2024-03-11 12:30:44 +01:00
7 changed files with 231 additions and 125 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java
@ -3,8 +3,6 @@ package net.hostsharing.hsadminng.hs.office.bankaccount;
 import lombok.*;
 import lombok.experimental.FieldNameConstants;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.debitor.HsOfficeDebitorEntity;
 import net.hostsharing.hsadminng.hs.office.relationship.HsOfficeRelationshipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
 import net.hostsharing.hsadminng.stringify.Stringify;
@ -17,10 +15,8 @@ import jakarta.persistence.Table;
 import java.util.UUID;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@Entity
@ -59,7 +55,7 @@ public class HsOfficeBankAccountEntity implements HasUuid, Stringifyable {
        return holder;
    }
-    public static RbacView hsOfficeBankAccount() {
+    public static RbacView rbac() {
        // @formatter:off
        return rbacViewFor("bankAccount", HsOfficeBankAccountEntity.class)
                .withIdentityView(SQL.query("target.iban || ':' || target.holder"))
@ -75,69 +71,4 @@ public class HsOfficeBankAccountEntity implements HasUuid, Stringifyable {
                    .pop();
        // @formatter:on
    }
    public static RbacView hsOfficeDebitor() {
        // @formatter:off
        return rbacViewFor("debitor", HsOfficeDebitorEntity.class)
                .withIdentityView(SQL.query("""
                    SELECT debitor.uuid,
                                'D-' || (SELECT partner.partnerNumber
                                        FROM hs_office_partner partner
                                        JOIN hs_office_relationship partnerRel
                                            ON partnerRel.uuid = partner.partnerRoleUUid AND partnerRel.relType = 'PARTNER'
                                        JOIN hs_office_relationship debitorRel
                                            ON debitorRel.relAnchorUuid = partnerRel.relHolderUuid AND partnerRel.relType = 'ACCOUNTING'
                                        WHERE debitorRel.uuid = debitor.debitorRelUuid)
                                     || to_char(debitorNumberSuffix, 'fm00')
                        from hs_office_debitor as debitor;
                """))
                .withUpdatableColumns(
                        "debitorRel",
                        "billable",
                        "billingContactUuid",
                        "refundBankAccountUuid",
                        "vatId",
                        "vatCountryCode",
                        "vatBusiness",
                        "vatreversecharge",
                        "defaultPrefix" /* TODO: do we want that updatable? */ )
                .createPermission(custom("new-debitor")).grantedTo("global", ADMIN).pop()
                .defineProxyEntityAlias("debitorRel", HsOfficeRelationshipEntity.class, fetchedBySql("""
                        SELECT *
                            FROM hs_office_relationship AS r
                            WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid;
                        """),
                        dependsOnColumn("debitorRelUuid"))
                .createPermission(ALL).grantedTo("debitorRel", OWNER).pop()
                .createPermission(EDIT).grantedTo("debitorRel", ADMIN).pop()
                .createPermission(VIEW).grantedTo("debitorRel", TENANT).pop()
                .defineEntityAlias("refundBankAccount", HsOfficeBankAccountEntity.class, fetchedBySql("""
                        SELECT *
                            FROM hs_office_relationship AS r
                            WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid;
                        """),
                        dependsOnColumn("bankAccountUuid"))
                .importRbacViewAs("refundBankAccount", HsOfficeBankAccountEntity.hsOfficeBankAccount())
                .toRole("refundBankAccount", ADMIN).grantRole("debitorRel", AGENT)
                .toRole("debitorRel", AGENT).grantRole("refundBankAccount", REFERRER)
                .defineEntityAlias("partnerRel", HsOfficeRelationshipEntity.class, fetchedBySql("""
                       SELECT *
                            FROM hs_office_relationship AS partnerRel
                            WHERE ${debitorRel}.relAnchorUuid = partnerRel.relHolderUuid;
                        """),
                        dependsOnColumn("debitorRelUuid"))
                .toRole("partnerRel", ADMIN).grantRole("debitorRel", ADMIN)
                .toRole("partnerRel", AGENT).grantRole("debitorRel", AGENT)
                .toRole("debitorRel", AGENT).grantRole("partnerRel", TENANT)
                .declareEntityAliases("partnerPerson", "operationalPerson")
