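--liquibase formatted sql

-- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Registers test_package as an RBAC-managed object kind (the generator itself
-- is defined elsewhere in the migration set).
call generateRelatedRbacObject('test_package');
--//

-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Generates the role-descriptor helpers for the 'testPackage' prefix; the
-- trigger function below presumably depends on the testPackageOwner(...),
-- testPackageAdmin(...) and testPackageTenant(...) helpers this produces.
call generateRbacRoleDescriptors('testPackage', 'test_package');
--//

-- ============================================================================
--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the roles and their grants for a newly inserted package.
    Intended to be called only from the AFTER INSERT trigger on test_package.

    Role structure built here (super role -> sub role):
        customer admin  -> package owner  (permission '*')
        package owner   -> package admin  (permission 'add-domain')
        package admin   -> package tenant (permission 'view')
        package tenant  -> customer tenant

    Raises an exception when invoked for anything but INSERT, or when the
    referenced customer row does not exist, so that no grants are ever created
    against a missing parent.
 */
create or replace function createRbacRolesForTestPackage()
    returns trigger
    language plpgsql strict as $$
declare
    parentCustomer test_customer;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    -- the parent customer's roles anchor both ends of the new hierarchy
    select c.*
        into parentCustomer
        from test_customer as c
        where c.uuid = NEW.customerUuid;
    if not found then
        -- without this guard the descriptor helpers would receive an all-null
        -- customer record; how they behave on that input is not visible here
        raise exception 'test_customer % referenced by new test_package not found', NEW.customerUuid;
    end if;

    -- the package owner role holds all permissions and is granted to the customer's admin role
    perform createRoleWithGrants(
        testPackageOwner(NEW),
        permissions => array['*'],
        incomingSuperRoles => array[testCustomerAdmin(parentCustomer)]
    );

    -- the package admin role is granted to the package owner role
    perform createRoleWithGrants(
        testPackageAdmin(NEW),
        permissions => array['add-domain'],
        incomingSuperRoles => array[testPackageOwner(NEW)]
    );

    -- the package tenant role is granted to the package admin role and
    -- has the customer's tenant role as its sub role
    perform createRoleWithGrants(
        testPackageTenant(NEW),
        permissions => array['view'],
        incomingSuperRoles => array[testPackageAdmin(NEW)],
        outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
    );

    return NEW;
end; $$;

/*
    AFTER INSERT trigger which builds the role structure for each new package.
 */
create trigger createRbacRolesForTestPackage_Trigger
    after insert on test_package
    for each row
execute procedure createRbacRolesForTestPackage();
--//

-- ============================================================================
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Identity view keyed on the package name.
call generateRbacIdentityView('test_package', 'target.name');
--//

-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the restricted view of the package table, which exposes only the
    rows the current subjects may 'view' and maps the identifying name to the
    objectUuid. The $updates$ block lists the columns an UPDATE through the
    view is allowed to change.
 */
-- Commented-out hand-written view definition, superseded by the
-- generateRbacRestrictedView call below (kept for reference; candidate for removal):
-- drop view if exists test_package_rv;
-- create or replace view test_package_rv as
--     select target.*
--       from test_package as target
--      where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
--      order by target.name;
-- grant all privileges on test_package_rv to restricted;

-- NOTE(review): customerUuid is updatable through the restricted view, but the
-- role hierarchy above is built only on INSERT; re-parenting a package would
-- leave its owner/tenant grants attached to the previous customer unless that
-- is handled elsewhere — confirm before relying on this update rule.
call generateRbacRestrictedView('test_package', 'target.name',
    $updates$
        version = new.version,
        customerUuid = new.customerUuid,
        name = new.name,
        description = new.description
    $updates$);
--//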