33 changed files with 104 additions and 1435 deletions
--- a/README.md
+++ b/README.md
@ -82,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a
    # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
    curl \
-        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:ADMIN' \
+        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:admin' \
        http://localhost:8080/api/test/packages
    # add a new customer
--- a/doc/rbac.md
+++ b/doc/rbac.md
@ -206,7 +206,7 @@ and the *role-stereotype* describes a role relative to a referenced business-obj
 #### owner
 The owner-role is granted to the subject which created the business object.
-E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:ADMIN'. 
+E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:admin'. 
 Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
@ -470,14 +470,14 @@ together {
    permCustomerXyzSELECT--> boCustXyz
 }
-entity "Role customer#xyz:TENANT" as roleCustXyzTenant 
+entity "Role customer#xyz:tenant" as roleCustXyzTenant 
 roleCustXyzTenant --> permCustomerXyzSELECT
-entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin
+entity "Role customer#xyz:admin" as roleCustXyzAdmin
 roleCustXyzAdmin --> roleCustXyzTenant
 roleCustXyzAdmin --> permCustomerXyzINSERT:package
-entity "Role customer#xyz:OWNER" as roleCustXyzOwner
+entity "Role customer#xyz:owner" as roleCustXyzOwner
 roleCustXyzOwner ..> roleCustXyzAdmin
 roleCustXyzOwner --> permCustomerXyzDELETE
@ -493,7 +493,7 @@ actorHostmaster --> roleAdmins
 ```
 As you can see, there something special:
-From the 'Role customer#xyz:OWNER' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
+From the 'Role customer#xyz:owner' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
 Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
 The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.
@ -541,15 +541,15 @@ together {
 }
 package {
-    entity "Role customer#xyz:TENANT" as roleCustXyzTenant
+    entity "Role customer#xyz:tenant" as roleCustXyzTenant
-    entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin    
+    entity "Role customer#xyz:admin" as roleCustXyzAdmin    
-    entity "Role customer#xyz:OWNER" as roleCustXyzOwner
+    entity "Role customer#xyz:owner" as roleCustXyzOwner
 }
 package {
-    entity "Role package#xyz00:OWNER" as rolePacXyz00Owner
+    entity "Role package#xyz00:owner" as rolePacXyz00Owner
-    entity "Role package#xyz00:ADMIN" as rolePacXyz00Admin
+    entity "Role package#xyz00:admin" as rolePacXyz00Admin
-    entity "Role package#xyz00:TENANT" as rolePacXyz00Tenant
+    entity "Role package#xyz00:tenant" as rolePacXyz00Tenant
 }
 rolePacXyz00Tenant --> permPacXyz00SELECT
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java
@ -1,11 +1,7 @@
 package net.hostsharing.hsadminng.hs.office.coopassets;
-import lombok.AllArgsConstructor;
+import lombok.*;
 import lombok.Builder;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@ -14,16 +10,7 @@ import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.hibernate.annotations.GenericGenerator;
-import jakarta.persistence.Column;
+import jakarta.persistence.*;
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.Id;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.ManyToOne;
 import jakarta.persistence.Table;
 import java.io.IOException;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.time.LocalDate;
@ -33,11 +20,8 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@ -125,7 +109,7 @@ public class HsOfficeCoopAssetsTransactionEntity implements Stringifyable, HasUu
                .toRole("membership", ADMIN).grantPermission(INSERT)
                .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", AGENT).grantPermission(SELECT);
+                .toRole("membership", ADMIN).grantPermission(SELECT);
    }
    public static void main(String[] args) throws IOException {
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java
@ -1,10 +1,6 @@
 package net.hostsharing.hsadminng.hs.office.coopshares;
-import lombok.AllArgsConstructor;
+import lombok.*;
 import lombok.Builder;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@ -13,16 +9,7 @@ import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
-import jakarta.persistence.Column;
+import jakarta.persistence.*;
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.Id;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.ManyToOne;
 import jakarta.persistence.Table;
 import java.io.IOException;
 import java.io.IOException;
 import java.time.LocalDate;
 import java.util.UUID;
@ -30,11 +17,9 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@ -120,7 +105,7 @@ public class HsOfficeCoopSharesTransactionEntity implements Stringifyable, HasUu
                .toRole("membership", ADMIN).grantPermission(INSERT)
                .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", AGENT).grantPermission(SELECT);
+                .toRole("membership", ADMIN).grantPermission(SELECT);
    }
    public static void main(String[] args) throws IOException {
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
@ -28,7 +28,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@ -148,14 +148,14 @@ public class HsOfficeMembershipEntity implements HasUuid, Stringifyable {
                .createRole(OWNER, (with) -> {
                    with.owningUser(CREATOR);
                })
                .createSubRole(ADMIN, (with) -> {
                    with.incomingSuperRole("partnerRel", ADMIN);
                    with.permission(DELETE);
                })
                .createSubRole(ADMIN, (with) -> {
                    with.incomingSuperRole("partnerRel", AGENT);
                    with.permission(UPDATE);
                })
-                .createSubRole(AGENT, (with) -> {
+                .createSubRole(REFERRER, (with) -> {
                    with.incomingSuperRole("partnerRel", AGENT);
                    with.outgoingSubRole("partnerRel", TENANT);
                    with.permission(SELECT);
                });
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
@ -31,7 +31,7 @@ public class RbacRoleController implements RbacRolesApi {
        context.define(currentUser, assumedRoles);
-        final List<RbacRoleEntity> result = rbacRoleRepository.findAll();
+        final List<RbacRoleRvEntity> result = rbacRoleRepository.findAll();
        return ResponseEntity.ok(mapper.mapList(result, RbacRoleResource.class));
    }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
@ -5,7 +5,7 @@ import org.springframework.data.repository.Repository;
 import java.util.List;
 import java.util.UUID;
-public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {
+public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
    /**
     * @return the number of persistent RbacRoleEntity instances, mostly for testing purposes.