                .forExampleRole("partnerPerson", ADMIN).wouldBeGrantedTo("partnerRel", ADMIN)
                .forExampleRole("operationalPerson", ADMIN).wouldBeGrantedTo("partnerRel", ADMIN)
                .forExampleRole("partnerRel", TENANT).wouldBeGrantedTo("partnerPerson", REFERRER);
        // @formatter:on
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
@ -4,8 +4,10 @@ import lombok.*;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.bankaccount.HsOfficeBankAccountEntity;
 import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactEntity;
 import net.hostsharing.hsadminng.hs.office.relationship.HsOfficeRelationshipEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
 import net.hostsharing.hsadminng.hs.office.partner.HsOfficePartnerEntity;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.hibernate.annotations.GenericGenerator;
@ -14,6 +16,13 @@ import jakarta.persistence.*;
 import java.util.Optional;
 import java.util.UUID;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.VIEW;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@Entity
@ -97,4 +106,69 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
    public String toShortString() {
        return DEBITOR_NUMBER_TAG + getDebitorNumberString();
    }
    public static RbacView rbac() {
        // @formatter:off
        return rbacViewFor("debitor", HsOfficeDebitorEntity.class)
                .withIdentityView(RbacView.SQL.query("""
                    SELECT debitor.uuid,
                                'D-' || (SELECT partner.partnerNumber
                                        FROM hs_office_partner partner
                                        JOIN hs_office_relationship partnerRel
                                            ON partnerRel.uuid = partner.partnerRoleUUid AND partnerRel.relType = 'PARTNER'
                                        JOIN hs_office_relationship debitorRel
                                            ON debitorRel.relAnchorUuid = partnerRel.relHolderUuid AND partnerRel.relType = 'ACCOUNTING'
                                        WHERE debitorRel.uuid = debitor.debitorRelUuid)
                                     || to_char(debitorNumberSuffix, 'fm00')
                        from hs_office_debitor as debitor;
                """))
                .withUpdatableColumns(
                        "debitorRel",
                        "billable",
                        "billingContactUuid",
                        "refundBankAccountUuid",
                        "vatId",
                        "vatCountryCode",
                        "vatBusiness",
                        "vatReverseCharge",
                        "defaultPrefix" /* TODO: do we want that updatable? */ )
                .createPermission(custom("new-debitor")).grantedTo("global", ADMIN).pop()
                .importProxyEntity("debitorRel", HsOfficeRelationshipEntity.class,
                        fetchedBySql("""
                            SELECT *
                                FROM hs_office_relationship AS r
                                WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid;
                            """),
                        dependsOnColumn("debitorRelUuid"))
                .createPermission(ALL).grantedTo("debitorRel", OWNER).pop()
                .createPermission(EDIT).grantedTo("debitorRel", ADMIN).pop()
                .createPermission(VIEW).grantedTo("debitorRel", TENANT).pop()
                .importEntityAlias("refundBankAccount", HsOfficeBankAccountEntity.class,
                        fetchedBySql("""
                            SELECT *
                                FROM hs_office_relationship AS r
                                WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid;
                            """),
                        dependsOnColumn("bankAccountUuid"))
                .toRole("refundBankAccount", ADMIN).grantRole("debitorRel", AGENT)
                .toRole("debitorRel", AGENT).grantRole("refundBankAccount", REFERRER)
                .importEntityAlias("partnerRel", HsOfficeRelationshipEntity.class,
                        fetchedBySql("""
                           SELECT *
                                FROM hs_office_relationship AS partnerRel
                                WHERE ${debitorRel}.relAnchorUuid = partnerRel.relHolderUuid;
                            """),
                        dependsOnColumn("debitorRelUuid"))
                .toRole("partnerRel", ADMIN).grantRole("debitorRel", ADMIN)
                .toRole("partnerRel", AGENT).grantRole("debitorRel", AGENT)
                .toRole("debitorRel", AGENT).grantRole("partnerRel", TENANT)
