aftermaths from merging master

# Conflicts:
#	README.md
#	doc/rbac.md
#	src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java
#	src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java
#	src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
#	src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
#	src/main/resources/db/changelog/133-test-domain-rbac.md
#	src/main/resources/db/changelog/223-hs-office-relation-rbac.md
#	src/main/resources/db/changelog/233-hs-office-partner-rbac.md
#	src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
#	src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
#	src/main/resources/db/changelog/303-hs-office-membership-rbac.md
#	src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
#	src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
#	src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
#	src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
#	src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
#	src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
#	src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
#	src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
#	src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
#	src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
#	src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java

README.md

@@ -82,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a
 
     # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
     curl \
-        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:admin' \
+        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:ADMIN' \
         http://localhost:8080/api/test/packages
 
     # add a new customer

doc/rbac.md

@@ -206,7 +206,7 @@ and the *role-stereotype* describes a role relative to a referenced business-obj
 #### owner
 
 The owner-role is granted to the subject which created the business object.
-E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:admin'. 
+E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:ADMIN'. 
 
 Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
 
@@ -470,14 +470,14 @@ together {
     permCustomerXyzSELECT--> boCustXyz
 }
 
-entity "Role customer#xyz:tenant" as roleCustXyzTenant 
+entity "Role customer#xyz:TENANT" as roleCustXyzTenant 
 roleCustXyzTenant --> permCustomerXyzSELECT
 
-entity "Role customer#xyz:admin" as roleCustXyzAdmin
+entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin
 roleCustXyzAdmin --> roleCustXyzTenant
 roleCustXyzAdmin --> permCustomerXyzINSERT:package
 
-entity "Role customer#xyz:owner" as roleCustXyzOwner
+entity "Role customer#xyz:OWNER" as roleCustXyzOwner
 roleCustXyzOwner ..> roleCustXyzAdmin
 roleCustXyzOwner --> permCustomerXyzDELETE
 
