItem.debitorRel:ADMIN]]
+        role:parentServer.bookingItem.debitorRel:AGENT[[parentServer.bookingItem.debitorRel:AGENT]]
+        role:parentServer.bookingItem.debitorRel:TENANT[[parentServer.bookingItem.debitorRel:TENANT]]
+    end
+end
+
+subgraph bookingItem["`**bookingItem**`"]
+    direction TB
+    style bookingItem fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem:roles[ ]
+        style bookingItem:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem:OWNER[[bookingItem:OWNER]]
+        role:bookingItem:ADMIN[[bookingItem:ADMIN]]
+        role:bookingItem:AGENT[[bookingItem:AGENT]]
+        role:bookingItem:TENANT[[bookingItem:TENANT]]
+    end
+end
+
+subgraph parentServer.parentServer["`**parentServer.parentServer**`"]
+    direction TB
+    style parentServer.parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.contact["`**parentServer.bookingItem.debitor.debitorRel.contact**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.contact:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.contact:OWNER[[parentServer.bookingItem.debitor.debitorRel.contact:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:ADMIN[[parentServer.bookingItem.debitor.debitorRel.contact:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.contact:REFERRER[[parentServer.bookingItem.debitor.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.partnerRel.holderPerson["`**bookingItem.debitor.partnerRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.partnerRel.holderPerson:roles[ ]
+        style bookingItem.debitor.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.partnerRel.holderPerson:OWNER[[bookingItem.debitor.partnerRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.partnerRel.holderPerson:ADMIN[[bookingItem.debitor.partnerRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.partnerRel.holderPerson:REFERRER[[bookingItem.debitor.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitorRel.contact["`**bookingItem.debitorRel.contact**`"]
+    direction TB
+    style bookingItem.debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitorRel.contact:roles[ ]
+        style bookingItem.debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitorRel.contact:OWNER[[bookingItem.debitorRel.contact:OWNER]]
+        role:bookingItem.debitorRel.contact:ADMIN[[bookingItem.debitorRel.contact:ADMIN]]
+        role:bookingItem.debitorRel.contact:REFERRER[[bookingItem.debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.refundBankAccount["`**parentServer.bookingItem.debitor.refundBankAccount**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.refundBankAccount:roles[ ]
+        style parentServer.bookingItem.debitor.refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.refundBankAccount:OWNER[[parentServer.bookingItem.debitor.refundBankAccount:OWNER]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:ADMIN[[parentServer.bookingItem.debitor.refundBankAccount:ADMIN]]
+        role:parentServer.bookingItem.debitor.refundBankAccount:REFERRER[[parentServer.bookingItem.debitor.refundBankAccount:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor["`**bookingItem.debitor**`"]
+    direction TB
+    style bookingItem.debitor fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+end
+
+subgraph bookingItem.debitor.debitorRel.holderPerson["`**bookingItem.debitor.debitorRel.holderPerson**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel.holderPerson:roles[ ]
+        style bookingItem.debitor.debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel.holderPerson:OWNER[[bookingItem.debitor.debitorRel.holderPerson:OWNER]]
+        role:bookingItem.debitor.debitorRel.holderPerson:ADMIN[[bookingItem.debitor.debitorRel.holderPerson:ADMIN]]