@ -15,7 +15,7 @@ public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {
    /**
     * @return all persistent RbacRoleEntity instances, assigned to the current subject (user or assumed roles)
     */
-    List<RbacRoleEntity> findAll();
+    List<RbacRoleRvEntity> findAll();
-    RbacRoleEntity findByRoleName(String roleName);
+    RbacRoleRvEntity findByRoleName(String roleName);
 }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
@ -15,7 +15,7 @@ import java.util.UUID;
@Immutable
@NoArgsConstructor
@AllArgsConstructor
-public class RbacRoleEntity {
+public class RbacRoleRvEntity {
    @Id
    @GeneratedValue
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@ -139,7 +139,7 @@ select 'global', (select uuid from RbacObject where objectTable = 'global'), 'GU
 $$;
 begin transaction;
-    call defineContext('creating role:global#globa:guest', null, null, null);
+    call defineContext('creating role:global#loba:guest', null, null, null);
    select createRole(globalGuest());
 commit;
 --//
--- a/src/main/resources/db/changelog/133-test-domain-rbac.md
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.md
@ -1,75 +0,0 @@
 ### rbac domain
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph package.customer["`**package.customer**`"]
    direction TB
    style package.customer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph package.customer:roles[ ]
        style package.customer:roles fill:#99bcdb,stroke:white
        role:package.customer:OWNER[[package.customer:OWNER]]
        role:package.customer:ADMIN[[package.customer:ADMIN]]
        role:package.customer:TENANT[[package.customer:TENANT]]
    end
 end
 subgraph package["`**package**`"]
    direction TB
    style package fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph package:roles[ ]
        style package:roles fill:#99bcdb,stroke:white
        role:package:OWNER[[package:OWNER]]
        role:package:ADMIN[[package:ADMIN]]
        role:package:TENANT[[package:TENANT]]
    end
 end
 subgraph domain["`**domain**`"]
    direction TB
    style domain fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph domain:roles[ ]
        style domain:roles fill:#dd4901,stroke:white
        role:domain:OWNER[[domain:OWNER]]
        role:domain:ADMIN[[domain:ADMIN]]
    end
    subgraph domain:permissions[ ]
        style domain:permissions fill:#dd4901,stroke:white
        perm:domain:INSERT{{domain:INSERT}}
        perm:domain:DELETE{{domain:DELETE}}
        perm:domain:UPDATE{{domain:UPDATE}}
        perm:domain:SELECT{{domain:SELECT}}
    end
 end
 %% granting roles to roles
 role:global:ADMIN -.->|XX| role:package.customer:OWNER
 role:package.customer:OWNER -.-> role:package.customer:ADMIN
 role:package.customer:ADMIN -.-> role:package.customer:TENANT
 role:package.customer:ADMIN -.-> role:package:OWNER
 role:package:OWNER -.-> role:package:ADMIN
 role:package:ADMIN -.-> role:package:TENANT
 role:package:TENANT -.-> role:package.customer:TENANT
 role:package:ADMIN ==> role:domain:OWNER
 role:domain:OWNER ==> role:package:TENANT
 role:domain:OWNER ==> role:domain:ADMIN
 role:domain:ADMIN ==> role:package:TENANT
 %% granting permissions to roles
 role:package:ADMIN ==> perm:domain:INSERT
 role:domain:OWNER ==> perm:domain:DELETE
 role:domain:OWNER ==> perm:domain:UPDATE
 role:domain:ADMIN ==> perm:domain:SELECT
 ```
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.md
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac.md
@ -1,102 +0,0 @@
 ### rbac relation
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph holderPerson["`**holderPerson**`"]
    direction TB
    style holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph holderPerson:roles[ ]
        style holderPerson:roles fill:#99bcdb,stroke:white
        role:holderPerson:OWNER[[holderPerson:OWNER]]
        role:holderPerson:ADMIN[[holderPerson:ADMIN]]
        role:holderPerson:REFERRER[[holderPerson:REFERRER]]
    end
 end
 subgraph anchorPerson["`**anchorPerson**`"]
    direction TB
    style anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph anchorPerson:roles[ ]
        style anchorPerson:roles fill:#99bcdb,stroke:white
        role:anchorPerson:OWNER[[anchorPerson:OWNER]]
        role:anchorPerson:ADMIN[[anchorPerson:ADMIN]]
        role:anchorPerson:REFERRER[[anchorPerson:REFERRER]]
    end
 end
 subgraph contact["`**contact**`"]
    direction TB
    style contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph contact:roles[ ]
        style contact:roles fill:#99bcdb,stroke:white
        role:contact:OWNER[[contact:OWNER]]
        role:contact:ADMIN[[contact:ADMIN]]
        role:contact:REFERRER[[contact:REFERRER]]
    end
 end
 subgraph relation["`**relation**`"]
    direction TB
    style relation fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph relation:roles[ ]
        style relation:roles fill:#dd4901,stroke:white
        role:relation:OWNER[[relation:OWNER]]
        role:relation:ADMIN[[relation:ADMIN]]
        role:relation:AGENT[[relation:AGENT]]
        role:relation:TENANT[[relation:TENANT]]
    end
    subgraph relation:permissions[ ]
        style relation:permissions fill:#dd4901,stroke:white
        perm:relation:DELETE{{relation:DELETE}}
        perm:relation:UPDATE{{relation:UPDATE}}
        perm:relation:SELECT{{relation:SELECT}}
        perm:relation:INSERT{{relation:INSERT}}
    end
 end
 %% granting roles to users
 user:creator ==> role:relation:OWNER
 %% granting roles to roles
 role:global:ADMIN -.-> role:anchorPerson:OWNER
 role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
 role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
 role:global:ADMIN -.-> role:holderPerson:OWNER
 role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
 role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
 role:global:ADMIN -.-> role:contact:OWNER
 role:contact:OWNER -.-> role:contact:ADMIN
 role:contact:ADMIN -.-> role:contact:REFERRER
 role:global:ADMIN ==> role:relation:OWNER
 role:relation:OWNER ==> role:relation:ADMIN
 role:anchorPerson:ADMIN ==> role:relation:ADMIN
 role:relation:ADMIN ==> role:relation:AGENT
 role:holderPerson:ADMIN ==> role:relation:AGENT
