sql/recursive-cte-experiments-for-accessible-uuids.sql

@@ -0,0 +1,148 @@
+-- just a permanent playground to explore optimization of the central recursive CTE query for RBAC
+
+rollback transaction;
+begin transaction;
+SET TRANSACTION READ ONLY;
+call defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
+                   'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
+--                    'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
+select count(type) as counter, type from hs_hosting_asset_rv
+    group by type
+    order by counter desc;
+commit transaction;
+
+
+
+
+rollback transaction;
+begin transaction;
+SET TRANSACTION READ ONLY;
+call defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
+     'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
+--                    'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
+
+with accessible_hs_hosting_asset_uuids as
+         (with recursive
+              recursive_grants as
+                  (select distinct rbacgrants.descendantuuid,
+                                   rbacgrants.ascendantuuid,
+                                   1 as level,
+                                   true
+                       from rbacgrants
+                       where rbacgrants.assumed
+                         and (rbacgrants.ascendantuuid = any (currentsubjectsuuids()))
+                   union all
+                   select distinct g.descendantuuid,
+                                   g.ascendantuuid,
+                                   grants.level + 1 as level,
+                                   assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
+                       from rbacgrants g
+                                join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
+                       where g.assumed),
+              grant_count AS (
+                SELECT COUNT(*) AS grant_count FROM recursive_grants
+              ),
+              count_check as (select assertTrue((select count(*) as grant_count from recursive_grants) < 300000,
+                    'too many grants for current subjects: ' || (select count(*) as grant_count from recursive_grants))
+                                         as valid)
+          select distinct perm.objectuuid
+              from recursive_grants
+                       join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid
+                       join rbacobject obj on obj.uuid = perm.objectuuid
+                       join count_check cc on cc.valid
+              where obj.objecttable::text = 'hs_hosting_asset'::text)
+select type,
+--        count(*) as counter
+       target.uuid,
+--        target.version,
+--        target.bookingitemuuid,
+--        target.type,
+--        target.parentassetuuid,
+--        target.assignedtoassetuuid,
+       target.identifier,
+       target.caption
+--        target.config,
+--        target.alarmcontactuuid
+    from hs_hosting_asset target
+    where (target.uuid in (select accessible_hs_hosting_asset_uuids.objectuuid
+                               from accessible_hs_hosting_asset_uuids))
+        and target.type in ('EMAIL_ADDRESS', 'CLOUD_SERVER', 'MANAGED_SERVER', 'MANAGED_WEBSPACE')
+--         and target.type = 'EMAIL_ADDRESS'
+--     order by target.identifier;
+--     group by type
+--     order by counter desc
+;
+commit transaction;
+
+
+
+
+rollback transaction;
+begin transaction;
+SET TRANSACTION READ ONLY;
+call defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
+                   'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
+--                    'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
+
+with one_path as (with recursive path as (
+        -- Base case: Start with the row where ascending equals the starting UUID
+        select ascendantuuid,
+               descendantuuid,
+               array [ascendantuuid] as path_so_far
+            from rbacgrants
+            where ascendantuuid = any (currentsubjectsuuids())
+
+        union all
+
+        -- Recursive case: Find the next step in the path
+        select c.ascendantuuid,
+               c.descendantuuid,
+               p.path_so_far || c.ascendantuuid
+            from rbacgrants c
+                     inner join
+                 path p on c.ascendantuuid = p.descendantuuid
+            where c.ascendantuuid != all (p.path_so_far) -- Prevent cycles
+    )
+      -- Final selection: Output all paths that reach the target UUID
+      select distinct array_length(path_so_far, 1),
+          path_so_far || descendantuuid as full_path
+          from path
+                   join rbacpermission perm on perm.uuid = path.descendantuuid
+                   join hs_hosting_asset ha on ha.uuid = perm.objectuuid
+      --    JOIN rbacrole_ev re on re.uuid = any(path_so_far)
+          where ha.identifier = 'vm1068'
+          order by array_length(path_so_far, 1)
+          limit 1
+  )
+select
+    (
+        SELECT ARRAY_AGG(re.roleidname ORDER BY ord.idx)
+            FROM UNNEST(one_path.full_path) WITH ORDINALITY AS ord(uuid, idx)
+                     JOIN rbacrole_ev re ON ord.uuid = re.uuid
+    ) AS name_array
+    from one_path;
+commit transaction;
+
+
+
+
+select * from
+(
+    select uuid, roleidname as name from rbacrole_ev
+    union all
+    select uuid, p.optablename || ':' || p.objectuuid || ':' || p.op  as name from rbacpermission p
+) united
+         where uuid in (
+             '4157915c-a09b-490c-9430-00005fcfbb4f',
+             '046f2da0-66d5-4e6a-af17-d41fba617b30',
+             '6239ca11-5224-401d-9780-1af7f5cbf35a',
+             '70004958-39c7-4d32-8ba6-d78145f3ad32',
+             '7065fbc1-c605-4da3-97dd-f40fe1b90b4c',
+             'd551551b-b1dd-414a-a0ed-a07712f15e62',
+             'f1f0fc3e-020a-48fe-b9c1-ac495cc21fdf',
+             '63ad71f3-214c-411e-8b0b-a859e54af770',
+             '561bbe75-b8f2-4e4b-86ac-02a72ab9a6e8',
+             '379e99b3-b53f-421d-a53e-2e81c464fbf2',
+             '5cb1ecb2-7962-47e0-b8bf-67974da45208'
+    );
+