@@ -493,7 +493,7 @@ actorHostmaster --> roleAdmins
 ```
 
 As you can see, there something special:
-From the 'Role customer#xyz:owner' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
+From the 'Role customer#xyz:OWNER' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
 Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
 The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.
 
@@ -541,15 +541,15 @@ together {
 }
 
 package {
-    entity "Role customer#xyz:tenant" as roleCustXyzTenant
+    entity "Role customer#xyz:TENANT" as roleCustXyzTenant
-    entity "Role customer#xyz:admin" as roleCustXyzAdmin    
+    entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin    
-    entity "Role customer#xyz:owner" as roleCustXyzOwner
+    entity "Role customer#xyz:OWNER" as roleCustXyzOwner
 }
 
 package {
-    entity "Role package#xyz00:owner" as rolePacXyz00Owner
+    entity "Role package#xyz00:OWNER" as rolePacXyz00Owner
-    entity "Role package#xyz00:admin" as rolePacXyz00Admin
+    entity "Role package#xyz00:ADMIN" as rolePacXyz00Admin
-    entity "Role package#xyz00:tenant" as rolePacXyz00Tenant
+    entity "Role package#xyz00:TENANT" as rolePacXyz00Tenant
 }
 
 rolePacXyz00Tenant --> permPacXyz00SELECT

src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java

@@ -1,7 +1,11 @@
 
 package net.hostsharing.hsadminng.hs.office.coopassets;
 
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@@ -10,7 +14,16 @@ import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.hibernate.annotations.GenericGenerator;
 
-import jakarta.persistence.*;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import java.io.IOException;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.time.LocalDate;
@@ -20,8 +33,11 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@@ -109,7 +125,7 @@ public class HsOfficeCoopAssetsTransactionEntity implements Stringifyable, HasUu
 
                 .toRole("membership", ADMIN).grantPermission(INSERT)
                 .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", ADMIN).grantPermission(SELECT);
+                .toRole("membership", AGENT).grantPermission(SELECT);
     }
 
     public static void main(String[] args) throws IOException {

src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java

@@ -1,6 +1,10 @@
 package net.hostsharing.hsadminng.hs.office.coopshares;
 
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@@ -9,7 +13,16 @@ import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 
-import jakarta.persistence.*;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+import java.io.IOException;
 import java.io.IOException;
 import java.time.LocalDate;
 import java.util.UUID;
@@ -17,9 +30,11 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@@ -105,7 +120,7 @@ public class HsOfficeCoopSharesTransactionEntity implements Stringifyable, HasUu
 
                 .toRole("membership", ADMIN).grantPermission(INSERT)
                 .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", ADMIN).grantPermission(SELECT);
+                .toRole("membership", AGENT).grantPermission(SELECT);
     }
 
     public static void main(String[] args) throws IOException {

src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java

@@ -28,7 +28,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@@ -148,14 +148,14 @@ public class HsOfficeMembershipEntity implements HasUuid, Stringifyable {
 
                 .createRole(OWNER, (with) -> {
                     with.owningUser(CREATOR);
-                    with.incomingSuperRole("partnerRel", ADMIN);
-                    with.permission(DELETE);
                 })
                 .createSubRole(ADMIN, (with) -> {
-                    with.incomingSuperRole("partnerRel", AGENT);
+                    with.incomingSuperRole("partnerRel", ADMIN);
+                    with.permission(DELETE);
                     with.permission(UPDATE);
                 })
-                .createSubRole(REFERRER, (with) -> {
+                .createSubRole(AGENT, (with) -> {
+                    with.incomingSuperRole("partnerRel", AGENT);
                     with.outgoingSubRole("partnerRel", TENANT);
                     with.permission(SELECT);
                 });

src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java

@@ -31,7 +31,7 @@ public class RbacRoleController implements RbacRolesApi {
 
         context.define(currentUser, assumedRoles);
 
-        final List<RbacRoleRvEntity> result = rbacRoleRepository.findAll();
+        final List<RbacRoleEntity> result = rbacRoleRepository.findAll();
 
         return ResponseEntity.ok(mapper.mapList(result, RbacRoleResource.class));
     }

src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleEntity.java

@@ -15,7 +15,7 @@ import java.util.UUID;
 @Immutable
 @NoArgsConstructor
 @AllArgsConstructor
-public class RbacRoleRvEntity {
+public class RbacRoleEntity {
 
     @Id
     @GeneratedValue

src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java

@@ -5,7 +5,7 @@ import org.springframework.data.repository.Repository;
 import java.util.List;
 import java.util.UUID;
 
-public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
+public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {
 
     /**
      * @return the number of persistent RbacRoleEntity instances, mostly for testing purposes.
@@ -15,7 +15,7 @@ public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
     /**
      * @return all persistent RbacRoleEntity instances, assigned to the current subject (user or assumed roles)
      */
-    List<RbacRoleRvEntity> findAll();
+    List<RbacRoleEntity> findAll();
 
-    RbacRoleRvEntity findByRoleName(String roleName);
+    RbacRoleEntity findByRoleName(String roleName);
 }

src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql

@@ -139,7 +139,7 @@ select 'global', (select uuid from RbacObject where objectTable = 'global'), 'GU
 $$;
 
 begin transaction;
-    call defineContext('creating role:global#loba:guest', null, null, null);
+    call defineContext('creating role:global#globa:guest', null, null, null);
     select createRole(globalGuest());
 commit;
 --//

src/main/resources/db/changelog/133-test-domain-rbac.md

@@ -0,0 +1,75 @@
+### rbac domain
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph package.customer["`**package.customer**`"]
+    direction TB
+    style package.customer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph package.customer:roles[ ]
+        style package.customer:roles fill:#99bcdb,stroke:white
+
+        role:package.customer:OWNER[[package.customer:OWNER]]
+        role:package.customer:ADMIN[[package.customer:ADMIN]]
+        role:package.customer:TENANT[[package.customer:TENANT]]
+    end
+end
+
+subgraph package["`**package**`"]
+    direction TB
+    style package fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph package:roles[ ]
+        style package:roles fill:#99bcdb,stroke:white
+
+        role:package:OWNER[[package:OWNER]]
+        role:package:ADMIN[[package:ADMIN]]
+        role:package:TENANT[[package:TENANT]]
+    end
+end
+
+subgraph domain["`**domain**`"]
+    direction TB
+    style domain fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph domain:roles[ ]
+        style domain:roles fill:#dd4901,stroke:white
+
+        role:domain:OWNER[[domain:OWNER]]
+        role:domain:ADMIN[[domain:ADMIN]]
+    end
+
+    subgraph domain:permissions[ ]
+        style domain:permissions fill:#dd4901,stroke:white
+
+        perm:domain:INSERT{{domain:INSERT}}
+        perm:domain:DELETE{{domain:DELETE}}
+        perm:domain:UPDATE{{domain:UPDATE}}
+        perm:domain:SELECT{{domain:SELECT}}
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.->|XX| role:package.customer:OWNER
+role:package.customer:OWNER -.-> role:package.customer:ADMIN
+role:package.customer:ADMIN -.-> role:package.customer:TENANT
+role:package.customer:ADMIN -.-> role:package:OWNER
+role:package:OWNER -.-> role:package:ADMIN
+role:package:ADMIN -.-> role:package:TENANT
+role:package:TENANT -.-> role:package.customer:TENANT
+role:package:ADMIN ==> role:domain:OWNER
+role:domain:OWNER ==> role:package:TENANT
+role:domain:OWNER ==> role:domain:ADMIN
+role:domain:ADMIN ==> role:package:TENANT
+
+%% granting permissions to roles
+role:package:ADMIN ==> perm:domain:INSERT
+role:domain:OWNER ==> perm:domain:DELETE
