From: Sanjay Dalal <sanjay.dalal@berkeley.edu>
Date: Fri, 4 Jun 2010 21:32:32 +0000 (+0000)
Subject: CSPACE-2003, CSPACE-1969 ImportAuthZ now inserts default roles, permissions and permi... 
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=5ba90535d6fe672d6e2645193e66908b6070ef68;p=tmp%2Fjakarta-migration.git

CSPACE-2003, CSPACE-1969 ImportAuthZ now inserts default roles, permissions and permission-roles into the database in addtion to inserting ACLs in Spring. These could be retrieved using the respective authz services.
CSPACE-2004, CSPACE-1926 ImportAuthZ now creates a ROLE_TENANT_ADMINISTRATOR for each tenant that has all privileges to all services used by that tenant. It also creates a ROLE_TENANT_READER. This role has only READ, SEARCH privileges for all services used by the tenant
test: ant import, mvn test (service level)
---

diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
index e70def7c7..167e5d41f 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
@@ -413,7 +413,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
         Assert.assertTrue(REQUEST_TYPE.isValidStatusCode(statusCode),
                 invalidStatusCodeMessage(REQUEST_TYPE, statusCode));
         Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE);
-        int EXPECTED_ITEMS = 1;
+        int EXPECTED_ITEMS = 5; //seeded permissions
         if (logger.isDebugEnabled()) {
             logger.debug(testName + ": received = " + list.getPermissions().size()
                     + " expected=" + EXPECTED_ITEMS);
diff --git a/services/authorization-mgt/import/build.xml b/services/authorization-mgt/import/build.xml
index 00a232e9e..c4919c1bc 100644
--- a/services/authorization-mgt/import/build.xml
+++ b/services/authorization-mgt/import/build.xml
@@ -112,7 +112,7 @@
 
     <target name="import" depends="import-unix,import-windows"
             description="import authorization" />
-    <target name="import-unix" if="osfamily-unix">
+    <target name="import-unix" if="osfamily-unix" depends="setup_hibernate.cfg">
         <exec executable="mvn" failonerror="true">
             <arg value="exec:java" />
             <arg value="-f" />
@@ -121,7 +121,7 @@
             <arg value="${mvn.opts}" />
         </exec>
     </target>
-    <target name="import-windows" if="osfamily-windows">
+    <target name="import-windows" if="osfamily-windows" depends="setup_hibernate.cfg">
         <exec executable="cmd" failonerror="true">
             <arg value="/c" />
             <arg value="mvn.bat" />
@@ -134,6 +134,19 @@
     </target>
 
 
+    <target name="setup_hibernate.cfg" description="replace property keywords in hibernate.cfg.xml">
+        <property name="src.hibernate.cfg" value="${basedir}/src/main/resources/hibernate.cfg.xml"/>
+        <property name="dest.hibernate.cfg" value="${basedir}/target/classes/hibernate.cfg.xml"/>
+        <delete file="${dest.hibernate.cfg}" verbose="true" />
+        <filter token="DB_URL" value="${db.jdbc.url}" />
+        <filter token="DB_DRIVER_CLASS" value="${db.jdbc.driver.class}" />
+        <filter token="DB_USER" value="${env.DB_USER}" /> <!-- double-sub from ${db.user} fails -->
+        <filter token="DB_PASSWORD" value="${env.DB_PASSWORD}" /> <!-- double-sub from ${db.user.password} fails -->
+        <filter token="DB_DIALECT" value="${db.dialect}" />
+        <copy tofile="${dest.hibernate.cfg}" file="${src.hibernate.cfg}" filtering="true"/>
+    </target>
+
+    
     <target name="deploy" depends="install"
             description="deploy authorization-mgt import in ${jboss.server.cspace}">
     </target>
diff --git a/services/authorization-mgt/import/pom.xml b/services/authorization-mgt/import/pom.xml
index 186aae227..1e38c7a9a 100644
--- a/services/authorization-mgt/import/pom.xml
+++ b/services/authorization-mgt/import/pom.xml
@@ -43,6 +43,12 @@
             <version>${project.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.collectionspace.services</groupId>
+            <artifactId>org.collectionspace.services.authorization-mgt.service</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.testng</groupId>
             <artifactId>testng</artifactId>
@@ -141,8 +147,6 @@
                         <argument>test</argument>
                         <argument>-b</argument>
                         <argument>${basedir}/../../common/src/main/config/services/tenant-bindings.xml</argument>
-                        <argument>-idir</argument>
-                        <argument>${basedir}/src/main/resources/import-data/</argument>
                         <argument>-edir</argument>
                         <argument>${basedir}/src/main/resources/import-data/</argument>
                     </arguments>
diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/ImportAuthz.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/ImportAuthz.java
index 39358525d..9f7730b39 100644
--- a/services/authorization-mgt/import/src/main/java/org/collectionspace/ImportAuthz.java
+++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/ImportAuthz.java
@@ -40,6 +40,13 @@ import org.collectionspace.services.authorization.driver.AuthorizationSeedDriver
  */
 public class ImportAuthz {
 
+    final private static String OPTIONS_USERNAME = "username";
+    final private static String OPTIONS_PASSWORD = "password";
+    final private static String OPTIONS_TENANT_BINDING = "tenant binding file";
+    final private static String OPTIONS_IMPORT_DIR = "importdir";
+    final private static String OPTIONS_EXPORT_DIR = "exportdir";
+    final private static String OPTIONS_HELP = "help";
+
     public static void main(String[] args) {
 
         Options options = createOptions();
@@ -48,33 +55,50 @@ public class ImportAuthz {
         try {
             // parse the command line arguments
             CommandLine line = parser.parse(options, args);
+            if (line.hasOption("h")) {
+                printUsage();
+                System.exit(1);
+            }
             String user = line.getOptionValue("u");
             String password = line.getOptionValue("p");
             String tenantBinding = line.getOptionValue("b");
-            String importDir = line.getOptionValue("idir");
             String exportDir = line.getOptionValue("edir");
             System.out.println("user=" + user
                     + " password=" + password
                     + " tenantBinding=" + tenantBinding
-                    + " importDir=" + importDir
                     + " exportDir=" + exportDir);
             AuthorizationSeedDriver driver = new AuthorizationSeedDriver(
-                    user, password, tenantBinding, importDir, exportDir);
-            driver.seedData();
+                    user, password, tenantBinding, exportDir);
+            driver.generate();
+            driver.seed();
         } catch (ParseException exp) {
             // oops, something went wrong
             System.err.println("Parsing failed.  Reason: " + exp.getMessage());
+        } catch (Exception e) {
+            System.out.println("Error : " + e.getMessage());
+            printUsage();
         }
 
     }
 
     private static Options createOptions() {
         Options options = new Options();
-        options.addOption("u", true, "username");
-        options.addOption("p", true, "password");
-        options.addOption("b", true, "tenant binding file");
-        options.addOption("idir", true, "import dir");
-        options.addOption("edir", true, "export dir");
+        options.addOption("u", true, OPTIONS_USERNAME);
+        options.addOption("p", true, OPTIONS_PASSWORD);
+        options.addOption("b", true, OPTIONS_TENANT_BINDING);
+        options.addOption("edir", true, OPTIONS_EXPORT_DIR);
+        options.addOption("h", true, OPTIONS_HELP);
         return options;
     }
+
+    private static void printUsage() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("\nUsage : java -cp <classpath> " + ImportAuthz.class.getName() + " <options>");
+        sb.append("\nOptions :");
+        sb.append("\n   -u  <" + OPTIONS_USERNAME + "> cspace username");
+        sb.append("\n   -p  <" + OPTIONS_PASSWORD + "> password");
+        sb.append("\n   -b  <" + OPTIONS_TENANT_BINDING + "> tenant binding file (fully qualified path)");
+        sb.append("\n   -edir  <" + OPTIONS_EXPORT_DIR + "> directory to export authz data into");
+        System.out.println(sb.toString());
+    }
 }
diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/driver/AuthorizationSeedDriver.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/driver/AuthorizationSeedDriver.java
index 34cac1756..1102943bd 100644
--- a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/driver/AuthorizationSeedDriver.java
+++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/driver/AuthorizationSeedDriver.java
@@ -24,10 +24,19 @@
 package org.collectionspace.services.authorization.driver;
 
 import java.io.File;
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
 import org.collectionspace.services.authorization.AuthZ;
+import org.collectionspace.services.authorization.Permission;
+import org.collectionspace.services.authorization.PermissionRole;
+import org.collectionspace.services.authorization.PermissionRoleRel;
+import org.collectionspace.services.authorization.Role;
+import org.collectionspace.services.authorization.SubjectType;
 import org.collectionspace.services.authorization.importer.AuthorizationGen;
 import org.collectionspace.services.authorization.importer.AuthorizationSeed;
+import org.collectionspace.services.authorization.importer.AuthorizationStore;
+import org.collectionspace.services.authorization.storage.PermissionRoleUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
@@ -48,13 +57,14 @@ public class AuthorizationSeedDriver {
 
     final Logger logger = LoggerFactory.getLogger(AuthorizationSeedDriver.class);
     final static private String SPRING_SECURITY_METADATA = "applicationContext-authorization-test.xml";
+    final static private String ROLE_FILE = "import-roles.xml";
     final static private String PERMISSION_FILE = "import-permissions.xml";
     final static private String PERMISSION_ROLE_FILE = "import-permissions-roles.xml";
-    private String user = "test";
-    private String password = "test";
+    private String user;
+    private String password;
     private String tenantBindingFile;
-    private String importDir;
     private String exportDir;
+    private AuthorizationGen authzGen;
     private org.springframework.jdbc.datasource.DataSourceTransactionManager txManager;
 
     /**
@@ -68,49 +78,61 @@ public class AuthorizationSeedDriver {
      */
     public AuthorizationSeedDriver(String user, String password,
             String tenantBindingFile,
-            String importDir, String exportDir) {
+            String exportDir) {
         if (user == null || user.isEmpty()) {
-            this.user = user;
+            throw new IllegalArgumentException("username required.");
         }
+        this.user = user;
+
         if (password == null || password.isEmpty()) {
-            this.password = password;
+            throw new IllegalArgumentException("password required.");
         }
+        this.password = password;
+        
         if (tenantBindingFile == null || tenantBindingFile.isEmpty()) {
-            throw new IllegalStateException("tenantbindings are required.");
+            throw new IllegalArgumentException("tenantbinding file are required.");
         }
         this.tenantBindingFile = tenantBindingFile;
         if (exportDir == null || exportDir.isEmpty()) {
-            throw new IllegalStateException("exportdir required.");
+            throw new IllegalArgumentException("exportdir required.");
         }
         this.exportDir = exportDir;
-        if (importDir == null || importDir.isEmpty()) {
-            importDir = exportDir;
-        } else {
-            this.importDir = importDir;
-        }
 