src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectEntity.java

@@ -94,7 +94,7 @@ public class HsBookingProjectEntity implements Stringifyable, BaseEntity<HsBooki
                 .toRole("global", ADMIN).grantPermission(DELETE)
 
                 .createRole(OWNER, (with) -> {
-                    with.incomingSuperRole("debitorRel", AGENT);
+                    with.incomingSuperRole("debitorRel", AGENT).unassumed();
                 })
                 .createSubRole(ADMIN, (with) -> {
                     with.permission(UPDATE);

src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java

@@ -192,6 +192,9 @@ public class HsHostingAssetEntity implements HsHostingAsset {
                     with.outgoingSubRole("bookingItem", TENANT);
                     with.outgoingSubRole("parentAsset", TENANT);
                     with.incomingSuperRole("alarmContact", ADMIN);
+                })
+                .createSubRole(REFERRER, (with) -> {
+                    with.incomingSuperRole("assignedToAsset", AGENT);
                     with.permission(SELECT);
                 })
 

src/main/resources/db/changelog/0-basis/008-raise-functions.sql

@@ -1,11 +1,10 @@
 --liquibase formatted sql
 
 -- ============================================================================
--- RAISE-FUNCTIONS
 --changeset RAISE-FUNCTIONS:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
-    Like RAISE EXCEPTION ... just as an expression instead of a statement.
+    Like `RAISE EXCEPTION` ... just as an expression instead of a statement.
  */
 create or replace function raiseException(msg text)
     returns varchar
@@ -14,3 +13,19 @@ begin
     raise exception using message = msg;
 end; $$;
 --//
+
+
+-- ============================================================================
+--changeset ASSERT-FUNCTIONS:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+/*
+    Like `ASSERT` but as an expression instead of a statement.
+ */
+create or replace function assertTrue(expectedTrue boolean, msg text)
+    returns boolean
+    language plpgsql as $$
+begin
+    assert expectedTrue, msg;
+    return expectedTrue;
+end; $$;
+--//

src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql

@@ -177,26 +177,35 @@ begin
     sql := format($sql$
         create or replace view %1$s_rv as
             with accessible_%1$s_uuids as (
-
+                     with recursive
-                -- TODO.perf: this CTE query makes RBAC-SELECT-permission-queries so slow (~500ms), any idea how to optimize?
+                          recursive_grants as
-                --  My guess is, that the depth of role-grants causes the problem.
+                              (select distinct rbacgrants.descendantuuid,
-                with recursive grants as (
+                                               rbacgrants.ascendantuuid,
-                    select descendantUuid, ascendantUuid, 1 as level
+                                               1 as level,
-                        from RbacGrants
+                                               true
-                        where assumed
+                                   from rbacgrants
-                          and ascendantUuid = any (currentSubjectsuUids())
+                                   where rbacgrants.assumed
+                                     and (rbacgrants.ascendantuuid = any (currentsubjectsuuids()))
                                union all
-                    select g.descendantUuid, g.ascendantUuid, level + 1 as level
+                               select distinct g.descendantuuid,
-                        from RbacGrants g
+                                               g.ascendantuuid,
-                                 inner join grants on grants.descendantUuid = g.ascendantUuid
+                                               grants.level + 1 as level,
-                        where g.assumed and level<10
+                                               assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
-                )
+                                   from rbacgrants g
-                select distinct perm.objectUuid as objectUuid
+                                            join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
-                    from grants
+                                   where g.assumed),
-                             join RbacPermission perm on grants.descendantUuid = perm.uuid
+                          grant_count AS (
-                             join RbacObject obj on obj.uuid = perm.objectUuid
+                            SELECT COUNT(*) AS grant_count FROM recursive_grants
+                          ),
+                          count_check as (select assertTrue((select count(*) as grant_count from recursive_grants) < 400000,
+                                'too many grants for current subjects: ' || (select count(*) as grant_count from recursive_grants))
+                                                     as valid)
+                      select distinct perm.objectuuid
+                          from recursive_grants
+                                   join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid
+                                   join rbacobject obj on obj.uuid = perm.objectuuid
+                                   join count_check cc on cc.valid
                           where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions
-                    limit 8001
             )
             select target.*
                 from %1$s as target

