doc/rbac-schema-f.md

@@ -24,11 +24,6 @@ Objektorientiert gedacht, enthalten solche Objekte die Zusatzdaten einer Subklas
       - Delete (\*) <-- Owner des Hauptobjektes
       - Edit <-- **Agent** des Hauptobjektes
       - View <-- Agent des Hauptobjektes
-- Für die Rollenzuordnung zwischen referenzierten Objekten gilt:
-  - Für Objekte vom Typ Root werden die Rollen des zugehörigen Aggregator-Objektes verwendet. 
-  - Gibt es Referenzen auf hierarchisch verbundene Objekte (z.B. Debitor.refundBankAccount) gilt folgende Faustregel:
-        ***Nach oben absteigen, nach unten halten oder aufsteigen.*** An einem fachlich übergeordneten Objekt wird also eine niedrigere Rolle (z.B. Debitor-admin -> Partner.agent), einem fachlich untergeordneten Objekt eine gleichwertige Rolle (z.B. Partner.admin -> Debitor.admin) zugewiesen oder sogar aufgestiegen (Debitor.admin -> Package.tenant).
-  - Für Referenzen zwischen Objekten, die nicht hierarchisch zueinander stehen (z.B. Debitor und Bankverbindung), wird auf beiden seiten abgestiegen (also Debitor.admin -> BankAccount.referrer und BankAccount.admin -> Debitor.tenant).
 
 Anmerkung: Der Typ-Begriff *Root* bezieht sich auf die Rolle im fachlichen Datenmodell. Im Bezug auf den Teilgraphen eines fachlichen Kontexts ist dies auch eine Wurzel im Sinne der Graphentheorie. Aber in anderen fachlichen Kontexten können auch diese Objekte von anderen Teilgraphen referenziert werden und werden dann zum inneren Knoten.
 

src/main/resources/db/changelog/233-hs-office-partner-rbac.md

@@ -3,70 +3,76 @@
 ```mermaid
 flowchart TB
 
-subgraph external[ ]
+subgraph global
-    style external fill:#fff
+    style global fill:#eee
     
-    subgraph global
+    role:global.admin[global.admin]    
-        style global fill:#eee
-        
-        role:global.admin[global.admin]    
-    end
-
-    subgraph partnerPerson
-        style partnerPerson fill:#eee
-        
-        role:partnerPerson.admin[global.admin]
-    end
-
-    subgraph otherRelatedPerson
-        style otherRelatedPerson fill:#eee
-        
-        role:otherRelatedPerson.admin[global.admin]
-    end
-
-    subgraph hsOfficeRelationship[hsOfficeRelationship:PARTNER]
-        direction TB
-        style hsOfficeRelationship fill:#eee
-
-        role:global.admin
-        --> role:hsOfficeRelationship.owner[relationship.owner]    
-        --> role:hsOfficeRelationship.admin[relationship.admin]    
-        --> role:hsOfficeRelationship.agent[relationship.agent]    
-        --> role:hsOfficeRelationship.tenant[relationship.tenant]
-        
-        role:partnerPerson.admin --> role:hsOfficeRelationship.agent
-        role:otherRelatedPerson.admin --> role:hsOfficeRelationship.tenant
-    end
 end
 
-subgraph internal[ ]
+subgraph hsOfficeContact
+    direction TB
+    style hsOfficeContact fill:#eee
     
-    subgraph hsOfficePartner
+    role:hsOfficeContact.admin[contact.admin]    
-        style hsOfficePartner fill:#fff
+    --> role:hsOfficeContact.tenant[contact.tenant]    
+    --> role:hsOfficeContact.guest[contact.guest]    
+end
 
-        perm:hsOfficePartner.*{{partner.*}}
+subgraph hsOfficePerson
-        role:hsOfficeRelationship.owner ==> perm:hsOfficePartner.*
+    direction TB
+    style hsOfficePerson fill:#eee
     
-        perm:hsOfficePartner.edit{{partner.edit}}
+    role:hsOfficePerson.admin[person.admin]    
-        role:hsOfficeRelationship.admin ==> perm:hsOfficePartner.edit
+    --> role:hsOfficePerson.tenant[person.tenant]    
+    --> role:hsOfficePerson.guest[person.guest]    
+end
 