+        role:bookingItem.debitor.debitorRel.holderPerson:REFERRER[[bookingItem.debitor.debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph bookingItem.debitor.debitorRel["`**bookingItem.debitor.debitorRel**`"]
+    direction TB
+    style bookingItem.debitor.debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bookingItem.debitor.debitorRel:roles[ ]
+        style bookingItem.debitor.debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:bookingItem.debitor.debitorRel:OWNER[[bookingItem.debitor.debitorRel:OWNER]]
+        role:bookingItem.debitor.debitorRel:ADMIN[[bookingItem.debitor.debitorRel:ADMIN]]
+        role:bookingItem.debitor.debitorRel:AGENT[[bookingItem.debitor.debitorRel:AGENT]]
+        role:bookingItem.debitor.debitorRel:TENANT[[bookingItem.debitor.debitorRel:TENANT]]
+    end
+end
+
+subgraph asset["`**asset**`"]
+    direction TB
+    style asset fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph asset:roles[ ]
+        style asset:roles fill:#dd4901,stroke:white
+
+        role:asset:OWNER[[asset:OWNER]]
+        role:asset:ADMIN[[asset:ADMIN]]
+        role:asset:TENANT[[asset:TENANT]]
+    end
+
+    subgraph asset:permissions[ ]
+        style asset:permissions fill:#dd4901,stroke:white
+
+        perm:asset:INSERT{{asset:INSERT}}
+        perm:asset:DELETE{{asset:DELETE}}
+        perm:asset:UPDATE{{asset:UPDATE}}
+        perm:asset:SELECT{{asset:SELECT}}
+    end
+end
+
+subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson["`**parentServer.bookingItem.debitor.debitorRel.anchorPerson**`"]
+    direction TB
+    style parentServer.bookingItem.debitor.debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles[ ]
+        style parentServer.bookingItem.debitor.debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:OWNER]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:ADMIN]]
+        role:parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER[[parentServer.bookingItem.debitor.debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitor.debitorRel:OWNER
+role:bookingItem.debitor.debitorRel:OWNER -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.debitorRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.debitorRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:OWNER
+role:bookingItem.debitor.refundBankAccount:OWNER -.-> role:bookingItem.debitor.refundBankAccount:ADMIN
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:bookingItem.debitor.refundBankAccount:ADMIN -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.refundBankAccount:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitor.partnerRel:OWNER
+role:bookingItem.debitor.partnerRel:OWNER -.-> role:bookingItem.debitor.partnerRel:ADMIN
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.partnerRel:AGENT
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:bookingItem.debitor.partnerRel:ADMIN -.-> role:bookingItem.debitor.debitorRel:ADMIN
+role:bookingItem.debitor.partnerRel:AGENT -.-> role:bookingItem.debitor.debitorRel:AGENT
+role:bookingItem.debitor.debitorRel:AGENT -.-> role:bookingItem.debitor.partnerRel:TENANT
+role:global:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:OWNER
+role:bookingItem.debitorRel.anchorPerson:OWNER -.-> role:bookingItem.debitorRel.anchorPerson:ADMIN
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:OWNER
+role:bookingItem.debitorRel.holderPerson:OWNER -.-> role:bookingItem.debitorRel.holderPerson:ADMIN
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel.contact:OWNER
+role:bookingItem.debitorRel.contact:OWNER -.-> role:bookingItem.debitorRel.contact:ADMIN
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel.contact:ADMIN -.-> role:bookingItem.debitorRel:TENANT