src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md

@@ -48,7 +48,7 @@ role:global:ADMIN -.-> role:debitorRel:OWNER
 role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
 role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel:AGENT ==> role:project:OWNER
+role:debitorRel:AGENT ==>|XX| role:project:OWNER
 role:project:OWNER ==> role:project:ADMIN
 role:project:ADMIN ==> role:project:AGENT
 role:project:AGENT ==> role:project:TENANT

src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql

@@ -49,7 +49,7 @@ begin
 
     perform createRoleWithGrants(
         hsBookingProjectOWNER(NEW),
-            incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel)]
+            incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
     );
 
     perform createRoleWithGrants(

src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md

@@ -30,6 +30,7 @@ subgraph asset["`**asset**`"]
         role:asset:ADMIN[[asset:ADMIN]]
         role:asset:AGENT[[asset:AGENT]]
         role:asset:TENANT[[asset:TENANT]]
+        role:asset:REFERRER[[asset:REFERRER]]
     end
 
     subgraph asset:permissions[ ]
@@ -50,6 +51,7 @@ subgraph assignedToAsset["`**assignedToAsset**`"]
         style assignedToAsset:roles fill:#99bcdb,stroke:white
 
         role:assignedToAsset:TENANT[[assignedToAsset:TENANT]]
+        role:assignedToAsset:AGENT[[assignedToAsset:AGENT]]
     end
 end
 
@@ -103,6 +105,8 @@ role:asset:AGENT ==> role:asset:TENANT
 role:asset:TENANT ==> role:bookingItem:TENANT
 role:asset:TENANT ==> role:parentAsset:TENANT
 role:alarmContact:ADMIN ==> role:asset:TENANT
+role:asset:TENANT ==> role:asset:REFERRER
+role:assignedToAsset:AGENT ==> role:asset:REFERRER
 
