src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java

@@ -150,11 +150,7 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
                 .toRole("global", ADMIN).grantPermission(INSERT)
 
                 .importRootEntityAliasProxy("debitorRel", HsOfficeRelationEntity.class,
-                        fetchedBySql("""
+                        directlyFetchedByDependsOnColumn(),
-                                SELECT *
-                                    FROM hs_office_relation AS r
-                                    WHERE r.type = 'DEBITOR' AND r.uuid = ${REF}.debitorRelUuid
-                                """),
                         dependsOnColumn("debitorRelUuid"))
                 .createPermission(DELETE).grantedTo("debitorRel", OWNER)
                 .createPermission(UPDATE).grantedTo("debitorRel", ADMIN)
@@ -170,7 +166,7 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
                 .importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
                         dependsOnColumn("debitorRelUuid"),
                         fetchedBySql("""
-                                SELECT partnerRel.*
+                                SELECT ${columns}
                                     FROM hs_office_relation AS partnerRel
                                     JOIN hs_office_relation AS debitorRel
                                         ON debitorRel.type = 'DEBITOR' AND debitorRel.anchorUuid = partnerRel.holderUuid

src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java

@@ -132,10 +132,10 @@ public class HsOfficeMembershipEntity implements HasUuid, Stringifyable {
                 .importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
                         dependsOnColumn("partnerUuid"),
                         fetchedBySql("""
-                                SELECT r.*
+                                SELECT ${columns}
-                                    FROM hs_office_partner AS p
+                                    FROM hs_office_partner AS partner
-                                    JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
+                                    JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
-                                    WHERE p.uuid = ${REF}.partnerUuid
+                                    WHERE partner.uuid = ${REF}.partnerUuid
                                 """),
                         NOT_NULL)
                 .toRole("partnerRel", ADMIN).grantPermission(INSERT)

src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java

@@ -32,7 +32,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnCo
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@@ -98,14 +98,14 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
                 .toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
 
                 .importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
-                        fetchedBySql("SELECT * FROM hs_office_relation AS r WHERE r.uuid = ${ref}.partnerRelUuid"),
+                        directlyFetchedByDependsOnColumn(),
                         dependsOnColumn("partnerRelUuid"))
                 .createPermission(DELETE).grantedTo("partnerRel", ADMIN)
                 .createPermission(UPDATE).grantedTo("partnerRel", AGENT)
                 .createPermission(SELECT).grantedTo("partnerRel", TENANT)
 
                 .importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class,
-                        fetchedBySql("SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = ${ref}.detailsUuid"),
+                        directlyFetchedByDependsOnColumn(),
                         dependsOnColumn("detailsUuid"))
                 .createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN)
                 .createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT)

src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java

@@ -20,7 +20,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
 
@@ -91,15 +91,15 @@ public class HsOfficeRelationEntity implements HasUuid, Stringifyable {
                 .withUpdatableColumns("contactUuid")
                 .importEntityAlias("anchorPerson", HsOfficePersonEntity.class,
                         dependsOnColumn("anchorUuid"),
-                        fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.anchorUuid"),
+                        directlyFetchedByDependsOnColumn(),
                         NOT_NULL)
                 .importEntityAlias("holderPerson", HsOfficePersonEntity.class,
                         dependsOnColumn("holderUuid"),
-                        fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.holderUuid"),
+                        directlyFetchedByDependsOnColumn(),
                         NOT_NULL)
                 .importEntityAlias("contact", HsOfficeContactEntity.class,
                         dependsOnColumn("contactUuid"),
-                        fetchedBySql("select * from hs_office_contact as c where c.uuid = ${REF}.contactUuid"),
+                        directlyFetchedByDependsOnColumn(),
                         NOT_NULL)
                 .createRole(OWNER, (with) -> {
                     with.owningUser(CREATOR);

src/main/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateEntity.java

@@ -107,7 +107,7 @@ public class HsOfficeSepaMandateEntity implements Stringifyable, HasUuid {
                 .importEntityAlias("debitorRel", HsOfficeRelationEntity.class,
                         dependsOnColumn("debitorUuid"),
                         fetchedBySql("""
-                                SELECT debitorRel.*
+                                SELECT ${columns}
                                     FROM hs_office_relation debitorRel
                                     JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
                                     WHERE debitor.uuid = ${REF}.debitorUuid