 role:relation:AGENT ==> role:relation:TENANT
 role:holderPerson:ADMIN ==> role:relation:TENANT
 role:contact:ADMIN ==> role:relation:TENANT
 role:relation:TENANT ==> role:anchorPerson:REFERRER
 role:relation:TENANT ==> role:holderPerson:REFERRER
 role:relation:TENANT ==> role:contact:REFERRER
 %% granting permissions to roles
 role:relation:OWNER ==> perm:relation:DELETE
 role:relation:ADMIN ==> perm:relation:UPDATE
 role:relation:TENANT ==> perm:relation:SELECT
 role:anchorPerson:ADMIN ==> perm:relation:INSERT
 ```
--- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
+++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac.md
@ -1,120 +0,0 @@
 ### rbac partner
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph partnerRel.contact["`**partnerRel.contact**`"]
    direction TB
    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.contact:roles[ ]
        style partnerRel.contact:roles fill:#99bcdb,stroke:white
        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
    end
 end
 subgraph partner["`**partner**`"]
    direction TB
    style partner fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph partner:permissions[ ]
        style partner:permissions fill:#dd4901,stroke:white
        perm:partner:INSERT{{partner:INSERT}}
        perm:partner:DELETE{{partner:DELETE}}
        perm:partner:UPDATE{{partner:UPDATE}}
        perm:partner:SELECT{{partner:SELECT}}
    end
    subgraph partnerRel["`**partnerRel**`"]
        direction TB
        style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
        subgraph partnerRel:roles[ ]
            style partnerRel:roles fill:#99bcdb,stroke:white
            role:partnerRel:OWNER[[partnerRel:OWNER]]
            role:partnerRel:ADMIN[[partnerRel:ADMIN]]
            role:partnerRel:AGENT[[partnerRel:AGENT]]
            role:partnerRel:TENANT[[partnerRel:TENANT]]
        end
    end
 end
 subgraph partnerDetails["`**partnerDetails**`"]
    direction TB
    style partnerDetails fill:#feb28c,stroke:#274d6e,stroke-width:8px
    subgraph partnerDetails:permissions[ ]
        style partnerDetails:permissions fill:#feb28c,stroke:white
        perm:partnerDetails:DELETE{{partnerDetails:DELETE}}
        perm:partnerDetails:UPDATE{{partnerDetails:UPDATE}}
        perm:partnerDetails:SELECT{{partnerDetails:SELECT}}
    end
 end
 subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
    direction TB
    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.anchorPerson:roles[ ]
        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
    end
 end
 subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
    direction TB
    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.holderPerson:roles[ ]
        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
    end
 end
 %% granting roles to roles
 role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
 role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 %% granting permissions to roles
 role:global:ADMIN ==> perm:partner:INSERT
 role:partnerRel:ADMIN ==> perm:partner:DELETE
 role:partnerRel:AGENT ==> perm:partner:UPDATE
 role:partnerRel:TENANT ==> perm:partner:SELECT
 role:partnerRel:ADMIN ==> perm:partnerDetails:DELETE
 role:partnerRel:AGENT ==> perm:partnerDetails:UPDATE
 role:partnerRel:AGENT ==> perm:partnerDetails:SELECT
 ```
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
@ -1,141 +0,0 @@
 ### rbac sepaMandate
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph bankAccount["`**bankAccount**`"]
    direction TB
    style bankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph bankAccount:roles[ ]
        style bankAccount:roles fill:#99bcdb,stroke:white
        role:bankAccount:OWNER[[bankAccount:OWNER]]
        role:bankAccount:ADMIN[[bankAccount:ADMIN]]
        role:bankAccount:REFERRER[[bankAccount:REFERRER]]
    end
 end
 subgraph debitorRel.contact["`**debitorRel.contact**`"]
    direction TB
    style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.contact:roles[ ]
        style debitorRel.contact:roles fill:#99bcdb,stroke:white
        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
    end
 end
 subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
    direction TB
    style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.anchorPerson:roles[ ]
        style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
    end
 end
 subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
    direction TB
    style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.holderPerson:roles[ ]
        style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
    end
 end
 subgraph sepaMandate["`**sepaMandate**`"]
    direction TB
    style sepaMandate fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph sepaMandate:roles[ ]
        style sepaMandate:roles fill:#dd4901,stroke:white
        role:sepaMandate:OWNER[[sepaMandate:OWNER]]
        role:sepaMandate:ADMIN[[sepaMandate:ADMIN]]
        role:sepaMandate:AGENT[[sepaMandate:AGENT]]
        role:sepaMandate:REFERRER[[sepaMandate:REFERRER]]
    end
    subgraph sepaMandate:permissions[ ]
        style sepaMandate:permissions fill:#dd4901,stroke:white
        perm:sepaMandate:DELETE{{sepaMandate:DELETE}}
        perm:sepaMandate:UPDATE{{sepaMandate:UPDATE}}
        perm:sepaMandate:SELECT{{sepaMandate:SELECT}}
        perm:sepaMandate:INSERT{{sepaMandate:INSERT}}
    end
 end
 subgraph debitorRel["`**debitorRel**`"]
    direction TB
    style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel:roles[ ]
        style debitorRel:roles fill:#99bcdb,stroke:white
        role:debitorRel:OWNER[[debitorRel:OWNER]]
        role:debitorRel:ADMIN[[debitorRel:ADMIN]]
        role:debitorRel:AGENT[[debitorRel:AGENT]]
        role:debitorRel:TENANT[[debitorRel:TENANT]]
    end
 end
 %% granting roles to users
 user:creator ==> role:sepaMandate:OWNER
 %% granting roles to roles
 role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
 role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
 role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:debitorRel:OWNER
 role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