 %% granting permissions to roles
 role:global:ADMIN ==> perm:asset:INSERT
@@ -110,6 +114,6 @@ role:parentAsset:ADMIN ==> perm:asset:INSERT
 role:global:GUEST ==> perm:asset:INSERT
 role:asset:OWNER ==> perm:asset:DELETE
 role:asset:ADMIN ==> perm:asset:UPDATE
-role:asset:TENANT ==> perm:asset:SELECT
+role:asset:REFERRER ==> perm:asset:SELECT
 
 ```

src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql

@@ -75,7 +75,6 @@ begin
 
     perform createRoleWithGrants(
         hsHostingAssetTENANT(NEW),
-            permissions => array['SELECT'],
             incomingSuperRoles => array[
             	hsHostingAssetAGENT(NEW),
             	hsOfficeContactADMIN(newAlarmContact)],
@@ -84,6 +83,14 @@ begin
             	hsHostingAssetTENANT(newParentAsset)]
     );
 
+    perform createRoleWithGrants(
+        hsHostingAssetREFERRER(NEW),
+            permissions => array['SELECT'],
+            incomingSuperRoles => array[
+            	hsHostingAssetAGENT(newAssignedToAsset),
+            	hsHostingAssetTENANT(NEW)]
+    );
+
     IF NEW.type = 'DOMAIN_SETUP' THEN
     END IF;
 

src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemControllerAcceptanceTest.java

@@ -287,7 +287,7 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
     class PatchBookingItem {
 
         @Test
-        void globalAdmin_canPatchAllUpdatablePropertiesOfBookingItem() {
+        void projectAgent_canPatchAllUpdatablePropertiesOfBookingItem() {
 
             final var givenBookingItem = givenSomeNewBookingItem("D-1000111 default project", MANAGED_WEBSPACE,
                     resource("HDD", 100), resource("SSD", 50), resource("Traffic", 250));
@@ -295,6 +295,7 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "superuser-alex@hostsharing.net")
+                    .header("assumed-roles", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT")
                     .contentType(ContentType.JSON)
                     .body("""
                         {

src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java

@@ -182,7 +182,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
         public void normalUser_canViewOnlyRelatedBookingItems() {
             // given:
             context("person-FirbySusan@example.com");
-            final var projectUuid = debitorRepo.findDebitorByDebitorNumber(1000111).stream()
+            final var debitor = debitorRepo.findDebitorByDebitorNumber(1000111);
+            context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:OWNER");
+            final var projectUuid = debitor.stream()
                     .map(d -> projectRepo.findAllByDebitorUuid(d.getUuid()))
                     .flatMap(List::stream)
                     .findAny().orElseThrow().getUuid();
@@ -209,7 +211,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net");
+                context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
                 final var foundBookingItem = em.find(HsBookingItemEntity.class, givenBookingItemUuid);
                 foundBookingItem.getResources().put("CPU", 2);
                 foundBookingItem.getResources().remove("SSD-storage");
@@ -262,12 +264,12 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
         @Test
         public void nonGlobalAdmin_canNotDeleteTheirRelatedBookingItem() {
             // given
-            context("superuser-alex@hostsharing.net", null);
+            context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var givenBookingItem = givenSomeTemporaryBookingItem("D-1000111 default project");
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("person-FirbySusan@example.com");
+                context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
                 assertThat(bookingItemRepo.findByUuid(givenBookingItem.getUuid())).isPresent();
 
                 bookingItemRepo.deleteByUuid(givenBookingItem.getUuid());
@@ -286,7 +288,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
         @Test
         public void deletingABookingItemAlsoDeletesRelatedRolesAndGrants() {
             // given
-            context("superuser-alex@hostsharing.net");
+            context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var initialRoleNames = Array.from(distinctRoleNamesOf(rawRoleRepo.findAll()));
             final var initialGrantNames = Array.from(distinctGrantDisplaysOf(rawGrantRepo.findAll()));
             final var givenBookingItem = givenSomeTemporaryBookingItem("D-1000111 default project");

src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectControllerAcceptanceTest.java

@@ -163,7 +163,7 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean
         }
 
         @Test
-        void debitorAgentUser_canGetRelatedBookingProject() {
+        void projectAgentUser_canGetRelatedBookingProject() {
             context.define("superuser-alex@hostsharing.net");
             final var givenBookingProjectUuid = bookingProjectRepo.findByCaption("D-1000313 default project").stream()
                     .findAny().orElseThrow().getUuid();
@@ -171,6 +171,7 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "person-TuckerJack@example.com")
