WIP: introduce separate database schemas #102

Closed
hsh-michaelhoennig wants to merge 57 commits from introduce-separate-database-schemas into master
25 changed files with 130 additions and 131 deletions
Showing only changes of commit 55c4983509 - Show all commits


@ -26,13 +26,13 @@ public class RbacIdentityViewGenerator {
plPgSql.writeLn( plPgSql.writeLn(
switch (rbacDef.getIdentityViewSqlQuery().part) { switch (rbacDef.getIdentityViewSqlQuery().part) {
case SQL_PROJECTION -> """ case SQL_PROJECTION -> """
call generateRbacIdentityViewFromProjection('${rawTableName}', call rbac.generateRbacIdentityViewFromProjection('${rawTableName}',
$idName$ $idName$
${identityViewSqlPart} ${identityViewSqlPart}
$idName$); $idName$);
"""; """;
case SQL_QUERY -> """ case SQL_QUERY -> """
call generateRbacIdentityViewFromQuery('${rawTableName}', call rbac.generateRbacIdentityViewFromQuery('${rawTableName}',
$idName$ $idName$
${identityViewSqlPart} ${identityViewSqlPart}
$idName$); $idName$);


@ -17,7 +17,7 @@ public class RbacObjectGenerator {
-- ============================================================================ -- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-OBJECT:1 endDelimiter:--// --changeset ${liquibaseTagPrefix}-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('${rawTableName}'); call rbac.generateRelatedRbacObject('${rawTableName}');
--// --//
""", """,


@ -21,7 +21,7 @@ public class RbacRestrictedViewGenerator {
-- ============================================================================ -- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset ${liquibaseTagPrefix}-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('${rawTableName}', call rbac.generateRbacRestrictedView('${rawTableName}',
$orderBy$ $orderBy$
${orderBy} ${orderBy}
$orderBy$, $orderBy$,


@ -19,7 +19,7 @@ public class RbacRoleDescriptorsGenerator {
-- ============================================================================ -- ============================================================================
--changeset ${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset ${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}'); call rbac.generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}');
--// --//
""", """,


@ -389,7 +389,7 @@ class RolesGrantsAndPermissionsGenerator {
} }
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn("perform createRoleWithGrants("); plPgSql.writeLn("perform rbac.defineRoleWithGrants(");
plPgSql.indented(() -> { plPgSql.indented(() -> {
plPgSql.writeLn("${simpleVarName)${roleSuffix}(NEW)," plPgSql.writeLn("${simpleVarName)${roleSuffix}(NEW),"
.replace("${simpleVarName)", simpleEntityVarName) .replace("${simpleVarName)", simpleEntityVarName)


@ -3,11 +3,10 @@
-- ================================================================= -- =================================================================
-- CREATE ROLE -- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--// --changeset rbac-role-builder-define-role:1 endDelimiter:--//
-- ----------------------------------------------------------------- -- -----------------------------------------------------------------
-- TODO: rename to defineRoleWithGrants because it does not complain if the role already exists create or replace function rbac.defineRoleWithGrants(
create or replace function createRoleWithGrants(
roleDescriptor RbacRoleDescriptor, roleDescriptor RbacRoleDescriptor,
permissions RbacOp[] = array[]::RbacOp[], permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
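Review bot: The changeset id changes from `rbac-role-builder-create-role:1` to `rbac-role-builder-define-role:1`, so on any database that already ran the old changeset Liquibase would treat this as a new changeset and create `rbac.defineRoleWithGrants` while the old unqualified `createRoleWithGrants` stays installed. Judging by its name that leftover function sets up roles and grants, so it is worth removing explicitly in a follow-up changeset, or the PR should state that databases are rebuilt from scratch. The other SQL sections keep their changeset ids while changing the body, which would trip Liquibase's checksum validation under the same assumption. The heading comment still reads `-- CREATE ROLE`; `-- DEFINE ROLE` would match the new name. The function body continues outside the hunk.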


@ -5,7 +5,7 @@
--changeset rbac-generators-RELATED-OBJECT:1 endDelimiter:--// --changeset rbac-generators-RELATED-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure generateRelatedRbacObject(targetTable varchar) create or replace procedure rbac.generateRelatedRbacObject(targetTable varchar)
language plpgsql as $$ language plpgsql as $$
declare declare
createInsertTriggerSQL text; createInsertTriggerSQL text;
@ -35,7 +35,7 @@ end; $$;
--changeset rbac-generators-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset rbac-generators-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create procedure generateRbacRoleDescriptors(prefix text, targetTable text) create procedure rbac.generateRbacRoleDescriptors(prefix text, targetTable text)
language plpgsql as $$ language plpgsql as $$
declare declare
sql text; sql text;
@ -100,7 +100,7 @@ end; $$;
--changeset rbac-generators-IDENTITY-VIEW:1 endDelimiter:--// --changeset rbac-generators-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text) create or replace procedure rbac.generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text)
language plpgsql as $$ language plpgsql as $$
declare declare
sql text; sql text;
@ -140,7 +140,7 @@ begin
execute sql; execute sql;
end; $$; end; $$;
create or replace procedure generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text) create or replace procedure rbac.generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text)
language plpgsql as $$ language plpgsql as $$
declare declare
sqlQuery text; sqlQuery text;
@ -151,7 +151,7 @@ begin
select target.uuid, cleanIdentifier(%2$s) as idName select target.uuid, cleanIdentifier(%2$s) as idName
from %1$s as target; from %1$s as target;
$sql$, targetTable, sqlProjection); $sql$, targetTable, sqlProjection);
call generateRbacIdentityViewFromQuery(targetTable, sqlQuery); call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery);
end; $$; end; $$;
--// --//
@ -160,7 +160,7 @@ end; $$;
--changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--// --changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*') create or replace procedure rbac.generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*')
language plpgsql as $$ language plpgsql as $$
declare declare
sql text; sql text;
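Review bot: In the `rbac.generateRbacIdentityViewFromProjection` hunk the generated query still calls `cleanIdentifier(%2$s)` without a schema, although the procedure and its nested call now carry the `rbac.` prefix. With objects split across schemas that name is resolved through the session search_path at execution time, so it can fail or bind to a same-named function in an earlier schema; qualify it in the format string once the helper has a schema, or pin the path on the procedure with a `set search_path` clause. `targetTable` and `sqlProjection` are spliced in with `%s`, which appears acceptable only because they are migration-authored SQL fragments; a comment such as `-- targetTable/sqlProjection are trusted migration-time SQL, never request data` above the `format` call would record that. The trigger bodies in the later test_* and hs_office_* sections mix `rbac.`-qualified calls with unqualified ones such as `globalADMIN()` in the same way. All procedure bodies here start or end outside the visible hunks.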


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--// --changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_customer'); call rbac.generateRelatedRbacObject('test_customer');
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testCustomer', 'test_customer'); call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
--// --//
@ -34,20 +34,20 @@ declare
begin begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW), testCustomerOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())], incomingSuperRoles => array[globalADMIN(unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testCustomerADMIN(NEW), testCustomerADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[testCustomerOWNER(NEW)] incomingSuperRoles => array[testCustomerOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testCustomerTENANT(NEW), testCustomerTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[testCustomerADMIN(NEW)] incomingSuperRoles => array[testCustomerADMIN(NEW)]
@ -157,7 +157,7 @@ create trigger test_customer_insert_permission_check_tg
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_customer', call rbac.generateRbacIdentityViewFromProjection('test_customer',
$idName$ $idName$
prefix prefix
$idName$); $idName$);
@ -167,7 +167,7 @@ call generateRbacIdentityViewFromProjection('test_customer',
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_customer', call rbac.generateRbacRestrictedView('test_customer',
$orderBy$ $orderBy$
reference reference
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--// --changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_package'); call rbac.generateRelatedRbacObject('test_package');
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testPackage', 'test_package'); call rbac.generateRbacRoleDescriptors('testPackage', 'test_package');
--// --//
@ -39,18 +39,18 @@ begin
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid); assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testPackageOWNER(NEW), testPackageOWNER(NEW),
permissions => array['DELETE', 'UPDATE'], permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[testCustomerADMIN(newCustomer)] incomingSuperRoles => array[testCustomerADMIN(newCustomer)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testPackageADMIN(NEW), testPackageADMIN(NEW),
incomingSuperRoles => array[testPackageOWNER(NEW)] incomingSuperRoles => array[testPackageOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testPackageTENANT(NEW), testPackageTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[testPackageADMIN(NEW)], incomingSuperRoles => array[testPackageADMIN(NEW)],
@ -222,7 +222,7 @@ create trigger test_package_insert_permission_check_tg
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_package', call rbac.generateRbacIdentityViewFromProjection('test_package',
$idName$ $idName$
name name
$idName$); $idName$);
@ -232,7 +232,7 @@ call generateRbacIdentityViewFromProjection('test_package',
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_package', call rbac.generateRbacRestrictedView('test_package',
$orderBy$ $orderBy$
name name
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset test-domain-rbac-OBJECT:1 endDelimiter:--// --changeset test-domain-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_domain'); call rbac.generateRelatedRbacObject('test_domain');
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testDomain', 'test_domain'); call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain');
--// --//
@ -39,14 +39,14 @@ begin
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid); assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testDomainOWNER(NEW), testDomainOWNER(NEW),
permissions => array['DELETE', 'UPDATE'], permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[testPackageADMIN(newPackage)], incomingSuperRoles => array[testPackageADMIN(newPackage)],
outgoingSubRoles => array[testPackageTENANT(newPackage)] outgoingSubRoles => array[testPackageTENANT(newPackage)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
testDomainADMIN(NEW), testDomainADMIN(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[testDomainOWNER(NEW)], incomingSuperRoles => array[testDomainOWNER(NEW)],
@ -221,7 +221,7 @@ create trigger test_domain_insert_permission_check_tg
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('test_domain', call rbac.generateRbacIdentityViewFromProjection('test_domain',
$idName$ $idName$
name name
$idName$); $idName$);
@ -231,7 +231,7 @@ call generateRbacIdentityViewFromProjection('test_domain',
-- ============================================================================ -- ============================================================================
--changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_domain', call rbac.generateRbacRestrictedView('test_domain',
$orderBy$ $orderBy$
name name
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_contact'); call rbac.generateRelatedRbacObject('hs_office_contact');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact'); call rbac.generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
--// --//
@ -34,20 +34,20 @@ declare
begin begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeContactOWNER(NEW), hsOfficeContactOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeContactADMIN(NEW), hsOfficeContactADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeContactOWNER(NEW)] incomingSuperRoles => array[hsOfficeContactOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeContactREFERRER(NEW), hsOfficeContactREFERRER(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeContactADMIN(NEW)] incomingSuperRoles => array[hsOfficeContactADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeContact_tf();
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_contact', call rbac.generateRbacIdentityViewFromProjection('hs_office_contact',
$idName$ $idName$
caption caption
$idName$); $idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact',
-- ============================================================================ -- ============================================================================
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_contact', call rbac.generateRbacRestrictedView('hs_office_contact',
$orderBy$ $orderBy$
caption caption
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_person'); call rbac.generateRelatedRbacObject('hs_office_person');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person'); call rbac.generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
--// --//
@ -34,20 +34,20 @@ declare
begin begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW), hsOfficePersonOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficePersonADMIN(NEW), hsOfficePersonADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficePersonOWNER(NEW)] incomingSuperRoles => array[hsOfficePersonOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficePersonREFERRER(NEW), hsOfficePersonREFERRER(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficePersonADMIN(NEW)] incomingSuperRoles => array[hsOfficePersonADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficePerson_tf();
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_person', call rbac.generateRbacIdentityViewFromProjection('hs_office_person',
$idName$ $idName$
concat(tradeName, familyName, givenName) concat(tradeName, familyName, givenName)
$idName$); $idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person',
-- ============================================================================ -- ============================================================================
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_person', call rbac.generateRbacRestrictedView('hs_office_person',
$orderBy$ $orderBy$
concat(tradeName, familyName, givenName) concat(tradeName, familyName, givenName)
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-relation-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-relation-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_relation'); call rbac.generateRelatedRbacObject('hs_office_relation');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-relation-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-relation-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation'); call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
--// --//
@ -47,25 +47,25 @@ begin
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid); assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW), hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeRelationADMIN(NEW), hsOfficeRelationADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)] incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeRelationAGENT(NEW), hsOfficeRelationAGENT(NEW),
incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)] incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeRelationTENANT(NEW), hsOfficeRelationTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -231,7 +231,7 @@ create trigger hs_office_relation_insert_permission_check_tg
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_relation', call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
$idName$ $idName$
(select idName from hs_office_person_iv p where p.uuid = anchorUuid) (select idName from hs_office_person_iv p where p.uuid = anchorUuid)
|| '-with-' || target.type || '-' || '-with-' || target.type || '-'
@ -243,7 +243,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation',
-- ============================================================================ -- ============================================================================
--changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_relation', call rbac.generateRbacRestrictedView('hs_office_relation',
$orderBy$ $orderBy$
(select idName from hs_office_person_iv p where p.uuid = target.holderUuid) (select idName from hs_office_person_iv p where p.uuid = target.holderUuid)
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner'); call rbac.generateRelatedRbacObject('hs_office_partner');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner'); call rbac.generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
--// --//
@ -234,7 +234,7 @@ create trigger hs_office_partner_insert_permission_check_tg
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_partner', call rbac.generateRbacIdentityViewFromProjection('hs_office_partner',
$idName$ $idName$
'P-' || partnerNumber 'P-' || partnerNumber
$idName$); $idName$);
@ -244,7 +244,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner',
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner', call rbac.generateRbacRestrictedView('hs_office_partner',
$orderBy$ $orderBy$
'P-' || partnerNumber 'P-' || partnerNumber
$orderBy$, $orderBy$,
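Review bot: The changeset ids in this section stay at `:1` (for example `--changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--//`) while the statement inside each one changes from `call generateRelatedRbacObject(...)` to `call rbac.generateRelatedRbacObject(...)`. Liquibase checksums the changeset body, and the visible headers carry neither `runOnChange` nor `validCheckSum`, so a database that already applied the old text would presumably fail validation on the next update instead of picking up the schema move. If any such environment exists, either add the move as new changesets or add a `validCheckSum` entry; if every database is rebuilt from scratch, say so in the PR description. The same applies to the ROLE-DESCRIPTORS, IDENTITY-VIEW and RESTRICTED-VIEW changesets here and to every other file section on this page.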


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-details-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner_details'); call rbac.generateRelatedRbacObject('hs_office_partner_details');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-details-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details'); call rbac.generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
--// --//
@ -138,7 +138,7 @@ create trigger hs_office_partner_details_insert_permission_check_tg
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_partner_details', call rbac.generateRbacIdentityViewFromQuery('hs_office_partner_details',
$idName$ $idName$
SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
FROM hs_office_partner_details AS partnerDetails FROM hs_office_partner_details AS partnerDetails
@ -151,7 +151,7 @@ call generateRbacIdentityViewFromQuery('hs_office_partner_details',
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner_details', call rbac.generateRbacRestrictedView('hs_office_partner_details',
$orderBy$ $orderBy$
uuid uuid
$orderBy$, $orderBy$,
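Review bot: `rbac.generateRbacIdentityViewFromQuery` receives a complete SELECT as text between the `$idName$` markers, and presumably turns it into view DDL, so after the move into the `rbac` schema it matters which roles may call it. PostgreSQL grants EXECUTE on newly created routines to PUBLIC by default, so any role that is given USAGE on `rbac` could invoke the generators unless that is revoked where they are created. That definition is outside this section, so this is a question to confirm rather than a finding. I would also add a comment above the changeset such as `-- generator input is static SQL from this file; never pass request-derived text here`. The same holds for `generateRbacIdentityViewFromProjection` and `generateRbacRestrictedView` in the other sections.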


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-bankaccount-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-bankaccount-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_bankaccount'); call rbac.generateRelatedRbacObject('hs_office_bankaccount');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-bankaccount-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-bankaccount-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount'); call rbac.generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
--// --//
@ -34,20 +34,20 @@ declare
begin begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW), hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeBankAccountADMIN(NEW), hsOfficeBankAccountADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)] incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeBankAccountREFERRER(NEW), hsOfficeBankAccountREFERRER(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)] incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)]
@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf();
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_bankaccount', call rbac.generateRbacIdentityViewFromProjection('hs_office_bankaccount',
$idName$ $idName$
iban iban
$idName$); $idName$);
@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
-- ============================================================================ -- ============================================================================
--changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_bankaccount', call rbac.generateRbacRestrictedView('hs_office_bankaccount',
$orderBy$ $orderBy$
iban iban
$orderBy$, $orderBy$,
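Review bot: Only the outer call is schema-qualified in the trigger body: `perform rbac.defineRoleWithGrants(` still receives `hsOfficeBankAccountOWNER(NEW)` and `globalADMIN()` unqualified, so those names resolve through whatever search_path is in effect when the trigger fires. For functions that build the role graph this is worth pinning, either by qualifying them as they are moved (the schema they end up in is not visible here) or with a `set search_path` clause on the trigger function, whose header lies outside this hunk. The call also changes name from `createRoleWithGrants` to `defineRoleWithGrants`; if the old function stays defined, callers that were missed would keep working against it without any error. The sepamandate, membership, booking-project and booking-item sections show the same pattern, and the booking-project section additionally leaves `unassumed()` and `cleanIdentifier(...)` unqualified.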


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_debitor'); call rbac.generateRelatedRbacObject('hs_office_debitor');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor'); call rbac.generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
--// --//
@ -207,7 +207,7 @@ create trigger hs_office_debitor_insert_permission_check_tg
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_debitor', call rbac.generateRbacIdentityViewFromQuery('hs_office_debitor',
$idName$ $idName$
SELECT debitor.uuid AS uuid, SELECT debitor.uuid AS uuid,
'D-' || (SELECT partner.partnerNumber 'D-' || (SELECT partner.partnerNumber
@ -226,7 +226,7 @@ call generateRbacIdentityViewFromQuery('hs_office_debitor',
-- ============================================================================ -- ============================================================================
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_debitor', call rbac.generateRbacRestrictedView('hs_office_debitor',
$orderBy$ $orderBy$
defaultPrefix defaultPrefix
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-sepamandate-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-sepamandate-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_sepamandate'); call rbac.generateRelatedRbacObject('hs_office_sepamandate');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-sepamandate-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-sepamandate-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate'); call rbac.generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
--// --//
@ -47,20 +47,20 @@ begin
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid); assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW), hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateADMIN(NEW), hsOfficeSepaMandateADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)] incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateAGENT(NEW), hsOfficeSepaMandateAGENT(NEW),
incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)], incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)],
outgoingSubRoles => array[ outgoingSubRoles => array[
@ -68,7 +68,7 @@ begin
hsOfficeRelationAGENT(newDebitorRel)] hsOfficeRelationAGENT(newDebitorRel)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateREFERRER(NEW), hsOfficeSepaMandateREFERRER(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -188,7 +188,7 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_sepamandate', call rbac.generateRbacIdentityViewFromQuery('hs_office_sepamandate',
$idName$ $idName$
select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
from hs_office_sepamandate sm from hs_office_sepamandate sm
@ -200,7 +200,7 @@ call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
-- ============================================================================ -- ============================================================================
--changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_sepamandate', call rbac.generateRbacRestrictedView('hs_office_sepamandate',
$orderBy$ $orderBy$
validity validity
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_membership'); call rbac.generateRelatedRbacObject('hs_office_membership');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership'); call rbac.generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
--// --//
@ -43,12 +43,12 @@ begin
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid); assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeMembershipOWNER(NEW), hsOfficeMembershipOWNER(NEW),
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeMembershipADMIN(NEW), hsOfficeMembershipADMIN(NEW),
permissions => array['DELETE', 'UPDATE'], permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -56,7 +56,7 @@ begin
hsOfficeRelationADMIN(newPartnerRel)] hsOfficeRelationADMIN(newPartnerRel)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeMembershipAGENT(NEW), hsOfficeMembershipAGENT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -169,7 +169,7 @@ create trigger hs_office_membership_insert_permission_check_tg
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_membership', call rbac.generateRbacIdentityViewFromQuery('hs_office_membership',
$idName$ $idName$
SELECT m.uuid AS uuid, SELECT m.uuid AS uuid,
'M-' || p.partnerNumber || m.memberNumberSuffix as idName 'M-' || p.partnerNumber || m.memberNumberSuffix as idName
@ -182,7 +182,7 @@ call generateRbacIdentityViewFromQuery('hs_office_membership',
-- ============================================================================ -- ============================================================================
--changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_membership', call rbac.generateRbacRestrictedView('hs_office_membership',
$orderBy$ $orderBy$
validity validity
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopsharestransaction'); call rbac.generateRelatedRbacObject('hs_office_coopsharestransaction');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction'); call rbac.generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
--// --//
@ -145,7 +145,7 @@ create trigger hs_office_coopsharestransaction_insert_permission_check_tg
--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', call rbac.generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
$idName$ $idName$
reference reference
$idName$); $idName$);
@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopsharestransaction', call rbac.generateRbacRestrictedView('hs_office_coopsharestransaction',
$orderBy$ $orderBy$
reference reference
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--// --changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopassetstransaction'); call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction'); call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
--// --//
@ -145,7 +145,7 @@ create trigger hs_office_coopassetstransaction_insert_permission_check_tg
--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', call rbac.generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
$idName$ $idName$
reference reference
$idName$); $idName$);
@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
-- ============================================================================ -- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopassetstransaction', call rbac.generateRbacRestrictedView('hs_office_coopassetstransaction',
$orderBy$ $orderBy$
reference reference
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-booking-project-rbac-OBJECT:1 endDelimiter:--// --changeset hs-booking-project-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_project'); call rbac.generateRelatedRbacObject('hs_booking_project');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-booking-project-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-booking-project-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project'); call rbac.generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project');
--// --//
@ -47,23 +47,23 @@ begin
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid); assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingProjectOWNER(NEW), hsBookingProjectOWNER(NEW),
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())] incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingProjectADMIN(NEW), hsBookingProjectADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingProjectOWNER(NEW)] incomingSuperRoles => array[hsBookingProjectOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingProjectAGENT(NEW), hsBookingProjectAGENT(NEW),
incomingSuperRoles => array[hsBookingProjectADMIN(NEW)] incomingSuperRoles => array[hsBookingProjectADMIN(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingProjectTENANT(NEW), hsBookingProjectTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingProjectAGENT(NEW)], incomingSuperRoles => array[hsBookingProjectAGENT(NEW)],
@ -182,7 +182,7 @@ create trigger hs_booking_project_insert_permission_check_tg
--changeset hs-booking-project-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-booking-project-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_booking_project', call rbac.generateRbacIdentityViewFromQuery('hs_booking_project',
$idName$ $idName$
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
FROM hs_booking_project bookingProject FROM hs_booking_project bookingProject
@ -194,7 +194,7 @@ call generateRbacIdentityViewFromQuery('hs_booking_project',
-- ============================================================================ -- ============================================================================
--changeset hs-booking-project-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-booking-project-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_project', call rbac.generateRbacRestrictedView('hs_booking_project',
$orderBy$ $orderBy$
caption caption
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--// --changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_item'); call rbac.generateRelatedRbacObject('hs_booking_item');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
--// --//
@ -40,25 +40,25 @@ begin
SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem; SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem;
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemOWNER(NEW), hsBookingItemOWNER(NEW),
incomingSuperRoles => array[ incomingSuperRoles => array[
hsBookingItemAGENT(newParentItem), hsBookingItemAGENT(newParentItem),
hsBookingProjectAGENT(newProject)] hsBookingProjectAGENT(newProject)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemADMIN(NEW), hsBookingItemADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingItemOWNER(NEW)] incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemAGENT(NEW), hsBookingItemAGENT(NEW),
incomingSuperRoles => array[hsBookingItemADMIN(NEW)] incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemTENANT(NEW), hsBookingItemTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingItemAGENT(NEW)], incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_booking_item', call rbac.generateRbacIdentityViewFromProjection('hs_booking_item',
$idName$ $idName$
caption caption
$idName$); $idName$);
@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item',
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_item', call rbac.generateRbacRestrictedView('hs_booking_item',
$orderBy$ $orderBy$
validity validity
$orderBy$, $orderBy$,


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--// --changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_booking_item'); call rbac.generateRelatedRbacObject('hs_booking_item');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
--// --//
@ -40,25 +40,25 @@ begin
SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem; SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem;
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemOWNER(NEW), hsBookingItemOWNER(NEW),
incomingSuperRoles => array[ incomingSuperRoles => array[
hsBookingItemAGENT(newParentItem), hsBookingItemAGENT(newParentItem),
hsBookingProjectAGENT(newProject)] hsBookingProjectAGENT(newProject)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemADMIN(NEW), hsBookingItemADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[hsBookingItemOWNER(NEW)] incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemAGENT(NEW), hsBookingItemAGENT(NEW),
incomingSuperRoles => array[hsBookingItemADMIN(NEW)] incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingItemTENANT(NEW), hsBookingItemTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[hsBookingItemAGENT(NEW)], incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_booking_item', call rbac.generateRbacIdentityViewFromProjection('hs_booking_item',
$idName$ $idName$
caption caption
$idName$); $idName$);
@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item',
-- ============================================================================ -- ============================================================================
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_booking_item', call rbac.generateRbacRestrictedView('hs_booking_item',
$orderBy$ $orderBy$
validity validity
$orderBy$, $orderBy$,
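Review bot: In the `@ -40,25 +40,25 @@` hunk only the outer call is schema-qualified (`rbac.defineRoleWithGrants`), while its arguments (`hsBookingItemOWNER(NEW)`, `hsBookingItemAGENT(newParentItem)`, `hsBookingProjectAGENT(newProject)`) and the `hs_booking_item` lookup are still resolved through `search_path`. This trigger body decides which roles receive the UPDATE and SELECT permissions, so a descriptor function that resolves to a different schema than intended could alter the grant graph without raising an error. The function header lies outside the hunk, so it is not visible whether the function pins its search path. If it does not, I would qualify these names as well, or at least record the gap with a comment such as `-- role descriptor functions are still resolved via search_path; qualify them once they move into a schema`. The same pattern appears in the `createRoleWithGrants` hunks of the hs-hosting-asset section further down.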


@ -5,14 +5,14 @@
-- ============================================================================ -- ============================================================================
--changeset hs-hosting-asset-rbac-OBJECT:1 endDelimiter:--// --changeset hs-hosting-asset-rbac-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_hosting_asset'); call rbac.generateRelatedRbacObject('hs_hosting_asset');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-hosting-asset-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset hs-hosting-asset-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset'); call rbac.generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset');
--// --//
@ -46,7 +46,7 @@ begin
SELECT * FROM hs_hosting_asset WHERE uuid = NEW.parentAssetUuid INTO newParentAsset; SELECT * FROM hs_hosting_asset WHERE uuid = NEW.parentAssetUuid INTO newParentAsset;
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsHostingAssetOWNER(NEW), hsHostingAssetOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -56,7 +56,7 @@ begin
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsHostingAssetADMIN(NEW), hsHostingAssetADMIN(NEW),
permissions => array['UPDATE'], permissions => array['UPDATE'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -65,7 +65,7 @@ begin
hsHostingAssetOWNER(NEW)] hsHostingAssetOWNER(NEW)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsHostingAssetAGENT(NEW), hsHostingAssetAGENT(NEW),
incomingSuperRoles => array[ incomingSuperRoles => array[
hsHostingAssetADMIN(NEW), hsHostingAssetADMIN(NEW),
@ -75,7 +75,7 @@ begin
hsOfficeContactREFERRER(newAlarmContact)] hsOfficeContactREFERRER(newAlarmContact)]
); );
perform createRoleWithGrants( perform rbac.defineRoleWithGrants(
hsHostingAssetTENANT(NEW), hsHostingAssetTENANT(NEW),
permissions => array['SELECT'], permissions => array['SELECT'],
incomingSuperRoles => array[ incomingSuperRoles => array[
@ -158,7 +158,7 @@ execute procedure updateTriggerForHsHostingAsset_tf();
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_hosting_asset', call rbac.generateRbacIdentityViewFromProjection('hs_hosting_asset',
$idName$ $idName$
identifier identifier
$idName$); $idName$);
@ -168,7 +168,7 @@ call generateRbacIdentityViewFromProjection('hs_hosting_asset',
-- ============================================================================ -- ============================================================================
--changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_hosting_asset', call rbac.generateRbacRestrictedView('hs_hosting_asset',
$orderBy$ $orderBy$
identifier identifier
$orderBy$, $orderBy$,