 role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel:AGENT -.-> role:debitorRel:TENANT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:bankAccount:OWNER
 role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
 role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
 role:global:ADMIN ==> role:sepaMandate:OWNER
 role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
 role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
 role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
 role:sepaMandate:AGENT ==> role:debitorRel:AGENT
 role:sepaMandate:AGENT ==> role:sepaMandate:REFERRER
 role:bankAccount:ADMIN ==> role:sepaMandate:REFERRER
 role:debitorRel:AGENT ==> role:sepaMandate:REFERRER
 role:sepaMandate:REFERRER ==> role:debitorRel:TENANT
 %% granting permissions to roles
 role:sepaMandate:OWNER ==> perm:sepaMandate:DELETE
 role:sepaMandate:ADMIN ==> perm:sepaMandate:UPDATE
 role:sepaMandate:REFERRER ==> perm:sepaMandate:SELECT
 role:debitorRel:ADMIN ==> perm:sepaMandate:INSERT
 ```
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
@ -1,198 +0,0 @@
 ### rbac debitor
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
    direction TB
    style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.anchorPerson:roles[ ]
        style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
    end
 end
 subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
    direction TB
    style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.holderPerson:roles[ ]
        style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
    end
 end
 subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
    direction TB
    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.holderPerson:roles[ ]
        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
    end
 end
 subgraph debitor["`**debitor**`"]
    direction TB
    style debitor fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph debitor:permissions[ ]
        style debitor:permissions fill:#dd4901,stroke:white
        perm:debitor:INSERT{{debitor:INSERT}}
        perm:debitor:DELETE{{debitor:DELETE}}
        perm:debitor:UPDATE{{debitor:UPDATE}}
        perm:debitor:SELECT{{debitor:SELECT}}
    end
    subgraph debitorRel["`**debitorRel**`"]
        direction TB
        style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
        subgraph debitorRel:roles[ ]
            style debitorRel:roles fill:#99bcdb,stroke:white
            role:debitorRel:OWNER[[debitorRel:OWNER]]
            role:debitorRel:ADMIN[[debitorRel:ADMIN]]
            role:debitorRel:AGENT[[debitorRel:AGENT]]
            role:debitorRel:TENANT[[debitorRel:TENANT]]
        end
    end
 end
 subgraph partnerRel["`**partnerRel**`"]
    direction TB
    style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel:roles[ ]
        style partnerRel:roles fill:#99bcdb,stroke:white
        role:partnerRel:OWNER[[partnerRel:OWNER]]
        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
        role:partnerRel:AGENT[[partnerRel:AGENT]]
        role:partnerRel:TENANT[[partnerRel:TENANT]]
    end
 end
 subgraph partnerRel.contact["`**partnerRel.contact**`"]
    direction TB
    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.contact:roles[ ]
        style partnerRel.contact:roles fill:#99bcdb,stroke:white
        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
    end
 end
 subgraph debitorRel.contact["`**debitorRel.contact**`"]
    direction TB
    style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph debitorRel.contact:roles[ ]
        style debitorRel.contact:roles fill:#99bcdb,stroke:white
        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
    end
 end
 subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
    direction TB
    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.anchorPerson:roles[ ]
        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
    end
 end
 subgraph refundBankAccount["`**refundBankAccount**`"]
    direction TB
    style refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph refundBankAccount:roles[ ]
        style refundBankAccount:roles fill:#99bcdb,stroke:white
        role:refundBankAccount:OWNER[[refundBankAccount:OWNER]]
        role:refundBankAccount:ADMIN[[refundBankAccount:ADMIN]]
        role:refundBankAccount:REFERRER[[refundBankAccount:REFERRER]]
    end
 end
 %% granting roles to roles
 role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
 role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
 role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:debitorRel:OWNER
 role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
 role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel:AGENT -.-> role:debitorRel:TENANT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:refundBankAccount:OWNER
 role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
 role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
 role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
 role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
 role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
 role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel:ADMIN ==> role:debitorRel:ADMIN
 role:partnerRel:AGENT ==> role:debitorRel:AGENT
 role:debitorRel:AGENT ==> role:partnerRel:TENANT
 %% granting permissions to roles
 role:global:ADMIN ==> perm:debitor:INSERT
 role:debitorRel:OWNER ==> perm:debitor:DELETE
 role:debitorRel:ADMIN ==> perm:debitor:UPDATE
 role:debitorRel:TENANT ==> perm:debitor:SELECT
 ```
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
@ -1,120 +0,0 @@
 ### rbac membership
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph partnerRel["`**partnerRel**`"]
    direction TB
    style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel:roles[ ]
        style partnerRel:roles fill:#99bcdb,stroke:white
        role:partnerRel:OWNER[[partnerRel:OWNER]]
        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
        role:partnerRel:AGENT[[partnerRel:AGENT]]
        role:partnerRel:TENANT[[partnerRel:TENANT]]
    end
 end
 subgraph partnerRel.contact["`**partnerRel.contact**`"]