+                    .header("assumed-roles", "hs_booking_project#D-1000313-D-1000313defaultproject:AGENT")
                     .port(port)
                 .when()
                     .get("http://localhost/api/hs/booking/projects/" + givenBookingProjectUuid)

src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java

@@ -125,7 +125,7 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
                             "{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:INSERT>hs_booking_item to role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN by system and assume }",
 
                             // agent
-                            "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }",
+                            "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system }",
                             "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:TENANT to role:hs_booking_project#D-1000111-somenewbookingproject:AGENT by system and assume }",
 
                             // tenant
@@ -161,9 +161,10 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
         }
 
         @Test
-        public void normalUser_canViewOnlyRelatedBookingProjects() {
+        public void packetAgent_canViewOnlyRelatedBookingProjects() {
+
             // given:
-            context("person-FirbySusan@example.com");
+            context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var debitorUuid = debitorRepo.findByDebitorNumber(1000111).stream()
                     .findAny().orElseThrow().getUuid();
 
@@ -233,12 +234,11 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
         @Test
         public void nonGlobalAdmin_canNotDeleteTheirRelatedBookingProject() {
             // given
-            context("superuser-alex@hostsharing.net", null);
             final var givenBookingProject = givenSomeTemporaryBookingProject(1000111);
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("person-FirbySusan@example.com");
+                context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-sometempproject:AGENT");
                 assertThat(bookingProjectRepo.findByUuid(givenBookingProject.getUuid())).isPresent();
 
                 bookingProjectRepo.deleteByUuid(givenBookingProject.getUuid());

src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerAcceptanceTest.java

@@ -413,7 +413,7 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup
         }
 
         @Test
-        void debitorAgentUser_canGetRelatedAsset() {
+        void projectAgentUser_canGetRelatedAsset() {
             context.define("superuser-alex@hostsharing.net");
             final var givenAssetUuid = assetRepo.findByIdentifier("vm1013").stream()
                     .filter(bi -> bi.getBookingItem().getProject().getCaption().equals("D-1000313 default project"))
@@ -422,6 +422,7 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup
             RestAssured // @formatter:off
                 .given()
                     .header("current-user", "person-TuckerJack@example.com")
+                    .header("assumed-roles", "hs_booking_project#D-1000313-D-1000313defaultproject:AGENT")
                     .port(port)
                 .when()
                     .get("http://localhost/api/hs/hosting/assets/" + givenAssetUuid)

src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java

@@ -98,7 +98,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
         @Test
         public void createsAndGrantsRoles() {
             // given
-            context("superuser-alex@hostsharing.net");
+            context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var givenManagedServer = givenHostingAsset("D-1000111 default project", MANAGED_SERVER);
             final var newWebspaceBookingItem = newBookingItem(givenManagedServer.getBookingItem(), HsBookingItemType.MANAGED_WEBSPACE, "fir01");
             em.flush();
@@ -125,7 +125,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
                     "hs_hosting_asset#fir00:ADMIN",
                     "hs_hosting_asset#fir00:AGENT",
                     "hs_hosting_asset#fir00:OWNER",
-                    "hs_hosting_asset#fir00:TENANT"));
+                    "hs_hosting_asset#fir00:TENANT",
+                    "hs_hosting_asset#fir00:REFERRER"));
             assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                     .containsExactlyInAnyOrder(fromFormatted(
                             initialGrantNames,
@@ -152,7 +153,10 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
                             "{ grant role:hs_booking_item#fir01:TENANT to role:hs_hosting_asset#fir00:TENANT by system and assume }",
                             "{ grant role:hs_hosting_asset#fir00:TENANT to role:hs_hosting_asset#fir00:AGENT by system and assume }",
                             "{ grant role:hs_hosting_asset#vm1011:TENANT to role:hs_hosting_asset#fir00:TENANT by system and assume }",
-                            "{ grant perm:hs_hosting_asset#fir00:SELECT to role:hs_hosting_asset#fir00:TENANT by system and assume }", // workaround
