src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java

@@ -1,11 +1,7 @@
 
 package net.hostsharing.hsadminng.hs.office.coopassets;
 
-import lombok.AllArgsConstructor;
+import lombok.*;
-import lombok.Builder;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@@ -14,16 +10,7 @@ import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.hibernate.annotations.GenericGenerator;
 
-import jakarta.persistence.Column;
+import jakarta.persistence.*;
-import jakarta.persistence.Entity;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.Id;
-import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.Table;
-import java.io.IOException;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.time.LocalDate;
@@ -33,11 +20,8 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@@ -125,7 +109,7 @@ public class HsOfficeCoopAssetsTransactionEntity implements Stringifyable, HasUu
 
                 .toRole("membership", ADMIN).grantPermission(INSERT)
                 .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", AGENT).grantPermission(SELECT);
+                .toRole("membership", ADMIN).grantPermission(SELECT);
     }
 
     public static void main(String[] args) throws IOException {

src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java

@@ -1,10 +1,6 @@
 package net.hostsharing.hsadminng.hs.office.coopshares;
 
-import lombok.AllArgsConstructor;
+import lombok.*;
-import lombok.Builder;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
@@ -13,16 +9,7 @@ import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 
-import jakarta.persistence.Column;
+import jakarta.persistence.*;
-import jakarta.persistence.Entity;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.Id;
-import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.Table;
-import java.io.IOException;
 import java.io.IOException;
 import java.time.LocalDate;
 import java.util.UUID;
@@ -30,11 +17,9 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@@ -120,7 +105,7 @@ public class HsOfficeCoopSharesTransactionEntity implements Stringifyable, HasUu
 
                 .toRole("membership", ADMIN).grantPermission(INSERT)
                 .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", AGENT).grantPermission(SELECT);
+                .toRole("membership", ADMIN).grantPermission(SELECT);
     }
 
     public static void main(String[] args) throws IOException {

src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java

@@ -27,6 +27,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@@ -144,14 +145,14 @@ public class HsOfficeMembershipEntity implements HasUuid, Stringifyable {
 
                 .createRole(OWNER, (with) -> {
                     with.owningUser(CREATOR);
-                })
-                .createSubRole(ADMIN, (with) -> {
                     with.incomingSuperRole("partnerRel", ADMIN);
                     with.permission(DELETE);
+                })
+                .createSubRole(ADMIN, (with) -> {
+                    with.incomingSuperRole("partnerRel", AGENT);
                     with.permission(UPDATE);
                 })
-                .createSubRole(AGENT, (with) -> {
+                .createSubRole(REFERRER, (with) -> {
-                    with.incomingSuperRole("partnerRel", AGENT);
                     with.outgoingSubRole("partnerRel", TENANT);
                     with.permission(SELECT);
                 });

src/main/resources/db/changelog/303-hs-office-membership-rbac.md

@@ -42,7 +42,7 @@ subgraph membership["`**membership**`"]
 
         role:membership:OWNER[[membership:OWNER]]
         role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:AGENT[[membership:AGENT]]
+        role:membership:REFERRER[[membership:REFERRER]]
     end
 
     subgraph membership:permissions[ ]
@@ -105,16 +105,16 @@ role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
+role:partnerRel:ADMIN ==> role:membership:OWNER
 role:membership:OWNER ==> role:membership:ADMIN
-role:partnerRel:ADMIN ==> role:membership:ADMIN
+role:partnerRel:AGENT ==> role:membership:ADMIN
-role:membership:ADMIN ==> role:membership:AGENT
+role:membership:ADMIN ==> role:membership:REFERRER
-role:partnerRel:AGENT ==> role:membership:AGENT
+role:membership:REFERRER ==> role:partnerRel:TENANT
-role:membership:AGENT ==> role:partnerRel:TENANT
 