    direction TB
    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.contact:roles[ ]
        style partnerRel.contact:roles fill:#99bcdb,stroke:white
        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
    end
 end
 subgraph membership["`**membership**`"]
    direction TB
    style membership fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph membership:roles[ ]
        style membership:roles fill:#dd4901,stroke:white
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
        role:membership:AGENT[[membership:AGENT]]
    end
    subgraph membership:permissions[ ]
        style membership:permissions fill:#dd4901,stroke:white
        perm:membership:INSERT{{membership:INSERT}}
        perm:membership:DELETE{{membership:DELETE}}
        perm:membership:UPDATE{{membership:UPDATE}}
        perm:membership:SELECT{{membership:SELECT}}
    end
 end
 subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
    direction TB
    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.anchorPerson:roles[ ]
        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
    end
 end
 subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
    direction TB
    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph partnerRel.holderPerson:roles[ ]
        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
    end
 end
 %% granting roles to users
 user:creator ==> role:membership:OWNER
 %% granting roles to roles
 role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
 role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:membership:OWNER ==> role:membership:ADMIN
 role:partnerRel:ADMIN ==> role:membership:ADMIN
 role:membership:ADMIN ==> role:membership:AGENT
 role:partnerRel:AGENT ==> role:membership:AGENT
 role:membership:AGENT ==> role:partnerRel:TENANT
 %% granting permissions to roles
 role:global:ADMIN ==> perm:membership:INSERT
 role:membership:ADMIN ==> perm:membership:DELETE
 role:membership:ADMIN ==> perm:membership:UPDATE
 role:membership:AGENT ==> perm:membership:SELECT
 ```
--- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
+++ b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
@ -1,120 +0,0 @@
 ### rbac coopSharesTransaction
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
    direction TB
    style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.holderPerson:roles[ ]
        style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
    end
 end
 subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
    direction TB
    style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.anchorPerson:roles[ ]
        style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
    end
 end
 subgraph coopSharesTransaction["`**coopSharesTransaction**`"]
    direction TB
    style coopSharesTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph coopSharesTransaction:permissions[ ]
        style coopSharesTransaction:permissions fill:#dd4901,stroke:white
        perm:coopSharesTransaction:INSERT{{coopSharesTransaction:INSERT}}
        perm:coopSharesTransaction:UPDATE{{coopSharesTransaction:UPDATE}}
        perm:coopSharesTransaction:SELECT{{coopSharesTransaction:SELECT}}
    end
 end
 subgraph membership["`**membership**`"]
    direction TB
    style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership:roles[ ]
        style membership:roles fill:#99bcdb,stroke:white
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
        role:membership:AGENT[[membership:AGENT]]
    end
 end
 subgraph membership.partnerRel["`**membership.partnerRel**`"]
    direction TB
    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel:roles[ ]
        style membership.partnerRel:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
    end
 end
 subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
    direction TB
    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.contact:roles[ ]
        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
    end
 end
 %% granting roles to roles
 role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
 role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
 role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
 role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel:OWNER
 role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership:OWNER -.-> role:membership:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
 role:membership:ADMIN -.-> role:membership:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership:AGENT
 role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
 role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
 role:membership:AGENT ==> perm:coopSharesTransaction:SELECT
 ```
--- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
@ -1,151 +0,0 @@
 --liquibase formatted sql
 -- This code generated was by RbacViewPostgresGenerator, do not amend manually.
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRelatedRbacObject('hs_office_coopsharestransaction');
 --//
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
 --//
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-insert-trigger:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
 */
 create or replace procedure buildRbacSystemForHsOfficeCoopSharesTransaction(
    NEW hs_office_coopsharestransaction
 )
    language plpgsql as $$
 declare
    newMembership hs_office_membership;
 begin
    call enterTriggerForObjectUuid(NEW.uuid);
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
    call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
 /*
    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopsharestransaction row.
 */
 create or replace function insertTriggerForHsOfficeCoopSharesTransaction_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
    call buildRbacSystemForHsOfficeCoopSharesTransaction(NEW);
    return NEW;
 end; $$;
 create trigger insertTriggerForHsOfficeCoopSharesTransaction_tg
    after insert on hs_office_coopsharestransaction
    for each row
 execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf();
 --//
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
    Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows.