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java

@@ -114,8 +114,7 @@ public class InsertTriggerGenerator {
                     }
                 }
             } else {
-                final var superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
+                if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
-                if (superRoleEntityAlias.fetchSql().part == RbacView.SQL.Part.AUTO_FETCH) {
                     generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
                 } else {
                     generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
@@ -164,24 +163,27 @@ public class InsertTriggerGenerator {
                     
                     An indirect role is a role FIXME.
                 */
-                create or replace function ${rawSubTable}_insert_permission_missing_tf()
+                create or replace function ${rawSubTable}_insert_permission_check_tf()
                     returns trigger
                     language plpgsql as $$
+
+                declare
+                    superRoleObjectUuid uuid;
+
                 begin
-                    if ( not hasInsertPermission(
-                        ( SELECT ${varName}.uuid FROM
                 """,
-                with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
+                with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
-                with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()));
+        plPgSql.chopEmptyLines();
-        plPgSql.indented(3, () ->  {
+        plPgSql.indented(2, () ->  {
             plPgSql.writeLn(
-                    "(" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ") AS ${varName}",
+                    "superRoleObjectUuid := (" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ");\n" +
-                    with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()),
+                    "assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';",
+                    with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
                     with("ref", NEW.name()));
         });
+        plPgSql.writeLn();
         plPgSql.writeLn("""
-
+                        if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', '${rawSubTable}') ) then
-                        ), 'INSERT', '${rawSubTable}') ) then
                             raise exception
                                 '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
                                 currentSubjects(), currentSubjectsUuids();
@@ -192,7 +194,7 @@ public class InsertTriggerGenerator {
                 create trigger ${rawSubTable}_insert_permission_check_tg
                     before insert on ${rawSubTable}
                     for each row
-                        execute procedure ${rawSubTable}_insert_permission_missing_tf();
+                        execute procedure ${rawSubTable}_insert_permission_check_tf();
                     
                 """,
                 with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java

@@ -26,18 +26,20 @@ public class RbacIdentityViewGenerator {
         plPgSql.writeLn(
             switch (rbacDef.getIdentityViewSqlQuery().part) {
             case SQL_PROJECTION -> """
-                    call generateRbacIdentityViewFromProjection('${rawTableName}', $idName$
+                    call generateRbacIdentityViewFromProjection('${rawTableName}', 
+                        $idName$
                     ${identityViewSqlPart}
                         $idName$);
                     """;
             case SQL_QUERY -> """
-                    call generateRbacIdentityViewFromQuery('${rawTableName}', $idName$
+                    call generateRbacIdentityViewFromQuery('${rawTableName}', 
+                        $idName$
                     ${identityViewSqlPart}
                         $idName$);
                 """;
             default -> throw new IllegalStateException("illegal SQL part given");
             },
-            with("identityViewSqlPart", rbacDef.getIdentityViewSqlQuery().sql),
+            with("identityViewSqlPart", StringWriter.indented(2, rbacDef.getIdentityViewSqlQuery().sql)),
             with("rawTableName", rawTableName));
 
         plPgSql.writeLn("--//");

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java

@@ -32,10 +32,10 @@ public class RbacRestrictedViewGenerator {
 
                 """,
                 with("liquibaseTagPrefix", liquibaseTagPrefix),
-                with("orderBy", indented(rbacDef.getOrderBySqlExpression().sql, 2)),
+                with("orderBy", indented(2, rbacDef.getOrderBySqlExpression().sql)),
-                with("updates", indented(rbacDef.getUpdatableColumns().stream()
+                with("updates", indented(2, rbacDef.getUpdatableColumns().stream()
                         .map(c -> c + " = new." + c)
-                        .collect(joining(",\n")), 2)),
+                        .collect(joining(",\n")))),
                 with("rawTableName", rawTableName));
     }
 }