+role:domain:OWNER ==> perm:domain:UPDATE
+role:domain:ADMIN ==> perm:domain:SELECT
+
+```

src/main/resources/db/changelog/223-hs-office-relation-rbac.md

@@ -0,0 +1,102 @@
+### rbac relation
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph holderPerson["`**holderPerson**`"]
+    direction TB
+    style holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph holderPerson:roles[ ]
+        style holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:holderPerson:OWNER[[holderPerson:OWNER]]
+        role:holderPerson:ADMIN[[holderPerson:ADMIN]]
+        role:holderPerson:REFERRER[[holderPerson:REFERRER]]
+    end
+end
+
+subgraph anchorPerson["`**anchorPerson**`"]
+    direction TB
+    style anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph anchorPerson:roles[ ]
+        style anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:anchorPerson:OWNER[[anchorPerson:OWNER]]
+        role:anchorPerson:ADMIN[[anchorPerson:ADMIN]]
+        role:anchorPerson:REFERRER[[anchorPerson:REFERRER]]
+    end
+end
+
+subgraph contact["`**contact**`"]
+    direction TB
+    style contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph contact:roles[ ]
+        style contact:roles fill:#99bcdb,stroke:white
+
+        role:contact:OWNER[[contact:OWNER]]
+        role:contact:ADMIN[[contact:ADMIN]]
+        role:contact:REFERRER[[contact:REFERRER]]
+    end
+end
+
+subgraph relation["`**relation**`"]
+    direction TB
+    style relation fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph relation:roles[ ]
+        style relation:roles fill:#dd4901,stroke:white
+
+        role:relation:OWNER[[relation:OWNER]]
+        role:relation:ADMIN[[relation:ADMIN]]
+        role:relation:AGENT[[relation:AGENT]]
+        role:relation:TENANT[[relation:TENANT]]
+    end
+
+    subgraph relation:permissions[ ]
+        style relation:permissions fill:#dd4901,stroke:white
+
+        perm:relation:DELETE{{relation:DELETE}}
+        perm:relation:UPDATE{{relation:UPDATE}}
+        perm:relation:SELECT{{relation:SELECT}}
+        perm:relation:INSERT{{relation:INSERT}}
+    end
+end
+
+%% granting roles to users
+user:creator ==> role:relation:OWNER
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:anchorPerson:OWNER
+role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
+role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
+role:global:ADMIN -.-> role:holderPerson:OWNER
+role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
+role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
+role:global:ADMIN -.-> role:contact:OWNER
+role:contact:OWNER -.-> role:contact:ADMIN
+role:contact:ADMIN -.-> role:contact:REFERRER
+role:global:ADMIN ==> role:relation:OWNER
+role:relation:OWNER ==> role:relation:ADMIN
+role:anchorPerson:ADMIN ==> role:relation:ADMIN
+role:relation:ADMIN ==> role:relation:AGENT
+role:holderPerson:ADMIN ==> role:relation:AGENT
+role:relation:AGENT ==> role:relation:TENANT
+role:holderPerson:ADMIN ==> role:relation:TENANT
+role:contact:ADMIN ==> role:relation:TENANT
+role:relation:TENANT ==> role:anchorPerson:REFERRER
+role:relation:TENANT ==> role:holderPerson:REFERRER
+role:relation:TENANT ==> role:contact:REFERRER
+
+%% granting permissions to roles
+role:relation:OWNER ==> perm:relation:DELETE
+role:relation:ADMIN ==> perm:relation:UPDATE
+role:relation:TENANT ==> perm:relation:SELECT
+role:anchorPerson:ADMIN ==> perm:relation:INSERT
+
+```

src/main/resources/db/changelog/233-hs-office-partner-rbac.md

@@ -0,0 +1,120 @@
+### rbac partner
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph partnerRel.contact["`**partnerRel.contact**`"]
+    direction TB
+    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.contact:roles[ ]
+        style partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph partner["`**partner**`"]
+    direction TB
+    style partner fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph partner:permissions[ ]
+        style partner:permissions fill:#dd4901,stroke:white
+
+        perm:partner:INSERT{{partner:INSERT}}
+        perm:partner:DELETE{{partner:DELETE}}
+        perm:partner:UPDATE{{partner:UPDATE}}
+        perm:partner:SELECT{{partner:SELECT}}
+    end
+
+    subgraph partnerRel["`**partnerRel**`"]
+        direction TB
+        style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph partnerRel:roles[ ]
+            style partnerRel:roles fill:#99bcdb,stroke:white
+
+            role:partnerRel:OWNER[[partnerRel:OWNER]]
+            role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+            role:partnerRel:AGENT[[partnerRel:AGENT]]
+            role:partnerRel:TENANT[[partnerRel:TENANT]]
+        end
+    end
+end
+
+subgraph partnerDetails["`**partnerDetails**`"]
+    direction TB
+    style partnerDetails fill:#feb28c,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerDetails:permissions[ ]
+        style partnerDetails:permissions fill:#feb28c,stroke:white
+
+        perm:partnerDetails:DELETE{{partnerDetails:DELETE}}
+        perm:partnerDetails:UPDATE{{partnerDetails:UPDATE}}
+        perm:partnerDetails:SELECT{{partnerDetails:SELECT}}
+    end
+end
+
+subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
+    direction TB
+    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.anchorPerson:roles[ ]
+        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
+    direction TB
+    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.holderPerson:roles[ ]
+        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+
+%% granting permissions to roles
+role:global:ADMIN ==> perm:partner:INSERT
+role:partnerRel:ADMIN ==> perm:partner:DELETE
+role:partnerRel:AGENT ==> perm:partner:UPDATE
+role:partnerRel:TENANT ==> perm:partner:SELECT
+role:partnerRel:ADMIN ==> perm:partnerDetails:DELETE
+role:partnerRel:AGENT ==> perm:partnerDetails:UPDATE
+role:partnerRel:AGENT ==> perm:partnerDetails:SELECT
+
+```

src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md

@@ -0,0 +1,141 @@
+### rbac sepaMandate
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph bankAccount["`**bankAccount**`"]
+    direction TB
+    style bankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph bankAccount:roles[ ]
+        style bankAccount:roles fill:#99bcdb,stroke:white
+
+        role:bankAccount:OWNER[[bankAccount:OWNER]]
+        role:bankAccount:ADMIN[[bankAccount:ADMIN]]
+        role:bankAccount:REFERRER[[bankAccount:REFERRER]]
+    end
+end
+
+subgraph debitorRel.contact["`**debitorRel.contact**`"]
+    direction TB
+    style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.contact:roles[ ]
+        style debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
+        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
+        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
+    direction TB
+    style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.anchorPerson:roles[ ]
+        style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
+        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
+        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
+    direction TB
+    style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.holderPerson:roles[ ]
+        style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
+        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
+        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph sepaMandate["`**sepaMandate**`"]
+    direction TB
+    style sepaMandate fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph sepaMandate:roles[ ]
+        style sepaMandate:roles fill:#dd4901,stroke:white
+
+        role:sepaMandate:OWNER[[sepaMandate:OWNER]]
+        role:sepaMandate:ADMIN[[sepaMandate:ADMIN]]
+        role:sepaMandate:AGENT[[sepaMandate:AGENT]]
+        role:sepaMandate:REFERRER[[sepaMandate:REFERRER]]
+    end
+
+    subgraph sepaMandate:permissions[ ]
+        style sepaMandate:permissions fill:#dd4901,stroke:white
+
+        perm:sepaMandate:DELETE{{sepaMandate:DELETE}}
+        perm:sepaMandate:UPDATE{{sepaMandate:UPDATE}}
+        perm:sepaMandate:SELECT{{sepaMandate:SELECT}}
+        perm:sepaMandate:INSERT{{sepaMandate:INSERT}}
+    end
+end
+
+subgraph debitorRel["`**debitorRel**`"]
+    direction TB
+    style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel:roles[ ]