 */
 do language plpgsql $$
    declare
        row hs_office_membership;
    begin
        call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows');
        FOR row IN SELECT * FROM hs_office_membership
            LOOP
                call grantPermissionToRole(
                    createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
                    hsOfficeMembershipADMIN(row));
            END LOOP;
    END;
 $$;
 /**
    Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
 */
 create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
    call grantPermissionToRole(
            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
            hsOfficeMembershipADMIN(NEW));
    return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
 create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg
    after insert on hs_office_membership
    for each row
 execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf();
 /**
    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction,
    where the check is performed by a direct role.
    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf()
    returns trigger
    language plpgsql as $$
 begin
    raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)',
        currentSubjects(), currentSubjectsUuids();
 end; $$;
 create trigger hs_office_coopsharestransaction_insert_permission_check_tg
    before insert on hs_office_coopsharestransaction
    for each row
    when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopsharestransaction') )
        execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf();
 --//
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
    $idName$
        reference
    $idName$);
 --//
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacRestrictedView('hs_office_coopsharestransaction',
    $orderBy$
        reference
    $orderBy$,
    $updates$
        comment = new.comment
    $updates$);
 --//
--- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
+++ b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
@ -1,120 +0,0 @@
 ### rbac coopAssetsTransaction
 This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
 flowchart TB
 subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
    direction TB
    style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.holderPerson:roles[ ]
        style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
    end
 end
 subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
    direction TB
    style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.anchorPerson:roles[ ]
        style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
    end
 end
 subgraph coopAssetsTransaction["`**coopAssetsTransaction**`"]
    direction TB
    style coopAssetsTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px
    subgraph coopAssetsTransaction:permissions[ ]
        style coopAssetsTransaction:permissions fill:#dd4901,stroke:white
        perm:coopAssetsTransaction:INSERT{{coopAssetsTransaction:INSERT}}
        perm:coopAssetsTransaction:UPDATE{{coopAssetsTransaction:UPDATE}}
        perm:coopAssetsTransaction:SELECT{{coopAssetsTransaction:SELECT}}
    end
 end
 subgraph membership["`**membership**`"]
    direction TB
    style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership:roles[ ]
        style membership:roles fill:#99bcdb,stroke:white
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
        role:membership:AGENT[[membership:AGENT]]
    end
 end
 subgraph membership.partnerRel["`**membership.partnerRel**`"]
    direction TB
    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel:roles[ ]
        style membership.partnerRel:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
    end
 end
 subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
    direction TB
    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
    subgraph membership.partnerRel.contact:roles[ ]
        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
    end
 end
 %% granting roles to roles
 role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
 role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
 role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
 role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel:OWNER
 role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership:OWNER -.-> role:membership:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
 role:membership:ADMIN -.-> role:membership:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership:AGENT
 role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
 role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
 role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT
 ```
--- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
@ -1,151 +0,0 @@
 --liquibase formatted sql
 -- This code generated was by RbacViewPostgresGenerator, do not amend manually.
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRelatedRbacObject('hs_office_coopassetstransaction');
 --//
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
 --//
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-insert-trigger:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
 */
 create or replace procedure buildRbacSystemForHsOfficeCoopAssetsTransaction(
    NEW hs_office_coopassetstransaction
 )
    language plpgsql as $$
 declare
    newMembership hs_office_membership;
 begin
    call enterTriggerForObjectUuid(NEW.uuid);
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
    call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
 /*
    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopassetstransaction row.
 */
 create or replace function insertTriggerForHsOfficeCoopAssetsTransaction_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
    call buildRbacSystemForHsOfficeCoopAssetsTransaction(NEW);
    return NEW;
 end; $$;
 create trigger insertTriggerForHsOfficeCoopAssetsTransaction_tg
    after insert on hs_office_coopassetstransaction
    for each row
 execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
 --//
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
    Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows.
 */
 do language plpgsql $$
    declare
        row hs_office_membership;
    begin
        call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows');
        FOR row IN SELECT * FROM hs_office_membership
            LOOP
                call grantPermissionToRole(
                    createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
                    hsOfficeMembershipADMIN(row));
            END LOOP;
    END;
 $$;
 /**
    Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
 */
 create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
    call grantPermissionToRole(
            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
            hsOfficeMembershipADMIN(NEW));
    return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
 create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg
    after insert on hs_office_membership
    for each row
 execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf();
 /**
    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction,
    where the check is performed by a direct role.