-        perm:hsOfficePartner.view{{partner.view}}
+subgraph hsOfficePartnerDetails
-        role:hsOfficeRelationship.tenant ==> perm:hsOfficePartner.view
+    direction TB
-    end
     
-    subgraph hsOfficePartnerDetails
+    perm:hsOfficePartnerDetails.*{{partner.*}}
-        direction TB
+    perm:hsOfficePartnerDetails.edit{{partner.edit}}
-        style hsOfficePartnerDetails fill:#eee
+    perm:hsOfficePartnerDetails.view{{partner.view}}
+end
 
-        perm:hsOfficePartnerDetails.*{{partnerDetails.*}}
+subgraph hsOfficePartner
-        role:hsOfficeRelationship.owner ==> perm:hsOfficePartnerDetails.*
                     
-        perm:hsOfficePartnerDetails.edit{{partnerDetails.edit}}
+   role:hsOfficePartner.owner[partner.owner]
-        role:hsOfficeRelationship.agent ==> perm:hsOfficePartnerDetails.edit
+   %% permissions
-        role:hsOfficeRelationship.agent ==> perm:hsOfficePartnerDetails.view
+       role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
+       role:hsOfficePartner.owner --> perm:hsOfficePartnerDetails.*{{partner.*}}
+   %% incoming
+       role:global.admin ---> role:hsOfficePartner.owner
   
-        perm:hsOfficePartnerDetails.view{{partnerDetails.view}}
+   role:hsOfficePartner.admin[partner.admin]
-    end
+   %% permissions
+       role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
+       role:hsOfficePartner.admin --> perm:hsOfficePartnerDetails.edit{{partner.edit}}
+   %% incoming
+       role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
+   %% outgoing
+       role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
+       role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
   
+   role:hsOfficePartner.agent[partner.agent]
+   %% permissions
+       role:hsOfficePartner.agent --> perm:hsOfficePartnerDetails.view{{partner.view}}
+   %% incoming
+       role:hsOfficePartner.admin ---> role:hsOfficePartner.agent
+       role:hsOfficePerson.admin --> role:hsOfficePartner.agent
+       role:hsOfficeContact.admin --> role:hsOfficePartner.agent
+  
+   role:hsOfficePartner.tenant[partner.tenant]
+   %% incoming
+       role:hsOfficePartner.agent --> role:hsOfficePartner.tenant
+   %% outgoing   
+       role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
+       role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
+
+   role:hsOfficePartner.guest[partner.guest]
+   %% permissions
+       role:hsOfficePartner.guest -->  perm:hsOfficePartner.view{{partner.view}}
+   %% incoming
+       role:hsOfficePartner.tenant --> role:hsOfficePartner.guest
 end
 ```

src/main/resources/db/changelog/273-hs-office-debitor-rbac.md

@@ -3,78 +3,248 @@
 ```mermaid
 flowchart TB
 
-subgraph bank[ ]
+subgraph global
-    style bank fill:#fff
+    style global fill:#eee
     
-    subgraph refundBankAccount
+    role:global.admin[global.admin]    
-        direction TB
-        style refundBankAccount fill:#eee
-        
-        role:refundBankAccount.owner[bankAccount.owner]
-        --> role:refundBankAccount.admin[bankAccount.admin]
-        --> role:refundBankAccount.referrer[bankAccount.referrer]
-    end
 end
 
-subgraph partner[ ]
+subgraph office
-    style partner fill:#fff
+    style office fill:#eee
     
-    subgraph partnerRelationship[hsOfficeRelationship:PARTNER]
+    subgraph sepa
-        direction TB
-        style partnerRelationship fill:#eee
     
-        role:partnerRelationship.owner[relationship.owner]
+    subgraph bankaccount
-        --> role:partnerRelationship.admin[relationship.admin]
+        style bankaccount fill: #e9f7ef
-        --> role:partnerRelationship.agent[relationship.agent]