                .declarePlaceholderEntityAliases("partnerPerson", "operationalPerson")
                .forExampleRole("partnerPerson", ADMIN).wouldBeGrantedTo("partnerRel", ADMIN)
                .forExampleRole("operationalPerson", ADMIN).wouldBeGrantedTo("partnerRel", ADMIN)
                .forExampleRole("partnerRel", TENANT).wouldBeGrantedTo("partnerPerson", REFERRER);
        // @formatter:on
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonEntity.java
@ -4,6 +4,7 @@ import lombok.*;
 import lombok.experimental.FieldNameConstants;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.persistence.HasUuid;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.apache.commons.lang3.StringUtils;
@ -11,6 +12,11 @@ import org.apache.commons.lang3.StringUtils;
 import jakarta.persistence.*;
 import java.util.UUID;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.query;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@Entity
@ -56,4 +62,21 @@ public class HsOfficePersonEntity implements HasUuid, Stringifyable {
        return personType + " " +
                (!StringUtils.isEmpty(tradeName) ? tradeName : (familyName + ", " + givenName));
    }
    public static RbacView rbac() {
        // @formatter:off
        return rbacViewFor("person", HsOfficePersonEntity.class)
                .withIdentityView(query("concat(target.tradeName, target.familyName, target.givenName)"))
                .withUpdatableColumns("personType", "tradeName", "givenName", "familyName")
                .createRole(OWNER)
                    .withPermission(ALL)
                    .withCurrentUserAsOwner()
                    .withIncomingSuperRole(GLOBAL, ADMIN)
                .createSubRole(ADMIN)
                    .withPermission(EDIT)
                .createSubRole(REFERRER)
                    .withPermission(VIEW)
                .pop();
        // @formatter:on
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipEntity.java
@ -5,12 +5,20 @@ import lombok.experimental.FieldNameConstants;
 import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactEntity;
 import net.hostsharing.hsadminng.persistence.HasUuid;
 import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonEntity;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import jakarta.persistence.*;
 import java.util.UUID;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@Entity
@ -67,4 +75,34 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
    public String toShortString() {
        return toShortString.apply(this);
    }
    public static RbacView rbac() {
        // @formatter:off
        return rbacViewFor("relationship", HsOfficeRelationshipEntity.class)
                .withIdentityView(SQL.query("""
                     (select idName from hs_office_person_iv p where p.uuid = target.relAnchorUuid)
                     || '-with-' || target.relType || '-'
                     || (select idName from hs_office_person_iv p where p.uuid = target.relHolderUuid)
                """))
                .withUpdatableColumns("contactUuid")
                .importEntityAlias("anchorPerson", HsOfficePersonEntity.class,
                        fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.relAnchorUuid"),
                        dependsOnColumn("relAnchorUuid"))
                .importEntityAlias("holderPerson", HsOfficePersonEntity.class,
                        fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.relHolderUuid"),
                        dependsOnColumn("relHolderUuid"))
                .createRole(OWNER)
                    .withCurrentUserAsOwner()
                    .withPermission(ALL)
                    .withIncomingSuperRole(GLOBAL, ADMIN)
                    .withIncomingSuperRole("anchorPerson", ADMIN)
                .createSubRole(ADMIN)
                    .withPermission(EDIT)
                .createSubRole(AGENT)
                    .withIncomingSuperRole("holderPerson", ADMIN)
                .createSubRole(TENANT)
                    .withPermission(VIEW)
                    .pop();
        // @formatter:on
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@ -6,6 +6,7 @@ import net.hostsharing.hsadminng.hs.office.relationship.HsOfficeRelationshipEnti
 import net.hostsharing.hsadminng.persistence.HasUuid;
 import jakarta.validation.constraints.NotNull;
 import java.lang.reflect.InvocationTargetException;
 import java.util.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
@ -36,11 +37,11 @@ public class RbacView {
    private SQL identityViewSqlQuery;
    private EntityAlias entityAliasProxy;
-    public static <E extends HasUuid> RbacView rbacViewFor(final String alias, final Class entityClass) {