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java

@@ -34,6 +34,7 @@ import static java.util.Arrays.stream;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static org.apache.commons.lang3.StringUtils.uncapitalize;
 
@@ -839,8 +840,8 @@ public class RbacView {
             };
         }
 
-        public boolean hasFetchSql() {
+        boolean isFetchedByDirectForeignKey() {
-            return fetchSql != null;
+            return fetchSql != null && fetchSql.part == AUTO_FETCH;
         }
 
         private String withoutEntitySuffix(final String simpleEntityName) {
@@ -909,14 +910,25 @@ public class RbacView {
 
         /**
          * DSL method to specify an SQL SELECT expression which fetches the related entity,
-         * using the reference `${ref}` of the root entity.
+         * using the reference `${ref}` of the root entity and `${columns}` for the projection.
-         * `${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
+         *
-         * `into ...` will be added with a variable name prefixed with either `new` or `old`.
+         * <p>The query <strong>must define</strong> the entity alias name of the fetched table
+         * as its alias for, so it can be used in the generated projection (the columns between
+         * `SELECT` and `FROM`.</p>
+         *
+         * <p>`${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
+         * `into ...` will be added with a variable name prefixed with either `new` or `old`.</p>
+         *
+         * <p>`${columns}` is going to be replaced by the columns which are needed for the query,
+         * e.g. `*` or `uuid`.</p>
          *
          * @param sql an SQL SELECT expression (not ending with ';)
          * @return the wrapped SQL expression
          */
         public static SQL fetchedBySql(final String sql) {
+            if ( !sql.startsWith("SELECT ${columns}") ) {
+                throw new IllegalArgumentException("SQL SELECT expression must start with 'SELECT ${columns}', but is: " + sql);
+            }
             validateExpression(sql);
             return new SQL(sql, Part.SQL_QUERY);
         }
@@ -929,7 +941,7 @@ public class RbacView {
          * @return the wrapped SQL definition object
          */
         public static SQL directlyFetchedByDependsOnColumn() {
-            return new SQL(null, Part.AUTO_FETCH);
+            return new SQL(null, AUTO_FETCH);
         }
 
         /**

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java

@@ -233,6 +233,7 @@ class RolesGrantsAndPermissionsGenerator {
             final PostgresTriggerReference old) {
         plPgSql.writeLn(
                 ea.fetchSql().sql + "    INTO " + entityRefVar(old, ea) + ";",
+                with("columns", ea.aliasName() + ".*"),
                 with("ref", old.name()));
         if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
             plPgSql.writeLn(

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/StringWriter.java

@@ -82,7 +82,7 @@ public class StringWriter {
         return string.toString();
     }
 
-    public static String indented(final String text, final int indentLevel) {
+    public static String indented(final int indentLevel, final String text) {
         final var indentation = StringUtils.repeat("    ", indentLevel);
         final var indented = stream(text.split("\n"))
                 .map(line -> line.trim().isBlank() ? "" : indentation + line)
@@ -94,7 +94,7 @@ public class StringWriter {
         if ( indentLevel == 0) {
             return text;
         }
-        return indented(text, indentLevel);
+        return indented(indentLevel, text);
     }
 
     record VarDef(String name, String value){}

src/main/resources/db/changelog/113-test-customer-rbac.sql

@@ -143,7 +143,8 @@ create trigger test_customer_insert_permission_check_tg
 --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('test_customer', $idName$
+call generateRbacIdentityViewFromProjection('test_customer',
+    $idName$
         prefix
     $idName$);
 --//

src/main/resources/db/changelog/123-test-package-rbac.sql

@@ -189,30 +189,22 @@ execute procedure test_package_test_customer_insert_tf();
 
 /**
     Checks if the user or assumed roles are allowed to insert a row to test_package,
-    where the check is performed by an indirect role.
+    where the check is performed by a direct role.
 
