Schema-F um Root-Objekt Beziehungen zu weiteren Objekten ergänzt

doc/rbac-schema-f.md

@@ -24,6 +24,11 @@ Objektorientiert gedacht, enthalten solche Objekte die Zusatzdaten einer Subklas
       - Delete (\*) <-- Owner des Hauptobjektes
       - Edit <-- **Agent** des Hauptobjektes
       - View <-- Agent des Hauptobjektes
+- Für die Rollenzuordnung zwischen referenzierten Objekten gilt:
+  - Für Objekte vom Typ Root werden die Rollen des zugehörigen Aggregator-Objektes verwendet. 
+  - Gibt es Referenzen auf hierarchisch verbundene Objekte (z.B. Debitor.refundBankAccount) gilt folgende Faustregel:
+        ***Nach oben absteigen, nach unten halten oder aufsteigen.*** An einem fachlich übergeordneten Objekt wird also eine niedrigere Rolle (z.B. Debitor-admin -> Partner.agent), einem fachlich untergeordneten Objekt eine gleichwertige Rolle (z.B. Partner.admin -> Debitor.admin) zugewiesen oder sogar aufgestiegen (Debitor.admin -> Package.tenant).
+  - Für Referenzen zwischen Objekten, die nicht hierarchisch zueinander stehen (z.B. Debitor und Bankverbindung), wird auf beiden seiten abgestiegen (also Debitor.admin -> BankAccount.referrer und BankAccount.admin -> Debitor.tenant).
 
 Anmerkung: Der Typ-Begriff *Root* bezieht sich auf die Rolle im fachlichen Datenmodell. Im Bezug auf den Teilgraphen eines fachlichen Kontexts ist dies auch eine Wurzel im Sinne der Graphentheorie. Aber in anderen fachlichen Kontexten können auch diese Objekte von anderen Teilgraphen referenziert werden und werden dann zum inneren Knoten.
 

src/main/resources/db/changelog/233-hs-office-partner-rbac.md

@@ -3,76 +3,70 @@
 ```mermaid
 flowchart TB
 
+subgraph external[ ]
+    style external fill:#fff
+    
     subgraph global
         style global fill:#eee
         
         role:global.admin[global.admin]    
     end
 
-subgraph hsOfficeContact
+    subgraph partnerPerson
-    direction TB
+        style partnerPerson fill:#eee
-    style hsOfficeContact fill:#eee
         
-    role:hsOfficeContact.admin[contact.admin]    
+        role:partnerPerson.admin[global.admin]
-    --> role:hsOfficeContact.tenant[contact.tenant]    
-    --> role:hsOfficeContact.guest[contact.guest]    
     end
 
-subgraph hsOfficePerson
+    subgraph otherRelatedPerson
-    direction TB
+        style otherRelatedPerson fill:#eee
-    style hsOfficePerson fill:#eee
         
-    role:hsOfficePerson.admin[person.admin]    
+        role:otherRelatedPerson.admin[global.admin]
-    --> role:hsOfficePerson.tenant[person.tenant]    
+    end
-    --> role:hsOfficePerson.guest[person.guest]    
+
+    subgraph hsOfficeRelationship[hsOfficeRelationship:PARTNER]
+        direction TB
+        style hsOfficeRelationship fill:#eee
+
+        role:global.admin
+        --> role:hsOfficeRelationship.owner[relationship.owner]    
+        --> role:hsOfficeRelationship.admin[relationship.admin]    
+        --> role:hsOfficeRelationship.agent[relationship.agent]    
+        --> role:hsOfficeRelationship.tenant[relationship.tenant]
+        
+        role:partnerPerson.admin --> role:hsOfficeRelationship.agent
+        role:otherRelatedPerson.admin --> role:hsOfficeRelationship.tenant
+    end
+end
+
+subgraph internal[ ]
+
+    subgraph hsOfficePartner
+        style hsOfficePartner fill:#fff
+        
+        perm:hsOfficePartner.*{{partner.*}}
+        role:hsOfficeRelationship.owner ==> perm:hsOfficePartner.*
+        
+        perm:hsOfficePartner.edit{{partner.edit}}
+        role:hsOfficeRelationship.admin ==> perm:hsOfficePartner.edit
+        