+    public static <E extends HasUuid> RbacView rbacViewFor(final String alias, final Class<? extends HasUuid> entityClass) {
        return new RbacView(alias, entityClass);
    }
-    RbacView(final String alias, final Class entityClass) {
+    RbacView(final String alias, final Class<? extends HasUuid> entityClass) {
        entityAlias = new EntityAlias(alias, entityClass);
        entityAliases.put(alias, entityAlias);
        new RbacUserReference(CREATOR);
@ -71,31 +72,53 @@ public class RbacView {
        return permDef;
    }
-    public <EC extends HasUuid> RbacView declareEntityAliases(final String... aliasNames) {
+    public <EC extends HasUuid> RbacView declarePlaceholderEntityAliases(final String... aliasNames) {
        for ( String alias: aliasNames ) {
            entityAliases.put(alias, new EntityAlias(alias));
        }
        return this;
    }
-    public <EC extends HasUuid> RbacView defineProxyEntityAlias(
+    public <EC extends HasUuid> RbacView importProxyEntity(
            final String aliasName, final Class entityClass, final SQL fetchSql, final Column dependsOnColum) {
-        entityAliasProxy = new EntityAlias(aliasName, entityClass, fetchSql, dependsOnColum);
+        if ( entityAliasProxy != null ) {
-        entityAliases.put(aliasName, entityAliasProxy);
+            throw new IllegalStateException("there is already an entityAliasProxy: " + entityAliasProxy);
        }
        entityAliasProxy = importEntityAliasImpl(aliasName, entityClass, fetchSql, dependsOnColum);
        return this;
    }
-    public <EC extends HasUuid> RbacView defineEntityAlias(
+    public RbacView importEntityAlias(
            final String aliasName, final Class entityClass, final SQL fetchSql, final Column dependsOnColum) {
-        entityAliases.put(aliasName, new EntityAlias(aliasName, entityClass, fetchSql, dependsOnColum));
+        importEntityAliasImpl(aliasName, entityClass, fetchSql, dependsOnColum);
        return this;
    }
-    public RbacView importRbacViewAs(final String aliasName, final RbacView importedRbacView) {
+    private EntityAlias importEntityAliasImpl(final String aliasName, final Class entityClass, final SQL fetchSql, final Column dependsOnColum) {
        final var entityAlias = new EntityAlias(aliasName, entityClass, fetchSql, dependsOnColum);
        entityAliases.put(aliasName, entityAlias);
        try {
            importAsAlias(aliasName, rbacDefinition(entityClass));
        } catch ( final Exception exc) {
            new RuntimeException("cannot import entity: " + entityClass, exc);
        }
        return entityAlias;
    }
    private static RbacView rbacDefinition(final Class<? extends HasUuid> entityClass)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        return (RbacView) entityClass.getMethod("rbac").invoke(null);
    }
    private RbacView importAsAlias(final String aliasName, final RbacView importedRbacView) {
        final var mapper = new AliasNameMapper(importedRbacView, aliasName);
-        importedRbacView.getEntityAliases().values().forEach(entityAlias -> {
+        importedRbacView.getEntityAliases().values().stream()
-            new EntityAlias( mapper.map(entityAlias.aliasName), entityAlias.entityClass);
+                .filter(entityAlias -> !importedRbacView.isMainEntityAlias(entityAlias))
-        });
+                .filter(entityAlias -> !entityAlias.isGlobal())
                .forEach(entityAlias -> {
                    final String mappedAliasName = mapper.map(entityAlias.aliasName);
                    entityAliases.put(mappedAliasName, new EntityAlias(mappedAliasName, entityAlias.entityClass));
                });
        importedRbacView.getRoleDefs().forEach(roleDef -> {
            new RbacRoleDefinition( findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
        });
@ -120,15 +143,15 @@ public class RbacView {
    private  RbacGrantDefinition grantRoleToCurrentUser(final RbacRoleDefinition roleDefinition) {
-        return new RbacGrantDefinition(roleDefinition, currentUser());
+        return new RbacGrantDefinition(roleDefinition, currentUser()).toCreate();
    }
    private  RbacGrantDefinition grantPermissionToRole(final RbacPermissionDefinition permDef , final RbacRoleDefinition roleDef) {
-        return new RbacGrantDefinition(permDef, roleDef);
+        return new RbacGrantDefinition(permDef, roleDef).toCreate();
    }
    private  RbacGrantDefinition grantSubRoleToSuperRole(final RbacRoleDefinition subRoleDefinition, final RbacRoleDefinition superRoleDefinition) {
-        return new RbacGrantDefinition(subRoleDefinition, superRoleDefinition);
+        return new RbacGrantDefinition(subRoleDefinition, superRoleDefinition).toCreate();