     }
 
-    public void seedData() {
-        setup();
-        TransactionStatus status = null;
+    public void generate() {
         try {
-            AuthorizationGen authzGen = new AuthorizationGen();
+            authzGen = new AuthorizationGen();
             authzGen.initialize(tenantBindingFile);
-            authzGen.createDefaultServicePermissions();
-            //create default role(s) for the tenant and assign permissions
-            authzGen.createDefaultPermissionsRoles();
-            authzGen.exportPermissions(exportDir + File.separator + PERMISSION_FILE);
-            authzGen.exportPermissionRoles(exportDir + File.separator + PERMISSION_ROLE_FILE);
+            authzGen.createDefaultRoles();
+            authzGen.createDefaultPermissions();
+            authzGen.associateDefaultPermissionsRoles();
+            authzGen.exportDefaultRoles(exportDir + File.separator + ROLE_FILE);
+            authzGen.exportDefaultPermissions(exportDir + File.separator + PERMISSION_FILE);
+            authzGen.exportDefaultPermissionRoles(exportDir + File.separator + PERMISSION_ROLE_FILE);
             if (logger.isDebugEnabled()) {
                 logger.debug("authroization generation completed ");
             }
+        } catch (Exception ex) {
+            if (logger.isDebugEnabled()) {
+                ex.printStackTrace();
+            }
+            throw new RuntimeException(ex);
+        }
+    }
+
+    public void seed() {
+        TransactionStatus status = null;
+        try {
+            store();
+
+            setupSpring();
             status = beginTransaction("seedData");
             AuthorizationSeed authzSeed = new AuthorizationSeed();
-            authzSeed.seedPermissions(importDir + File.separator + PERMISSION_FILE,
-                    importDir + File.separator + PERMISSION_ROLE_FILE);
+            authzSeed.seedPermissions(exportDir + File.separator + PERMISSION_FILE,
+                    exportDir + File.separator + PERMISSION_ROLE_FILE);
             if (logger.isDebugEnabled()) {
-                logger.debug("authroization seeding completed ");
+                logger.debug("authorization seeding completed ");
             }
         } catch (Exception ex) {
             if (status != null) {
@@ -128,7 +150,7 @@ public class AuthorizationSeedDriver {
         }
     }
 
-    private void setup() {
+    private void setupSpring() {
 
         ClassPathXmlApplicationContext appContext = new ClassPathXmlApplicationContext(
                 new String[]{SPRING_SECURITY_METADATA});
@@ -136,6 +158,9 @@ public class AuthorizationSeedDriver {
         System.setProperty("spring-beans-config", SPRING_SECURITY_METADATA);
         AuthZ authZ = AuthZ.get();
         txManager = (org.springframework.jdbc.datasource.DataSourceTransactionManager) appContext.getBean("transactionManager");
+        if (logger.isDebugEnabled()) {
+            logger.debug("spring setup complete");
+        }
     }
 
     private void login() {
@@ -144,10 +169,40 @@ public class AuthorizationSeedDriver {
         gauths.add(gauth);
         Authentication authRequest = new UsernamePasswordAuthenticationToken(user, password, gauths);
         SecurityContextHolder.getContext().setAuthentication(authRequest);
+        if (logger.isDebugEnabled()) {
+            logger.debug("login successful for user=" + user);
+        }
     }
 
     private void logout() {
         SecurityContextHolder.getContext().setAuthentication(null);
+        if (logger.isDebugEnabled()) {
+            logger.debug("logged out user=" + user);
+        }
+    }
+
+    private void store() throws Exception {
+        AuthorizationStore authzStore = new AuthorizationStore();
+        for (Role role : authzGen.getDefaultRoles()) {
+            authzStore.store(role);
+        }
+
+        for (Permission perm : authzGen.getDefaultPermissions()) {
+            authzStore.store(perm);
+        }
+
+        List<PermissionRoleRel> permRoleRels = new ArrayList<PermissionRoleRel>();
+        for (PermissionRole pr : authzGen.getDefaultPermissionRoles()) {
+            PermissionRoleUtil.buildPermissionRoleRel(pr, SubjectType.ROLE, permRoleRels);
+        }
+        for (PermissionRoleRel permRoleRel : permRoleRels) {
+            authzStore.store(permRoleRel);
+        }
+
+        if (logger.isDebugEnabled()) {
+            logger.debug("authroization storage completed ");
+        }
+
     }
 
     private TransactionStatus beginTransaction(String name) {
diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java
index 4b3164421..e73f9b913 100644
--- a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java
+++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java
@@ -27,12 +27,12 @@ import java.io.File;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.UUID;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
-import org.collectionspace.services.authorization.AccountRole;
 import org.collectionspace.services.authorization.ActionType;
 import org.collectionspace.services.authorization.Permission;
 import org.collectionspace.services.authorization.EffectType;
@@ -43,6 +43,7 @@ import org.collectionspace.services.authorization.PermissionsList;
 import org.collectionspace.services.authorization.PermissionsRolesList;
 import org.collectionspace.services.authorization.Role;
 import org.collectionspace.services.authorization.RoleValue;
+import org.collectionspace.services.authorization.RolesList;
 import org.collectionspace.services.authorization.SubjectType;
 import org.collectionspace.services.common.config.TenantBindingConfigReaderImpl;
 import org.collectionspace.services.common.service.ServiceBindingType;
@@ -55,44 +56,69 @@ import org.collectionspace.services.common.tenant.TenantBindingType;
  */
 public class AuthorizationGen {
 
+    final public static String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR";
+    final public static String ROLE_TENANT_ADMINISTRATOR = "ROLE_TENANT_ADMINISTRATOR";
+    final public static String ROLE_TENANT_READER = "ROLE_TENANT_READER";
+    final public static String ROLE_ADMINISTRATOR_ID = "0";
     final Logger logger = LoggerFactory.getLogger(AuthorizationGen.class);
-    private List<Permission> permList = new ArrayList<Permission>();
-    private List<PermissionRole> permRoleList = new ArrayList<PermissionRole>();
+    private List<Permission> adminPermList = new ArrayList<Permission>();
+    private List<PermissionRole> adminPermRoleList = new ArrayList<PermissionRole>();
+    private List<Permission> readerPermList = new ArrayList<Permission>();
+    private List<PermissionRole> readerPermRoleList = new ArrayList<PermissionRole>();
+    private List<Role> adminRoles = new ArrayList<Role>();
+    private List<Role> readerRoles = new ArrayList<Role>();
+    private Role cspaceAdminRole;
     private Hashtable<String, TenantBindingType> tenantBindings =
             new Hashtable<String, TenantBindingType>();
-    final public static String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR";
 
     public void initialize(String tenantBindingFileName) throws Exception {
         TenantBindingConfigReaderImpl tenantBindingConfigReader =
                 new TenantBindingConfigReaderImpl(null);
         tenantBindingConfigReader.read(tenantBindingFileName);
         tenantBindings = tenantBindingConfigReader.getTenantBindings();
+        cspaceAdminRole = buildCSpaceAdminRole();
+
         if (logger.isDebugEnabled()) {
             logger.debug("initialized with tenant bindings from " + tenantBindingFileName);
         }
     }
 
-    public void createDefaultServicePermissions() {
+    /**
+     * createDefaultPermissions creates default admin and reader permissions
+     * for each tenant found in the given tenant binding file
+     * @see initialize
+     * @return
+     */
+    public void createDefaultPermissions() {
         for (String tenantId : tenantBindings.keySet()) {
-            List<Permission> perms = createDefaultServicePermissions(tenantId);
-            permList.addAll(perms);
+            List<Permission> adminPerms = createDefaultAdminPermissions(tenantId);
+            adminPermList.addAll(adminPerms);
+
+            List<Permission> readerPerms = createDefaultReaderPermissions(tenantId);
+            readerPermList.addAll(readerPerms);
         }
     }
 
-    public List<Permission> createDefaultServicePermissions(String tenantId) {
+    /**
+     * createDefaultAdminPermissions creates default admin permissions for all services
+     * used by the given tenant
+     * @param tenantId
+     * @return
+     */
+    public List<Permission> createDefaultAdminPermissions(String tenantId) {
         ArrayList<Permission> apcList = new ArrayList<Permission>();
         TenantBindingType tbinding = tenantBindings.get(tenantId);
         for (ServiceBindingType sbinding : tbinding.getServiceBindings()) {
 
             //add permissions for the main path
-            Permission perm = buildCommonPermission(tbinding.getId(),
+            Permission perm = buildAdminPermission(tbinding.getId(),
                     sbinding.getName().toLowerCase());
             apcList.add(perm);
 
             //add permissions for alternate paths
             List<String> uriPaths = sbinding.getUriPath();
             for (String uriPath : uriPaths) {
-                perm = buildCommonPermission(tbinding.getId(),
+                perm = buildAdminPermission(tbinding.getId(),
                         uriPath.toLowerCase());
                 apcList.add(perm);
             }
@@ -102,10 +128,12 @@ public class AuthorizationGen {
 
     }
 
-    private Permission buildCommonPermission(String tenantId, String resourceName) {
+    private Permission buildAdminPermission(String tenantId, String resourceName) {
         String id = UUID.randomUUID().toString();
         Permission perm = new Permission();
         perm.setCsid(id);
+        perm.setDescription("generated admin permission");
+        perm.setCreatedAtItem(new Date());
         perm.setResourceName(resourceName.toLowerCase());
         perm.setEffect(EffectType.PERMIT);
         perm.setTenantId(tenantId);
@@ -130,75 +158,209 @@ public class AuthorizationGen {
         return perm;
     }
 
-    public List<Permission> getDefaultServicePermissions() {
-        return permList;
+    /**
+     * createDefaultReaderPermissions creates read only permissions for all services
+     * used by the given tenant
+     * @param tenantId
+     * @return
+     */
+    public List<Permission> createDefaultReaderPermissions(String tenantId) {
+        ArrayList<Permission> apcList = new ArrayList<Permission>();
+        TenantBindingType tbinding = tenantBindings.get(tenantId);
+        for (ServiceBindingType sbinding : tbinding.getServiceBindings()) {
+
+            //add permissions for the main path
+            Permission perm = buildReaderPermission(tbinding.getId(),
+                    sbinding.getName().toLowerCase());
+            apcList.add(perm);
+
+            //add permissions for alternate paths
+            List<String> uriPaths = sbinding.getUriPath();
+            for (String uriPath : uriPaths) {
+                perm = buildReaderPermission(tbinding.getId(),
+                        uriPath.toLowerCase());
+                apcList.add(perm);
+            }
+
+        }
+        return apcList;
+
+    }
+
+    private Permission buildReaderPermission(String tenantId, String resourceName) {
+        String id = UUID.randomUUID().toString();
+        Permission perm = new Permission();
+        perm.setCsid(id);
+        perm.setCreatedAtItem(new Date());
+        perm.setDescription("generated readonly permission");
+        perm.setResourceName(resourceName.toLowerCase());
+        perm.setEffect(EffectType.PERMIT);
+        perm.setTenantId(tenantId);
+        ArrayList<PermissionAction> pas = new ArrayList<PermissionAction>();
+        perm.setActions(pas);
+
+        PermissionAction pa1 = new PermissionAction();
+        pa1.setName(ActionType.READ);
+        pas.add(pa1);
+
+        PermissionAction pa4 = new PermissionAction();
+        pa4.setName(ActionType.SEARCH);
+        pas.add(pa4);
+        return perm;
+    }
+
+    public List<Permission> getDefaultPermissions() {
+        List<Permission> allPermList = new ArrayList<Permission>();
+        allPermList.addAll(adminPermList);
+        allPermList.addAll(readerPermList);
+        return allPermList;
+    }
+
+    public List<Permission> getDefaultAdminPermissions() {
+        return adminPermList;
+    }
+
+    public List<Permission> getDefaultReaderPermissions() {
+        return readerPermList;
+    }
+
+    /**
+     * createDefaultRoles creates default admin and reader roles
+     * for each tenant found in the given tenant binding file
+     */
+    public void createDefaultRoles() {
+        for (String tenantId : tenantBindings.keySet()) {
+
+            Role arole = buildTenantAdminRole(tenantId);
+            adminRoles.add(arole);
+
+            Role rrole = buildTenantReaderRole(tenantId);
+            readerRoles.add(rrole);
+
+        }
+    }
+
+    private Role buildTenantAdminRole(String tenantId) {
+        Role role = new Role();
+        role.setCreatedAtItem(new Date());
+        role.setRoleName(ROLE_TENANT_ADMINISTRATOR);
+        String id = UUID.randomUUID().toString();
+        role.setCsid(id);
+        role.setDescription("generated tenant admin role");
+        role.setTenantId(tenantId);
+        return role;
+    }
+
+    private Role buildTenantReaderRole(String tenantId) {
+        Role role = new Role();
+        role.setCreatedAtItem(new Date());
+        role.setRoleName(ROLE_TENANT_READER);
+        String id = UUID.randomUUID().toString();
+        role.setCsid(id);
+        role.setDescription("generated tenant read only role");
+        role.setTenantId(tenantId);
+        return role;
     }
 