+        perm:hsOfficePartner.view{{partner.view}}
+        role:hsOfficeRelationship.tenant ==> perm:hsOfficePartner.view
     end
 
     subgraph hsOfficePartnerDetails
         direction TB
+        style hsOfficePartnerDetails fill:#eee
         
-    perm:hsOfficePartnerDetails.*{{partner.*}}
+        perm:hsOfficePartnerDetails.*{{partnerDetails.*}}
-    perm:hsOfficePartnerDetails.edit{{partner.edit}}
+        role:hsOfficeRelationship.owner ==> perm:hsOfficePartnerDetails.*
-    perm:hsOfficePartnerDetails.view{{partner.view}}
+
+        perm:hsOfficePartnerDetails.edit{{partnerDetails.edit}}
+        role:hsOfficeRelationship.agent ==> perm:hsOfficePartnerDetails.edit
+        role:hsOfficeRelationship.agent ==> perm:hsOfficePartnerDetails.view
+        
+        perm:hsOfficePartnerDetails.view{{partnerDetails.view}}
     end
 
-subgraph hsOfficePartner
-                    
-   role:hsOfficePartner.owner[partner.owner]
-   %% permissions
-       role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
-       role:hsOfficePartner.owner --> perm:hsOfficePartnerDetails.*{{partner.*}}
-   %% incoming
-       role:global.admin ---> role:hsOfficePartner.owner
-  
-   role:hsOfficePartner.admin[partner.admin]
-   %% permissions
-       role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
-       role:hsOfficePartner.admin --> perm:hsOfficePartnerDetails.edit{{partner.edit}}
-   %% incoming
-       role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
-   %% outgoing
-       role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
-       role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
-  
-   role:hsOfficePartner.agent[partner.agent]
-   %% permissions
-       role:hsOfficePartner.agent --> perm:hsOfficePartnerDetails.view{{partner.view}}
-   %% incoming
-       role:hsOfficePartner.admin ---> role:hsOfficePartner.agent
-       role:hsOfficePerson.admin --> role:hsOfficePartner.agent
-       role:hsOfficeContact.admin --> role:hsOfficePartner.agent
-  
-   role:hsOfficePartner.tenant[partner.tenant]
-   %% incoming
-       role:hsOfficePartner.agent --> role:hsOfficePartner.tenant
-   %% outgoing   
-       role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
-       role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
-
-   role:hsOfficePartner.guest[partner.guest]
-   %% permissions
-       role:hsOfficePartner.guest -->  perm:hsOfficePartner.view{{partner.view}}
-   %% incoming
-       role:hsOfficePartner.tenant --> role:hsOfficePartner.guest
 end
 ```

src/main/resources/db/changelog/273-hs-office-debitor-rbac.md

@@ -3,248 +3,78 @@
 ```mermaid
 flowchart TB
 
-subgraph global
+subgraph bank[ ]
-    style global fill:#eee
+    style bank fill:#fff
     
-    role:global.admin[global.admin]    
+    subgraph refundBankAccount
+        direction TB
+        style refundBankAccount fill:#eee
+        
+        role:refundBankAccount.owner[bankAccount.owner]
+        --> role:refundBankAccount.admin[bankAccount.admin]
+        --> role:refundBankAccount.referrer[bankAccount.referrer]
+    end
 end
 
-subgraph office
+subgraph partner[ ]
-    style office fill:#eee
+    style partner fill:#fff
 
-    subgraph sepa
+    subgraph partnerRelationship[hsOfficeRelationship:PARTNER]
+        direction TB
+        style partnerRelationship fill:#eee
         
-    subgraph bankaccount
+        role:partnerRelationship.owner[relationship.owner]
-        style bankaccount fill: #e9f7ef
+        --> role:partnerRelationship.admin[relationship.admin]
+        --> role:partnerRelationship.agent[relationship.agent]