+        style debitorRel:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel:OWNER[[debitorRel:OWNER]]
+        role:debitorRel:ADMIN[[debitorRel:ADMIN]]
+        role:debitorRel:AGENT[[debitorRel:AGENT]]
+        role:debitorRel:TENANT[[debitorRel:TENANT]]
+    end
+end
+
+%% granting roles to users
+user:creator ==> role:sepaMandate:OWNER
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
+role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
+role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.contact:OWNER
+role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
+role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:bankAccount:OWNER
+role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
+role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
+role:global:ADMIN ==> role:sepaMandate:OWNER
+role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
+role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
+role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
+role:sepaMandate:AGENT ==> role:debitorRel:AGENT
+role:sepaMandate:AGENT ==> role:sepaMandate:REFERRER
+role:bankAccount:ADMIN ==> role:sepaMandate:REFERRER
+role:debitorRel:AGENT ==> role:sepaMandate:REFERRER
+role:sepaMandate:REFERRER ==> role:debitorRel:TENANT
+
+%% granting permissions to roles
+role:sepaMandate:OWNER ==> perm:sepaMandate:DELETE
+role:sepaMandate:ADMIN ==> perm:sepaMandate:UPDATE
+role:sepaMandate:REFERRER ==> perm:sepaMandate:SELECT
+role:debitorRel:ADMIN ==> perm:sepaMandate:INSERT
+
+```

src/main/resources/db/changelog/273-hs-office-debitor-rbac.md

@@ -0,0 +1,198 @@
+### rbac debitor
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph debitorRel.anchorPerson["`**debitorRel.anchorPerson**`"]
+    direction TB
+    style debitorRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.anchorPerson:roles[ ]
+        style debitorRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.anchorPerson:OWNER[[debitorRel.anchorPerson:OWNER]]
+        role:debitorRel.anchorPerson:ADMIN[[debitorRel.anchorPerson:ADMIN]]
+        role:debitorRel.anchorPerson:REFERRER[[debitorRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph debitorRel.holderPerson["`**debitorRel.holderPerson**`"]
+    direction TB
+    style debitorRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.holderPerson:roles[ ]
+        style debitorRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.holderPerson:OWNER[[debitorRel.holderPerson:OWNER]]
+        role:debitorRel.holderPerson:ADMIN[[debitorRel.holderPerson:ADMIN]]
+        role:debitorRel.holderPerson:REFERRER[[debitorRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
+    direction TB
+    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.holderPerson:roles[ ]
+        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph debitor["`**debitor**`"]
+    direction TB
+    style debitor fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitor:permissions[ ]
+        style debitor:permissions fill:#dd4901,stroke:white
+
+        perm:debitor:INSERT{{debitor:INSERT}}
+        perm:debitor:DELETE{{debitor:DELETE}}
+        perm:debitor:UPDATE{{debitor:UPDATE}}
+        perm:debitor:SELECT{{debitor:SELECT}}
+    end
+
+    subgraph debitorRel["`**debitorRel**`"]
+        direction TB
+        style debitorRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph debitorRel:roles[ ]
+            style debitorRel:roles fill:#99bcdb,stroke:white
+
+            role:debitorRel:OWNER[[debitorRel:OWNER]]
+            role:debitorRel:ADMIN[[debitorRel:ADMIN]]
+            role:debitorRel:AGENT[[debitorRel:AGENT]]
+            role:debitorRel:TENANT[[debitorRel:TENANT]]
+        end
+    end
+end
+
+subgraph partnerRel["`**partnerRel**`"]
+    direction TB
+    style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel:roles[ ]
+        style partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel:OWNER[[partnerRel:OWNER]]
+        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+        role:partnerRel:AGENT[[partnerRel:AGENT]]
+        role:partnerRel:TENANT[[partnerRel:TENANT]]
+    end
+end
+
+subgraph partnerRel.contact["`**partnerRel.contact**`"]
+    direction TB
+    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.contact:roles[ ]
+        style partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph debitorRel.contact["`**debitorRel.contact**`"]
+    direction TB
+    style debitorRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph debitorRel.contact:roles[ ]
+        style debitorRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:debitorRel.contact:OWNER[[debitorRel.contact:OWNER]]
+        role:debitorRel.contact:ADMIN[[debitorRel.contact:ADMIN]]
+        role:debitorRel.contact:REFERRER[[debitorRel.contact:REFERRER]]
+    end
+end
+
+subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
+    direction TB
+    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.anchorPerson:roles[ ]
+        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph refundBankAccount["`**refundBankAccount**`"]
+    direction TB
+    style refundBankAccount fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph refundBankAccount:roles[ ]
+        style refundBankAccount:roles fill:#99bcdb,stroke:white
+
+        role:refundBankAccount:OWNER[[refundBankAccount:OWNER]]
+        role:refundBankAccount:ADMIN[[refundBankAccount:ADMIN]]
+        role:refundBankAccount:REFERRER[[refundBankAccount:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
+role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
+role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:debitorRel.contact:OWNER
+role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
+role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
+role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
+role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
+role:global:ADMIN -.-> role:refundBankAccount:OWNER
+role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
+role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
+role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
+role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+role:partnerRel:ADMIN ==> role:debitorRel:ADMIN
+role:partnerRel:AGENT ==> role:debitorRel:AGENT
+role:debitorRel:AGENT ==> role:partnerRel:TENANT
+
+%% granting permissions to roles
+role:global:ADMIN ==> perm:debitor:INSERT
+role:debitorRel:OWNER ==> perm:debitor:DELETE
+role:debitorRel:ADMIN ==> perm:debitor:UPDATE
+role:debitorRel:TENANT ==> perm:debitor:SELECT
+
+```

src/main/resources/db/changelog/303-hs-office-membership-rbac.md

@@ -0,0 +1,120 @@
+### rbac membership
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph partnerRel["`**partnerRel**`"]
+    direction TB
+    style partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel:roles[ ]
+        style partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel:OWNER[[partnerRel:OWNER]]
+        role:partnerRel:ADMIN[[partnerRel:ADMIN]]
+        role:partnerRel:AGENT[[partnerRel:AGENT]]
+        role:partnerRel:TENANT[[partnerRel:TENANT]]
+    end
+end
+
+subgraph partnerRel.contact["`**partnerRel.contact**`"]
+    direction TB
+    style partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.contact:roles[ ]
+        style partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.contact:OWNER[[partnerRel.contact:OWNER]]
+        role:partnerRel.contact:ADMIN[[partnerRel.contact:ADMIN]]
+        role:partnerRel.contact:REFERRER[[partnerRel.contact:REFERRER]]
+    end
+end
+
+subgraph membership["`**membership**`"]
+    direction TB
+    style membership fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership:roles[ ]
+        style membership:roles fill:#dd4901,stroke:white
+
+        role:membership:OWNER[[membership:OWNER]]
+        role:membership:ADMIN[[membership:ADMIN]]
+        role:membership:AGENT[[membership:AGENT]]
+    end
+
+    subgraph membership:permissions[ ]
+        style membership:permissions fill:#dd4901,stroke:white
+
+        perm:membership:INSERT{{membership:INSERT}}
+        perm:membership:DELETE{{membership:DELETE}}
+        perm:membership:UPDATE{{membership:UPDATE}}
+        perm:membership:SELECT{{membership:SELECT}}
+    end
+end
+
+subgraph partnerRel.anchorPerson["`**partnerRel.anchorPerson**`"]
+    direction TB
+    style partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.anchorPerson:roles[ ]