-    public void createDefaultPermissionsRoles() {
-        for (Permission p : permList) {
-            TenantBindingType tbinding = tenantBindings.get(p.getTenantId());
-//            String tenantAdminRole = getTenantAdminRole(tbinding.getName());
-//            PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
-//                    p.getResourceName(), tenantAdminRole, "999");
-//            permRoleList.add(permRole);
+    public List<Role> getDefaultRoles() {
+        List<Role> allRoleList = new ArrayList<Role>();
+        allRoleList.addAll(adminRoles);
+        allRoleList.addAll(readerRoles);
+        return allRoleList;
+    }
+
+    public void associateDefaultPermissionsRoles() {
+        List<Role> roles = new ArrayList<Role>();
+        roles.add(cspaceAdminRole);
+        for (Permission p : adminPermList) {
+            PermissionRole permAdmRole = associatePermissionRoles(p, adminRoles);
+            adminPermRoleList.add(permAdmRole);
 
             //CSpace Administrator has all access
-            PermissionRole permAdmRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
-                    p.getResourceName(), ROLE_ADMINISTRATOR, "1");
-            permRoleList.add(permAdmRole);
+            PermissionRole permCAdmRole = associatePermissionRoles(p, roles);
+            adminPermRoleList.add(permCAdmRole);
+        }
+
+        for (Permission p : readerPermList) {
+            PermissionRole permRdrRole = associatePermissionRoles(p, readerRoles);
+            readerPermRoleList.add(permRdrRole);
         }
     }
 
-    public List<PermissionRole> createPermissionsRoles(List<Permission> perms, String roleName, String roleId) {
+    public List<PermissionRole> associatePermissionsRoles(List<Permission> perms, List<Role> roles) {
         List<PermissionRole> permRoles = new ArrayList<PermissionRole>();
-        for (Permission p : perms) {
-            PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
-                    p.getResourceName(), roleName, roleId);
+        for (Permission perm : perms) {
+            PermissionRole permRole = associatePermissionRoles(perm, roles);
             permRoles.add(permRole);
         }
         return permRoles;
     }
 
-    private PermissionRole buildCommonPermissionRoles(String tenantId, String permId,
-            String resName, String roleName, String roleId) {
+    private PermissionRole associatePermissionRoles(Permission perm,
+            List<Role> roles) {
 
         PermissionRole pr = new PermissionRole();
         pr.setSubject(SubjectType.ROLE);
         List<PermissionValue> permValues = new ArrayList<PermissionValue>();
         pr.setPermissions(permValues);
         PermissionValue permValue = new PermissionValue();
-        permValue.setPermissionId(permId);
-        permValue.setResourceName(resName.toLowerCase());
+        permValue.setPermissionId(perm.getCsid());
+        permValue.setResourceName(perm.getResourceName().toLowerCase());
         permValues.add(permValue);
 
         List<RoleValue> roleValues = new ArrayList<RoleValue>();
-        RoleValue radmin = new RoleValue();
-        radmin.setRoleName(roleName.toUpperCase());
-        radmin.setRoleId(roleId);
-        roleValues.add(radmin);
+        for (Role role : roles) {
+            RoleValue rv = new RoleValue();
+            rv.setRoleName(role.getRoleName().toUpperCase());
+            rv.setRoleId(role.getCsid());
+            roleValues.add(rv);
+        }
         pr.setRoles(roleValues);
 
         return pr;
     }
 
-    /**
-     * getTenantAdminRole generates role for tenant administrator
-     * @param tenantName
-     * @return
-     */
-    private String getTenantAdminRole(String tenantName) {
-        tenantName = tenantName.toUpperCase();
-        tenantName = tenantName.replace(' ', '_');
-        return ROLE_ADMINISTRATOR + "_" + tenantName;
+    public List<PermissionRole> getDefaultPermissionRoles() {
+        List<PermissionRole> allPermRoleList = new ArrayList<PermissionRole>();
+        allPermRoleList.addAll(adminPermRoleList);
+        allPermRoleList.addAll(readerPermRoleList);
+        return allPermRoleList;
+    }
+
+    public List<PermissionRole> getDefaultAdminPermissionRoles() {
+        return adminPermRoleList;
+    }
+
+    public List<PermissionRole> getDefaultReaderPermissionRoles() {
+        return readerPermRoleList;
     }
 
-    public List<PermissionRole> getDefaultServicePermissionRoles() {
-        return permRoleList;
+    private Role buildCSpaceAdminRole() {
+        Role role = new Role();
+        role.setRoleName(ROLE_ADMINISTRATOR);
+        role.setCsid(ROLE_ADMINISTRATOR_ID);
+        return role;
+    }
+
+    public void exportDefaultRoles(String fileName) {
+        RolesList rList = new RolesList();
+        List<Role> allRoleList = new ArrayList<Role>();
+        allRoleList.addAll(adminRoles);
+        allRoleList.addAll(readerRoles);
+        rList.setRoles(allRoleList);
+        toFile(rList, RolesList.class,
+                fileName);
+        if (logger.isDebugEnabled()) {
+            logger.debug("exported roles to " + fileName);
+        }
     }
 
-    public void exportPermissions(String fileName) {
+    public void exportDefaultPermissions(String fileName) {
         PermissionsList pcList = new PermissionsList();
-        pcList.setPermissions(permList);
+        List<Permission> allPermList = new ArrayList<Permission>();
+        allPermList.addAll(adminPermList);
+        allPermList.addAll(readerPermList);
+        pcList.setPermissions(allPermList);
         toFile(pcList, PermissionsList.class,
                 fileName);
         if (logger.isDebugEnabled()) {
@@ -206,9 +368,12 @@ public class AuthorizationGen {
         }
     }
 