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.anchorPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.holderPerson:REFERRER
+role:bookingItem.debitorRel:TENANT -.-> role:bookingItem.debitorRel.contact:REFERRER
+role:bookingItem.debitorRel.anchorPerson:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel.holderPerson:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
+role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
+role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
+role:bookingItem:AGENT -.-> role:bookingItem:TENANT
+role:bookingItem:TENANT -.-> role:bookingItem.debitorRel:TENANT
+role:global:ADMIN -.-> role:parentServer.bookingItem.debitorRel:OWNER
+role:parentServer.bookingItem.debitorRel:OWNER -.-> role:parentServer.bookingItem.debitorRel:ADMIN
+role:parentServer.bookingItem.debitorRel:ADMIN -.-> role:parentServer.bookingItem.debitorRel:AGENT
+role:parentServer.bookingItem.debitorRel:AGENT -.-> role:parentServer.bookingItem.debitorRel:TENANT
+role:parentServer.bookingItem.debitorRel:AGENT -.-> role:parentServer.bookingItem:OWNER
+role:parentServer.bookingItem:OWNER -.-> role:parentServer.bookingItem:ADMIN
+role:parentServer.bookingItem.debitorRel:AGENT -.-> role:parentServer.bookingItem:ADMIN
+role:parentServer.bookingItem:ADMIN -.-> role:parentServer.bookingItem:AGENT
+role:parentServer.bookingItem:AGENT -.-> role:parentServer.bookingItem:TENANT
+role:parentServer.bookingItem:TENANT -.-> role:parentServer.bookingItem.debitorRel:TENANT
+role:bookingItem:ADMIN ==> role:asset:OWNER
+role:asset:OWNER ==> role:asset:ADMIN
+role:asset:ADMIN ==> role:asset:TENANT
+role:asset:TENANT ==> role:bookingItem:TENANT
+
+%% granting permissions to roles
+role:bookingItem:AGENT ==> perm:asset:INSERT
+role:asset:OWNER ==> perm:asset:DELETE
+role:asset:ADMIN ==> perm:asset:UPDATE
+role:asset:TENANT ==> perm:asset:SELECT
+
+```
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
@ -0,0 +1,180 @@
+--liquibase formatted sql
+-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
+
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-OBJECT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRelatedRbacObject('hs_hosting_asset');
+--//
+
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset');
+--//
+
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-insert-trigger:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
+ */
+
+create or replace procedure buildRbacSystemForHsHostingAsset(
+    NEW hs_hosting_asset
+)
+    language plpgsql as $$
+
+declare
+    newParentServer hs_hosting_asset;
+    newBookingItem hs_booking_item;
+
+begin
+    call enterTriggerForObjectUuid(NEW.uuid);
+
+    SELECT * FROM hs_hosting_asset WHERE uuid = NEW.parentAssetUuid    INTO newParentServer;
+
+    SELECT * FROM hs_booking_item WHERE uuid = NEW.bookingItemUuid    INTO newBookingItem;
+    assert newBookingItem.uuid is not null, format('newBookingItem must not be null for NEW.bookingItemUuid = %s', NEW.bookingItemUuid);
+
+
+    perform createRoleWithGrants(
+        hsHostingAssetOWNER(NEW),
+            permissions => array['DELETE'],
+            incomingSuperRoles => array[hsBookingItemADMIN(newBookingItem)]
+    );
+
+    perform createRoleWithGrants(
+        hsHostingAssetADMIN(NEW),
+            permissions => array['UPDATE'],
+            incomingSuperRoles => array[hsHostingAssetOWNER(NEW)]
+    );
+
+    perform createRoleWithGrants(
+        hsHostingAssetTENANT(NEW),
+            permissions => array['SELECT'],
+            incomingSuperRoles => array[hsHostingAssetADMIN(NEW)],
+            outgoingSubRoles => array[hsBookingItemTENANT(newBookingItem)]
+    );
+
+    IF NEW.type = 'CLOUD_SERVER' THEN