+        style partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.anchorPerson:OWNER[[partnerRel.anchorPerson:OWNER]]
+        role:partnerRel.anchorPerson:ADMIN[[partnerRel.anchorPerson:ADMIN]]
+        role:partnerRel.anchorPerson:REFERRER[[partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
+    direction TB
+    style partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph partnerRel.holderPerson:roles[ ]
+        style partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:partnerRel.holderPerson:OWNER[[partnerRel.holderPerson:OWNER]]
+        role:partnerRel.holderPerson:ADMIN[[partnerRel.holderPerson:ADMIN]]
+        role:partnerRel.holderPerson:REFERRER[[partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+%% granting roles to users
+user:creator ==> role:membership:OWNER
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
+role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
+role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:partnerRel.contact:OWNER
+role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
+role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
+role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
+role:partnerRel:AGENT -.-> role:partnerRel:TENANT
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
+role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
+role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+role:membership:OWNER ==> role:membership:ADMIN
+role:partnerRel:ADMIN ==> role:membership:ADMIN
+role:membership:ADMIN ==> role:membership:AGENT
+role:partnerRel:AGENT ==> role:membership:AGENT
+role:membership:AGENT ==> role:partnerRel:TENANT
+
+%% granting permissions to roles
+role:global:ADMIN ==> perm:membership:INSERT
+role:membership:ADMIN ==> perm:membership:DELETE
+role:membership:ADMIN ==> perm:membership:UPDATE
+role:membership:AGENT ==> perm:membership:SELECT
+
+```

src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md

@@ -0,0 +1,120 @@
+### rbac coopSharesTransaction
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+    direction TB
+    style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.holderPerson:roles[ ]
+        style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
+        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
+        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+    direction TB
+    style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.anchorPerson:roles[ ]
+        style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
+        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
+        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph coopSharesTransaction["`**coopSharesTransaction**`"]
+    direction TB
+    style coopSharesTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph coopSharesTransaction:permissions[ ]
+        style coopSharesTransaction:permissions fill:#dd4901,stroke:white
+
+        perm:coopSharesTransaction:INSERT{{coopSharesTransaction:INSERT}}
+        perm:coopSharesTransaction:UPDATE{{coopSharesTransaction:UPDATE}}
+        perm:coopSharesTransaction:SELECT{{coopSharesTransaction:SELECT}}
+    end
+end
+
+subgraph membership["`**membership**`"]
+    direction TB
+    style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership:roles[ ]
+        style membership:roles fill:#99bcdb,stroke:white
+
+        role:membership:OWNER[[membership:OWNER]]
+        role:membership:ADMIN[[membership:ADMIN]]
+        role:membership:AGENT[[membership:AGENT]]
+    end
+end
+
+subgraph membership.partnerRel["`**membership.partnerRel**`"]
+    direction TB
+    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel:roles[ ]
+        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
+        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
+        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
+        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
+    end
+end
+
+subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+    direction TB
+    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.contact:roles[ ]
+        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
+        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
+        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
+role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
+role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
+role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
+role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
+role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
+role:membership:OWNER -.-> role:membership:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT
+
+%% granting permissions to roles
+role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
+role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
+role:membership:AGENT ==> perm:coopSharesTransaction:SELECT
+
+```

src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql

@@ -0,0 +1,151 @@
+--liquibase formatted sql
+-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
+
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRelatedRbacObject('hs_office_coopsharestransaction');
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-insert-trigger:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
+ */
+
+create or replace procedure buildRbacSystemForHsOfficeCoopSharesTransaction(
+    NEW hs_office_coopsharestransaction
+)
+    language plpgsql as $$
+
+declare
+    newMembership hs_office_membership;
+
+begin
+    call enterTriggerForObjectUuid(NEW.uuid);
+
+    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
+    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
+
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+
+    call leaveTriggerForObjectUuid(NEW.uuid);
+end; $$;
+
+/*
+    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopsharestransaction row.
+ */
+
+create or replace function insertTriggerForHsOfficeCoopSharesTransaction_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call buildRbacSystemForHsOfficeCoopSharesTransaction(NEW);
+    return NEW;
+end; $$;
+
+create trigger insertTriggerForHsOfficeCoopSharesTransaction_tg
+    after insert on hs_office_coopsharestransaction
+    for each row
+execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf();
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows.
+ */
+do language plpgsql $$
+    declare
+        row hs_office_membership;
+    begin
+        call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows');
+
+        FOR row IN SELECT * FROM hs_office_membership
+            LOOP
+                call grantPermissionToRole(
+                    createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+                    hsOfficeMembershipADMIN(row));
+            END LOOP;
+    END;
+$$;
+
+/**
+    Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
+*/
+create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call grantPermissionToRole(
+            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+            hsOfficeMembershipADMIN(NEW));
+    return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg
+    after insert on hs_office_membership
+    for each row
+execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf();
+
+/**
+    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction,
+    where the check is performed by a direct role.
+
+    A direct role is a role depending on a foreign key directly available in the NEW row.
+*/
+create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf()
+    returns trigger
+    language plpgsql as $$
+begin
+    raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)',
+        currentSubjects(), currentSubjectsUuids();
+end; $$;
+
+create trigger hs_office_coopsharestransaction_insert_permission_check_tg
+    before insert on hs_office_coopsharestransaction
+    for each row
+    when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopsharestransaction') )
+        execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf();
+--//
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
+    $idName$
+        reference
+    $idName$);
+--//
+
+-- ============================================================================
+--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRestrictedView('hs_office_coopsharestransaction',