    }
    boolean isMainEntityAlias(final EntityAlias entityAlias) {
@ -148,7 +171,7 @@ public class RbacView {
        }
        public RbacView grantRole(final String entityAlias, final Role role) {
-            new RbacGrantDefinition(findRbacRole(entityAlias, role), superRoleDef);
+            new RbacGrantDefinition(findRbacRole(entityAlias, role), superRoleDef).toCreate();
            return RbacView.this;
        }
@ -161,6 +184,7 @@ public class RbacView {
        private final RbacRoleDefinition superRoleDef;
        private final RbacRoleDefinition subRoleDef;
        private final RbacPermissionDefinition permDef;
        private boolean toCreate;
        @Override
        public String toString() {
@ -203,7 +227,16 @@ public class RbacView {
        boolean isAssumed() {
            // TODO: not implemented yet
-            return false;
+            return true;
        }
        boolean isToCreate() {
            return toCreate;
        }
        RbacGrantDefinition toCreate() {
            toCreate = true;
            return this;
        }
        public enum GrantType {
@ -262,7 +295,7 @@ public class RbacView {
        }
        public RbacPermissionDefinition  grantedTo(final String entityAlias, final Role role) {
-            new RbacGrantDefinition(this, findRbacRole(entityAlias, role) );
+            new RbacGrantDefinition(this, findRbacRole(entityAlias, role) ).toCreate();
            return this;
        }
@ -309,7 +342,7 @@ public class RbacView {
        public RbacRoleDefinition createSubRole(final Role role) {
            final var roleDef = findRbacRole(entityAlias, role).toCreate();
-            new RbacGrantDefinition(roleDef, this);
+            new RbacGrantDefinition(roleDef, this).toCreate();
            return roleDef;
        }
@ -346,7 +379,7 @@ public class RbacView {
        }
    }
-    private EntityAlias findEntityAlias(final String aliasName) {
+    EntityAlias findEntityAlias(final String aliasName) {
        final var found = entityAliases.get(aliasName);
        if ( found == null ) {
            throw new IllegalArgumentException("entityAlias not found: " + aliasName);
@ -354,7 +387,7 @@ public class RbacView {
        return found;
    }
-    public RbacRoleDefinition findRbacRole(final EntityAlias entityAlias, final Role role) {
+    RbacRoleDefinition findRbacRole(final EntityAlias entityAlias, final Role role) {
        return roleDefs.stream()
                .filter(r -> r.getEntityAlias() == entityAlias && r.getRole().equals(role))
                .findFirst()
@ -367,17 +400,21 @@ public class RbacView {
    record EntityAlias(String aliasName, Class<? extends HasUuid> entityClass, SQL fetchSql, Column dependsOnColum) {
-        public EntityAlias(final String aliasName) {
+            public EntityAlias(final String aliasName) {
-            this(aliasName, null, null, null);
+                this(aliasName, null, null, null);
-        }
+            }
-        public EntityAlias(final String aliasName, final Class<? extends HasUuid> entityClass) {
+            public EntityAlias(final String aliasName, final Class<? extends HasUuid> entityClass) {
-            this(aliasName, entityClass, null, null);
+                this(aliasName, entityClass, null, null);
-        }
+            }
        boolean isGlobal() {
            return aliasName().equals("global");
        }
        boolean isPlaceholder() {
                return entityClass == null;
        }
    }
    public record Role(String roleName) {
@ -389,7 +426,7 @@ public class RbacView {
        @Override
        public String toString() {
-            return "." + roleName;
+            return ":" + roleName;
        }
        @Override
@ -409,7 +446,7 @@ public class RbacView {
        @Override
        public String toString() {
-            return "." + permission;
+            return ":" + permission;
        }
    }
@ -457,7 +494,10 @@ public class RbacView {
            if (originalAliasName.equals(importedRbacView.entityAlias.aliasName) ) {
                return outerAliasName;
            }
-            return originalAliasName;
+            if (originalAliasName.equals("global") ) {
                return originalAliasName;
            }
            return outerAliasName + "." + originalAliasName;
        }
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchart.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchart.java
@ -1,6 +1,6 @@
 package net.hostsharing.hsadminng.rbac.rbacdef;
-import net.hostsharing.hsadminng.hs.office.bankaccount.HsOfficeBankAccountEntity;
+import net.hostsharing.hsadminng.hs.office.debitor.HsOfficeDebitorEntity;
 import org.apache.commons.lang3.StringUtils;