+    ELSIF NEW.type = 'MANAGED_SERVER' THEN
+    ELSIF NEW.type = 'MANAGED_WEBSPACE' THEN
+    END IF;
+
+    call leaveTriggerForObjectUuid(NEW.uuid);
+end; $$;
+
+/*
+    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_hosting_asset row.
+ */
+
+create or replace function insertTriggerForHsHostingAsset_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call buildRbacSystemForHsHostingAsset(NEW);
+    return NEW;
+end; $$;
+
+create trigger insertTriggerForHsHostingAsset_tg
+    after insert on hs_hosting_asset
+    for each row
+execute procedure insertTriggerForHsHostingAsset_tf();
+--//
+
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-INSERT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates INSERT INTO hs_hosting_asset permissions for the related hs_booking_item rows.
+ */
+do language plpgsql $$
+    declare
+        row hs_booking_item;
+    begin
+        call defineContext('create INSERT INTO hs_hosting_asset permissions for the related hs_booking_item rows');
+
+        FOR row IN SELECT * FROM hs_booking_item
+            LOOP
+                call grantPermissionToRole(
+                    createPermission(row.uuid, 'INSERT', 'hs_hosting_asset'),
+                    hsBookingItemAGENT(row));
+            END LOOP;
+    END;
+$$;
+
+/**
+    Adds hs_hosting_asset INSERT permission to specified role of new hs_booking_item rows.
+*/
+create or replace function hs_hosting_asset_hs_booking_item_insert_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call grantPermissionToRole(
+            createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
+            hsBookingItemAGENT(NEW));
+    return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_hs_hosting_asset_hs_booking_item_insert_tg
+    after insert on hs_booking_item
+    for each row
+execute procedure hs_hosting_asset_hs_booking_item_insert_tf();
+
+/**
+    Checks if the user or assumed roles are allowed to insert a row to hs_hosting_asset,
+    where the check is performed by a direct role.
+
+    A direct role is a role depending on a foreign key directly available in the NEW row.
+*/
+create or replace function hs_hosting_asset_insert_permission_missing_tf()
+    returns trigger
+    language plpgsql as $$
+begin
+    raise exception '[403] insert into hs_hosting_asset not allowed for current subjects % (%)',
+        currentSubjects(), currentSubjectsUuids();
+end; $$;
+
+create trigger hs_hosting_asset_insert_permission_check_tg
+    before insert on hs_hosting_asset
+    for each row
+    when ( not hasInsertPermission(NEW.bookingItemUuid, 'INSERT', 'hs_hosting_asset') )
+        execute procedure hs_hosting_asset_insert_permission_missing_tf();
+--//
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+    call generateRbacIdentityViewFromQuery('hs_hosting_asset',
+        $idName$
+            SELECT asset.uuid as uuid, bookingItemIV.idName || '-' || cleanIdentifier(asset.caption) as idName
+            FROM hs_hosting_asset asset
+            JOIN hs_booking_item_iv bookingItemIV ON bookingItemIV.uuid = asset.bookingItemUuid
+        $idName$);
+--//
+
+-- ============================================================================
+--changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRestrictedView('hs_hosting_asset',
+    $orderBy$
+        caption
+    $orderBy$,
+    $updates$
+        version = new.version,
+        caption = new.caption,
+        config = new.config
+    $updates$);
+--//
+
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-server/7018-hs-hosting-server-test-data.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-server/7018-hs-hosting-server-test-data.sql
@ -2,13 +2,13 @@