    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf()
    returns trigger
    language plpgsql as $$
 begin
    raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)',
        currentSubjects(), currentSubjectsUuids();
 end; $$;
 create trigger hs_office_coopassetstransaction_insert_permission_check_tg
    before insert on hs_office_coopassetstransaction
    for each row
    when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopassetstransaction') )
        execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf();
 --//
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
    $idName$
        reference
    $idName$);
 --//
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacRestrictedView('hs_office_coopassetstransaction',
    $orderBy$
        reference
    $orderBy$,
    $updates$
        comment = new.comment
    $updates$);
 --//
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md
@ -42,7 +42,7 @@ subgraph membership["`**membership**`"]
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:AGENT[[membership:AGENT]]
+        role:membership:REFERRER[[membership:REFERRER]]
    end
    subgraph membership:permissions[ ]
@ -105,16 +105,16 @@ role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel:ADMIN ==> role:membership:OWNER
 role:membership:OWNER ==> role:membership:ADMIN
-role:partnerRel:ADMIN ==> role:membership:ADMIN
+role:partnerRel:AGENT ==> role:membership:ADMIN
-role:membership:ADMIN ==> role:membership:AGENT
+role:membership:ADMIN ==> role:membership:REFERRER
-role:partnerRel:AGENT ==> role:membership:AGENT
+role:membership:REFERRER ==> role:partnerRel:TENANT
 role:membership:AGENT ==> role:partnerRel:TENANT
 %% granting permissions to roles
 role:global:ADMIN ==> perm:membership:INSERT
-role:membership:ADMIN ==> perm:membership:DELETE
+role:membership:OWNER ==> perm:membership:DELETE
 role:membership:ADMIN ==> perm:membership:UPDATE
-role:membership:AGENT ==> perm:membership:SELECT
+role:membership:REFERRER ==> perm:membership:SELECT
 ```
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@ -45,23 +45,23 @@ begin
    perform createRoleWithGrants(
        hsOfficeMembershipOWNER(NEW),
            permissions => array['DELETE'],
            incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
            userUuids => array[currentUserUuid()]
    );
    perform createRoleWithGrants(
        hsOfficeMembershipADMIN(NEW),
-            permissions => array['DELETE', 'UPDATE'],
+            permissions => array['UPDATE'],
            incomingSuperRoles => array[
            	hsOfficeMembershipOWNER(NEW),
-            	hsOfficeRelationADMIN(newPartnerRel)]
+            	hsOfficeRelationAGENT(newPartnerRel)]
    );
    perform createRoleWithGrants(
-        hsOfficeMembershipAGENT(NEW),
+        hsOfficeMembershipREFERRER(NEW),
            permissions => array['SELECT'],
-            incomingSuperRoles => array[
+            incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
            	hsOfficeMembershipADMIN(NEW),
            	hsOfficeRelationAGENT(newPartnerRel)],
            outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
    );
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md
@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:AGENT[[membership:AGENT]]
+        role:membership:REFERRER[[membership:REFERRER]]
    end
 end
@ -106,15 +106,15 @@ role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:AGENT
+role:membership:ADMIN -.-> role:membership:REFERRER
-role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
 role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
 role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
-role:membership:AGENT ==> perm:coopSharesTransaction:SELECT
+role:membership:ADMIN ==> perm:coopSharesTransaction:SELECT
 ```
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@ -38,7 +38,7 @@ begin
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
    call leaveTriggerForObjectUuid(NEW.uuid);
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md
@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]
        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:AGENT[[membership:AGENT]]
+        role:membership:REFERRER[[membership:REFERRER]]
    end
 end
@ -106,15 +106,15 @@ role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:AGENT
+role:membership:ADMIN -.-> role:membership:REFERRER
-role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
 role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
 role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
-role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT
+role:membership:ADMIN ==> perm:coopAssetsTransaction:SELECT
 ```
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@ -38,7 +38,7 @@ begin
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
    call leaveTriggerForObjectUuid(NEW.uuid);
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
@ -112,7 +112,7 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
-                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
                            "{ grant perm:coopassetstransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                            null));
        }
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
@ -111,8 +111,8 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
-                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101.admin by system and assume }",
-                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101.admin by system and assume }",
                            null));
        }
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
@ -335,18 +335,18 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
        }
        @Test
-        void partnerRelAdmin_canPatchValidityOfRelatedMembership() {
+        void partnerRelAgent_canPatchValidityOfRelatedMembership() {
            // given
-            final var givenPartnerAdmin = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN";
+            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT";
-            context.define("superuser-alex@hostsharing.net", givenPartnerAdmin);
+            context.define("superuser-alex@hostsharing.net", givenPartnerAgent);
            final var givenMembership = givenSomeTemporaryMembershipBessler("First");
            // when
            RestAssured // @formatter:off
                .given()
                    .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", givenPartnerAdmin)
+                    .header("assumed-roles", givenPartnerAgent)
                    .contentType(ContentType.JSON)
                    .body("""
                           {
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
@ -110,32 +110,30 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
            final var all = rawRoleRepo.findAll();
            assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                    initialRoleNames,
                    "hs_office_membership#M-1000117:OWNER",
                    "hs_office_membership#M-1000117:ADMIN",
-                    "hs_office_membership#M-1000117:AGENT"));
+                    "hs_office_membership#M-1000117:OWNER",
                    "hs_office_membership#M-1000117:REFERRER"));
            assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
                            // insert
                            "{ grant perm:membership#M-1000117:INSERT>coopassetstransaction to role:membership#M-1000117:ADMIN by system and assume }",
                            "{ grant perm:membership#M-1000117:INSERT>coopsharestransaction to role:membership#M-1000117:ADMIN by system and assume }",
                            // owner
-                            "{ grant perm:membership#M-1000117:DELETE to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant perm:membership#M-1000117:DELETE       to role:membership#M-1000117:OWNER by system and assume }",
                            "{ grant role:membership#M-1000117:OWNER to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
                            // admin
-                            "{ grant perm:membership#M-1000117:UPDATE to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant perm:membership#M-1000117:UPDATE       to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:ADMIN to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:membership#M-1000117:OWNER by system and assume }",