-    An indirect role is a role FIXME.
+    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function test_package_insert_permission_missing_tf()
     returns trigger
     language plpgsql as $$
 begin
-    if ( not hasInsertPermission(
+    raise exception '[403] insert into test_package not allowed for current subjects % (%)',
-        ( SELECT customer.uuid FROM
-
-            (SELECT * FROM test_customer WHERE uuid = NEW.customerUuid) AS customer
-
-        ), 'INSERT', 'test_package') ) then
-            raise exception
-                '[403] insert into test_package not allowed for current subjects % (%)',
         currentSubjects(), currentSubjectsUuids();
-    end if;
-    return NEW;
 end; $$;
 
 create trigger test_package_insert_permission_check_tg
     before insert on test_package
     for each row
+    when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )
         execute procedure test_package_insert_permission_missing_tf();
 --//
 
@@ -220,7 +212,8 @@ create trigger test_package_insert_permission_check_tg
 --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('test_package', $idName$
+call generateRbacIdentityViewFromProjection('test_package',
+    $idName$
         name
     $idName$);
 --//

src/main/resources/db/changelog/133-test-domain-rbac.sql

@@ -188,30 +188,22 @@ execute procedure test_domain_test_package_insert_tf();
 
 /**
     Checks if the user or assumed roles are allowed to insert a row to test_domain,
-    where the check is performed by an indirect role.
+    where the check is performed by a direct role.
 
-    An indirect role is a role FIXME.
+    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function test_domain_insert_permission_missing_tf()
     returns trigger
     language plpgsql as $$
 begin
-    if ( not hasInsertPermission(
+    raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
-        ( SELECT package.uuid FROM
-
-            (SELECT * FROM test_package WHERE uuid = NEW.packageUuid) AS package
-
-        ), 'INSERT', 'test_domain') ) then
-            raise exception
-                '[403] insert into test_domain not allowed for current subjects % (%)',
         currentSubjects(), currentSubjectsUuids();
-    end if;
-    return NEW;
 end; $$;
 
 create trigger test_domain_insert_permission_check_tg
     before insert on test_domain
     for each row
+    when ( not hasInsertPermission(NEW.packageUuid, 'INSERT', 'test_domain') )
         execute procedure test_domain_insert_permission_missing_tf();
 --//
 
@@ -219,7 +211,8 @@ create trigger test_domain_insert_permission_check_tg
 --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('test_domain', $idName$
+call generateRbacIdentityViewFromProjection('test_domain',
+    $idName$
         name
     $idName$);
 --//

src/main/resources/db/changelog/203-hs-office-contact-rbac.sql

@@ -125,7 +125,8 @@ execute procedure hs_office_contact_global_insert_tf();
 --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('hs_office_contact', $idName$
+call generateRbacIdentityViewFromProjection('hs_office_contact',
+    $idName$
         label
     $idName$);
 --//

src/main/resources/db/changelog/213-hs-office-person-rbac.sql

@@ -125,7 +125,8 @@ execute procedure hs_office_person_global_insert_tf();
 --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('hs_office_person', $idName$
+call generateRbacIdentityViewFromProjection('hs_office_person',
+    $idName$
         concat(tradeName, familyName, givenName)
     $idName$);
 --//

src/main/resources/db/changelog/223-hs-office-relation-rbac.sql

@@ -37,13 +37,13 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    select * from hs_office_person as p where p.uuid = NEW.holderUuid    INTO newHolderPerson;
+    SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid    INTO newHolderPerson;
     assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
 
-    select * from hs_office_person as p where p.uuid = NEW.anchorUuid    INTO newAnchorPerson;
+    SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid    INTO newAnchorPerson;
     assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
 