+
+                            // referrer
+                            "{ grant perm:hs_hosting_asset#fir00:SELECT to role:hs_hosting_asset#fir00:REFERRER by system and assume }",
+                            "{ grant role:hs_hosting_asset#fir00:REFERRER to role:hs_hosting_asset#fir00:TENANT by system and assume }",
 
                             null));
         }
@@ -216,7 +220,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
         @Test
         public void normalUser_canViewOnlyRelatedAsset() {
             // given:
-            context("person-FirbySusan@example.com");
+            context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var projectUuid = projectRepo.findByCaption("D-1000111 default project").stream()
                     .findAny().orElseThrow().getUuid();
 
@@ -310,12 +314,12 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
         @Test
         public void relatedOwner_canDeleteTheirRelatedAsset() {
             // given
-            context("superuser-alex@hostsharing.net", null);
+            context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
             final var givenAsset = givenSomeTemporaryAsset("D-1000111 default project", "vm1000");
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("person-FirbySusan@example.com");
+                context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT");
                 assertThat(assetRepo.findByUuid(givenAsset.getUuid())).isPresent();
 
                 assetRepo.deleteByUuid(givenAsset.getUuid());

src/test/java/net/hostsharing/hsadminng/hs/migration/ImportHostingAssets.java

@@ -34,6 +34,7 @@ import org.springframework.test.annotation.DirtiesContext;
 import java.io.Reader;
 import java.net.IDN;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -183,9 +184,9 @@ public class ImportHostingAssets extends ImportOfficeData {
                 {
                    363=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.34),
                    381=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.52),
+                   401=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.72),
                    402=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.73),
-                   433=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.104),
+                   433=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.104)
-                   457=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.128)
                 }
                 """);
     }
@@ -244,7 +245,7 @@ public class ImportHostingAssets extends ImportOfficeData {
                    10978=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2013-04-01,), BI vm1050),
                    11061=HsBookingItemEntity(D-1000300:mim default project, MANAGED_SERVER, [2013-08-19,), BI vm1068),
                    11094=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-10,), BI lug00),
-                   11112=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-17,), BI mim00),
+                   11111=HsBookingItemEntity(D-1000000:vm1068 Monitor, MANAGED_WEBSPACE, [2013-08-19,), BI xyz68),
                    23611=HsBookingItemEntity(D-1101800:wws default project, CLOUD_SERVER, [2022-08-10,), BI vm2097)
                 }
                 """);
@@ -255,10 +256,10 @@ public class ImportHostingAssets extends ImportOfficeData {
                    10978=HsHostingAssetRealEntity(MANAGED_SERVER, vm1050, HA vm1050, D-1000000:hsh default project:BI vm1050),
                    11061=HsHostingAssetRealEntity(MANAGED_SERVER, vm1068, HA vm1068, D-1000300:mim default project:BI vm1068),
                    11094=HsHostingAssetRealEntity(MANAGED_WEBSPACE, lug00, HA lug00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI lug00),
+                   11111=HsHostingAssetRealEntity(MANAGED_WEBSPACE, xyz68, HA xyz68, MANAGED_SERVER:vm1068, D-1000000:vm1068 Monitor:BI xyz68),
                    11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00),
                    11447=HsHostingAssetRealEntity(MANAGED_SERVER, vm1093, HA vm1093, D-1000000:hsh default project:BI vm1093),
-                   19959=HsHostingAssetRealEntity(MANAGED_WEBSPACE, dph00, HA dph00, MANAGED_SERVER:vm1093, D-1101900:dph default project:BI dph00),
+                   19959=HsHostingAssetRealEntity(MANAGED_WEBSPACE, dph00, HA dph00, MANAGED_SERVER:vm1093, D-1101900:dph default project:BI dph00)
-                   23611=HsHostingAssetRealEntity(CLOUD_SERVER, vm2097, HA vm2097, D-1101800:wws default project:BI vm2097)
                 }
                 """);
     }
@@ -287,8 +288,8 @@ public class ImportHostingAssets extends ImportOfficeData {
                            10978=HsHostingAssetRealEntity(MANAGED_SERVER, vm1050, HA vm1050, D-1000000:hsh default project:BI vm1050),
                            11061=HsHostingAssetRealEntity(MANAGED_SERVER, vm1068, HA vm1068, D-1000300:mim default project:BI vm1068),
                            11094=HsHostingAssetRealEntity(MANAGED_WEBSPACE, lug00, HA lug00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI lug00),