-    public void exportPermissionRoles(String fileName) {
+    public void exportDefaultPermissionRoles(String fileName) {
         PermissionsRolesList psrsl = new PermissionsRolesList();
-        psrsl.setPermissionRoles(permRoleList);
+        List<PermissionRole> allPermRoleList = new ArrayList<PermissionRole>();
+        allPermRoleList.addAll(adminPermRoleList);
+        allPermRoleList.addAll(readerPermRoleList);
+        psrsl.setPermissionRoles(allPermRoleList);
         toFile(psrsl, PermissionsRolesList.class,
                 fileName);
         if (logger.isDebugEnabled()) {
diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationStore.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationStore.java
new file mode 100644
index 000000000..c6c79bf6f
--- /dev/null
+++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationStore.java
@@ -0,0 +1,88 @@
+/**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2010 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization.importer;
+
+import java.util.Date;
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import org.collectionspace.services.common.document.JaxbUtils;
+import org.collectionspace.services.common.storage.jpa.JpaStorageUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * AuthorizationStore stores persistent entities during import
+ * @author
+ */
+public class AuthorizationStore {
+
+    private final Logger logger = LoggerFactory.getLogger(AuthorizationStore.class);
+    private final static String PERSISTENCE_UNIT = "org.collectionspace.services.authorization";
+
+    /**
+     * store the given entity
+     * @param entity
+     * @return csid of the entity
+     * @throws Exception
+     */
+    public String store(Object entity) throws Exception {
+        EntityManagerFactory emf = null;
+        EntityManager em = null;
+        try {
+            emf = JpaStorageUtils.getEntityManagerFactory(PERSISTENCE_UNIT);
+            em = emf.createEntityManager();
+            //FIXME: more efficient would be to participate in transaction already started
+            //by the caller
+            em.getTransaction().begin();
+            if (JaxbUtils.getValue(entity, "getCreatedAt") == null) {
+                JaxbUtils.setValue(entity, "setCreatedAtItem", Date.class, new Date());
+            }
+            em.persist(entity);
+            em.getTransaction().commit();
+            String id = null;
+            try{
+                id = (String) JaxbUtils.getValue(entity, "getCsid");
+            } catch(NoSuchMethodException nsme) {
+                //do nothing ok, relationship does not have csid
+            }
+            return id;
+        } catch (Exception e) {
+            if (em != null && em.getTransaction().isActive()) {
+                em.getTransaction().rollback();
+            }
+            if (logger.isDebugEnabled()) {
+                logger.debug("Caught exception ", e);
+            }
+            throw e;
+        } finally {
+            if (em != null) {
+                JpaStorageUtils.releaseEntityManagerFactory(emf);
+            }
+        }
+    }
+}
diff --git a/services/authorization-mgt/import/src/main/resources/META-INF/persistence.xml b/services/authorization-mgt/import/src/main/resources/META-INF/persistence.xml
new file mode 100644
index 000000000..ec517f79d
--- /dev/null
+++ b/services/authorization-mgt/import/src/main/resources/META-INF/persistence.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<persistence version="1.0" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd
+             http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:orm="http://java.sun.com/xml/ns/persistence/orm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <persistence-unit name="org.collectionspace.services.authorization">
+        <class>org.collectionspace.services.authorization.Permission</class>
+        <class>org.collectionspace.services.authorization.PermissionAction</class>
+        <class>org.collectionspace.services.authorization.PermissionRoleRel</class>
+        <class>org.collectionspace.services.authorization.Role</class>
+        <class>org.collectionspace.services.authorization.AccountRoleRel</class>
+        <properties>
+            <property name="hibernate.ejb.cfgfile" value="hibernate.cfg.xml"/>
+
+            <!--property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/>
+            <property name="hibernate.max_fetch_depth" value="3"/>
+            <property name="hibernate.connection.driver_class" value="com.mysql.jdbc.Driver"/>
+            <property name="hibernate.connection.username" value="test"/>
+            <property name="hibernate.connection.password" value="test"/>
+            <property name="hibernate.connection.url" value="jdbc:mysql://localhost:3306/cspace"/-->
+        </properties>
+    </persistence-unit>
+</persistence>
diff --git a/services/authorization-mgt/import/src/main/resources/hibernate.cfg.xml b/services/authorization-mgt/import/src/main/resources/hibernate.cfg.xml
new file mode 100644
index 000000000..8296399cf
--- /dev/null
+++ b/services/authorization-mgt/import/src/main/resources/hibernate.cfg.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+    Document   : hibernate.cfg.xml
+    Created on : 
+    Author     : 
+    Description:
+        Hibernate configuration file for testing and tools
+-->
+<!DOCTYPE hibernate-configuration PUBLIC
+          "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
+          "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
+<hibernate-configuration>
+    <session-factory>
+        <property name="connection.url">@DB_URL@</property>
+        <property name="connection.driver_class">@DB_DRIVER_CLASS@</property>
+        <property name="connection.username">@DB_USER@</property>
+        <property name="connection.password">@DB_PASSWORD@</property>
+        <property name="dialect">@DB_DIALECT@</property>
+        <property name="transaction.factory_class">org.hibernate.transaction.JDBCTransactionFactory</property>
+        <property name="current_session_context_class">thread</property>
+        <property name="hibernate.show_sql">true</property>
+    </session-factory>
+</hibernate-configuration>
diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
index edf8aef0f..5f10e8ba1 100644
--- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
+++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
@@ -3,560 +3,1678 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>68eea582-e5b0-4aab-a01b-e45126ce1924</permissionId>
+            <permissionId>de3657a1-99f8-46b6-b4bb-2e28f9def87f</permissionId>
             <resourceName>idgenerators</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>de3657a1-99f8-46b6-b4bb-2e28f9def87f</permissionId>
+            <resourceName>idgenerators</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b6644980-aeef-4d8f-a048-338057f9d973</permissionId>
+            <resourceName>id</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b6644980-aeef-4d8f-a048-338057f9d973</permissionId>
+            <resourceName>id</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ddcdcc15-7f5a-49d8-8354-82c2e52d4727</permissionId>
+            <resourceName>
+                /idgenerators/*/ids
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ddcdcc15-7f5a-49d8-8354-82c2e52d4727</permissionId>
+            <resourceName>
+                /idgenerators/*/ids
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b203fb49-56c3-4662-b4bd-4008a6462364</permissionId>
+            <resourceName>collectionobjects</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b203fb49-56c3-4662-b4bd-4008a6462364</permissionId>
+            <resourceName>collectionobjects</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2dde10d0-2ce9-471b-9c66-c67a6e7c511f</permissionId>
+            <resourceName>
+                /collectionobjects/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2dde10d0-2ce9-471b-9c66-c67a6e7c511f</permissionId>
+            <resourceName>
+                /collectionobjects/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b8323642-cd0a-491f-a952-cf36d2b32134</permissionId>
+            <resourceName>intakes</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b8323642-cd0a-491f-a952-cf36d2b32134</permissionId>
+            <resourceName>intakes</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>3c3e7ff6-7ecd-4643-b662-3fcb54e62abe</permissionId>
+            <resourceName>
+                /intakes/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>3c3e7ff6-7ecd-4643-b662-3fcb54e62abe</permissionId>
+            <resourceName>
+                /intakes/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e248b5af-6eb3-4063-8816-6c2b0c55537c</permissionId>
+            <resourceName>loansin</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e248b5af-6eb3-4063-8816-6c2b0c55537c</permissionId>
+            <resourceName>loansin</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>6529cf6d-34ae-4bab-a6e2-ab19973620fb</permissionId>
+            <resourceName>
+                /loansin/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>6529cf6d-34ae-4bab-a6e2-ab19973620fb</permissionId>
+            <resourceName>
+                /loansin/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1145d28d-269a-41fd-806f-b0d6511cf273</permissionId>
+            <resourceName>loansout</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1145d28d-269a-41fd-806f-b0d6511cf273</permissionId>
+            <resourceName>loansout</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>8773ed3b-9432-44e8-900e-1bc3908e7911</permissionId>
+            <resourceName>
+                /loansout/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>8773ed3b-9432-44e8-900e-1bc3908e7911</permissionId>
+            <resourceName>
+                /loansout/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>21786a64-02e0-4359-9c61-47cf821f2362</permissionId>
+            <resourceName>movements</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>21786a64-02e0-4359-9c61-47cf821f2362</permissionId>
+            <resourceName>movements</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>d501423e-9425-4c99-bf6f-478a2a9f971e</permissionId>
+            <resourceName>
+                /movements/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>d501423e-9425-4c99-bf6f-478a2a9f971e</permissionId>
+            <resourceName>
+                /movements/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>88075c4c-d5ed-420a-a767-1ab662066feb</permissionId>
+            <resourceName>vocabularies</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>88075c4c-d5ed-420a-a767-1ab662066feb</permissionId>
+            <resourceName>vocabularies</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2444d28d-883f-4566-a378-f03b95d100b9</permissionId>
+            <resourceName>vocabularyitems</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2444d28d-883f-4566-a378-f03b95d100b9</permissionId>
+            <resourceName>vocabularyitems</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>80a57584-6438-4df3-95df-bba1d7d9a275</permissionId>
+            <resourceName>
+                /vocabularies/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>80a57584-6438-4df3-95df-bba1d7d9a275</permissionId>
+            <resourceName>
+                /vocabularies/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>812a71ed-0dfe-4371-a390-4776ab5519f2</permissionId>
+            <resourceName>orgauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>812a71ed-0dfe-4371-a390-4776ab5519f2</permissionId>
+            <resourceName>orgauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>a9aeff96-179f-4b1d-8e74-25358185fdae</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>a9aeff96-179f-4b1d-8e74-25358185fdae</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>23897bf4-c727-4737-a70c-dc446519e1d5</permissionId>
+            <resourceName>organizations</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>23897bf4-c727-4737-a70c-dc446519e1d5</permissionId>
+            <resourceName>organizations</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>64f48448-c5ed-4096-acc8-17daebf2924f</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>64f48448-c5ed-4096-acc8-17daebf2924f</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>90bea796-bf38-46a6-8a9e-fc9a1eed157d</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/refobjs
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>90bea796-bf38-46a6-8a9e-fc9a1eed157d</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/refobjs
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e61b8b12-3db0-499a-b074-79afec3f141a</permissionId>
+            <resourceName>personauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e61b8b12-3db0-499a-b074-79afec3f141a</permissionId>
+            <resourceName>personauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ce34076c-83b0-409c-b2b8-2d3805af9056</permissionId>
+            <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ce34076c-83b0-409c-b2b8-2d3805af9056</permissionId>
+            <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>acac0886-627b-43e6-810c-f62c928b99bf</permissionId>
+            <resourceName>
+                /personauthorities/*/items/*/refobjs
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>acac0886-627b-43e6-810c-f62c928b99bf</permissionId>
+            <resourceName>
+                /personauthorities/*/items/*/refobjs
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1aa13e33-4b21-4e6f-b670-2fc13f8fd2b4</permissionId>
+            <resourceName>persons</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1aa13e33-4b21-4e6f-b670-2fc13f8fd2b4</permissionId>
+            <resourceName>persons</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>cbb98b91-25ed-4e8b-af4d-48f11e981e19</permissionId>
+            <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>cbb98b91-25ed-4e8b-af4d-48f11e981e19</permissionId>
+            <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>7c9e5c9a-8eb7-4579-ad94-e6d4f90c9ae8</permissionId>
+            <resourceName>locationauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>7c9e5c9a-8eb7-4579-ad94-e6d4f90c9ae8</permissionId>
+            <resourceName>locationauthorities</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ce653183-2722-46c9-8f19-2e719c9cb06c</permissionId>
+            <resourceName>
+                /locationauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ce653183-2722-46c9-8f19-2e719c9cb06c</permissionId>
+            <resourceName>
+                /locationauthorities/*/items/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>59b8de3a-9b1d-4e82-9aa5-0d28dd5a46ac</permissionId>
+            <resourceName>locations</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>59b8de3a-9b1d-4e82-9aa5-0d28dd5a46ac</permissionId>
+            <resourceName>locations</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>37e00906-0fa5-4d20-be21-739f66bcac52</permissionId>
+            <resourceName>acquisitions</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>37e00906-0fa5-4d20-be21-739f66bcac52</permissionId>
+            <resourceName>acquisitions</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1ebea466-ab70-4368-8965-aa9305661d50</permissionId>
+            <resourceName>
+                /acquisitions/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>1ebea466-ab70-4368-8965-aa9305661d50</permissionId>
+            <resourceName>
+                /acquisitions/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>c48e8d4a-7972-469f-a2bc-1bca201cd772</permissionId>
+            <resourceName>relations</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>c48e8d4a-7972-469f-a2bc-1bca201cd772</permissionId>
+            <resourceName>relations</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b2f182cb-61d7-4016-a2e2-075c13afefd0</permissionId>
+            <resourceName>
+                relations/subject/*/type/*/object/*
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b2f182cb-61d7-4016-a2e2-075c13afefd0</permissionId>
+            <resourceName>
+                relations/subject/*/type/*/object/*
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>6ba014c0-80e1-456f-9c3c-de339391d254</permissionId>
+            <resourceName>accounts</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>6ba014c0-80e1-456f-9c3c-de339391d254</permissionId>
+            <resourceName>accounts</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ee04f607-8e32-46dd-b5c9-b7657cdd290c</permissionId>
+            <resourceName>dimensions</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ee04f607-8e32-46dd-b5c9-b7657cdd290c</permissionId>
+            <resourceName>dimensions</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>828327fc-7b3d-4bde-b6d6-e48c74c3f4fd</permissionId>
+            <resourceName>contacts</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>828327fc-7b3d-4bde-b6d6-e48c74c3f4fd</permissionId>
+            <resourceName>contacts</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2d48d7a3-faba-4e8d-93a3-0863de7d92da</permissionId>
+            <resourceName>
+                /personauthorities/*/items/*/contacts
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2d48d7a3-faba-4e8d-93a3-0863de7d92da</permissionId>
+            <resourceName>
+                /personauthorities/*/items/*/contacts
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>150c809f-ffd6-4b23-b86b-a6533feeda29</permissionId>
-            <resourceName>id</resourceName>
+            <permissionId>7d8f835d-d9c0-4508-b279-eef890db247a</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/contacts
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>7d8f835d-d9c0-4508-b279-eef890db247a</permissionId>
+            <resourceName>
+                /orgauthorities/*/items/*/contacts
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ab92d994-29eb-4d64-bd49-b3cafd8f0a5b</permissionId>
+            <resourceName>notes</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>ab92d994-29eb-4d64-bd49-b3cafd8f0a5b</permissionId>
+            <resourceName>notes</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>db65825c-50c3-49a8-af5f-68115f16537b</permissionId>
+            <resourceName>authorization/roles</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>db65825c-50c3-49a8-af5f-68115f16537b</permissionId>
+            <resourceName>authorization/roles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>30f13249-56c6-428e-9f9b-be092520ca30</permissionId>
+            <permissionId>f7f41db6-f85f-4cd3-a2d6-d9185b6dd8e9</permissionId>
+            <resourceName>authorization/permissions</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>f7f41db6-f85f-4cd3-a2d6-d9185b6dd8e9</permissionId>
+            <resourceName>authorization/permissions</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>074e7f98-2580-48d3-969d-4043f156eaa2</permissionId>
+            <resourceName>authorization/permissions/permroles</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>074e7f98-2580-48d3-969d-4043f156eaa2</permissionId>
+            <resourceName>authorization/permissions/permroles</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
+            <roleName>ROLE_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>0cdd6f4e-58b6-4c11-bbbd-0984c30d6dbd</permissionId>
             <resourceName>
-                /idgenerators/*/ids
+                /authorization/permissions/*/permroles/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>0cdd6f4e-58b6-4c11-bbbd-0984c30d6dbd</permissionId>
+            <resourceName>
+                /authorization/permissions/*/permroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>e5005679-b03a-4911-9081-741dced66508</permissionId>
-            <resourceName>collectionobjects</resourceName>
+            <permissionId>361c4bed-bd81-4f22-82df-f462111663a9</permissionId>
+            <resourceName>accounts/accountroles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>361c4bed-bd81-4f22-82df-f462111663a9</permissionId>
+            <resourceName>accounts/accountroles</resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>676a2ce3-f65a-445e-bc0f-cce5dc056eac</permissionId>
+            <permissionId>e272da20-719c-49d1-9584-c21cedcd3a65</permissionId>
             <resourceName>
-                /collectionobjects/*/authorityrefs/
+                /accounts/*/accountroles/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e272da20-719c-49d1-9584-c21cedcd3a65</permissionId>
+            <resourceName>
+                /accounts/*/accountroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>200f1961-8910-4170-8f7b-32fcf7eef047</permissionId>
-            <resourceName>intakes</resourceName>
+            <permissionId>d7618a4f-d8be-45f6-b0f3-2816ecdca341</permissionId>
+            <resourceName>authorization/roles/permroles</resourceName>
+        </permission>
+        <role>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>d7618a4f-d8be-45f6-b0f3-2816ecdca341</permissionId>
+            <resourceName>authorization/roles/permroles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>aa534e0f-6979-4c52-873c-d58bd0151f9c</permissionId>
+            <permissionId>3b6b0755-9044-46ee-8a85-4e44ac68dd0a</permissionId>
             <resourceName>
-                /intakes/*/authorityrefs/
+                /authorization/roles/*/permroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
+            <roleId>ad3a2b4c-ef74-47f0-bdb0-f6a906acd370</roleId>
+            <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>3b6b0755-9044-46ee-8a85-4e44ac68dd0a</permissionId>
+            <resourceName>
+                /authorization/roles/*/permroles/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>0</roleId>
             <roleName>ROLE_ADMINISTRATOR</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>0a3692cd-94f6-44dd-854a-1fb0b19fe71d</permissionId>
+            <permissionId>da5253a4-471f-4ada-9d7d-8f1a9a747647</permissionId>
+            <resourceName>idgenerators</resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>4d524373-a5df-45e2-aec6-2e214f08431e</permissionId>
+            <resourceName>id</resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>c757f1c4-3282-4055-b0e1-2c818fec709b</permissionId>
+            <resourceName>
+                /idgenerators/*/ids
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>e383a971-0335-41da-88e6-f7625303f186</permissionId>
+            <resourceName>collectionobjects</resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>b2c49fb3-fb34-4425-86c7-73c48873a983</permissionId>
+            <resourceName>
+                /collectionobjects/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>2ac4ace4-20f8-4a5f-b984-4753e5452a87</permissionId>
+            <resourceName>intakes</resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>64af5fcc-a57d-4fa6-820c-4ab857a46590</permissionId>
+            <resourceName>
+                /intakes/*/authorityrefs/
+            </resourceName>
+        </permission>
+        <role>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
+        </role>
+    </permissionRole>
+    <permissionRole>
+        <subject>ROLE</subject>
+        <permission>
+            <permissionId>0258eabe-02d3-494c-b405-30e3463a2feb</permissionId>
             <resourceName>loansin</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>f56deb15-81a5-47ad-89c7-ea4738451b8c</permissionId>
+            <permissionId>ae5f5fab-7205-4b92-932f-857b68c5d4b5</permissionId>
             <resourceName>
                 /loansin/*/authorityrefs/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>1628fe32-a657-4577-a6cd-87bcf942d56d</permissionId>
+            <permissionId>9e8b0907-e262-42f9-a4da-6e0bf6493e5a</permissionId>
             <resourceName>loansout</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>d38171bb-62b2-402b-a8e9-329433f7092c</permissionId>
+            <permissionId>b46b29bc-1795-4e3e-a247-59e23742b705</permissionId>
             <resourceName>
                 /loansout/*/authorityrefs/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>bf39f493-8e5b-4ca1-baaf-67dd8283b299</permissionId>
+            <permissionId>f90c5454-58e9-4b32-a8e4-03b80ed6f58e</permissionId>
             <resourceName>movements</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>30130f70-6122-478c-9425-428815c0006c</permissionId>
+            <permissionId>e7c31362-9bb7-48a4-a324-63e84401df30</permissionId>
             <resourceName>
                 /movements/*/authorityrefs/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>61dc8d8b-8d2e-4d0b-a76f-87d5be9a583c</permissionId>
+            <permissionId>90f3a12c-0ac1-417b-942e-88f2b11383b7</permissionId>
             <resourceName>vocabularies</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cdff0a6a-ca8a-4651-a291-d7e4e9e531ba</permissionId>
+            <permissionId>c961fc05-1a2c-4890-88b4-42757378e323</permissionId>
             <resourceName>vocabularyitems</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>2bbbbe30-9562-4686-8237-00422e24e1d6</permissionId>
+            <permissionId>4d13ef59-1443-40ee-8e45-9892c83ec9a1</permissionId>
             <resourceName>
                 /vocabularies/*/items/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>60e310d8-8d49-4ced-bdff-d1bc82d8cabd</permissionId>
+            <permissionId>6caa049b-25cc-486c-935f-bf215d550bcd</permissionId>
             <resourceName>orgauthorities</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>0562b8c3-1883-4491-b77f-d8437c1433d6</permissionId>
+            <permissionId>08c36f8b-2432-44c4-a1dd-cba8c8ea53e5</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/authorityrefs/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>44cba976-171b-408e-b3ed-3bd5b18e95e1</permissionId>
+            <permissionId>c0149cbb-a984-4e32-8302-c045a3e82bf2</permissionId>
             <resourceName>organizations</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>c8e68564-bd16-462d-b191-a4fb4ad6d93a</permissionId>
+            <permissionId>b2e0c247-9e3b-4bf3-a956-8b98a8505263</permissionId>
             <resourceName>
                 /orgauthorities/*/items/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>faf6fdb6-654e-44a3-b7de-e98eb3105e3f</permissionId>
+            <permissionId>35cb8d8b-4309-4177-9c1c-157dbeb36f5d</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/refobjs
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>fc3845e7-122b-44c6-b46f-756421291994</permissionId>
+            <permissionId>c890f437-7356-4bcd-b5b1-0e36b13e6358</permissionId>
             <resourceName>personauthorities</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>44b6f2f5-2ae5-4f9f-aaf6-21361e38992e</permissionId>
+            <permissionId>778904e1-8b67-4ace-af24-8b756385ce80</permissionId>
             <resourceName>
                 /personauthorities/*/items/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>f488f02a-0107-4991-847f-db811fa843f5</permissionId>
+            <permissionId>d531417d-b61b-471c-90ff-f21969f00e4c</permissionId>
             <resourceName>
                 /personauthorities/*/items/*/refobjs
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>b1236cf3-c8e3-462a-b189-e5bcebdd382e</permissionId>
+            <permissionId>46581f00-1338-417d-9ff5-1250a8eb5e3c</permissionId>
             <resourceName>persons</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>7e329610-aa02-4d66-9a44-f7f5302c2ea4</permissionId>
+            <permissionId>b707073a-6c2f-4bc5-b8b2-800be7cc17ec</permissionId>
             <resourceName>
                 /personauthorities/*/items/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>abee33c0-e304-44e1-ae27-0e518e0ee55b</permissionId>
+            <permissionId>88832e9b-0f62-406e-8a64-ea61d53153ed</permissionId>
             <resourceName>locationauthorities</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>1924cf31-7025-4f43-896e-e6d7a7352788</permissionId>
+            <permissionId>5b8c3d7d-f027-4675-9edf-1f7733ce360d</permissionId>
             <resourceName>
                 /locationauthorities/*/items/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>273e7918-f911-4f54-bc86-122aa539e813</permissionId>
+            <permissionId>a73bebb8-d109-4fbd-aa29-f71766eac61a</permissionId>
             <resourceName>locations</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>934a970c-221e-41b5-92be-6ba22276bd7a</permissionId>
+            <permissionId>7d6dcff6-167f-4634-a35d-ec635e34fc60</permissionId>
             <resourceName>acquisitions</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>61a10a62-4f23-4427-b262-f978a3b03806</permissionId>
+            <permissionId>2007cc99-7208-4238-9792-bceb5df78733</permissionId>
             <resourceName>
                 /acquisitions/*/authorityrefs/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>463dc11d-8324-4fb9-9d07-7c134c68eb47</permissionId>
+            <permissionId>94594f80-9ae2-4f51-b1f1-21e49bca2f5e</permissionId>
             <resourceName>relations</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>3c536b47-b851-4dca-bbd2-12d0fc20f713</permissionId>
+            <permissionId>e75b9dd6-737a-43cd-b847-c8effa3d6055</permissionId>
             <resourceName>
                 relations/subject/*/type/*/object/*
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>87c457d9-3bf4-40d4-a3e1-7a9aae90c5c9</permissionId>
+            <permissionId>da6da169-41d0-4f7f-a246-e7a9c96967de</permissionId>
             <resourceName>accounts</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>5762278c-fceb-4d67-908d-af389ac309ba</permissionId>
+            <permissionId>8b1fc4c6-1610-490d-8972-17ac113b36d9</permissionId>
             <resourceName>dimensions</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>bd9104e1-1931-4d0e-aff4-d06ec78f069f</permissionId>
+            <permissionId>97455f0e-2064-4667-9bfe-540a05b571ae</permissionId>
             <resourceName>contacts</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>aa3c23d7-7d42-43f0-899a-3b8bc0c03c3a</permissionId>
+            <permissionId>10655b0e-d168-4ac5-96fc-5ff88621aaee</permissionId>
             <resourceName>
                 /personauthorities/*/items/*/contacts
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>a0f846e4-343c-4479-831e-04cc40e51902</permissionId>
+            <permissionId>1209a058-b37e-438d-906a-03bc49a4928c</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/contacts
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>b975509e-d1bd-42a2-98d4-bfde50a342c3</permissionId>
+            <permissionId>eb97ccdf-daaa-436e-bd40-f86e3d7dc8d0</permissionId>
             <resourceName>notes</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>c9524c19-4819-4aea-aab3-341887d83b3f</permissionId>
+            <permissionId>655fb068-d229-47e0-b636-48e53217d070</permissionId>
             <resourceName>authorization/roles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>eec11401-da9e-4a33-b68d-b3d4906c3329</permissionId>
+            <permissionId>556204b7-df13-40fe-8185-ac4e9924a033</permissionId>
             <resourceName>authorization/permissions</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>975a8e80-8a30-426c-9d5b-aa32f6813f6d</permissionId>
+            <permissionId>3d5ecccd-37a5-4185-88b3-66aa1def43b5</permissionId>
             <resourceName>authorization/permissions/permroles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>76ae1b26-9c42-4011-8130-178d90ff4c3b</permissionId>
+            <permissionId>049d792a-f1c7-42de-8d88-c09a1143340f</permissionId>
             <resourceName>
                 /authorization/permissions/*/permroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>662f9c6c-f8f1-4a78-922e-9c4250237b36</permissionId>
+            <permissionId>b85355db-2c33-4469-bb27-bf4fb1ac4039</permissionId>
             <resourceName>accounts/accountroles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>e8cca9fb-a6cc-4944-a441-857d661280a9</permissionId>
+            <permissionId>ce37cf6c-a550-49de-9bdf-0ede7cafb617</permissionId>
             <resourceName>
                 /accounts/*/accountroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>f771df0b-98c8-4f84-aaf3-ae62c113d4cb</permissionId>
+            <permissionId>e1af00a3-a7c9-441f-a48c-f9698f47298a</permissionId>
             <resourceName>authorization/roles/permroles</resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>937a7ab0-6c26-497b-a901-49f550987320</permissionId>
+            <permissionId>8fc74578-d253-4eb7-a0e3-43bc70a88a62</permissionId>
             <resourceName>
                 /authorization/roles/*/permroles/
             </resourceName>
         </permission>
         <role>
-            <roleId>1</roleId>
-            <roleName>ROLE_ADMINISTRATOR</roleName>
+            <roleId>25f537c9-a213-41de-97f0-18524d5f4eb2</roleId>
+            <roleName>ROLE_TENANT_READER</roleName>