-    select * from hs_office_contact as c where c.uuid = NEW.contactUuid    INTO newContact;
+    SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid    INTO newContact;
     assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
 
 
@@ -73,13 +73,13 @@ begin
         hsOfficeRelationTenant(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
+            	hsOfficeContactAdmin(newContact),
             	hsOfficeRelationAgent(NEW),
-            	hsOfficePersonAdmin(newHolderPerson),
+            	hsOfficePersonAdmin(newHolderPerson)],
-            	hsOfficeContactAdmin(newContact)],
             outgoingSubRoles => array[
             	hsOfficePersonReferrer(newAnchorPerson),
-            	hsOfficeContactReferrer(newContact),
+            	hsOfficePersonReferrer(newHolderPerson),
-            	hsOfficePersonReferrer(newHolderPerson)]
+            	hsOfficeContactReferrer(newContact)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
@@ -130,22 +130,22 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    select * from hs_office_person as p where p.uuid = OLD.holderUuid    INTO oldHolderPerson;
+    SELECT * FROM hs_office_person WHERE uuid = OLD.holderUuid    INTO oldHolderPerson;
     assert oldHolderPerson.uuid is not null, format('oldHolderPerson must not be null for OLD.holderUuid = %s', OLD.holderUuid);
 
-    select * from hs_office_person as p where p.uuid = NEW.holderUuid    INTO newHolderPerson;
+    SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid    INTO newHolderPerson;
     assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
 
-    select * from hs_office_person as p where p.uuid = OLD.anchorUuid    INTO oldAnchorPerson;
+    SELECT * FROM hs_office_person WHERE uuid = OLD.anchorUuid    INTO oldAnchorPerson;
     assert oldAnchorPerson.uuid is not null, format('oldAnchorPerson must not be null for OLD.anchorUuid = %s', OLD.anchorUuid);
 
-    select * from hs_office_person as p where p.uuid = NEW.anchorUuid    INTO newAnchorPerson;
+    SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid    INTO newAnchorPerson;
     assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
 
-    select * from hs_office_contact as c where c.uuid = OLD.contactUuid    INTO oldContact;
+    SELECT * FROM hs_office_contact WHERE uuid = OLD.contactUuid    INTO oldContact;
     assert oldContact.uuid is not null, format('oldContact must not be null for OLD.contactUuid = %s', OLD.contactUuid);
 
-    select * from hs_office_contact as c where c.uuid = NEW.contactUuid    INTO newContact;
+    SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid    INTO newContact;
     assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
 
 
@@ -228,30 +228,22 @@ execute procedure hs_office_relation_hs_office_person_insert_tf();
 
 /**
     Checks if the user or assumed roles are allowed to insert a row to hs_office_relation,
-    where the check is performed by an indirect role.
+    where the check is performed by a direct role.
 
-    An indirect role is a role FIXME.
+    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function hs_office_relation_insert_permission_missing_tf()
     returns trigger
     language plpgsql as $$
 begin
-    if ( not hasInsertPermission(
+    raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
-        ( SELECT anchorPerson.uuid FROM
-
-            (select * from hs_office_person as p where p.uuid = NEW.anchorUuid) AS anchorPerson
-
-        ), 'INSERT', 'hs_office_relation') ) then
-            raise exception
-                '[403] insert into hs_office_relation not allowed for current subjects % (%)',
         currentSubjects(), currentSubjectsUuids();
-    end if;
-    return NEW;
 end; $$;
 
 create trigger hs_office_relation_insert_permission_check_tg
     before insert on hs_office_relation
     for each row
+    when ( not hasInsertPermission(NEW.anchorUuid, 'INSERT', 'hs_office_relation') )
         execute procedure hs_office_relation_insert_permission_missing_tf();
 --//
 