+        --> role:partnerRelationship.tenant[relationship.tenant]
 
-        user:hsOfficeBankAccount.creator([bankaccount.creator])        
+        partnerPerson[e.g. partnerPerson.admin]  --> role:partnerRelationship.agent
-    
+        otherPerson[e.g. operationalPerson.admin] --> role:partnerRelationship.tenant
-        role:hsOfficeBankAccount.owner[bankaccount.owner]
+    end
-        %% permissions
-            role:hsOfficeBankAccount.owner --> perm:hsOfficeBankAccount.*{{bankaccount.*}}
-        %% incoming
-            role:global.admin --> role:hsOfficeBankAccount.owner
-            user:hsOfficeBankAccount.creator ---> role:hsOfficeBankAccount.owner
-            
-        role:hsOfficeBankAccount.admin[bankaccount.admin]
-        %% permissions
-            role:hsOfficeBankAccount.admin --> perm:hsOfficeBankAccount.edit{{bankaccount.edit}}
-        %% incoming
-            role:hsOfficeBankAccount.owner ---> role:hsOfficeBankAccount.admin         
-        
-        role:hsOfficeBankAccount.tenant[bankaccount.tenant]
-        %% incoming
-            role:hsOfficeBankAccount.admin ---> role:hsOfficeBankAccount.tenant
-        
-        role:hsOfficeBankAccount.guest[bankaccount.guest]
-        %% permissions
-            role:hsOfficeBankAccount.guest --> perm:hsOfficeBankAccount.view{{bankaccount.view}}
-        %% incoming
-            role:hsOfficeBankAccount.tenant ---> role:hsOfficeBankAccount.guest
 end
 
-    subgraph hsOfficeSepaMandate
+subgraph internal[ ]
-    end
+    direction TB
+    style internal fill:#fff
 
-    end
+    subgraph debitorRelationship[hsOfficeRelationship:DEBITOR]
-   
+        direction TB
-    subgraph contact
+        style debitorRelationship fill:#eee
-        style contact fill: #e9f7ef
-        
-        user:hsOfficeContact.creator([contact.creator])
-    
-        role:hsOfficeContact.owner[contact.owner]
-        %% permissions
-            role:hsOfficeContact.owner --> perm:hsOfficeContact.*{{contact.*}}
-        %% incoming
-            role:global.admin --> role:hsOfficeContact.owner
-            user:hsOfficeContact.creator ---> role:hsOfficeContact.owner
-            
-        role:hsOfficeContact.admin[contact.admin]
-        %% permissions
-            role:hsOfficeContact.admin ---> perm:hsOfficeContact.edit{{contact.edit}}
-        %% incoming
-            role:hsOfficeContact.owner ---> role:hsOfficeContact.admin         
-        
-        role:hsOfficeContact.tenant[contact.tenant]
-        %% incoming
-            role:hsOfficeContact.admin ----> role:hsOfficeContact.tenant
-        
-        role:hsOfficeContact.guest[contact.guest]
-        %% permissions
-            role:hsOfficeContact.guest --> perm:hsOfficeContact.view{{contact.view}}
-        %% incoming
-            role:hsOfficeContact.tenant ---> role:hsOfficeContact.guest
-    end
-    
-    subgraph partner-person
-   
-    subgraph person
-        style person fill: #e9f7ef
-        
-        user:hsOfficePerson.creator([personcreator])
-        
-        role:hsOfficePerson.owner[person.owner]
-        %% permissions
-            role:hsOfficePerson.owner --> perm:hsOfficePerson.*{{person.*}}
-        %% incoming
-            user:hsOfficePerson.creator ---> role:hsOfficePerson.owner
-            role:global.admin --> role:hsOfficePerson.owner
-        
-        role:hsOfficePerson.admin[person.admin]
-        %% permissions
-            role:hsOfficePerson.admin --> perm:hsOfficePerson.edit{{person.edit}}
-        %% incoming
-            role:hsOfficePerson.owner ---> role:hsOfficePerson.admin