-                           11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00),
+                           11111=HsHostingAssetRealEntity(MANAGED_WEBSPACE, xyz68, HA xyz68, MANAGED_SERVER:vm1068, D-1000000:vm1068 Monitor:BI xyz68),
-                           11447=HsHostingAssetRealEntity(MANAGED_SERVER, vm1093, HA vm1093, D-1000000:hsh default project:BI vm1093)
+                           11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00)
                         }
                         """);
         assertThat(firstOfEachType(
@@ -303,6 +304,7 @@ public class ImportHostingAssets extends ImportOfficeData {
                            10978=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2013-04-01,), BI vm1050, {"CPU": 4, "HDD": 250, "RAM": 32, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT4H", "SLA-Web": true, "SSD": 150, "Traffic": 250}),
                            11061=HsBookingItemEntity(D-1000300:mim default project, MANAGED_SERVER, [2013-08-19,), BI vm1068, {"CPU": 2, "HDD": 250, "RAM": 4, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT2H", "SLA-Web": true, "Traffic": 250}),
                            11094=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-10,), BI lug00, {"Multi": 5, "SLA-Platform": "EXT24H", "SSD": 1, "Traffic": 10}),
+                           11111=HsBookingItemEntity(D-1000000:vm1068 Monitor, MANAGED_WEBSPACE, [2013-08-19,), BI xyz68, {"SSD": 3}),
                            11112=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-17,), BI mim00, {"Multi": 5, "SLA-Platform": "EXT24H", "SSD": 3, "Traffic": 20}),
                            11447=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2014-11-28,), BI vm1093, {"CPU": 6, "HDD": 500, "RAM": 16, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT4H", "SLA-Web": true, "SSD": 300, "Traffic": 250}),
                            19959=HsBookingItemEntity(D-1101900:dph default project, MANAGED_WEBSPACE, [2021-06-02,), BI dph00, {"Multi": 1, "SLA-Platform": "EXT24H", "SSD": 25, "Traffic": 20}),
@@ -335,6 +337,7 @@ public class ImportHostingAssets extends ImportOfficeData {
                    5811=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.a, LUG OLA - POP a, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/usr/bin/passwd", "userid": 102094}),
                    5813=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.b, LUG OLA - POP b, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/usr/bin/passwd", "userid": 102095}),
                    5835=HsHostingAssetRealEntity(UNIX_USER, lug00-test, Test, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 1024, "SSD soft quota": 1024, "locked": false, "shell": "/usr/bin/passwd", "userid": 102106}),
+                   5961=HsHostingAssetRealEntity(UNIX_USER, xyz68, Monitoring h68, MANAGED_WEBSPACE:xyz68, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102141}),
                    5964=HsHostingAssetRealEntity(UNIX_USER, mim00, Michael Mellis, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102147}),
                    5966=HsHostingAssetRealEntity(UNIX_USER, mim00-1981, Jahrgangstreffen 1981, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 256, "SSD soft quota": 128, "locked": false, "shell": "/bin/bash", "userid": 102148}),
                    5990=HsHostingAssetRealEntity(UNIX_USER, mim00-mail, Mailbox, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102160}),
@@ -880,6 +883,7 @@ public class ImportHostingAssets extends ImportOfficeData {
                    5811=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.a, LUG OLA - POP a, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102094}),
                    5813=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.b, LUG OLA - POP b, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102095}),
                    5835=HsHostingAssetRealEntity(UNIX_USER, lug00-test, Test, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 1024, "SSD soft quota": 1024, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102106}),
+                   5961=HsHostingAssetRealEntity(UNIX_USER, xyz68, Monitoring h68, MANAGED_WEBSPACE:xyz68, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102141}),
                    5964=HsHostingAssetRealEntity(UNIX_USER, mim00, Michael Mellis, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102147}),
                    5966=HsHostingAssetRealEntity(UNIX_USER, mim00-1981, Jahrgangstreffen 1981, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 256, "SSD soft quota": 128, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102148}),
                    5990=HsHostingAssetRealEntity(UNIX_USER, mim00-mail, Mailbox, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102160}),
@@ -909,8 +913,8 @@ public class ImportHostingAssets extends ImportOfficeData {
 
         verifyActuallyPersistedHostingAssetCount(CLOUD_SERVER, 1, 50);
         verifyActuallyPersistedHostingAssetCount(MANAGED_SERVER, 4, 100);
-        verifyActuallyPersistedHostingAssetCount(MANAGED_WEBSPACE, 4, 100);
+        verifyActuallyPersistedHostingAssetCount(MANAGED_WEBSPACE, 5, 100);