@@ -259,11 +251,11 @@ create trigger hs_office_relation_insert_permission_check_tg
 --changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('hs_office_relation', $idName$
+call generateRbacIdentityViewFromProjection('hs_office_relation',
+    $idName$
              (select idName from hs_office_person_iv p where p.uuid = anchorUuid)
              || '-with-' || target.type || '-'
              || (select idName from hs_office_person_iv p where p.uuid = holderUuid)
-
     $idName$);
 --//
 

src/main/resources/db/changelog/233-hs-office-partner-rbac.sql

@@ -36,10 +36,10 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid    INTO newPartnerRel;
+    SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid    INTO newPartnerRel;
     assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
 
-    SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid    INTO newPartnerDetails;
+    SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
     call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
@@ -95,16 +95,16 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    SELECT * FROM hs_office_relation AS r WHERE r.uuid = OLD.partnerRelUuid    INTO oldPartnerRel;
+    SELECT * FROM hs_office_relation WHERE uuid = OLD.partnerRelUuid    INTO oldPartnerRel;
     assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s', OLD.partnerRelUuid);
 
-    SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid    INTO newPartnerRel;
+    SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid    INTO newPartnerRel;
     assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
 
-    SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = OLD.detailsUuid    INTO oldPartnerDetails;
+    SELECT * FROM hs_office_partner_details WHERE uuid = OLD.detailsUuid    INTO oldPartnerDetails;
     assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s', OLD.detailsUuid);
 
-    SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid    INTO newPartnerDetails;
+    SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
 
@@ -220,7 +220,8 @@ create trigger hs_office_partner_insert_permission_check_tg
 --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('hs_office_partner', $idName$
+call generateRbacIdentityViewFromProjection('hs_office_partner',
+    $idName$
         'P-' || partnerNumber
     $idName$);
 --//

src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql

@@ -124,12 +124,12 @@ create trigger hs_office_partner_details_insert_permission_check_tg
 --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_partner_details', $idName$
+    call generateRbacIdentityViewFromQuery('hs_office_partner_details',
+        $idName$
             SELECT partnerDetails.uuid as uuid, partner_iv.idName || '-details' as idName
             FROM hs_office_partner_details AS partnerDetails
             JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
             JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
-
         $idName$);
 --//
 

src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql

@@ -125,7 +125,8 @@ execute procedure hs_office_bankaccount_global_insert_tf();
 --changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-call generateRbacIdentityViewFromProjection('hs_office_bankaccount', $idName$
+call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
+    $idName$
         iban
     $idName$);
 --//

src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql

@@ -64,8 +64,8 @@ begin
         hsOfficeSepaMandateAgent(NEW),
             incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
             outgoingSubRoles => array[
-            	hsOfficeBankAccountReferrer(newBankAccount),
+            	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeRelationAgent(newDebitorRel)]
+            	hsOfficeBankAccountReferrer(newBankAccount)]
     );
 
     perform createRoleWithGrants(
@@ -151,20 +151,22 @@ execute procedure hs_office_sepamandate_hs_office_relation_insert_tf();
 
     An indirect role is a role FIXME.
 */
-create or replace function hs_office_sepamandate_insert_permission_missing_tf()
+create or replace function hs_office_sepamandate_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
-begin
-    if ( not hasInsertPermission(
-        ( SELECT debitorRel.uuid FROM
 
-            (SELECT debitorRel.*
+declare
+    superRoleObjectUuid uuid;
+
+begin
+        superRoleObjectUuid := (SELECT debitorRel.uuid
             FROM hs_office_relation debitorRel
             JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
             WHERE debitor.uuid = NEW.debitorUuid
-            ) AS debitorRel
+        );
+        assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
 
-        ), 'INSERT', 'hs_office_sepamandate') ) then
+        if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_office_sepamandate') ) then
             raise exception
                 '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
                 currentSubjects(), currentSubjectsUuids();
@@ -175,18 +177,18 @@ end; $$;
 create trigger hs_office_sepamandate_insert_permission_check_tg
     before insert on hs_office_sepamandate
     for each row
-        execute procedure hs_office_sepamandate_insert_permission_missing_tf();
+        execute procedure hs_office_sepamandate_insert_permission_check_tf();
 --//
 