 -- ============================================================================
--changeset hs-hosting-server-TEST-DATA-GENERATOR:1 endDelimiter:--//
+--changeset hs-hosting-asset-TEST-DATA-GENERATOR:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

 /*
-    Creates a single hs_hosting_server test record.
+    Creates a single hs_hosting_asset test record.
 */
-create or replace procedure createHsHostingServerTestData(
+create or replace procedure createHsHostingAssetTestData(
    givenPartnerNumber numeric,
    givenDebitorSuffix char(2)
    )
@ -18,7 +18,7 @@ declare
    relatedDebitor      hs_office_debitor;
    relatedBookingItem  hs_booking_item;
 begin
-    currentTask := 'creating hosting-server test-data ' || givenPartnerNumber::text || givenDebitorSuffix;
+    currentTask := 'creating hosting-asset test-data ' || givenPartnerNumber::text || givenDebitorSuffix;
    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
    execute format('set local hsadminng.currentTask to %L', currentTask);

@ -33,25 +33,25 @@ begin
        where item.debitoruuid = relatedDebitor.uuid
            and item.caption = 'some PrivateCloud';

-    raise notice 'creating test hosting-server: %', givenPartnerNumber::text || givenDebitorSuffix::text;
+    raise notice 'creating test hosting-asset: %', givenPartnerNumber::text || givenDebitorSuffix::text;
    raise notice '- using debitor (%): %', relatedDebitor.uuid, relatedDebitor;
    insert
-        into hs_hosting_server (uuid, bookingitemuuid, caption, config)
-        values (uuid_generate_v4(), relatedBookingItem.uuid, 'some ManagedServer', '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
-               (uuid_generate_v4(), relatedBookingItem.uuid, 'another CloudServer', '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
+        into hs_hosting_asset (uuid, bookingitemuuid, caption, config)
+        values (uuid_generate_v4(), relatedBookingItem.uuid, 'some ManagedAsset', '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
+               (uuid_generate_v4(), relatedBookingItem.uuid, 'another CloudAsset', '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
               (uuid_generate_v4(), relatedBookingItem.uuid, 'some Whatever', '{ "CPU": 1, "SDD": 512, "HDD": 2048, "extra": 42 }'::jsonb);
 end; $$;
 --//


 -- ============================================================================
--changeset hs-hosting-server-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
+--changeset hs-hosting-asset-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------

 do language plpgsql $$
    begin
-        call createHsHostingServerTestData(10001, '11');
-        call createHsHostingServerTestData(10002, '12');
-        call createHsHostingServerTestData(10003, '13');
+        call createHsHostingAssetTestData(10001, '11');
+        call createHsHostingAssetTestData(10002, '12');
+        call createHsHostingAssetTestData(10003, '13');
    end;
 $$;
--- a/src/main/resources/db/changelog/db.changelog-master.yaml
+++ b/src/main/resources/db/changelog/db.changelog-master.yaml
@ -134,8 +134,8 @@ databaseChangeLog:
    - include:
        file: db/changelog/6-hs-booking/601-booking-item/6018-hs-booking-item-test-data.sql
    - include:
-        file: db/changelog/7-hs-hosting/701-hosting-server/7010-hs-hosting-server.sql
+        file: db/changelog/7-hs-hosting/701-hosting-asset/7010-hs-hosting-asset.sql
    - include:
-        file: db/changelog/7-hs-hosting/701-hosting-server/7013-hs-hosting-server-rbac.sql
+        file: db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-server-rbac.sql
    - include:
-        file: db/changelog/7-hs-hosting/701-hosting-server/7018-hs-hosting-server-test-data.sql
+        file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql
--- a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java
@ -120,7 +120,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup

                            // insert+delete
                            "{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }",
-                            "{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:INSERT>hs_hosting_server to role:hs_booking_item#D-1000111-somenewbookingitem:AGENT by system and assume }",
+                            "{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:INSERT>hs_hosting_asset to role:hs_booking_item#D-1000111-somenewbookingitem:AGENT by system and assume }",

                            // owner
                            //"{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:UPDATE to role:hs_booking_item#D-1000111-somenewbookingitem:OWNER by system and assume }",
--- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetEntityUnitTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetEntityUnitTest.java
@ -24,7 +24,7 @@ class HsHostingAssetEntityUnitTest {
        final var result = givenServer.toString();

        assertThat(result).isEqualTo(
-                "HsHostingServerEntity(D-1000100:test booking item, some caption, { CPUs: 2, HDD-storage: 2048, SSD-storage: 512 })");
+                "HsHostingAssetEntity(D-1000100:test booking item, some caption, { CPUs: 2, HDD-storage: 2048, SSD-storage: 512 })");
    }

    @Test
--- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/server/HsHostingAssetRepositoryIntegrationTest.java
@ -109,27 +109,27 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
            final var all = rawRoleRepo.findAll();
            assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                    initialRoleNames,
-                    "hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:ADMIN",
-                    "hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:OWNER",
-                    "hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:TENANT"));
+                    "hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:ADMIN",
+                    "hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:OWNER",
+                    "hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:TENANT"));
            assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(fromFormatted(
                            initialGrantNames,
                            // global-admin
-                            "{ grant perm:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:DELETE to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:OWNER by system and assume }",
+                            "{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:DELETE to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:OWNER by system and assume }",

                            // owner
-                            "{ grant perm:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:UPDATE to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:ADMIN by system and assume }",
+                            "{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:UPDATE to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:ADMIN by system and assume }",