-        verifyActuallyPersistedHostingAssetCount(UNIX_USER, 14, 100);
+        verifyActuallyPersistedHostingAssetCount(UNIX_USER, 15, 100);
         verifyActuallyPersistedHostingAssetCount(EMAIL_ALIAS, 9, 1400);
         verifyActuallyPersistedHostingAssetCount(PGSQL_DATABASE, 8, 100);
         verifyActuallyPersistedHostingAssetCount(MARIADB_DATABASE, 8, 100);
@@ -918,6 +922,25 @@ public class ImportHostingAssets extends ImportOfficeData {
         verifyActuallyPersistedHostingAssetCount(EMAIL_ADDRESS, 71, 30000);
     }
 
+    @Test
+    @Order(19930)
+    void verifyProjectAgentsCanViewEmailAddresses() {
+        assumeThatWeAreImportingControlledTestData();
+
+        final var haCount = jpaAttempt.transacted(() -> {
+                    context(rbacSuperuser);
+                    // final var roles = em.createNativeQuery("select * from rbacrole_ev where roleidname like 'hs_office_relation%with-DEBITOR%'").getResultList();
+                    final var roles = em.createNativeQuery("select * from rbacrole_ev where roleidname like 'hs_booking_project#D-10003%'").getResultList();
+                    //context(rbacSuperuser, "hs_booking_project#D-1000300-mimdefaultproject:ADMIN");
+                    context(rbacSuperuser, "hs_booking_project#D-1000300-mimdefaultproject:AGENT");
+                    final var result = em.createNativeQuery("select * from hs_hosting_asset where type='EMAIL_ADDRESS'")
+                    .getResultList();
+                    return (Integer) em.createNativeQuery("select count(*) from hs_hosting_asset where type='EMAIL_ADDRESS'", Integer.class)
+                            .getSingleResult();
+                }).assertSuccessful().returnedValue();
+        assertThat(haCount).isEqualTo(71);
+    }
+
     // ============================================================================================
 
     @Test
@@ -1095,8 +1118,21 @@ public class ImportHostingAssets extends ImportOfficeData {
                         final var managedWebspace = pac(packet_id);
                         final var parentAsset = hive(hive_id).serverRef.get();
                         managedWebspace.setParentAsset(parentAsset);
+
+                        if (parentAsset.getRelatedProject() != managedWebspace.getRelatedProject()
+                                && managedWebspace.getRelatedProject().getDebitor().getDebitorNumber() == 10000_00 ) {
+                            assertThat(managedWebspace.getIdentifier()).startsWith("xyz");
+                            final var hshDebitor = managedWebspace.getBookingItem().getProject().getDebitor();
+                            final var newProject = HsBookingProjectEntity.builder()
+                                    .debitor(hshDebitor)
+                                    .caption(parentAsset.getIdentifier() + " Monitor")
+                                    .build();
+                            bookingProjects.put(Collections.max(bookingProjects.keySet())+1, newProject);
+                            managedWebspace.getBookingItem().setProject(newProject);
+                        } else {
                             managedWebspace.getBookingItem().setParentItem(parentAsset.getBookingItem());
                         }
+                    }
                 });
     }
 

src/test/resources/migration/hosting/inet_addr.csv

@@ -1,6 +1,7 @@
 inet_addr_id;inet_addr;description
 363;83.223.95.34;
 381;83.223.95.52;
+401;83.223.95.72;
 402;83.223.95.73;
 433;83.223.95.104;
 457;83.223.95.128;

src/test/resources/migration/hosting/packet.csv

@@ -4,6 +4,7 @@ packet_id;basepacket_code;packet_name;bp_id;hive_id;created;cancelled;cur_inet_a
 10978;SRV/MGD;vm1050;213;1014;2013-04-01;;433;;1
 11061;SRV/MGD;vm1068;100;1037;2013-08-19;;381;;f
 11094;PAC/WEB;lug00;100;1037;2013-09-10;;1168;;1
+11111;PAC/WEB;xyz68;213;1037;2013-08-19;;401;;1
 11112;PAC/WEB;mim00;100;1037;2013-09-17;;402;;1
 11447;SRV/MGD;vm1093;213;1163;2014-11-28;;457;;t
 19959;PAC/WEB;dph00;542;1163;2021-06-02;;574;;0

src/test/resources/migration/hosting/packet_component.csv

@@ -7,6 +7,7 @@ packet_component_id;packet_id;quantity;basecomponent_code;created;cancelled
 46121;11112;20;TRAFFIC;2017-03-27;
 46122;11112;5;MULTI;2017-03-27;
 46123;11112;3072;QUOTA;2017-03-27;
+46124;11111;3072;QUOTA;2017-03-27;
 143133;11094;1;SLABASIC;2017-09-01;
 143483;11112;1;SLABASIC;2017-09-01;
 757383;11112;0;SLAEXT24H;;

src/test/resources/migration/hosting/unixuser.csv

@@ -9,6 +9,7 @@ unixuser_id;name;comment;shell;homedir;locked;packet_id;userid;quota_softlimit;q
 5835;lug00-test;Test;/usr/bin/passwd;/home/pacs/lug00/users/test;0;11094;102106;2000000;4000000;20;0
 
 6705;hsh00-mim;Michael Mellis;/bin/false;/home/pacs/hsh00/users/mi;0;10630;10003;0;0;0;0
+5961;xyz68;Monitoring h68;/bin/bash;/home/pacs/xyz68;0;11111;102141;0;0;0;0
 5964;mim00;Michael Mellis;/bin/bash;/home/pacs/mim00;0;11112;102147;0;0;0;0
 5966;mim00-1981;Jahrgangstreffen 1981;/bin/bash;/home/pacs/mim00/users/1981;0;11112;102148;128;256;0;0
 5990;mim00-mail;Mailbox;/bin/bash;/home/pacs/mim00/users/mail;0;11112;102160;0;0;0;0