-        --> role:partnerRelationship.tenant[relationship.tenant]
         
-        partnerPerson[e.g. partnerPerson.admin]  --> role:partnerRelationship.agent
+        user:hsOfficeBankAccount.creator([bankaccount.creator])        
-        otherPerson[e.g. operationalPerson.admin] --> role:partnerRelationship.tenant
+    
+        role:hsOfficeBankAccount.owner[bankaccount.owner]
+        %% permissions
+            role:hsOfficeBankAccount.owner --> perm:hsOfficeBankAccount.*{{bankaccount.*}}
+        %% incoming
+            role:global.admin --> role:hsOfficeBankAccount.owner
+            user:hsOfficeBankAccount.creator ---> role:hsOfficeBankAccount.owner
+            
+        role:hsOfficeBankAccount.admin[bankaccount.admin]
+        %% permissions
+            role:hsOfficeBankAccount.admin --> perm:hsOfficeBankAccount.edit{{bankaccount.edit}}
+        %% incoming
+            role:hsOfficeBankAccount.owner ---> role:hsOfficeBankAccount.admin         
+        
+        role:hsOfficeBankAccount.tenant[bankaccount.tenant]
+        %% incoming
+            role:hsOfficeBankAccount.admin ---> role:hsOfficeBankAccount.tenant
+        
+        role:hsOfficeBankAccount.guest[bankaccount.guest]
+        %% permissions
+            role:hsOfficeBankAccount.guest --> perm:hsOfficeBankAccount.view{{bankaccount.view}}
+        %% incoming
+            role:hsOfficeBankAccount.tenant ---> role:hsOfficeBankAccount.guest
     end
-end
     
-subgraph internal[ ]
+    subgraph hsOfficeSepaMandate
-    direction TB
+    end
-    style internal fill:#fff
     
-    subgraph debitorRelationship[hsOfficeRelationship:DEBITOR]
+    end
-        direction TB
+   
-        style debitorRelationship fill:#eee
+    subgraph contact
+        style contact fill: #e9f7ef
+        
+        user:hsOfficeContact.creator([contact.creator])
+    
+        role:hsOfficeContact.owner[contact.owner]
+        %% permissions
+            role:hsOfficeContact.owner --> perm:hsOfficeContact.*{{contact.*}}
+        %% incoming
+            role:global.admin --> role:hsOfficeContact.owner
+            user:hsOfficeContact.creator ---> role:hsOfficeContact.owner
+            
+        role:hsOfficeContact.admin[contact.admin]
+        %% permissions
+            role:hsOfficeContact.admin ---> perm:hsOfficeContact.edit{{contact.edit}}
+        %% incoming
+            role:hsOfficeContact.owner ---> role:hsOfficeContact.admin         
+        
+        role:hsOfficeContact.tenant[contact.tenant]
+        %% incoming
+            role:hsOfficeContact.admin ----> role:hsOfficeContact.tenant
+        
+        role:hsOfficeContact.guest[contact.guest]
+        %% permissions
+            role:hsOfficeContact.guest --> perm:hsOfficeContact.view{{contact.view}}
+        %% incoming
+            role:hsOfficeContact.tenant ---> role:hsOfficeContact.guest
+    end
+    
+    subgraph partner-person
+   
+    subgraph person
+        style person fill: #e9f7ef
+        
+        user:hsOfficePerson.creator([personcreator])
+        
+        role:hsOfficePerson.owner[person.owner]
+        %% permissions
+            role:hsOfficePerson.owner --> perm:hsOfficePerson.*{{person.*}}
+        %% incoming
+            user:hsOfficePerson.creator ---> role:hsOfficePerson.owner
+            role:global.admin --> role:hsOfficePerson.owner
+        
+        role:hsOfficePerson.admin[person.admin]
+        %% permissions
+            role:hsOfficePerson.admin --> perm:hsOfficePerson.edit{{person.edit}}
+        %% incoming