                            // admin
-                            "{ grant role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:ADMIN to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:OWNER by system and assume }",
-                            "{ grant role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:OWNER to role:hs_booking_item#D-1000111-someCloudServer:ADMIN by system and assume }",
+                            "{ grant role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:ADMIN to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:OWNER by system and assume }",
+                            "{ grant role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:OWNER to role:hs_booking_item#D-1000111-someCloudServer:ADMIN by system and assume }",

                            // tenant
-                            "{ grant role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:TENANT to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:ADMIN by system and assume }",
-                            "{ grant perm:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:SELECT to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:TENANT by system and assume }",
-                            "{ grant role:hs_booking_item#D-1000111-someCloudServer:TENANT to role:hs_hosting_server#D-1000111-someCloudServer-somenewbookingserver:TENANT by system and assume }",
+                            "{ grant role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:TENANT to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:ADMIN by system and assume }",
+                            "{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:SELECT to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:TENANT by system and assume }",
+                            "{ grant role:hs_booking_item#D-1000111-someCloudServer:TENANT to role:hs_hosting_asset#D-1000111-someCloudServer-somenewbookingserver:TENANT by system and assume }",

                            null));
        }
@ -265,7 +265,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu

            // when
            final var result = jpaAttempt.transacted(() -> {
-                context("person-FirbySusan@example.com", "hs_hosting_server#D-1000111-someCloudServer-sometempbookingserver:ADMIN");
+                context("person-FirbySusan@example.com", "hs_hosting_asset#D-1000111-someCloudServer-sometempbookingserver:ADMIN");
                assertThat(serverRepo.findByUuid(givenServer.getUuid())).isPresent();

                serverRepo.deleteByUuid(givenServer.getUuid());
@ -274,7 +274,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
            // then
            result.assertExceptionWithRootCauseMessage(
                    JpaSystemException.class,
-                    "[403] Subject ", " is not allowed to delete hs_hosting_server");
+                    "[403] Subject ", " is not allowed to delete hs_hosting_asset");
            assertThat(jpaAttempt.transacted(() -> {
                context("superuser-alex@hostsharing.net");
                return serverRepo.findByUuid(givenServer.getUuid());
@ -309,7 +309,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
        final var query = em.createNativeQuery("""
                select currentTask, targetTable, targetOp
                    from tx_journal_v
-                    where targettable = 'hs_hosting_server';
+                    where targettable = 'hs_hosting_asset';
                    """);

        // when
@ -317,9 +317,9 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu

        // then
        assertThat(customerLogEntries).map(Arrays::toString).contains(
-                "[creating hosting-server test-data 1000111, hs_hosting_server, INSERT]",
-                "[creating hosting-server test-data 1000212, hs_hosting_server, INSERT]",
-                "[creating hosting-server test-data 1000313, hs_hosting_server, INSERT]");
+                "[creating hosting-server test-data 1000111, hs_hosting_asset, INSERT]",
+                "[creating hosting-server test-data 1000212, hs_hosting_asset, INSERT]",
+                "[creating hosting-server test-data 1000313, hs_hosting_asset, INSERT]");
    }

    private HsHostingAssetEntity givenSomeTemporaryServer(final String debitorName) {
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java
@ -620,7 +620,7 @@ public class ImportOfficeData extends ContextBasedTest {
    private void deleteTestDataFromHsOfficeTables() {
        jpaAttempt.transacted(() -> {
            context(rbacSuperuser);
-            em.createNativeQuery("delete from hs_hosting_server where true").executeUpdate();
+            em.createNativeQuery("delete from hs_hosting_asset where true").executeUpdate();
            em.createNativeQuery("delete from hs_booking_item where true").executeUpdate();
            em.createNativeQuery("delete from hs_office_coopassetstransaction where true").executeUpdate();
            em.createNativeQuery("delete from hs_office_coopassetstransaction_legacy_id where true").executeUpdate();