-                            "{ grant role:membership#M-1000117:ADMIN to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
                            "{ grant role:membership#M-1000117:OWNER        to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
                            // agent
-                            "{ grant perm:membership#M-1000117:SELECT to role:membership#M-1000117:AGENT by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
                            "{ grant role:membership#M-1000117:AGENT to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:AGENT to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
+                            // referrer
-                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:AGENT by system and assume }",
+                            "{ grant perm:membership#M-1000117:SELECT       to role:membership#M-1000117:REFERRER by system and assume }",
                            "{ grant role:membership#M-1000117:REFERRER     to role:membership#M-1000117:ADMIN by system and assume }",
                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:REFERRER by system and assume }",
                            null));
        }
@ -223,20 +221,20 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
        }
        @Test
-        public void membershipAgent_canViewButNotUpdateRelatedMembership() {
+        public void membershipReferrer_canViewButNotUpdateRelatedMembership() {
            // given
            context("superuser-alex@hostsharing.net");
            final var givenMembership = givenSomeTemporaryMembership("First", "13");
            assertThatMembershipExistsAndIsAccessibleToCurrentContext(givenMembership);
            assertThatMembershipIsVisibleForRole(
                    givenMembership,
-                    "hs_office_membership#M-1000113:AGENT");
+                    "hs_office_membership#M-1000113:REFERRER");
            final var newValidityEnd = LocalDate.now();
            // when
            final var result = jpaAttempt.transacted(() -> {
                // TODO: we should test with debitor- and partner-admin as well
-                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:AGENT");
+                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:REFERRER");
                givenMembership.setValidity(
                        Range.closedOpen(givenMembership.getValidity().lower(), newValidityEnd));
                return membershipRepo.save(givenMembership);
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
@ -6,7 +6,7 @@ import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantEntity;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService;
 import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.test.JpaAttempt;
 import org.jetbrains.annotations.NotNull;
@ -255,7 +255,7 @@ public abstract class ContextBasedTestWithCleanup extends ContextBasedTest {
        return jpaAttempt.transacted(() -> {
            context.define("superuser-alex@hostsharing.net", null);
            return rbacRoleRepo.findAll().stream()
-                    .map(RbacRoleEntity::getRoleName)
+                    .map(RbacRoleRvEntity::getRoleName)
                    .collect(toSet());
        }).assertSuccessful().returnedValue();
    }
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
@ -5,7 +5,7 @@ import io.restassured.http.ContentType;
 import io.restassured.response.ValidatableResponse;
 import net.hostsharing.hsadminng.HsadminNgApplication;
 import net.hostsharing.hsadminng.context.ContextBasedTest;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserEntity;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserRepository;
@ -361,11 +361,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
            this(currentUser, "");
        }
-        GrantFixture grantsRole(final RbacRoleEntity givenOwnPackageAdminRole) {
+        GrantFixture grantsRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
            return new GrantFixture(givenOwnPackageAdminRole);
        }
-        RevokeFixture revokesRole(final RbacRoleEntity givenOwnPackageAdminRole) {
+        RevokeFixture revokesRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
            return new RevokeFixture(givenOwnPackageAdminRole);
        }
@ -376,11 +376,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        class GrantFixture {
            private Subject grantingSubject = Subject.this;
-            private final RbacRoleEntity grantedRole;
+            private final RbacRoleRvEntity grantedRole;
            private boolean assumed;
            private RbacUserEntity granteeUser;
-            public GrantFixture(final RbacRoleEntity roleToGrant) {
+            public GrantFixture(final RbacRoleRvEntity roleToGrant) {
                this.grantedRole = roleToGrant;
            }
@ -417,11 +417,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        class RevokeFixture {
            private Subject currentSubject = Subject.this;
-            private final RbacRoleEntity grantedRole;
+            private final RbacRoleRvEntity grantedRole;
            private boolean assumed;
            private RbacUserEntity granteeUser;
-            public RevokeFixture(final RbacRoleEntity roleToGrant) {
+            public RevokeFixture(final RbacRoleRvEntity roleToGrant) {
                this.grantedRole = roleToGrant;
            }
@ -455,9 +455,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        private class GetGrantByIdFixture {
            private Subject currentSubject = Subject.this;
-            private RbacRoleEntity grantedRole;
+            private RbacRoleRvEntity grantedRole;
-            GetGrantByIdFixture forGrantedRole(final RbacRoleEntity grantedRole) {
+            GetGrantByIdFixture forGrantedRole(final RbacRoleRvEntity grantedRole) {
                this.grantedRole = grantedRole;
                return this;
            }
@ -507,7 +507,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        }).assertNotNull().returnedValue();
    }
-    RbacRoleEntity getRbacRoleByName(final String roleName) {
+    RbacRoleRvEntity getRbacRoleByName(final String roleName) {
        return jpaAttempt.transacted(() -> {
            context("superuser-alex@hostsharing.net", null);
            return rbacRoleRepository.findByRoleName(roleName);
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
@ -175,21 +175,21 @@ class RbacRoleRepositoryIntegrationTest {
        }
    }
-    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
+    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                .containsExactlyInAnyOrder(expectedRoleNames);
    }
-    void allTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
+    void allTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                .contains(expectedRoleNames);
    }
-    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleEntity> actualResult, final String... unexpectedRoleNames) {
+    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleRvEntity> actualResult, final String... unexpectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleEntity::getRoleName)
+                .extracting(RbacRoleRvEntity::getRoleName)
                .doesNotContain(unexpectedRoleNames);
    }
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
@ -4,11 +4,11 @@ import static java.util.UUID.randomUUID;
 public class TestRbacRole {
-    public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
+    public static final RbacRoleRvEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
-    static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
+    static final RbacRoleRvEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
-    static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
+    static final RbacRoleRvEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
-    static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
+    static public RbacRoleRvEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
-        return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
+        return new RbacRoleRvEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
    }
 }