+            role:hsOfficePerson.owner ---> role:hsOfficePerson.admin
+        
+        role:hsOfficePerson.tenant[person.tenant]
+        %% incoming
+            role:hsOfficePerson.admin -----> role:hsOfficePerson.tenant
+        
+        role:hsOfficePerson.guest[person.guest]
+        %% permissions
+            role:hsOfficePerson.guest --> perm:hsOfficePerson.edit{{person.view}}
+        %% incoming
+            role:hsOfficePerson.tenant ---> role:hsOfficePerson.guest
+    end
+    
+    subgraph partner
+    
+       role:hsOfficePartner.owner[partner.owner]
+       %% permissions
+           role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
+       %% incoming
+           role:global.admin ---> role:hsOfficePartner.owner
+      
+       role:hsOfficePartner.admin[partner.admin]
+       %% permissions
+           role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
+       %% incoming
+           role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
+       %% outgoing
+           role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
+           role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
+      
+       role:hsOfficePartner.agent[partner.agent]
+       %% incoming
+           role:hsOfficePartner.admin --> role:hsOfficePartner.agent
+           role:hsOfficePerson.admin --> role:hsOfficePartner.agent
+           role:hsOfficeContact.admin --> role:hsOfficePartner.agent
+      
+       role:hsOfficePartner.tenant[partner.tenant]
+       %% incoming
+           role:hsOfficePartner.agent ---> role:hsOfficePartner.tenant
+       %% outgoing   
+           role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
+           role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
+    
+       role:hsOfficePartner.guest[partner.guest]
+       %% permissions
+           role:hsOfficePartner.guest -->  perm:hsOfficePartner.view{{partner.view}}
+       %% incoming
+           role:hsOfficePartner.tenant ---> role:hsOfficePartner.guest
+    end
     
-        role:debitorRelationship.owner[relationship.owner]
-        --> role:debitorRelationship.admin[relationship.admin]
-        --> role:debitorRelationship.agent[relationship.agent]
-        --> role:debitorRelationship.tenant[relationship.tenant]
     end
     
     subgraph debitor
-        direction TB
+        style debitor stroke-width:6px
     
-        role:debitorRelationship.owner[debitorRelationship.owner]
+        user:hsOfficeDebitor.creator([debitor.creator])
+        %% created by role
+            user:hsOfficeDebitor.creator --> role:hsOfficePartner.agent
+    
+        role:hsOfficeDebitor.owner[debitor.owner]
         %% permissions
-            ==> perm:debitor.*{{debitor.*}}
+            role:hsOfficeDebitor.owner --> perm:hsOfficeDebitor.*{{debitor.*}}
+        %% incoming
+            user:hsOfficeDebitor.creator --> role:hsOfficeDebitor.owner
+            role:global.admin --> role:hsOfficeDebitor.owner
             
-        role:debitorRelationship.admin[debitorRelationship.admin]
+        role:hsOfficeDebitor.admin[debitor.admin]
         %% permissions
-            ==> perm:debitor.edit{{debitorRelationship.edit}}
+            role:hsOfficeDebitor.admin --> perm:hsOfficeDebitor.edit{{debitor.edit}}
         %% incoming
-            role:partnerRelationship.admin ==> role:debitorRelationship.admin
+            role:hsOfficeDebitor.owner ---> role:hsOfficeDebitor.admin         
-        %% outgoing
-            role:debitorRelationship.admin ==> role:partnerRelationship.agent
             
-        role:debitorRelationship.agent[debitorRelationship.agent]