-        
-        role:hsOfficePerson.tenant[person.tenant]
-        %% incoming
-            role:hsOfficePerson.admin -----> role:hsOfficePerson.tenant
-        
-        role:hsOfficePerson.guest[person.guest]
-        %% permissions
-            role:hsOfficePerson.guest --> perm:hsOfficePerson.edit{{person.view}}
-        %% incoming
-            role:hsOfficePerson.tenant ---> role:hsOfficePerson.guest
-    end
-    
-    subgraph partner
-    
-       role:hsOfficePartner.owner[partner.owner]
-       %% permissions
-           role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
-       %% incoming
-           role:global.admin ---> role:hsOfficePartner.owner
-      
-       role:hsOfficePartner.admin[partner.admin]
-       %% permissions
-           role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
-       %% incoming
-           role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
-       %% outgoing
-           role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
-           role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
-      
-       role:hsOfficePartner.agent[partner.agent]
-       %% incoming
-           role:hsOfficePartner.admin --> role:hsOfficePartner.agent
-           role:hsOfficePerson.admin --> role:hsOfficePartner.agent
-           role:hsOfficeContact.admin --> role:hsOfficePartner.agent
-      
-       role:hsOfficePartner.tenant[partner.tenant]
-       %% incoming
-           role:hsOfficePartner.agent ---> role:hsOfficePartner.tenant
-       %% outgoing   
-           role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
-           role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
-    
-       role:hsOfficePartner.guest[partner.guest]
-       %% permissions
-           role:hsOfficePartner.guest -->  perm:hsOfficePartner.view{{partner.view}}
-       %% incoming
-           role:hsOfficePartner.tenant ---> role:hsOfficePartner.guest
-    end
         
+        role:debitorRelationship.owner[relationship.owner]
+        --> role:debitorRelationship.admin[relationship.admin]
+        --> role:debitorRelationship.agent[relationship.agent]
+        --> role:debitorRelationship.tenant[relationship.tenant]
     end
 
     subgraph debitor
-        style debitor stroke-width:6px
+        direction TB
         
-        user:hsOfficeDebitor.creator([debitor.creator])
+        role:debitorRelationship.owner[debitorRelationship.owner]
-        %% created by role
-            user:hsOfficeDebitor.creator --> role:hsOfficePartner.agent
-    
-        role:hsOfficeDebitor.owner[debitor.owner]
         %% permissions
-            role:hsOfficeDebitor.owner --> perm:hsOfficeDebitor.*{{debitor.*}}
+            ==> perm:debitor.*{{debitor.*}}
-        %% incoming
-            user:hsOfficeDebitor.creator --> role:hsOfficeDebitor.owner
-            role:global.admin --> role:hsOfficeDebitor.owner
 
-        role:hsOfficeDebitor.admin[debitor.admin]
+        role:debitorRelationship.admin[debitorRelationship.admin]
         %% permissions
-            role:hsOfficeDebitor.admin --> perm:hsOfficeDebitor.edit{{debitor.edit}}
+            ==> perm:debitor.edit{{debitorRelationship.edit}}
         %% incoming        
-            role:hsOfficeDebitor.owner ---> role:hsOfficeDebitor.admin         
+            role:partnerRelationship.admin ==> role:debitorRelationship.admin
-            
-        role:hsOfficeDebitor.agent[debitor.agent]
-        %% incoming
-            role:hsOfficeDebitor.admin ---> role:hsOfficeDebitor.agent         