+    $orderBy$
+        reference
+    $orderBy$,
+    $updates$
+        comment = new.comment
+    $updates$);
+--//
+

src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md

@@ -0,0 +1,120 @@
+### rbac coopAssetsTransaction
+
+This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
+
+```mermaid
+%%{init:{'flowchart':{'htmlLabels':false}}}%%
+flowchart TB
+
+subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+    direction TB
+    style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.holderPerson:roles[ ]
+        style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
+        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
+        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
+    end
+end
+
+subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+    direction TB
+    style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.anchorPerson:roles[ ]
+        style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
+        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
+        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
+    end
+end
+
+subgraph coopAssetsTransaction["`**coopAssetsTransaction**`"]
+    direction TB
+    style coopAssetsTransaction fill:#dd4901,stroke:#274d6e,stroke-width:8px
+
+    subgraph coopAssetsTransaction:permissions[ ]
+        style coopAssetsTransaction:permissions fill:#dd4901,stroke:white
+
+        perm:coopAssetsTransaction:INSERT{{coopAssetsTransaction:INSERT}}
+        perm:coopAssetsTransaction:UPDATE{{coopAssetsTransaction:UPDATE}}
+        perm:coopAssetsTransaction:SELECT{{coopAssetsTransaction:SELECT}}
+    end
+end
+
+subgraph membership["`**membership**`"]
+    direction TB
+    style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership:roles[ ]
+        style membership:roles fill:#99bcdb,stroke:white
+
+        role:membership:OWNER[[membership:OWNER]]
+        role:membership:ADMIN[[membership:ADMIN]]
+        role:membership:AGENT[[membership:AGENT]]
+    end
+end
+
+subgraph membership.partnerRel["`**membership.partnerRel**`"]
+    direction TB
+    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel:roles[ ]
+        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
+        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
+        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
+        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
+    end
+end
+
+subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+    direction TB
+    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.contact:roles[ ]
+        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
+        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
+        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
+    end
+end
+
+%% granting roles to roles
+role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
+role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
+role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
+role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
+role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
+role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
+role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
+role:membership:OWNER -.-> role:membership:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT
+
+%% granting permissions to roles
+role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
+role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
+role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT
+
+```

src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql

@@ -0,0 +1,151 @@
+--liquibase formatted sql
+-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
+
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRelatedRbacObject('hs_office_coopassetstransaction');
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-insert-trigger:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
+ */
+
+create or replace procedure buildRbacSystemForHsOfficeCoopAssetsTransaction(
+    NEW hs_office_coopassetstransaction
+)
+    language plpgsql as $$
+
+declare
+    newMembership hs_office_membership;
+
+begin
+    call enterTriggerForObjectUuid(NEW.uuid);
+
+    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
+    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
+
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+
+    call leaveTriggerForObjectUuid(NEW.uuid);
+end; $$;
+
+/*
+    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopassetstransaction row.
+ */
+
+create or replace function insertTriggerForHsOfficeCoopAssetsTransaction_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call buildRbacSystemForHsOfficeCoopAssetsTransaction(NEW);
+    return NEW;
+end; $$;
+
+create trigger insertTriggerForHsOfficeCoopAssetsTransaction_tg
+    after insert on hs_office_coopassetstransaction
+    for each row
+execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
+--//
+
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+    Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows.
+ */
+do language plpgsql $$
+    declare
+        row hs_office_membership;
+    begin
+        call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows');
+
+        FOR row IN SELECT * FROM hs_office_membership
+            LOOP
+                call grantPermissionToRole(
+                    createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+                    hsOfficeMembershipADMIN(row));
+            END LOOP;
+    END;
+$$;
+
+/**
+    Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
+*/
+create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    call grantPermissionToRole(
+            createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+            hsOfficeMembershipADMIN(NEW));
+    return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg
+    after insert on hs_office_membership
+    for each row
+execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf();
+
+/**
+    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction,
+    where the check is performed by a direct role.
+
+    A direct role is a role depending on a foreign key directly available in the NEW row.
+*/
+create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf()
+    returns trigger
+    language plpgsql as $$
+begin
+    raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)',
+        currentSubjects(), currentSubjectsUuids();
+end; $$;
+
+create trigger hs_office_coopassetstransaction_insert_permission_check_tg
+    before insert on hs_office_coopassetstransaction
+    for each row
+    when ( not hasInsertPermission(NEW.membershipUuid, 'INSERT', 'hs_office_coopassetstransaction') )
+        execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf();
+--//
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
+    $idName$
+        reference
+    $idName$);
+--//
+
+-- ============================================================================
+--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+call generateRbacRestrictedView('hs_office_coopassetstransaction',
+    $orderBy$
+        reference
+    $orderBy$,
+    $updates$
+        comment = new.comment
+    $updates$);
+--//
+

src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md

@@ -42,7 +42,7 @@ subgraph membership["`**membership**`"]
 
         role:membership:OWNER[[membership:OWNER]]
         role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
     end
 
     subgraph membership:permissions[ ]
@@ -105,16 +105,16 @@ role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
-role:partnerRel:ADMIN ==> role:membership:OWNER
 role:membership:OWNER ==> role:membership:ADMIN
-role:partnerRel:AGENT ==> role:membership:ADMIN
+role:partnerRel:ADMIN ==> role:membership:ADMIN
-role:membership:ADMIN ==> role:membership:REFERRER
+role:membership:ADMIN ==> role:membership:AGENT
-role:membership:REFERRER ==> role:partnerRel:TENANT
+role:partnerRel:AGENT ==> role:membership:AGENT
+role:membership:AGENT ==> role:partnerRel:TENANT
 
 %% granting permissions to roles
 role:global:ADMIN ==> perm:membership:INSERT
-role:membership:OWNER ==> perm:membership:DELETE
+role:membership:ADMIN ==> perm:membership:DELETE
 role:membership:ADMIN ==> perm:membership:UPDATE
-role:membership:REFERRER ==> perm:membership:SELECT
+role:membership:AGENT ==> perm:membership:SELECT
 