 %% granting permissions to roles
 role:global:ADMIN ==> perm:membership:INSERT
-role:membership:ADMIN ==> perm:membership:DELETE
+role:membership:OWNER ==> perm:membership:DELETE
 role:membership:ADMIN ==> perm:membership:UPDATE
-role:membership:AGENT ==> perm:membership:SELECT
+role:membership:REFERRER ==> perm:membership:SELECT
 
 ```

src/main/resources/db/changelog/303-hs-office-membership-rbac.sql

@@ -45,23 +45,23 @@ begin
 
     perform createRoleWithGrants(
         hsOfficeMembershipOWNER(NEW),
+            permissions => array['DELETE'],
+            incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
             userUuids => array[currentUserUuid()]
     );
 
     perform createRoleWithGrants(
         hsOfficeMembershipADMIN(NEW),
-            permissions => array['DELETE', 'UPDATE'],
+            permissions => array['UPDATE'],
             incomingSuperRoles => array[
             	hsOfficeMembershipOWNER(NEW),
-            	hsOfficeRelationADMIN(newPartnerRel)]
+            	hsOfficeRelationAGENT(newPartnerRel)]
     );
 
     perform createRoleWithGrants(
-        hsOfficeMembershipAGENT(NEW),
+        hsOfficeMembershipREFERRER(NEW),
             permissions => array['SELECT'],
-            incomingSuperRoles => array[
+            incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
-            	hsOfficeMembershipADMIN(NEW),
-            	hsOfficeRelationAGENT(newPartnerRel)],
             outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
     );
 

src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md

@@ -13,9 +13,9 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
     subgraph membership.partnerRel.holderPerson:roles[ ]
         style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
+        role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
-        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
+        role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
-        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
+        role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
     end
 end
 
@@ -26,9 +26,9 @@ subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPers
     subgraph membership.partnerRel.anchorPerson:roles[ ]
         style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
+        role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
-        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
+        role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
-        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
+        role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
     end
 end
 
@@ -49,26 +49,58 @@ subgraph membership["`**membership**`"]
     direction TB
     style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph membership:roles[ ]
+    subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
-        style membership:roles fill:#99bcdb,stroke:white
+        direction TB
+        style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-        role:membership:OWNER[[membership:OWNER]]
+        subgraph membership.partnerRel.holderPerson:roles[ ]
-        role:membership:ADMIN[[membership:ADMIN]]
+            style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
-        role:membership:AGENT[[membership:AGENT]]
+
+            role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
+            role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
+            role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+        direction TB
+        style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.anchorPerson:roles[ ]
+            style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+            role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+            role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
         end
     end
 
     subgraph membership.partnerRel["`**membership.partnerRel**`"]
         direction TB
         style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+        subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+            direction TB
+            style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph membership.partnerRel:roles[ ]
+            subgraph membership.partnerRel.holderPerson:roles[ ]
-        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+                style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
+                role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
-        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
+                role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
-        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
+                role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
-        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
+            end
+        end
+
+        subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+            direction TB
+            style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+            subgraph membership.partnerRel.anchorPerson:roles[ ]
+                style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+                role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+                role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+                role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
             end
         end
 
@@ -79,42 +111,140 @@ subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
             subgraph membership.partnerRel.contact:roles[ ]
                 style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
+                role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
-        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
+                role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
-        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
+                role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+            end
+        end
+
+        subgraph membership.partnerRel:roles[ ]
+            style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel:owner[[membership.partnerRel:owner]]
+            role:membership.partnerRel:admin[[membership.partnerRel:admin]]
+            role:membership.partnerRel:agent[[membership.partnerRel:agent]]
+            role:membership.partnerRel:tenant[[membership.partnerRel:tenant]]
+        end
+    end
+
+    subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+        direction TB
+        style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.contact:roles[ ]
+            style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+            role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+            role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+        end
+    end
+
+    subgraph membership:roles[ ]
+        style membership:roles fill:#99bcdb,stroke:white
+
+        role:membership:owner[[membership:owner]]
+        role:membership:admin[[membership:admin]]
+        role:membership:referrer[[membership:referrer]]
+    end
+end
+
+subgraph membership.partnerRel["`**membership.partnerRel**`"]
+    direction TB
+    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+        direction TB
+        style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.holderPerson:roles[ ]
+            style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
+            role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
+            role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+        direction TB
+        style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.anchorPerson:roles[ ]
+            style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+            role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+            role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+        direction TB
+        style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.contact:roles[ ]
+            style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+            role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+            role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel:roles[ ]
+        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel:owner[[membership.partnerRel:owner]]
+        role:membership.partnerRel:admin[[membership.partnerRel:admin]]
+        role:membership.partnerRel:agent[[membership.partnerRel:agent]]
+        role:membership.partnerRel:tenant[[membership.partnerRel:tenant]]
+    end
+end
+
+subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+    direction TB
+    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.contact:roles[ ]
+        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+        role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+        role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
     end
 end
 
 %% granting roles to roles
-role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
+role:global:admin -.-> role:membership.partnerRel.anchorPerson:owner
-role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
+role:membership.partnerRel.anchorPerson:owner -.-> role:membership.partnerRel.anchorPerson:admin
-role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel.anchorPerson:referrer
-role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
+role:global:admin -.-> role:membership.partnerRel.holderPerson:owner
-role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
+role:membership.partnerRel.holderPerson:owner -.-> role:membership.partnerRel.holderPerson:admin
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel.holderPerson:referrer
-role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
+role:global:admin -.-> role:membership.partnerRel.contact:owner
-role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
+role:membership.partnerRel.contact:owner -.-> role:membership.partnerRel.contact:admin
-role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
+role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel.contact:referrer
-role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:global:admin -.-> role:membership.partnerRel:owner
-role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:owner -.-> role:membership.partnerRel:admin
-role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel:admin
-role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel:admin -.-> role:membership.partnerRel:agent
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:agent
-role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:agent -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.anchorPerson:referrer
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.holderPerson:referrer
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.contact:referrer
-role:membership:OWNER -.-> role:membership:ADMIN
+role:membership.partnerRel:admin -.-> role:membership:owner
-role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:owner -.-> role:membership:admin
-role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:agent -.-> role:membership:admin
-role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:admin -.-> role:membership:referrer
-role:membership:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership:referrer -.-> role:membership.partnerRel:tenant
 
 %% granting permissions to roles
-role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
+role:membership:admin ==> perm:coopSharesTransaction:INSERT
-role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
+role:membership:admin ==> perm:coopSharesTransaction:UPDATE
-role:membership:AGENT ==> perm:coopSharesTransaction:SELECT
+role:membership:admin ==> perm:coopSharesTransaction:SELECT
 