 import java.io.IOException;
@ -11,7 +11,8 @@ import static java.util.stream.Collectors.joining;
 public class RbacViewMermaidFlowchart {
-
+    public static final String HOSTSHARING_ORANGE = "#dd4901";
    public static final String HOSTSHARING_LIGHTBLUE = "#99bcdb";
    private final RbacView rbacDef;
    private final StringBuilder flowchart = new StringBuilder();
@ -21,38 +22,28 @@ public class RbacViewMermaidFlowchart {
                ### rbac %{entityAlias} %{timestamp}
                ```mermaid
                %%{init:{'flowchart':{'htmlLabels':false}}}%%
                flowchart TB
                """
                .replace("%{entityAlias}", rbacDef.getEntityAlias().aliasName())
                .replace("%{timestamp}", LocalDateTime.now().toString()));
        renderSubgraphGlobal();
        renderEntitySubgraphs();
        renderGrants();
        flowchart.append("```");
    }
    void renderSubgraphGlobal() {
        flowchart.append("""
                subgraph global
                    style global fill: lightgray
                    role:global.admin[global.admin]
                end
                """);
    }
    private void renderEntitySubgraphs() {
        rbacDef.getEntityAliases().values().stream()
                .filter(entityAlias -> !rbacDef.isEntityAliasProxy(entityAlias))
                .filter(entityAlias -> !entityAlias.isPlaceholder())
                .forEach(this::renderEntitySubgraph);
    }
    private void renderEntitySubgraph(final RbacView.EntityAlias entity) {
-        final var color = rbacDef.isMainEntityAlias(entity) ? "lightgreen" : "lightgray";
+        final var color = rbacDef.isMainEntityAlias(entity) ? HOSTSHARING_ORANGE : HOSTSHARING_LIGHTBLUE;
        flowchart.append("""
-            subgraph %{aliasName}
+            subgraph %{aliasName}["`**%{aliasName}**`"]
                direction TB
                style %{aliasName} fill: %{color}
@ -98,13 +89,16 @@ public class RbacViewMermaidFlowchart {
    }
    private String grantDef(final RbacView.RbacGrantDefinition grant) {
        final var arrow = grant.isToCreate()
                ? grant.isAssumed() ? " ==> " : " == // ==> "
                : grant.isAssumed() ? " -.-> " : " -.- // -.-> ";
        return switch (grant.grantType()) {
            case USER_TO_ROLE ->
                // TODO: other user types not implemented yet
-                    "user:creator" + (grant.isAssumed() ? " -.-> " : " --> ") + roleId(grant.getSubRoleDef());
+                    "user:creator" + arrow + roleId(grant.getSubRoleDef());
            case ROLE_TO_ROLE ->
-                    roleId(grant.getSuperRoleDef()) + (grant.isAssumed() ? " -.-> " : " --> ") + roleId(grant.getSubRoleDef());
+                    roleId(grant.getSuperRoleDef()) + arrow + roleId(grant.getSubRoleDef());
-            case ROLE_TO_PERM -> roleId(grant.getSuperRoleDef()) + " --> " + permId(grant.getPermDef());
+            case ROLE_TO_PERM -> roleId(grant.getSuperRoleDef()) + arrow + permId(grant.getPermDef());
        };
    }
@ -131,14 +125,20 @@ public class RbacViewMermaidFlowchart {
    public static void main(String[] args) throws IOException {
-        Files.writeString(
+//        Files.writeString(
-                Paths.get("doc", "hsOfficeBankAccount.md"),
+//                Paths.get("doc", "hsOfficeRelationship.md"),
-                new RbacViewMermaidFlowchart(HsOfficeBankAccountEntity.hsOfficeBankAccount()).toString(),
+//                new RbacViewMermaidFlowchart(HsOfficeRelationshipEntity.rbac()).toString(),
-                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
+//                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
 //
 //
 //        Files.writeString(
 //                Paths.get("doc", "hsOfficeBankAccount.md"),
 //                new RbacViewMermaidFlowchart(HsOfficeBankAccountEntity.rbac()).toString(),
 //                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
        Files.writeString(
                Paths.get("doc", "hsOfficeDebitor.md"),
-                new RbacViewMermaidFlowchart(HsOfficeBankAccountEntity.hsOfficeDebitor()).toString(),
+                new RbacViewMermaidFlowchart(HsOfficeDebitorEntity.rbac()).toString(),
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java
@ -41,7 +41,7 @@ public static void main(String[] args) throws IOException {
    Files.writeString(
            Paths.get("doc", "hsOfficeBankAccount.sql"),
-            new RbacViewPostgresGenerator(HsOfficeBankAccountEntity.hsOfficeBankAccount()).toString(),
+            new RbacViewPostgresGenerator(HsOfficeBankAccountEntity.rbac()).toString(),
            StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
    }
 }