 ```

src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql

@@ -45,23 +45,23 @@ begin
 
     perform createRoleWithGrants(
         hsOfficeMembershipOWNER(NEW),
-            permissions => array['DELETE'],
-            incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
         hsOfficeMembershipADMIN(NEW),
-            permissions => array['UPDATE'],
+            permissions => array['DELETE', 'UPDATE'],
             incomingSuperRoles => array[
             	hsOfficeMembershipOWNER(NEW),
-            	hsOfficeRelationAGENT(newPartnerRel)]
+            	hsOfficeRelationADMIN(newPartnerRel)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeMembershipREFERRER(NEW),
+        hsOfficeMembershipAGENT(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
+            incomingSuperRoles => array[
+            	hsOfficeMembershipADMIN(NEW),
+            	hsOfficeRelationAGENT(newPartnerRel)],
             outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
     );
 

src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md

@@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]
 
         role:membership:OWNER[[membership:OWNER]]
         role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
     end
 end
 
@@ -106,15 +106,15 @@ role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
-role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:REFERRER
+role:membership:ADMIN -.-> role:membership:AGENT
-role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
 role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
-role:membership:ADMIN ==> perm:coopSharesTransaction:SELECT
+role:membership:AGENT ==> perm:coopSharesTransaction:SELECT
 
 ```

src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql

@@ -38,7 +38,7 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
     call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 
     call leaveTriggerForObjectUuid(NEW.uuid);

src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md

@@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]
 
         role:membership:OWNER[[membership:OWNER]]
         role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
     end
 end
 
@@ -106,15 +106,15 @@ role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
-role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:REFERRER
+role:membership:ADMIN -.-> role:membership:AGENT
-role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT
 
 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
 role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
-role:membership:ADMIN ==> perm:coopAssetsTransaction:SELECT
+role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT
 
 ```

src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql

@@ -38,7 +38,7 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
     call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 
     call leaveTriggerForObjectUuid(NEW.uuid);

src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java

@@ -112,7 +112,7 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
                             "{ grant perm:coopassetstransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                             null));
         }

src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java

@@ -111,8 +111,8 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101.admin by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
-                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101.admin by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                             null));
         }
 

src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java

@@ -335,18 +335,18 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
         }
 
         @Test
-        void partnerRelAgent_canPatchValidityOfRelatedMembership() {
+        void partnerRelAdmin_canPatchValidityOfRelatedMembership() {
 
             // given
-            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT";
+            final var givenPartnerAdmin = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN";
-            context.define("superuser-alex@hostsharing.net", givenPartnerAgent);
+            context.define("superuser-alex@hostsharing.net", givenPartnerAdmin);
             final var givenMembership = givenSomeTemporaryMembershipBessler("First");
 
             // when
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", givenPartnerAgent)
+                    .header("assumed-roles", givenPartnerAdmin)
                     .contentType(ContentType.JSON)
                     .body("""
                            {

src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java

@@ -110,30 +110,32 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
             final var all = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_membership#M-1000117:ADMIN",
                     "hs_office_membership#M-1000117:OWNER",
-                    "hs_office_membership#M-1000117:REFERRER"));
+                    "hs_office_membership#M-1000117:ADMIN",
+                    "hs_office_membership#M-1000117:AGENT"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
+                            // insert
+                            "{ grant perm:membership#M-1000117:INSERT>coopassetstransaction to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant perm:membership#M-1000117:INSERT>coopsharestransaction to role:membership#M-1000117:ADMIN by system and assume }",
 
                             // owner
-                            "{ grant perm:membership#M-1000117:DELETE       to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant perm:membership#M-1000117:DELETE to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
 
                             // admin
-                            "{ grant perm:membership#M-1000117:UPDATE       to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant perm:membership#M-1000117:UPDATE to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:ADMIN        to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN to role:membership#M-1000117:OWNER by system and assume }",
-                            "{ grant role:membership#M-1000117:OWNER        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:OWNER        to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
 