 -- ============================================================================
 --changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_sepamandate', $idName$
+    call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
+        $idName$
             select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
             from hs_office_sepamandate sm
             join hs_office_bankaccount ba on ba.uuid = sm.bankAccountUuid
-
         $idName$);
 --//
 

src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql

@@ -46,10 +46,7 @@ begin
         INTO newPartnerRel;
     assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
 
-    SELECT *
+    SELECT * FROM hs_office_relation WHERE uuid = NEW.debitorRelUuid    INTO newDebitorRel;
-        FROM hs_office_relation AS r
-        WHERE r.type = 'DEBITOR' AND r.uuid = NEW.debitorRelUuid
-        INTO newDebitorRel;
     assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
 
     SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid    INTO newRefundBankAccount;
@@ -196,7 +193,8 @@ create trigger hs_office_debitor_insert_permission_check_tg
 --changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_debitor', $idName$
+    call generateRbacIdentityViewFromQuery('hs_office_debitor',
+        $idName$
             SELECT debitor.uuid AS uuid,
                     'D-' || (SELECT partner.partnerNumber
                             FROM hs_office_partner partner
@@ -207,7 +205,6 @@ create trigger hs_office_debitor_insert_permission_check_tg
                             WHERE debitorRel.uuid = debitor.debitorRelUuid)
                          || to_char(debitorNumberSuffix, 'fm00') as idName
         FROM hs_office_debitor AS debitor
-
         $idName$);
 --//
 

src/main/resources/db/changelog/303-hs-office-membership-rbac.sql

@@ -35,10 +35,10 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    SELECT r.*
+    SELECT partnerRel.*
-        FROM hs_office_partner AS p
+        FROM hs_office_partner AS partner
-        JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
+        JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
-        WHERE p.uuid = NEW.partnerUuid
+        WHERE partner.uuid = NEW.partnerUuid
         INTO newPartnerRel;
     assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
 
@@ -138,20 +138,22 @@ execute procedure hs_office_membership_hs_office_relation_insert_tf();
 
     An indirect role is a role FIXME.
 */
-create or replace function hs_office_membership_insert_permission_missing_tf()
+create or replace function hs_office_membership_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+
+declare
+    superRoleObjectUuid uuid;
+
 begin
-    if ( not hasInsertPermission(
+        superRoleObjectUuid := (SELECT partnerRel.uuid
-        ( SELECT partnerRel.uuid FROM
+            FROM hs_office_partner AS partner
+            JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
+            WHERE partner.uuid = NEW.partnerUuid
+        );
+        assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
 
-            (SELECT r.*
+        if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_office_membership') ) then
-                FROM hs_office_partner AS p
-                JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
-                WHERE p.uuid = NEW.partnerUuid
-            ) AS partnerRel
-
-        ), 'INSERT', 'hs_office_membership') ) then
             raise exception
                 '[403] insert into hs_office_membership not allowed for current subjects % (%)',
                 currentSubjects(), currentSubjectsUuids();
@@ -162,19 +164,19 @@ end; $$;
 create trigger hs_office_membership_insert_permission_check_tg
     before insert on hs_office_membership
     for each row
-        execute procedure hs_office_membership_insert_permission_missing_tf();
+        execute procedure hs_office_membership_insert_permission_check_tf();
 --//
 
 -- ============================================================================
 --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_membership', $idName$
+    call generateRbacIdentityViewFromQuery('hs_office_membership',
+        $idName$
             SELECT m.uuid AS uuid,
                 'M-' || p.partnerNumber || m.memberNumberSuffix as idName
         FROM hs_office_membership AS m
         JOIN hs_office_partner AS p ON p.uuid = m.partnerUuid
-
         $idName$);
 --//