 ```

src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql

@@ -38,8 +38,8 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAdmin(newMembership));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipAdmin(newMembership));
 
     call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -81,7 +81,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
-                    hsOfficeMembershipADMIN(row));
+                    hsOfficeMembershipAdmin(row));
             END LOOP;
     END;
 $$;
@@ -96,7 +96,7 @@ create or replace function hs_office_coopsharestransaction_hs_office_membership_
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
-            hsOfficeMembershipADMIN(NEW));
+            hsOfficeMembershipAdmin(NEW));
     return NEW;
 end; $$;
 

src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md

@@ -13,9 +13,9 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
     subgraph membership.partnerRel.holderPerson:roles[ ]
         style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]]
+        role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
-        role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]]
+        role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
-        role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]]
+        role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
     end
 end
 
@@ -26,9 +26,9 @@ subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPers
     subgraph membership.partnerRel.anchorPerson:roles[ ]
         style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]]
+        role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
-        role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]]
+        role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
-        role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]]
+        role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
     end
 end
 
@@ -49,26 +49,58 @@ subgraph membership["`**membership**`"]
     direction TB
     style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph membership:roles[ ]
+    subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
-        style membership:roles fill:#99bcdb,stroke:white
+        direction TB
+        style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-        role:membership:OWNER[[membership:OWNER]]
+        subgraph membership.partnerRel.holderPerson:roles[ ]
-        role:membership:ADMIN[[membership:ADMIN]]
+            style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
-        role:membership:AGENT[[membership:AGENT]]
+
+            role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
+            role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
+            role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+        direction TB
+        style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.anchorPerson:roles[ ]
+            style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+            role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+            role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
         end
     end
 
     subgraph membership.partnerRel["`**membership.partnerRel**`"]
         direction TB
         style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+        subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+            direction TB
+            style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
 
-    subgraph membership.partnerRel:roles[ ]
+            subgraph membership.partnerRel.holderPerson:roles[ ]
-        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+                style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]]
+                role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
-        role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]]
+                role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
-        role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]]
+                role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
-        role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]]
+            end
+        end
+
+        subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+            direction TB
+            style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+            subgraph membership.partnerRel.anchorPerson:roles[ ]
+                style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+                role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+                role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+                role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
             end
         end
 
@@ -79,42 +111,140 @@ subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
             subgraph membership.partnerRel.contact:roles[ ]
                 style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
 