         </role>
     </permissionRole>
 </ns2:permissions_roles_list>
diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
index 7ff06ee01..29cf9465a 100644
--- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
+++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ns2:permissions_list xmlns:ns2="http://collectionspace.org/services/authorization">
-    <permission csid="68eea582-e5b0-4aab-a01b-e45126ce1924">
+    <permission csid="de3657a1-99f8-46b6-b4bb-2e28f9def87f">
+        <description>generated admin permission</description>
         <resourceName>idgenerators</resourceName>
         <action>
             <name>CREATE</name>
@@ -19,8 +20,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.388</createdAt>
     </permission>
-    <permission csid="150c809f-ffd6-4b23-b86b-a6533feeda29">
+    <permission csid="b6644980-aeef-4d8f-a048-338057f9d973">
+        <description>generated admin permission</description>
         <resourceName>id</resourceName>
         <action>
             <name>CREATE</name>
@@ -39,8 +42,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.390</createdAt>
     </permission>
-    <permission csid="30f13249-56c6-428e-9f9b-be092520ca30">
+    <permission csid="ddcdcc15-7f5a-49d8-8354-82c2e52d4727">
+        <description>generated admin permission</description>
         <resourceName>
                 /idgenerators/*/ids
             </resourceName>
@@ -61,8 +66,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.390</createdAt>
     </permission>
-    <permission csid="e5005679-b03a-4911-9081-741dced66508">
+    <permission csid="b203fb49-56c3-4662-b4bd-4008a6462364">
+        <description>generated admin permission</description>
         <resourceName>collectionobjects</resourceName>
         <action>
             <name>CREATE</name>
@@ -81,8 +88,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.391</createdAt>
     </permission>
-    <permission csid="676a2ce3-f65a-445e-bc0f-cce5dc056eac">
+    <permission csid="2dde10d0-2ce9-471b-9c66-c67a6e7c511f">
+        <description>generated admin permission</description>
         <resourceName>
                 /collectionobjects/*/authorityrefs/
             </resourceName>
@@ -103,8 +112,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.391</createdAt>
     </permission>
-    <permission csid="200f1961-8910-4170-8f7b-32fcf7eef047">
+    <permission csid="b8323642-cd0a-491f-a952-cf36d2b32134">
+        <description>generated admin permission</description>
         <resourceName>intakes</resourceName>
         <action>
             <name>CREATE</name>
@@ -123,8 +134,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.391</createdAt>
     </permission>
-    <permission csid="aa534e0f-6979-4c52-873c-d58bd0151f9c">
+    <permission csid="3c3e7ff6-7ecd-4643-b662-3fcb54e62abe">
+        <description>generated admin permission</description>
         <resourceName>
                 /intakes/*/authorityrefs/
             </resourceName>
@@ -145,8 +158,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.392</createdAt>
     </permission>
-    <permission csid="0a3692cd-94f6-44dd-854a-1fb0b19fe71d">
+    <permission csid="e248b5af-6eb3-4063-8816-6c2b0c55537c">
+        <description>generated admin permission</description>
         <resourceName>loansin</resourceName>
         <action>
             <name>CREATE</name>
@@ -165,8 +180,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.392</createdAt>
     </permission>
-    <permission csid="f56deb15-81a5-47ad-89c7-ea4738451b8c">
+    <permission csid="6529cf6d-34ae-4bab-a6e2-ab19973620fb">
+        <description>generated admin permission</description>
         <resourceName>
                 /loansin/*/authorityrefs/
             </resourceName>
@@ -187,8 +204,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.393</createdAt>
     </permission>
-    <permission csid="1628fe32-a657-4577-a6cd-87bcf942d56d">
+    <permission csid="1145d28d-269a-41fd-806f-b0d6511cf273">
+        <description>generated admin permission</description>
         <resourceName>loansout</resourceName>
         <action>
             <name>CREATE</name>
@@ -207,8 +226,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.393</createdAt>
     </permission>
-    <permission csid="d38171bb-62b2-402b-a8e9-329433f7092c">
+    <permission csid="8773ed3b-9432-44e8-900e-1bc3908e7911">
+        <description>generated admin permission</description>
         <resourceName>
                 /loansout/*/authorityrefs/
             </resourceName>
@@ -229,8 +250,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.393</createdAt>
     </permission>
-    <permission csid="bf39f493-8e5b-4ca1-baaf-67dd8283b299">
+    <permission csid="21786a64-02e0-4359-9c61-47cf821f2362">
+        <description>generated admin permission</description>
         <resourceName>movements</resourceName>
         <action>
             <name>CREATE</name>
@@ -249,8 +272,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.394</createdAt>
     </permission>
-    <permission csid="30130f70-6122-478c-9425-428815c0006c">
+    <permission csid="d501423e-9425-4c99-bf6f-478a2a9f971e">
+        <description>generated admin permission</description>
         <resourceName>
                 /movements/*/authorityrefs/
             </resourceName>
@@ -271,8 +296,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.394</createdAt>
     </permission>
-    <permission csid="61dc8d8b-8d2e-4d0b-a76f-87d5be9a583c">
+    <permission csid="88075c4c-d5ed-420a-a767-1ab662066feb">
+        <description>generated admin permission</description>
         <resourceName>vocabularies</resourceName>
         <action>
             <name>CREATE</name>
@@ -291,8 +318,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.395</createdAt>
     </permission>
-    <permission csid="cdff0a6a-ca8a-4651-a291-d7e4e9e531ba">
+    <permission csid="2444d28d-883f-4566-a378-f03b95d100b9">
+        <description>generated admin permission</description>
         <resourceName>vocabularyitems</resourceName>
         <action>
             <name>CREATE</name>
@@ -311,8 +340,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.395</createdAt>
     </permission>
-    <permission csid="2bbbbe30-9562-4686-8237-00422e24e1d6">
+    <permission csid="80a57584-6438-4df3-95df-bba1d7d9a275">
+        <description>generated admin permission</description>
         <resourceName>
                 /vocabularies/*/items/
             </resourceName>
@@ -333,8 +364,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.396</createdAt>
     </permission>
-    <permission csid="60e310d8-8d49-4ced-bdff-d1bc82d8cabd">
+    <permission csid="812a71ed-0dfe-4371-a390-4776ab5519f2">
+        <description>generated admin permission</description>
         <resourceName>orgauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -353,8 +386,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.396</createdAt>
     </permission>
-    <permission csid="0562b8c3-1883-4491-b77f-d8437c1433d6">
+    <permission csid="a9aeff96-179f-4b1d-8e74-25358185fdae">
+        <description>generated admin permission</description>
         <resourceName>
                 /orgauthorities/*/items/*/authorityrefs/
             </resourceName>
@@ -375,8 +410,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.397</createdAt>
     </permission>
-    <permission csid="44cba976-171b-408e-b3ed-3bd5b18e95e1">
+    <permission csid="23897bf4-c727-4737-a70c-dc446519e1d5">
+        <description>generated admin permission</description>
         <resourceName>organizations</resourceName>
         <action>
             <name>CREATE</name>
@@ -395,8 +432,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.397</createdAt>
     </permission>
-    <permission csid="c8e68564-bd16-462d-b191-a4fb4ad6d93a">
+    <permission csid="64f48448-c5ed-4096-acc8-17daebf2924f">
+        <description>generated admin permission</description>
         <resourceName>
                 /orgauthorities/*/items/
             </resourceName>
@@ -417,8 +456,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.397</createdAt>
     </permission>
-    <permission csid="faf6fdb6-654e-44a3-b7de-e98eb3105e3f">
+    <permission csid="90bea796-bf38-46a6-8a9e-fc9a1eed157d">
+        <description>generated admin permission</description>
         <resourceName>
                 /orgauthorities/*/items/*/refobjs
             </resourceName>
@@ -439,8 +480,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.398</createdAt>
     </permission>
-    <permission csid="fc3845e7-122b-44c6-b46f-756421291994">
+    <permission csid="e61b8b12-3db0-499a-b074-79afec3f141a">
+        <description>generated admin permission</description>
         <resourceName>personauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -459,8 +502,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.398</createdAt>
     </permission>
-    <permission csid="44b6f2f5-2ae5-4f9f-aaf6-21361e38992e">
+    <permission csid="ce34076c-83b0-409c-b2b8-2d3805af9056">
+        <description>generated admin permission</description>
         <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -481,8 +526,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.398</createdAt>
     </permission>
-    <permission csid="f488f02a-0107-4991-847f-db811fa843f5">
+    <permission csid="acac0886-627b-43e6-810c-f62c928b99bf">
+        <description>generated admin permission</description>
         <resourceName>
                 /personauthorities/*/items/*/refobjs
             </resourceName>
@@ -503,8 +550,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.399</createdAt>
     </permission>
-    <permission csid="b1236cf3-c8e3-462a-b189-e5bcebdd382e">
+    <permission csid="1aa13e33-4b21-4e6f-b670-2fc13f8fd2b4">
+        <description>generated admin permission</description>
         <resourceName>persons</resourceName>
         <action>
             <name>CREATE</name>
@@ -523,8 +572,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.399</createdAt>
     </permission>
-    <permission csid="7e329610-aa02-4d66-9a44-f7f5302c2ea4">
+    <permission csid="cbb98b91-25ed-4e8b-af4d-48f11e981e19">
+        <description>generated admin permission</description>
         <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -545,8 +596,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.400</createdAt>
     </permission>
-    <permission csid="abee33c0-e304-44e1-ae27-0e518e0ee55b">
+    <permission csid="7c9e5c9a-8eb7-4579-ad94-e6d4f90c9ae8">
+        <description>generated admin permission</description>
         <resourceName>locationauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -565,8 +618,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.400</createdAt>
     </permission>
-    <permission csid="1924cf31-7025-4f43-896e-e6d7a7352788">
+    <permission csid="ce653183-2722-46c9-8f19-2e719c9cb06c">
+        <description>generated admin permission</description>
         <resourceName>
                 /locationauthorities/*/items/
             </resourceName>
@@ -587,8 +642,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.401</createdAt>
     </permission>
-    <permission csid="273e7918-f911-4f54-bc86-122aa539e813">
+    <permission csid="59b8de3a-9b1d-4e82-9aa5-0d28dd5a46ac">
+        <description>generated admin permission</description>
         <resourceName>locations</resourceName>
         <action>
             <name>CREATE</name>
@@ -607,8 +664,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.401</createdAt>
     </permission>
-    <permission csid="934a970c-221e-41b5-92be-6ba22276bd7a">
+    <permission csid="37e00906-0fa5-4d20-be21-739f66bcac52">
+        <description>generated admin permission</description>
         <resourceName>acquisitions</resourceName>
         <action>
             <name>CREATE</name>
@@ -627,8 +686,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.401</createdAt>
     </permission>
-    <permission csid="61a10a62-4f23-4427-b262-f978a3b03806">
+    <permission csid="1ebea466-ab70-4368-8965-aa9305661d50">
+        <description>generated admin permission</description>
         <resourceName>
                 /acquisitions/*/authorityrefs/
             </resourceName>
@@ -649,8 +710,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.402</createdAt>
     </permission>
-    <permission csid="463dc11d-8324-4fb9-9d07-7c134c68eb47">
+    <permission csid="c48e8d4a-7972-469f-a2bc-1bca201cd772">
+        <description>generated admin permission</description>
         <resourceName>relations</resourceName>
         <action>
             <name>CREATE</name>
@@ -669,8 +732,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.402</createdAt>
     </permission>
-    <permission csid="3c536b47-b851-4dca-bbd2-12d0fc20f713">
+    <permission csid="b2f182cb-61d7-4016-a2e2-075c13afefd0">
+        <description>generated admin permission</description>
         <resourceName>
                 relations/subject/*/type/*/object/*
             </resourceName>
@@ -691,8 +756,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.402</createdAt>
     </permission>
-    <permission csid="87c457d9-3bf4-40d4-a3e1-7a9aae90c5c9">
+    <permission csid="6ba014c0-80e1-456f-9c3c-de339391d254">
+        <description>generated admin permission</description>
         <resourceName>accounts</resourceName>
         <action>
             <name>CREATE</name>
@@ -711,8 +778,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.403</createdAt>
     </permission>
-    <permission csid="5762278c-fceb-4d67-908d-af389ac309ba">
+    <permission csid="ee04f607-8e32-46dd-b5c9-b7657cdd290c">
+        <description>generated admin permission</description>
         <resourceName>dimensions</resourceName>
         <action>
             <name>CREATE</name>
@@ -731,8 +800,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.403</createdAt>
     </permission>
-    <permission csid="bd9104e1-1931-4d0e-aff4-d06ec78f069f">
+    <permission csid="828327fc-7b3d-4bde-b6d6-e48c74c3f4fd">
+        <description>generated admin permission</description>
         <resourceName>contacts</resourceName>
         <action>
             <name>CREATE</name>
@@ -751,8 +822,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.404</createdAt>
     </permission>
-    <permission csid="aa3c23d7-7d42-43f0-899a-3b8bc0c03c3a">
+    <permission csid="2d48d7a3-faba-4e8d-93a3-0863de7d92da">
+        <description>generated admin permission</description>
         <resourceName>
                 /personauthorities/*/items/*/contacts
             </resourceName>
@@ -773,8 +846,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.404</createdAt>
     </permission>
-    <permission csid="a0f846e4-343c-4479-831e-04cc40e51902">
+    <permission csid="7d8f835d-d9c0-4508-b279-eef890db247a">
+        <description>generated admin permission</description>
         <resourceName>
                 /orgauthorities/*/items/*/contacts
             </resourceName>
@@ -795,8 +870,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.404</createdAt>
     </permission>
-    <permission csid="b975509e-d1bd-42a2-98d4-bfde50a342c3">
+    <permission csid="ab92d994-29eb-4d64-bd49-b3cafd8f0a5b">
+        <description>generated admin permission</description>
         <resourceName>notes</resourceName>
         <action>
             <name>CREATE</name>
@@ -815,8 +892,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.405</createdAt>
     </permission>
-    <permission csid="c9524c19-4819-4aea-aab3-341887d83b3f">
+    <permission csid="db65825c-50c3-49a8-af5f-68115f16537b">
+        <description>generated admin permission</description>
         <resourceName>authorization/roles</resourceName>
         <action>
             <name>CREATE</name>
@@ -835,8 +914,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.405</createdAt>
     </permission>
-    <permission csid="eec11401-da9e-4a33-b68d-b3d4906c3329">
+    <permission csid="f7f41db6-f85f-4cd3-a2d6-d9185b6dd8e9">
+        <description>generated admin permission</description>
         <resourceName>authorization/permissions</resourceName>
         <action>
             <name>CREATE</name>
@@ -855,8 +936,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.405</createdAt>
     </permission>
-    <permission csid="975a8e80-8a30-426c-9d5b-aa32f6813f6d">
+    <permission csid="074e7f98-2580-48d3-969d-4043f156eaa2">
+        <description>generated admin permission</description>
         <resourceName>authorization/permissions/permroles</resourceName>
         <action>
             <name>CREATE</name>
@@ -875,8 +958,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.406</createdAt>
     </permission>
-    <permission csid="76ae1b26-9c42-4011-8130-178d90ff4c3b">
+    <permission csid="0cdd6f4e-58b6-4c11-bbbd-0984c30d6dbd">
+        <description>generated admin permission</description>
         <resourceName>
                 /authorization/permissions/*/permroles/
             </resourceName>
@@ -897,8 +982,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.406</createdAt>
     </permission>
-    <permission csid="662f9c6c-f8f1-4a78-922e-9c4250237b36">
+    <permission csid="361c4bed-bd81-4f22-82df-f462111663a9">
+        <description>generated admin permission</description>
         <resourceName>accounts/accountroles</resourceName>
         <action>
             <name>CREATE</name>
@@ -917,8 +1004,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.407</createdAt>
     </permission>
-    <permission csid="e8cca9fb-a6cc-4944-a441-857d661280a9">
+    <permission csid="e272da20-719c-49d1-9584-c21cedcd3a65">
+        <description>generated admin permission</description>
         <resourceName>
                 /accounts/*/accountroles/
             </resourceName>
@@ -939,8 +1028,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.407</createdAt>
     </permission>
-    <permission csid="f771df0b-98c8-4f84-aaf3-ae62c113d4cb">
+    <permission csid="d7618a4f-d8be-45f6-b0f3-2816ecdca341">
+        <description>generated admin permission</description>
         <resourceName>authorization/roles/permroles</resourceName>
         <action>
             <name>CREATE</name>
@@ -959,8 +1050,10 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.407</createdAt>
     </permission>
-    <permission csid="937a7ab0-6c26-497b-a901-49f550987320">
+    <permission csid="3b6b0755-9044-46ee-8a85-4e44ac68dd0a">
+        <description>generated admin permission</description>
         <resourceName>
                 /authorization/roles/*/permroles/
             </resourceName>
@@ -981,5 +1074,659 @@
         </action>
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.408</createdAt>
+    </permission>
+    <permission csid="da5253a4-471f-4ada-9d7d-8f1a9a747647">
+        <description>generated readonly permission</description>
+        <resourceName>idgenerators</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.408</createdAt>
+    </permission>
+    <permission csid="4d524373-a5df-45e2-aec6-2e214f08431e">
+        <description>generated readonly permission</description>
+        <resourceName>id</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.408</createdAt>
+    </permission>
+    <permission csid="c757f1c4-3282-4055-b0e1-2c818fec709b">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /idgenerators/*/ids
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.409</createdAt>
+    </permission>
+    <permission csid="e383a971-0335-41da-88e6-f7625303f186">
+        <description>generated readonly permission</description>
+        <resourceName>collectionobjects</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.409</createdAt>
+    </permission>
+    <permission csid="b2c49fb3-fb34-4425-86c7-73c48873a983">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /collectionobjects/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.410</createdAt>
+    </permission>
+    <permission csid="2ac4ace4-20f8-4a5f-b984-4753e5452a87">
+        <description>generated readonly permission</description>
+        <resourceName>intakes</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.410</createdAt>
+    </permission>
+    <permission csid="64af5fcc-a57d-4fa6-820c-4ab857a46590">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /intakes/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.410</createdAt>
+    </permission>
+    <permission csid="0258eabe-02d3-494c-b405-30e3463a2feb">
+        <description>generated readonly permission</description>
+        <resourceName>loansin</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.411</createdAt>
+    </permission>
+    <permission csid="ae5f5fab-7205-4b92-932f-857b68c5d4b5">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /loansin/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.411</createdAt>
+    </permission>
+    <permission csid="9e8b0907-e262-42f9-a4da-6e0bf6493e5a">
+        <description>generated readonly permission</description>
+        <resourceName>loansout</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.411</createdAt>
+    </permission>
+    <permission csid="b46b29bc-1795-4e3e-a247-59e23742b705">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /loansout/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.412</createdAt>
+    </permission>
+    <permission csid="f90c5454-58e9-4b32-a8e4-03b80ed6f58e">
+        <description>generated readonly permission</description>
+        <resourceName>movements</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.412</createdAt>
+    </permission>
+    <permission csid="e7c31362-9bb7-48a4-a324-63e84401df30">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /movements/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.412</createdAt>
+    </permission>
+    <permission csid="90f3a12c-0ac1-417b-942e-88f2b11383b7">
+        <description>generated readonly permission</description>
+        <resourceName>vocabularies</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.413</createdAt>
+    </permission>
+    <permission csid="c961fc05-1a2c-4890-88b4-42757378e323">
+        <description>generated readonly permission</description>
+        <resourceName>vocabularyitems</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.413</createdAt>
+    </permission>
+    <permission csid="4d13ef59-1443-40ee-8e45-9892c83ec9a1">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /vocabularies/*/items/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.414</createdAt>
+    </permission>
+    <permission csid="6caa049b-25cc-486c-935f-bf215d550bcd">
+        <description>generated readonly permission</description>
+        <resourceName>orgauthorities</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.414</createdAt>
+    </permission>
+    <permission csid="08c36f8b-2432-44c4-a1dd-cba8c8ea53e5">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /orgauthorities/*/items/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.414</createdAt>
+    </permission>
+    <permission csid="c0149cbb-a984-4e32-8302-c045a3e82bf2">
+        <description>generated readonly permission</description>
+        <resourceName>organizations</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.415</createdAt>
+    </permission>
+    <permission csid="b2e0c247-9e3b-4bf3-a956-8b98a8505263">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /orgauthorities/*/items/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.415</createdAt>
+    </permission>
+    <permission csid="35cb8d8b-4309-4177-9c1c-157dbeb36f5d">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /orgauthorities/*/items/*/refobjs
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.415</createdAt>
+    </permission>
+    <permission csid="c890f437-7356-4bcd-b5b1-0e36b13e6358">
+        <description>generated readonly permission</description>
+        <resourceName>personauthorities</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.416</createdAt>
+    </permission>
+    <permission csid="778904e1-8b67-4ace-af24-8b756385ce80">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.416</createdAt>
+    </permission>
+    <permission csid="d531417d-b61b-471c-90ff-f21969f00e4c">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /personauthorities/*/items/*/refobjs
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.417</createdAt>
+    </permission>
+    <permission csid="46581f00-1338-417d-9ff5-1250a8eb5e3c">
+        <description>generated readonly permission</description>
+        <resourceName>persons</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.417</createdAt>
+    </permission>
+    <permission csid="b707073a-6c2f-4bc5-b8b2-800be7cc17ec">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /personauthorities/*/items/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.417</createdAt>
+    </permission>
+    <permission csid="88832e9b-0f62-406e-8a64-ea61d53153ed">
+        <description>generated readonly permission</description>
+        <resourceName>locationauthorities</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.418</createdAt>
+    </permission>
+    <permission csid="5b8c3d7d-f027-4675-9edf-1f7733ce360d">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /locationauthorities/*/items/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.418</createdAt>
+    </permission>
+    <permission csid="a73bebb8-d109-4fbd-aa29-f71766eac61a">
+        <description>generated readonly permission</description>
+        <resourceName>locations</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.418</createdAt>
+    </permission>
+    <permission csid="7d6dcff6-167f-4634-a35d-ec635e34fc60">
+        <description>generated readonly permission</description>
+        <resourceName>acquisitions</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.419</createdAt>
+    </permission>
+    <permission csid="2007cc99-7208-4238-9792-bceb5df78733">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /acquisitions/*/authorityrefs/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.419</createdAt>
+    </permission>
+    <permission csid="94594f80-9ae2-4f51-b1f1-21e49bca2f5e">
+        <description>generated readonly permission</description>
+        <resourceName>relations</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.419</createdAt>
+    </permission>
+    <permission csid="e75b9dd6-737a-43cd-b847-c8effa3d6055">
+        <description>generated readonly permission</description>
+        <resourceName>
+                relations/subject/*/type/*/object/*
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.420</createdAt>
+    </permission>
+    <permission csid="da6da169-41d0-4f7f-a246-e7a9c96967de">
+        <description>generated readonly permission</description>
+        <resourceName>accounts</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.420</createdAt>
+    </permission>
+    <permission csid="8b1fc4c6-1610-490d-8972-17ac113b36d9">
+        <description>generated readonly permission</description>
+        <resourceName>dimensions</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.421</createdAt>
+    </permission>
+    <permission csid="97455f0e-2064-4667-9bfe-540a05b571ae">
+        <description>generated readonly permission</description>
+        <resourceName>contacts</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.421</createdAt>
+    </permission>
+    <permission csid="10655b0e-d168-4ac5-96fc-5ff88621aaee">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /personauthorities/*/items/*/contacts
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.421</createdAt>
+    </permission>
+    <permission csid="1209a058-b37e-438d-906a-03bc49a4928c">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /orgauthorities/*/items/*/contacts
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.422</createdAt>
+    </permission>
+    <permission csid="eb97ccdf-daaa-436e-bd40-f86e3d7dc8d0">
+        <description>generated readonly permission</description>
+        <resourceName>notes</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.422</createdAt>
+    </permission>
+    <permission csid="655fb068-d229-47e0-b636-48e53217d070">
+        <description>generated readonly permission</description>
+        <resourceName>authorization/roles</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.422</createdAt>
+    </permission>
+    <permission csid="556204b7-df13-40fe-8185-ac4e9924a033">
+        <description>generated readonly permission</description>
+        <resourceName>authorization/permissions</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.423</createdAt>
+    </permission>
+    <permission csid="3d5ecccd-37a5-4185-88b3-66aa1def43b5">
+        <description>generated readonly permission</description>
+        <resourceName>authorization/permissions/permroles</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.423</createdAt>
+    </permission>
+    <permission csid="049d792a-f1c7-42de-8d88-c09a1143340f">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /authorization/permissions/*/permroles/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.423</createdAt>
+    </permission>
+    <permission csid="b85355db-2c33-4469-bb27-bf4fb1ac4039">
+        <description>generated readonly permission</description>
+        <resourceName>accounts/accountroles</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.424</createdAt>
+    </permission>
+    <permission csid="ce37cf6c-a550-49de-9bdf-0ede7cafb617">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /accounts/*/accountroles/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.424</createdAt>
+    </permission>
+    <permission csid="e1af00a3-a7c9-441f-a48c-f9698f47298a">
+        <description>generated readonly permission</description>
+        <resourceName>authorization/roles/permroles</resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.424</createdAt>
+    </permission>
+    <permission csid="8fc74578-d253-4eb7-a0e3-43bc70a88a62">
+        <description>generated readonly permission</description>
+        <resourceName>
+                /authorization/roles/*/permroles/
+            </resourceName>
+        <action>
+            <name>READ</name>
+        </action>
+        <action>
+            <name>SEARCH</name>
+        </action>
+        <effect>PERMIT</effect>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.424</createdAt>
     </permission>
 </ns2:permissions_list>
diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-roles.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-roles.xml
new file mode 100644
index 000000000..6f91dec3c
--- /dev/null
+++ b/services/authorization-mgt/import/src/main/resources/import-data/import-roles.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:roles_list xmlns:ns2="http://collectionspace.org/services/authorization">
+    <role csid="ad3a2b4c-ef74-47f0-bdb0-f6a906acd370">
+        <roleName>ROLE_TENANT_ADMINISTRATOR</roleName>
+        <description>generated tenant admin role</description>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.372</createdAt>
+    </role>
+    <role csid="25f537c9-a213-41de-97f0-18524d5f4eb2">
+        <roleName>ROLE_TENANT_READER</roleName>
+        <description>generated tenant read only role</description>
+        <tenant_id>1</tenant_id>
+        <createdAt>2010-06-04T14:14:37.386</createdAt>
+    </role>
+</ns2:roles_list>
diff --git a/services/authorization-mgt/import/src/main/resources/log4j.properties b/services/authorization-mgt/import/src/main/resources/log4j.properties
index f7a8333e9..60709b206 100644
--- a/services/authorization-mgt/import/src/main/resources/log4j.properties
+++ b/services/authorization-mgt/import/src/main/resources/log4j.properties
@@ -21,6 +21,6 @@ log4j.logger.org.collectionspace=DEBUG
 log4j.logger.org.apache=INFO
 log4j.logger.httpclient=INFO
 log4j.logger.org.jboss.resteasy=INFO
-log4j.logger.org.hibernate=INFO
+log4j.logger.org.hibernate=WARN
 log4j.logger.org.hibernate.cfg=WARN
 log4j.logger.org.springframework=INFO
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
index ae4303a80..c863d5449 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
@@ -141,21 +141,7 @@ public class PermissionRoleDocumentHandler
         } else {
             //subject mismatch should have been checked during validation
         }
-        if (subject.equals(SubjectType.ROLE)) {
-            //FIXME: potential index out of bounds exception...negative test needed
-            PermissionValue pv = pr.getPermissions().get(0);
-            for (RoleValue rv : pr.getRoles()) {
-                PermissionRoleRel prr = buildPermissonRoleRel(pv, rv);
-                prrl.add(prr);
-            }
-        } else if (SubjectType.PERMISSION.equals(subject)) {
-            //FIXME: potential index out of bounds exception...negative test needed
-            RoleValue rv = pr.getRoles().get(0);
-            for (PermissionValue pv : pr.getPermissions()) {
-                PermissionRoleRel prr = buildPermissonRoleRel(pv, rv);
-                prrl.add(prr);
-            }
-        }
+        PermissionRoleUtil.buildPermissionRoleRel(pr, subject, prrl);
     }
 