-            role:hsOfficePartner.admin --> role:hsOfficeDebitor.agent
         %% outgoing
-            role:hsOfficeDebitor.agent --> role:hsOfficeBankAccount.tenant
+            role:debitorRelationship.admin ==> role:partnerRelationship.agent
 
-        role:hsOfficeDebitor.tenant[debitor.tenant]
+        role:debitorRelationship.agent[debitorRelationship.agent]
         %% incoming
-            role:hsOfficeDebitor.agent ---> role:hsOfficeDebitor.tenant
+            role:partnerRelationship.agent ==> role:debitorRelationship.agent
-            role:hsOfficePartner.agent --> role:hsOfficeDebitor.tenant
+            role:refundBankAccount.admin ==> role:debitorRelationship.agent
-            role:hsOfficeBankAccount.admin --> role:hsOfficeDebitor.tenant
         %% outgoing
-            role:hsOfficeDebitor.tenant --> role:hsOfficePartner.tenant
+            role:debitorRelationship.agent ==> role:partnerRelationship.tenant
-            role:hsOfficeDebitor.tenant --> role:hsOfficeContact.guest
+            role:debitorRelationship.agent ==> role:refundBankAccount.referrer
         
-        role:hsOfficeDebitor.guest[debitor.guest]
+        role:debitorRelationship.tenant[debitorRelationship.tenant]
-        %% permissions
+        ==> perm:debitor.view{{debitor.view}}
-            role:hsOfficeDebitor.guest --> perm:hsOfficeDebitor.view{{debitor.view}}
-        %% incoming
-            role:hsOfficeDebitor.tenant --> role:hsOfficeDebitor.guest
-    end
         
     end
 
-subgraph hsOfficeSepaMandate
-                    
-   role:hsOfficeSepaMandate.owner[sepaMandate.owner]
-   %% permissions
-       role:hsOfficeSepaMandate.owner --> perm:hsOfficeSepaMandate.*{{sepaMandate.*}}
-   %% incoming
-       role:global.admin ---> role:hsOfficeSepaMandate.owner
-  
-   role:hsOfficeSepaMandate.admin[sepaMandate.admin]
-   %% permissions
-       role:hsOfficeSepaMandate.admin --> perm:hsOfficeSepaMandate.edit{{sepaMandate.edit}}
-   %% incoming
-       role:hsOfficeSepaMandate.owner ---> role:hsOfficeSepaMandate.admin
-  
-   role:hsOfficeSepaMandate.agent[sepaMandate.agent]
-   %% incoming
-       role:hsOfficeSepaMandate.admin ---> role:hsOfficeSepaMandate.agent
-       role:hsOfficeDebitor.admin --> role:hsOfficeSepaMandate.agent
-       role:hsOfficeBankAccount.admin --> role:hsOfficeSepaMandate.agent
-   %% outgoing
-       role:hsOfficeSepaMandate.agent --> role:hsOfficeDebitor.tenant
-       role:hsOfficeSepaMandate.admin --> role:hsOfficeBankAccount.tenant
-  
-   role:hsOfficeSepaMandate.tenant[sepaMandate.tenant]
-   %% incoming
-       role:hsOfficeSepaMandate.agent --> role:hsOfficeSepaMandate.tenant
-   %% outgoing   
-       role:hsOfficeSepaMandate.tenant --> role:hsOfficeDebitor.guest
-       role:hsOfficeSepaMandate.tenant --> role:hsOfficeBankAccount.guest
-
-   role:hsOfficeSepaMandate.guest[sepaMandate.guest]
-   %% permissions
-       role:hsOfficeSepaMandate.guest -->  perm:hsOfficeSepaMandate.view{{sepaMandate.view}}
-   %% incoming
-       role:hsOfficeSepaMandate.tenant --> role:hsOfficeSepaMandate.guest
 end
-
-subgraph hosting
-    style hosting fill:#eee
-    
-    subgraph package
-        style package fill: #e9f7ef
-        
-        role:package.owner[package.owner]
-         --> role:package.admin[package.admin]
-         --> role:package.tenant[package.tenant]
-         
-        role:hsOfficeDebitor.agent --> role:package.owner        
-        role:package.admin --> role:hsOfficeDebitor.tenant
-        role:hsOfficePartner.tenant --> role:hsOfficeDebitor.guest
-    end
-end
-
-
 ```