                             // agent
-                            "{ grant role:membership#M-1000117:ADMIN        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
+                            "{ grant perm:membership#M-1000117:SELECT to role:membership#M-1000117:AGENT by system and assume }",
+                            "{ grant role:membership#M-1000117:AGENT to role:membership#M-1000117:ADMIN by system and assume }",
 
-                            // referrer
+                            "{ grant role:membership#M-1000117:AGENT to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
-                            "{ grant perm:membership#M-1000117:SELECT       to role:membership#M-1000117:REFERRER by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:AGENT by system and assume }",
-                            "{ grant role:membership#M-1000117:REFERRER     to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:REFERRER by system and assume }",
 
                             null));
         }
@@ -221,20 +223,20 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
         }
 
         @Test
-        public void membershipReferrer_canViewButNotUpdateRelatedMembership() {
+        public void membershipAgent_canViewButNotUpdateRelatedMembership() {
             // given
             context("superuser-alex@hostsharing.net");
             final var givenMembership = givenSomeTemporaryMembership("First", "13");
             assertThatMembershipExistsAndIsAccessibleToCurrentContext(givenMembership);
             assertThatMembershipIsVisibleForRole(
                     givenMembership,
-                    "hs_office_membership#M-1000113:REFERRER");
+                    "hs_office_membership#M-1000113:AGENT");
             final var newValidityEnd = LocalDate.now();
 
             // when
             final var result = jpaAttempt.transacted(() -> {
                 // TODO: we should test with debitor- and partner-admin as well
-                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:REFERRER");
+                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:AGENT");
                 givenMembership.setValidity(
                         Range.closedOpen(givenMembership.getValidity().lower(), newValidityEnd));
                 return membershipRepo.save(givenMembership);

src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java

@@ -6,7 +6,7 @@ import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantEntity;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService;
 import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.test.JpaAttempt;
 import org.jetbrains.annotations.NotNull;
@@ -255,7 +255,7 @@ public abstract class ContextBasedTestWithCleanup extends ContextBasedTest {
         return jpaAttempt.transacted(() -> {
             context.define("superuser-alex@hostsharing.net", null);
             return rbacRoleRepo.findAll().stream()
-                    .map(RbacRoleRvEntity::getRoleName)
+                    .map(RbacRoleEntity::getRoleName)
                     .collect(toSet());
         }).assertSuccessful().returnedValue();
     }

src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java

@@ -5,7 +5,7 @@ import io.restassured.http.ContentType;
 import io.restassured.response.ValidatableResponse;
 import net.hostsharing.hsadminng.HsadminNgApplication;
 import net.hostsharing.hsadminng.context.ContextBasedTest;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserEntity;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserRepository;
@@ -361,11 +361,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
             this(currentUser, "");
         }
 
-        GrantFixture grantsRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
+        GrantFixture grantsRole(final RbacRoleEntity givenOwnPackageAdminRole) {
             return new GrantFixture(givenOwnPackageAdminRole);
         }
 
-        RevokeFixture revokesRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
+        RevokeFixture revokesRole(final RbacRoleEntity givenOwnPackageAdminRole) {
             return new RevokeFixture(givenOwnPackageAdminRole);
         }
 
@@ -376,11 +376,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         class GrantFixture {
 
             private Subject grantingSubject = Subject.this;
-            private final RbacRoleRvEntity grantedRole;
+            private final RbacRoleEntity grantedRole;
             private boolean assumed;
             private RbacUserEntity granteeUser;
 
-            public GrantFixture(final RbacRoleRvEntity roleToGrant) {
+            public GrantFixture(final RbacRoleEntity roleToGrant) {
                 this.grantedRole = roleToGrant;
             }
 
@@ -417,11 +417,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         class RevokeFixture {
 
             private Subject currentSubject = Subject.this;
-            private final RbacRoleRvEntity grantedRole;
+            private final RbacRoleEntity grantedRole;
             private boolean assumed;
             private RbacUserEntity granteeUser;
 
-            public RevokeFixture(final RbacRoleRvEntity roleToGrant) {
+            public RevokeFixture(final RbacRoleEntity roleToGrant) {
                 this.grantedRole = roleToGrant;
             }
 
@@ -455,9 +455,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         private class GetGrantByIdFixture {
 
             private Subject currentSubject = Subject.this;
-            private RbacRoleRvEntity grantedRole;
+            private RbacRoleEntity grantedRole;
 
-            GetGrantByIdFixture forGrantedRole(final RbacRoleRvEntity grantedRole) {
+            GetGrantByIdFixture forGrantedRole(final RbacRoleEntity grantedRole) {
                 this.grantedRole = grantedRole;
                 return this;
             }
@@ -507,7 +507,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
         }).assertNotNull().returnedValue();
     }
 
-    RbacRoleRvEntity getRbacRoleByName(final String roleName) {
+    RbacRoleEntity getRbacRoleByName(final String roleName) {
         return jpaAttempt.transacted(() -> {
             context("superuser-alex@hostsharing.net", null);
             return rbacRoleRepository.findByRoleName(roleName);

src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java

@@ -175,21 +175,21 @@ class RbacRoleRepositoryIntegrationTest {
         }
     }
 
-    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
+    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                 .containsExactlyInAnyOrder(expectedRoleNames);
     }
 
-    void allTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
+    void allTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                 .contains(expectedRoleNames);
     }
 
-    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleRvEntity> actualResult, final String... unexpectedRoleNames) {
+    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleEntity> actualResult, final String... unexpectedRoleNames) {
         assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                 .doesNotContain(unexpectedRoleNames);
     }
 

src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java

@@ -4,11 +4,11 @@ import static java.util.UUID.randomUUID;
 
 public class TestRbacRole {
 
-    public static final RbacRoleRvEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
+    public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
-    static final RbacRoleRvEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
+    static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
-    static final RbacRoleRvEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
+    static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
 
-    static public RbacRoleRvEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
+    static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
-        return new RbacRoleRvEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
+        return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
     }
 }