-        role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]]
+                role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
-        role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]]
+                role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
-        role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]]
+                role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+            end
+        end
+
+        subgraph membership.partnerRel:roles[ ]
+            style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel:owner[[membership.partnerRel:owner]]
+            role:membership.partnerRel:admin[[membership.partnerRel:admin]]
+            role:membership.partnerRel:agent[[membership.partnerRel:agent]]
+            role:membership.partnerRel:tenant[[membership.partnerRel:tenant]]
+        end
+    end
+
+    subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+        direction TB
+        style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.contact:roles[ ]
+            style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+            role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+            role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+        end
+    end
+
+    subgraph membership:roles[ ]
+        style membership:roles fill:#99bcdb,stroke:white
+
+        role:membership:owner[[membership:owner]]
+        role:membership:admin[[membership:admin]]
+        role:membership:referrer[[membership:referrer]]
+    end
+end
+
+subgraph membership.partnerRel["`**membership.partnerRel**`"]
+    direction TB
+    style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"]
+        direction TB
+        style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.holderPerson:roles[ ]
+            style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]]
+            role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]]
+            role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"]
+        direction TB
+        style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.anchorPerson:roles[ ]
+            style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]]
+            role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]]
+            role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+        direction TB
+        style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+        subgraph membership.partnerRel.contact:roles[ ]
+            style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+            role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+            role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+            role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
+        end
+    end
+
+    subgraph membership.partnerRel:roles[ ]
+        style membership.partnerRel:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel:owner[[membership.partnerRel:owner]]
+        role:membership.partnerRel:admin[[membership.partnerRel:admin]]
+        role:membership.partnerRel:agent[[membership.partnerRel:agent]]
+        role:membership.partnerRel:tenant[[membership.partnerRel:tenant]]
+    end
+end
+
+subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"]
+    direction TB
+    style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px
+
+    subgraph membership.partnerRel.contact:roles[ ]
+        style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white
+
+        role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]]
+        role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]]
+        role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]]
     end
 end
 
 %% granting roles to roles
-role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
+role:global:admin -.-> role:membership.partnerRel.anchorPerson:owner
-role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
+role:membership.partnerRel.anchorPerson:owner -.-> role:membership.partnerRel.anchorPerson:admin
-role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel.anchorPerson:referrer
-role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
+role:global:admin -.-> role:membership.partnerRel.holderPerson:owner
-role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
+role:membership.partnerRel.holderPerson:owner -.-> role:membership.partnerRel.holderPerson:admin
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel.holderPerson:referrer
-role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
+role:global:admin -.-> role:membership.partnerRel.contact:owner
-role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
+role:membership.partnerRel.contact:owner -.-> role:membership.partnerRel.contact:admin
-role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
+role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel.contact:referrer
-role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:global:admin -.-> role:membership.partnerRel:owner
-role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:owner -.-> role:membership.partnerRel:admin
-role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel:admin
-role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel:admin -.-> role:membership.partnerRel:agent
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:agent
-role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:agent -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel:tenant
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.anchorPerson:referrer
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.holderPerson:referrer
-role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
+role:membership.partnerRel:tenant -.-> role:membership.partnerRel.contact:referrer
-role:membership:OWNER -.-> role:membership:ADMIN
+role:membership.partnerRel:admin -.-> role:membership:owner
-role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:owner -.-> role:membership:admin
-role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:agent -.-> role:membership:admin
-role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:admin -.-> role:membership:referrer
-role:membership:AGENT -.-> role:membership.partnerRel:TENANT
+role:membership:referrer -.-> role:membership.partnerRel:tenant
 