     @Override
@@ -210,13 +196,4 @@ public class PermissionRoleDocumentHandler
         rv.setRoleName(prr.getRoleName());
         return rv;
     }
-
-    private PermissionRoleRel buildPermissonRoleRel(PermissionValue pv, RoleValue rv) {
-        PermissionRoleRel prr = new PermissionRoleRel();
-        prr.setPermissionId(pv.getPermissionId());
-        prr.setPermissionResource(pv.getResourceName());
-        prr.setRoleId(rv.getRoleId());
-        prr.setRoleName(rv.getRoleName());
-        return prr;
-    }
 }
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleUtil.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleUtil.java
index 77e702128..6af23e53c 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleUtil.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleUtil.java
@@ -23,7 +23,11 @@
  */
 package org.collectionspace.services.authorization.storage;
 
+import java.util.List;
 import org.collectionspace.services.authorization.PermissionRole;
+import org.collectionspace.services.authorization.PermissionRoleRel;
+import org.collectionspace.services.authorization.PermissionValue;
+import org.collectionspace.services.authorization.RoleValue;
 import org.collectionspace.services.authorization.SubjectType;
 import org.collectionspace.services.common.context.ServiceContext;
 import org.collectionspace.services.common.context.ServiceContextProperties;
@@ -37,14 +41,13 @@ public class PermissionRoleUtil {
     static SubjectType getRelationSubject(ServiceContext ctx) {
         Object o = ctx.getProperty(ServiceContextProperties.SUBJECT);
         if (o == null) {
-            throw new IllegalArgumentException(ServiceContextProperties.SUBJECT +
-                    " property is missing in context "
+            throw new IllegalArgumentException(ServiceContextProperties.SUBJECT
+                    + " property is missing in context "
                     + ctx.toString());
         }
         return (SubjectType) o;
     }
 