+        role:hsOfficeDebitor.agent[debitor.agent]
         %% incoming
-            role:partnerRelationship.agent ==> role:debitorRelationship.agent
+            role:hsOfficeDebitor.admin ---> role:hsOfficeDebitor.agent         
-            role:refundBankAccount.admin ==> role:debitorRelationship.agent
+            role:hsOfficePartner.admin --> role:hsOfficeDebitor.agent
         %% outgoing
-            role:debitorRelationship.agent ==> role:partnerRelationship.tenant
+            role:hsOfficeDebitor.agent --> role:hsOfficeBankAccount.tenant
-            role:debitorRelationship.agent ==> role:refundBankAccount.referrer
     
-        role:debitorRelationship.tenant[debitorRelationship.tenant]
+        role:hsOfficeDebitor.tenant[debitor.tenant]
-        ==> perm:debitor.view{{debitor.view}}
+        %% incoming
+            role:hsOfficeDebitor.agent ---> role:hsOfficeDebitor.tenant
+            role:hsOfficePartner.agent --> role:hsOfficeDebitor.tenant
+            role:hsOfficeBankAccount.admin --> role:hsOfficeDebitor.tenant
+        %% outgoing
+            role:hsOfficeDebitor.tenant --> role:hsOfficePartner.tenant
+            role:hsOfficeDebitor.tenant --> role:hsOfficeContact.guest
         
+        role:hsOfficeDebitor.guest[debitor.guest]
+        %% permissions
+            role:hsOfficeDebitor.guest --> perm:hsOfficeDebitor.view{{debitor.view}}
+        %% incoming
+            role:hsOfficeDebitor.tenant --> role:hsOfficeDebitor.guest
     end
     
 end
+
+subgraph hsOfficeSepaMandate
+                    
+   role:hsOfficeSepaMandate.owner[sepaMandate.owner]
+   %% permissions
+       role:hsOfficeSepaMandate.owner --> perm:hsOfficeSepaMandate.*{{sepaMandate.*}}
+   %% incoming
+       role:global.admin ---> role:hsOfficeSepaMandate.owner
+  
+   role:hsOfficeSepaMandate.admin[sepaMandate.admin]
+   %% permissions
+       role:hsOfficeSepaMandate.admin --> perm:hsOfficeSepaMandate.edit{{sepaMandate.edit}}
+   %% incoming
+       role:hsOfficeSepaMandate.owner ---> role:hsOfficeSepaMandate.admin
+  
+   role:hsOfficeSepaMandate.agent[sepaMandate.agent]
+   %% incoming
+       role:hsOfficeSepaMandate.admin ---> role:hsOfficeSepaMandate.agent
+       role:hsOfficeDebitor.admin --> role:hsOfficeSepaMandate.agent
+       role:hsOfficeBankAccount.admin --> role:hsOfficeSepaMandate.agent
+   %% outgoing
+       role:hsOfficeSepaMandate.agent --> role:hsOfficeDebitor.tenant
+       role:hsOfficeSepaMandate.admin --> role:hsOfficeBankAccount.tenant
+  
+   role:hsOfficeSepaMandate.tenant[sepaMandate.tenant]
+   %% incoming
+       role:hsOfficeSepaMandate.agent --> role:hsOfficeSepaMandate.tenant
+   %% outgoing   
+       role:hsOfficeSepaMandate.tenant --> role:hsOfficeDebitor.guest
+       role:hsOfficeSepaMandate.tenant --> role:hsOfficeBankAccount.guest
+
+   role:hsOfficeSepaMandate.guest[sepaMandate.guest]
+   %% permissions
+       role:hsOfficeSepaMandate.guest -->  perm:hsOfficeSepaMandate.view{{sepaMandate.view}}
+   %% incoming
+       role:hsOfficeSepaMandate.tenant --> role:hsOfficeSepaMandate.guest
+end
+
+subgraph hosting
+    style hosting fill:#eee
+    
+    subgraph package
+        style package fill: #e9f7ef
+        
+        role:package.owner[package.owner]
+         --> role:package.admin[package.admin]
+         --> role:package.tenant[package.tenant]
+         
+        role:hsOfficeDebitor.agent --> role:package.owner        
+        role:package.admin --> role:hsOfficeDebitor.tenant
+        role:hsOfficePartner.tenant --> role:hsOfficeDebitor.guest
+    end
+end
+
+
 ```