 %% granting permissions to roles
-role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
+role:membership:admin ==> perm:coopAssetsTransaction:INSERT
-role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
+role:membership:admin ==> perm:coopAssetsTransaction:UPDATE
-role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT
+role:membership:admin ==> perm:coopAssetsTransaction:SELECT
 
 ```

src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql

@@ -38,8 +38,8 @@ begin
     SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
     assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
 
-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAdmin(newMembership));
-    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipAdmin(newMembership));
 
     call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -81,7 +81,7 @@ do language plpgsql $$
             LOOP
                 call grantPermissionToRole(
                     createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
-                    hsOfficeMembershipADMIN(row));
+                    hsOfficeMembershipAdmin(row));
             END LOOP;
     END;
 $$;
@@ -96,7 +96,7 @@ create or replace function hs_office_coopassetstransaction_hs_office_membership_
 begin
     call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
-            hsOfficeMembershipADMIN(NEW));
+            hsOfficeMembershipAdmin(NEW));
     return NEW;
 end; $$;
 

src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java

@@ -112,7 +112,7 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
                             "{ grant perm:coopassetstransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                             null));
         }

src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java

@@ -111,7 +111,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
                             initialGrantNames,
-                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
                             "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                             null));
         }

src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java

@@ -335,18 +335,18 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
         }
 
         @Test
-        void partnerRelAdmin_canPatchValidityOfRelatedMembership() {
+        void partnerRelAgent_canPatchValidityOfRelatedMembership() {
 
             // given
-            final var givenPartnerAdmin = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN";
+            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT";
-            context.define("superuser-alex@hostsharing.net", givenPartnerAdmin);
+            context.define("superuser-alex@hostsharing.net", givenPartnerAgent);
             final var givenMembership = givenSomeTemporaryMembershipBessler("First");
 
             // when
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", givenPartnerAdmin)
+                    .header("assumed-roles", givenPartnerAgent)
                     .contentType(ContentType.JSON)
                     .body("""
                            {

src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java

@@ -110,9 +110,9 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
             final var all = rawRoleRepo.findAll();
             assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                     initialRoleNames,
-                    "hs_office_membership#M-1000117:OWNER",
                     "hs_office_membership#M-1000117:ADMIN",
-                    "hs_office_membership#M-1000117:AGENT"));
+                    "hs_office_membership#M-1000117:OWNER",
+                    "hs_office_membership#M-1000117:REFERRER"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                     .map(s -> s.replace("hs_office_", ""))
                     .containsExactlyInAnyOrder(Array.fromFormatted(
@@ -121,24 +121,22 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
                             "{ grant perm:membership#M-1000117:INSERT>coopassetstransaction to role:membership#M-1000117:ADMIN by system and assume }",
                             "{ grant perm:membership#M-1000117:INSERT>coopsharestransaction to role:membership#M-1000117:ADMIN by system and assume }",
 
-                            // insert
-                            "{ grant perm INSERT into coopassetstransaction with membership#M-1000117 to role membership#M-1000117.admin by system and assume }",
-                            "{ grant perm INSERT into coopsharestransaction with membership#M-1000117 to role membership#M-1000117.admin by system and assume }",
-
                             // owner
-                            "{ grant perm DELETE on membership#M-1000117 to role membership#M-1000117.admin by system and assume }",
+                            "{ grant perm:membership#M-1000117:DELETE       to role:membership#M-1000117:OWNER by system and assume }",
-                            "{ grant role membership#M-1000117.owner to user superuser-alex@hostsharing.net by membership#M-1000117.owner and assume }",
 
                             // admin
-                            "{ grant perm UPDATE on membership#M-1000117 to role membership#M-1000117.admin by system and assume }",
+                            "{ grant perm:membership#M-1000117:UPDATE       to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role membership#M-1000117.admin to role membership#M-1000117.owner by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:membership#M-1000117:OWNER by system and assume }",
-                            "{ grant role membership#M-1000117.admin to role relation#HostsharingeG-with-PARTNER-FirstGmbH.admin by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER        to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
 
                             // agent
-                            "{ grant perm SELECT on membership#M-1000117 to role membership#M-1000117.agent by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
-                            "{ grant role membership#M-1000117.agent to role membership#M-1000117.admin by system and assume }",
+
-                            "{ grant role membership#M-1000117.agent to role relation#HostsharingeG-with-PARTNER-FirstGmbH.agent by system and assume }",
+                            // referrer
-                            "{ grant role relation#HostsharingeG-with-PARTNER-FirstGmbH.tenant to role membership#M-1000117.agent by system and assume }",
+                            "{ grant perm:membership#M-1000117:SELECT       to role:membership#M-1000117:REFERRER by system and assume }",
+                            "{ grant role:membership#M-1000117:REFERRER     to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:REFERRER by system and assume }",
 
                             null));
         }
@@ -226,20 +224,20 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
         }
 
         @Test
-        public void membershipAgent_canViewButNotUpdateRelatedMembership() {
+        public void membershipReferrer_canViewButNotUpdateRelatedMembership() {
             // given
             context("superuser-alex@hostsharing.net");
             final var givenMembership = givenSomeTemporaryMembership("First", "13");
             assertThatMembershipExistsAndIsAccessibleToCurrentContext(givenMembership);
             assertThatMembershipIsVisibleForRole(
                     givenMembership,
-                    "hs_office_membership#M-1000113:AGENT");
+                    "hs_office_membership#M-1000113:REFERRER");
             final var newValidityEnd = LocalDate.now();
 
             // when
             final var result = jpaAttempt.transacted(() -> {
                 // TODO: we should test with debitor- and partner-admin as well
-                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:AGENT");
+                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:REFERRER");
                 givenMembership.setValidity(
                         Range.closedOpen(givenMembership.getValidity().lower(), newValidityEnd));
                 return membershipRepo.save(givenMembership);