-
     static SubjectType getRelationSubject(ServiceContext ctx, PermissionRole pr) {
         SubjectType subject = pr.getSubject();
         if (subject == null) {
@@ -53,4 +56,39 @@ public class PermissionRoleUtil {
         }
         return subject;
     }
+
+    /**
+     * buildPermissionRoleRel builds persistent relationship entities from given
+     * permissionrole
+     * @param pr permissionrole
+     * @param subject
+     * @param prrl persistent entities built are inserted into this list
+     */
+    static public void buildPermissionRoleRel(PermissionRole pr, SubjectType subject, List<PermissionRoleRel> prrl) {
+
+        if (subject.equals(SubjectType.ROLE)) {
+            //FIXME: potential index out of bounds exception...negative test needed
+            PermissionValue pv = pr.getPermissions().get(0);
+            for (RoleValue rv : pr.getRoles()) {
+                PermissionRoleRel prr = buildPermissonRoleRel(pv, rv);
+                prrl.add(prr);
+            }
+        } else if (SubjectType.PERMISSION.equals(subject)) {
+            //FIXME: potential index out of bounds exception...negative test needed
+            RoleValue rv = pr.getRoles().get(0);
+            for (PermissionValue pv : pr.getPermissions()) {
+                PermissionRoleRel prr = buildPermissonRoleRel(pv, rv);
+                prrl.add(prr);
+            }
+        }
+    }
+    
+    static private PermissionRoleRel buildPermissonRoleRel(PermissionValue pv, RoleValue rv) {
+        PermissionRoleRel prr = new PermissionRoleRel();
+        prr.setPermissionId(pv.getPermissionId());
+        prr.setPermissionResource(pv.getResourceName());
+        prr.setRoleId(rv.getRoleId());
+        prr.setRoleName(rv.getRoleName());
+        return prr;
+    }
 }
diff --git a/services/authorization/pstore/src/main/resources/db/mysql/test_authorization.sql b/services/authorization/pstore/src/main/resources/db/mysql/test_authorization.sql
index de65dd610..8648e1fd4 100644
--- a/services/authorization/pstore/src/main/resources/db/mysql/test_authorization.sql
+++ b/services/authorization/pstore/src/main/resources/db/mysql/test_authorization.sql
@@ -5,20 +5,15 @@
 --
 use cspace;
 
-insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('1', 'ROLE_ADMINISTRATOR', 'admin', '2010-02-17 16:31:48', '0');
-insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('2', 'ROLE_USERS', 'collections', '2010-02-17 16:31:48', '1');
-insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('3', 'ROLE_COLLECTIONS_MANAGER', 'collections', '2010-02-17 16:31:48', '1');
-insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('4', 'ROLE_COLLECTIONS_REGISTRAR', 'collections', '2010-02-17 16:31:48', '1');
+insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('1', 'ROLE_ADMINISTRATOR', 'CollectionSpace Administrator', '2010-02-17 16:31:48', '0');
+insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('2', 'ROLE_USERS', 'a role for security testing', '2010-02-17 16:31:48', '1');
 
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('eeca40d7-dc77-4cc5-b489-16a53c75525a', 'test', '1', 'ROLE_ADMINISTRATOR', '2010-02-17 16:31:48');
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('eeca40d7-dc77-4cc5-b489-16a53c75525a', 'test', '2', 'ROLE_USERS', '2010-02-17 16:31:48');
-insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('eeca40d7-dc77-4cc5-b489-16a53c75525a', 'test', '3', 'ROLE_COLLECTIONS_MANAGER', '2010-02-17 16:31:48');
 
 -- Additional account introduced during integration on release 0.6, and currently relied upon by the Application Layer.
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('251f98f3-0292-4f3e-aa95-455314050e1b', 'test@collectionspace.org', '1', 'ROLE_ADMINISTRATOR', '2010-05-03 12:35:00');
-insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('251f98f3-0292-4f3e-aa95-455314050e1b', 'test@collectionspace.org', '2', 'ROLE_USERS', '2010-05-03 12:35:00');
-insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('251f98f3-0292-4f3e-aa95-455314050e1b', 'test@collectionspace.org', '3', 'ROLE_COLLECTIONS_MANAGER', '2010-05-03 12:35:00');
 
 -- todo: barney is created in security test but accountrole is not yet created there, so add fake account id
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('1', 'barney', '2', 'ROLE_USERS', '2010-02-17 16:31:48');
-insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('1', 'barney', '3', 'ROLE_COLLECTIONS_MANAGER', '2010-02-17 16:31:48');
+