From: Sanjay Dalal Date: Wed, 26 May 2010 17:05:34 +0000 (+0000) Subject: CSPACE-1364, CSPACE-1365 X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=88d8556aca7ad4f5e5074282867f1db2bd119e57;p=tmp%2Fjakarta-migration.git CSPACE-1364, CSPACE-1365 Enabled access control for all the services at the record/procedure type level. Permissions are seeded (authorization-mgt/import) for ROLE_ADMINISTRATOR using the tenant bindings. Seeding still happens through a test driver in the import module...would be moved to a Java main class later. Tests do/should not delete the seeded permissions...fixed those tests that were doing so. These tests now either do not delete permissions or create permissions for non-functional services. Wired delete for account role and permission role sub resources. All alternate URIs with which a service could be accessed should be in service bindings element named uriPath test: all tests multiple times !!NOTE!! cd trunk/services ant create_db mvn clean install -DskipTests ant undeploy deploy mvn test If you are not running all the tests, at least seed default permissions using the following cd trunk/services/authorization-mgt/import mvn test M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java M trunk/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java M trunk/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml M trunk/services/authorization-mgt/import/src/test/resources/log4j.properties M 
trunk/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java M trunk/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java M trunk/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml M trunk/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml M trunk/services/authorization-mgt/import/pom.xml M trunk/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java M trunk/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java M trunk/services/pom.xml M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java M trunk/services/authorization/service/src/main/resources/applicationContext-authorization.xml _M trunk/services/location/jaxb M trunk/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java M 
trunk/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java M trunk/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java M trunk/services/common/src/main/config/services/tenant-bindings.xml M trunk/services/common/src/main/resources/service.xsd M trunk/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java M trunk/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java _M trunk/services/note/service _M trunk/services/note/jaxb _M trunk/services/note/client M trunk/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java M trunk/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java --- diff --git a/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java b/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java index 1b8ae04b3..052f7115a 100644 --- a/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java +++ b/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java 
@@ -145,13 +145,13 @@ public class AccountResource return response; } catch (BadRequestException bre) { Response response = Response.status( - Response.Status.BAD_REQUEST).entity(ServiceMessages.POST_FAILED + - bre.getErrorReason()).type("text/plain").build(); + Response.Status.BAD_REQUEST).entity(ServiceMessages.POST_FAILED + + bre.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (UnauthorizedException ue) { Response response = Response.status( - Response.Status.UNAUTHORIZED).entity(ServiceMessages.POST_FAILED + - ue.getErrorReason()).type("text/plain").build(); + Response.Status.UNAUTHORIZED).entity(ServiceMessages.POST_FAILED + + ue.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (Exception e) { if (logger.isDebugEnabled()) { @@ -194,8 +194,8 @@ public class AccountResource result = (AccountsCommon) ctx.getOutput(); } catch (UnauthorizedException ue) { Response response = Response.status( - Response.Status.UNAUTHORIZED).entity(ServiceMessages.GET_FAILED + - ue.getErrorReason()).type("text/plain").build(); + Response.Status.UNAUTHORIZED).entity(ServiceMessages.GET_FAILED + + ue.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (DocumentNotFoundException dnfe) { if (logger.isDebugEnabled()) { @@ -211,8 +211,8 @@ public class AccountResource } logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e); Response response = Response.status( - Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.GET_FAILED + - ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); + Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.GET_FAILED + + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); throw new WebApplicationException(response); } 
@@ -249,8 +249,8 @@ public class AccountResource accountList = (AccountsCommonList) handler.getCommonPartList(); } catch (UnauthorizedException ue) { Response response = Response.status( - Response.Status.UNAUTHORIZED).entity(ServiceMessages.LIST_FAILED + - ue.getErrorReason()).type("text/plain").build(); + Response.Status.UNAUTHORIZED).entity(ServiceMessages.LIST_FAILED + + ue.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (Exception e) { @@ -259,8 +259,8 @@ public class AccountResource } logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e); Response response = Response.status( - Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.LIST_FAILED + - ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); + Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.LIST_FAILED + + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); throw new WebApplicationException(response); } return accountList; @@ -297,13 +297,13 @@ public class AccountResource result = (AccountsCommon) ctx.getOutput(); } catch (BadRequestException bre) { Response response = Response.status( - Response.Status.BAD_REQUEST).entity(ServiceMessages.PUT_FAILED + - bre.getErrorReason()).type("text/plain").build(); + Response.Status.BAD_REQUEST).entity(ServiceMessages.PUT_FAILED + + bre.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (UnauthorizedException ue) { Response response = Response.status( - Response.Status.UNAUTHORIZED).entity(ServiceMessages.PUT_FAILED + - ue.getErrorReason()).type("text/plain").build(); + Response.Status.UNAUTHORIZED).entity(ServiceMessages.PUT_FAILED + + ue.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (DocumentNotFoundException dnfe) { if (logger.isDebugEnabled()) { 
@@ -316,8 +316,8 @@ public class AccountResource } catch (Exception e) { logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e); Response response = Response.status( - Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.PUT_FAILED + - ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); + Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.PUT_FAILED + + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); throw new WebApplicationException(response); } return result; @@ -347,7 +347,7 @@ public class AccountResource try { //FIXME ideally the following two ops shoudl be in the same tx CSPACE-658 //delete all relationships - AccountRoleSubResource subResource = new AccountRoleSubResource(); + AccountRoleSubResource subResource = new AccountRoleSubResource("accounts/accountroles"); subResource.deleteAccountRole(csid, SubjectType.ROLE); ServiceContext ctx = createServiceContext((AccountsCommon) null, AccountsCommon.class); @@ -355,8 +355,8 @@ public class AccountResource return Response.status(HttpResponseCodes.SC_OK).build(); } catch (UnauthorizedException ue) { Response response = Response.status( - Response.Status.UNAUTHORIZED).entity(ServiceMessages.DELETE_FAILED + - ue.getErrorReason()).type("text/plain").build(); + Response.Status.UNAUTHORIZED).entity(ServiceMessages.DELETE_FAILED + + ue.getErrorReason()).type("text/plain").build(); throw new WebApplicationException(response); } catch (DocumentNotFoundException dnfe) { @@ -370,8 +370,8 @@ public class AccountResource } catch (Exception e) { logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e); Response response = Response.status( - Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.DELETE_FAILED + - ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); + Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.DELETE_FAILED + + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); throw new WebApplicationException(response); } 
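Review bot: In the `@@ -347,7 +347,7 @@` hunk the account-delete path passes the literal `"accounts/accountroles"`, while the create, get and delete account-role paths changed in this same commit pass `AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE`. The comment on the field in AccountRoleSubResource says this name identifies the service binding, so a later change to the constant would leave account deletion running under a stale name. Use `new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE)` here as well. The enclosing delete method starts and ends outside the hunk.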
@@ -387,13 +387,14 @@ public class AccountResource if (accCsid == null || "".equals(accCsid)) { logger.error("createAccountRole: missing accCsid!"); Response response = Response.status(Response.Status.BAD_REQUEST).entity( - ServiceMessages.POST_FAILED + "accountroles account " + - ServiceMessages.MISSING_INVALID_CSID + accCsid).type( + ServiceMessages.POST_FAILED + "accountroles account " + + ServiceMessages.MISSING_INVALID_CSID + accCsid).type( "text/plain").build(); throw new WebApplicationException(response); } try { - AccountRoleSubResource subResource = new AccountRoleSubResource(); + AccountRoleSubResource subResource = + new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE); String accrolecsid = subResource.createAccountRole(input, SubjectType.ROLE); UriBuilder path = UriBuilder.fromResource(AccountResource.class); path.path(accCsid + "/accountroles/" + accrolecsid); @@ -416,8 +417,8 @@ public class AccountResource logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e); Response response = Response.status( Response.Status.INTERNAL_SERVER_ERROR).entity( - ServiceMessages.POST_FAILED + - ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); + ServiceMessages.POST_FAILED + + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build(); throw new WebApplicationException(response); } } 
@@ -433,14 +434,15 @@ public class AccountResource if (accCsid == null || "".equals(accCsid)) { logger.error("getAccountRole: missing accCsid!"); Response response = Response.status(Response.Status.BAD_REQUEST).entity( - ServiceMessages.GET_FAILED + "accountroles account " + - ServiceMessages.MISSING_INVALID_CSID + accCsid).type( + ServiceMessages.GET_FAILED + "accountroles account " + + ServiceMessages.MISSING_INVALID_CSID + accCsid).type( "text/plain").build(); throw new WebApplicationException(response); } AccountRole result = null; try { - AccountRoleSubResource subResource = new AccountRoleSubResource(); + AccountRoleSubResource subResource = + new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE); //get relationships for an account result = subResource.getAccountRole(accCsid, SubjectType.ROLE); } catch (UnauthorizedException ue) { @@ -486,13 +488,14 @@ public class AccountResource if (accCsid == null || "".equals(accCsid)) { logger.error("deleteAccountRole: missing accCsid!"); Response response = Response.status(Response.Status.BAD_REQUEST).entity( - ServiceMessages.DELETE_FAILED + "accountroles account " + - ServiceMessages.MISSING_INVALID_CSID + accCsid).type( + ServiceMessages.DELETE_FAILED + "accountroles account " + + ServiceMessages.MISSING_INVALID_CSID + accCsid).type( "text/plain").build(); throw new WebApplicationException(response); } try { - AccountRoleSubResource subResource = new AccountRoleSubResource(); + AccountRoleSubResource subResource = + new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE); //delete all relationships for an account subResource.deleteAccountRole(accCsid, SubjectType.ROLE); return Response.status(HttpResponseCodes.SC_OK).build(); 
diff --git a/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java b/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java index 6793b8457..e10c18ea0 100644 --- a/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java +++ b/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java @@ -46,18 +46,30 @@ import org.slf4j.LoggerFactory; public class AccountRoleSubResource extends AbstractCollectionSpaceResourceImpl { + final public static String ACCOUNT_ACCOUNTROLE_SERVICE = "accounts/accountroles"; + final public static String ROLE_ACCOUNTROLE_SERVICE = "roles/accountroles"; + //this service is never exposed as standalone RESTful service...just use unique //service name to identify binding /** The service name. */ - final private String serviceName = "accounts/accountroles"; + private String serviceName = ACCOUNT_ACCOUNTROLE_SERVICE; /** The logger. */ final Logger logger = LoggerFactory.getLogger(AccountRoleSubResource.class); /** The storage client. */ final StorageClient storageClient = new JpaRelationshipStorageClient(); + /** + * + * @param serviceName qualified service path + */ + AccountRoleSubResource(String serviceName) { + this.serviceName = serviceName; + } + /* (non-Javadoc) * @see org.collectionspace.services.common.AbstractCollectionSpaceResourceImpl#getVersionString() */ + @Override protected String getVersionString() { /** The last change revision. */ @@ -176,7 +188,6 @@ public class AccountRoleSubResource logger.debug("deleteAccountRole with csid=" + csid); } ServiceContext ctx = createServiceContext((AccountRole) null, subject); - DocumentHandler handler = createDocumentHandler(ctx); - getStorageClient(ctx).delete(ctx, csid, handler); + getStorageClient(ctx).delete(ctx, csid); } } 
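Review bot: The constructor added in the `@@ -46,18 +46,30 @@` hunk stores `serviceName` without any check, and the field lost `final` although it is only ever assigned at construction. Because the name identifies the binding this sub-resource runs under, a null or mistyped value would presumably only show up later, when the service context is built. Keep the field as `private final String serviceName;` without the initializer and accept only the two declared names, e.g. `if (!ACCOUNT_ACCOUNTROLE_SERVICE.equals(serviceName) && !ROLE_ACCOUNTROLE_SERVICE.equals(serviceName)) throw new IllegalArgumentException(serviceName);`. The new Javadoc has an empty summary line; one sentence naming the valid values would make the contract clear. The class body continues outside the hunk.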
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java index c2121a313..20a9d810c 100644 --- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java +++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java @@ -73,7 +73,8 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { /** The all resource ids created. */ private List allResourceIdsCreated = new ArrayList(); - + + final private static String TEST_SERVICE_NAME = "fakeservice"; /** The perm values. */ private Hashtable permValues = new Hashtable(); @@ -96,7 +97,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { */ @BeforeClass(alwaysRun = true) public void seedData() { - String ra = "accounts"; + String ra = TEST_SERVICE_NAME; String accPermId = createPermission(ra, EffectType.PERMIT); PermissionValue pva = new PermissionValue(); pva.setResourceName(ra); @@ -175,7 +176,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { setupCreate(testName); // Submit the request to the service and store the response. - PermissionValue pv = permValues.get("accounts"); + PermissionValue pv = permValues.get(TEST_SERVICE_NAME); PermissionRole permRole = createPermissionRoleInstance(pv, roleValues.values(), true, true); PermissionRoleClient client = new PermissionRoleClient(); 
@@ -254,7 +255,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { // Submit the request to the service and store the response. PermissionRoleClient client = new PermissionRoleClient(); ClientResponse res = client.read( - permValues.get("accounts").getPermissionId(), "123"); + permValues.get(TEST_SERVICE_NAME).getPermissionId(), "123"); int statusCode = res.getStatus(); // Check the status code of the response: does it match @@ -383,7 +384,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { // Submit the request to the service and store the response. PermissionRoleClient client = new PermissionRoleClient(); ClientResponse res = client.delete( - permValues.get("accounts").getPermissionId(), "123"); + permValues.get(TEST_SERVICE_NAME).getPermissionId(), "123"); int statusCode = res.getStatus(); // Check the status code of the response: does it match @@ -424,7 +425,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl { // Submit the request to the service and store the response. String method = ServiceRequestType.READ.httpMethodName(); - String url = getResourceURL(permValues.get("accounts").getPermissionId()); + String url = getResourceURL(permValues.get(TEST_SERVICE_NAME).getPermissionId()); int statusCode = submitRequest(method, url); // Check the status code of the response: does it match diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java index 06cafd955..303547858 100644 --- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java +++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java 
@@ -197,8 +197,8 @@ public class PermissionServiceTest extends AbstractServiceTestImpl { setupCreate(testName); // Submit the request to the service and store the response. List actions = PermissionFactory.createDefaultActions(); - Permission permission1 = createPermissionInstance("collectionobjects", - "default permissions for collectionobjects", + Permission permission1 = createPermissionInstance("test-objects", + "default permissions for test-objects", actions, EffectType.PERMIT, true, @@ -212,8 +212,8 @@ public class PermissionServiceTest extends AbstractServiceTestImpl { Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE); allResourceIdsCreated.add(extractId(res)); - Permission permission2 = createPermissionInstance("acquisitions", - "default permissions for acquisitions", + Permission permission2 = createPermissionInstance("test-acquisitions", + "default permissions for test-acquisitions", actions, EffectType.PERMIT, true, @@ -226,7 +226,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl { Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE); allResourceIdsCreated.add(extractId(res)); - Permission permission3 = createPermissionInstance("ids", + Permission permission3 = createPermissionInstance("test-ids", "default permissions for id service", actions, EffectType.PERMIT, @@ -549,8 +549,8 @@ public class PermissionServiceTest extends AbstractServiceTestImpl { // The only relevant ID may be the one used in updatePermission(), below. PermissionClient client = new PermissionClient(); List actions = PermissionFactory.createDefaultActions(); - Permission permission = createPermissionInstance("acquisitions", - "default permissions for acquisitions", + Permission permission = createPermissionInstance("test-acquisitions", + "default permissions for test-acquisitions", actions, EffectType.PERMIT, true, diff --git a/services/authorization-mgt/import/pom.xml b/services/authorization-mgt/import/pom.xml index 56da2d481..afaff3a63 100644 
--- a/services/authorization-mgt/import/pom.xml +++ b/services/authorization-mgt/import/pom.xml @@ -116,40 +116,45 @@ test - - - cspace-services-authorization-mgt-import - - - org.apache.maven.plugins - maven-surefire-plugin - - - - log4j.configuration - file:${project.build.directory}/test-classes/log4j.properties - - - importdir - ${basedir}/src/main/resources/import-data/ - - - exportdir - ${basedir}/src/main/resources/import-data/ - - - tenantbindings - ${basedir}/../../common/src/main/config/services/tenant-bindings.xml - - - spring-beans-config - applicationContext-authorization-test.xml - - - - - - + + + + cspace-services-authorization-mgt-import + + + org.apache.maven.plugins + maven-surefire-plugin + + + + log4j.configuration + file:${project.build.directory}/test-classes/log4j.properties + + + importdir + ${basedir}/src/main/resources/import-data/ + + + exportdir + ${basedir}/src/main/resources/import-data/ + + + tenantbindings + ${basedir}/../../common/src/main/config/services/tenant-bindings.xml + + + spring-beans-config + applicationContext-authorization-test.xml + + + + + + + diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java index 0d48a2704..4b3164421 100644 --- a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java +++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java 
@@ -60,6 +60,7 @@ public class AuthorizationGen { private List permRoleList = new ArrayList(); private Hashtable tenantBindings = new Hashtable(); + final public static String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR"; public void initialize(String tenantBindingFileName) throws Exception { TenantBindingConfigReaderImpl tenantBindingConfigReader = @@ -71,7 +72,6 @@ public class AuthorizationGen { } } - public void createDefaultServicePermissions() { for (String tenantId : tenantBindings.keySet()) { List perms = createDefaultServicePermissions(tenantId); @@ -83,15 +83,25 @@ public class AuthorizationGen { ArrayList apcList = new ArrayList(); TenantBindingType tbinding = tenantBindings.get(tenantId); for (ServiceBindingType sbinding : tbinding.getServiceBindings()) { - Permission accPerm = buildCommonPermission(tbinding.getId(), - sbinding.getName()); - apcList.add(accPerm); + + //add permissions for the main path + Permission perm = buildCommonPermission(tbinding.getId(), + sbinding.getName().toLowerCase()); + apcList.add(perm); + + //add permissions for alternate paths + List uriPaths = sbinding.getUriPath(); + for (String uriPath : uriPaths) { + perm = buildCommonPermission(tbinding.getId(), + uriPath.toLowerCase()); + apcList.add(perm); + } + } return apcList; } - private Permission buildCommonPermission(String tenantId, String resourceName) { String id = UUID.randomUUID().toString(); Permission perm = new Permission(); 
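Review bot: In the `@@ -83,15 +83,25 @@` hunk the binding name and every `uriPath` become permission resource names after nothing more than `toLowerCase()`, which depends on the JVM default locale and leaves slashes as written. The seed data exported in this same commit shows the result: `/idgenerators/*/ids` has no trailing slash, `/collectionobjects/*/authorityrefs/` has one, `relations/subject/*/type/*/object/*` has no leading slash, and `/personauthorities/*/items/` is emitted twice under different permission ids. Use `toLowerCase(Locale.ENGLISH)` and normalize the path form in one place, ideally the same routine the request-time check uses (not visible in this diff), and skip a resource name already added for the tenant. The method signature of `createDefaultServicePermissions(String)` lies outside the hunk.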
@@ -124,26 +134,33 @@ public class AuthorizationGen { return permList; } - public void createDefaultPermissionsRoles(String roleName) { + public void createDefaultPermissionsRoles() { for (Permission p : permList) { - PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(), - p.getResourceName(), roleName); - permRoleList.add(permRole); + TenantBindingType tbinding = tenantBindings.get(p.getTenantId()); +// String tenantAdminRole = getTenantAdminRole(tbinding.getName()); +// PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(), +// p.getResourceName(), tenantAdminRole, "999"); +// permRoleList.add(permRole); + + //CSpace Administrator has all access + PermissionRole permAdmRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(), + p.getResourceName(), ROLE_ADMINISTRATOR, "1"); + permRoleList.add(permAdmRole); } } - public List createPermissionsRoles(List perms, String roleName) { + public List createPermissionsRoles(List perms, String roleName, String roleId) { List permRoles = new ArrayList(); for (Permission p : perms) { PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(), - p.getResourceName(), roleName); + p.getResourceName(), roleName, roleId); permRoles.add(permRole); } return permRoles; } private PermissionRole buildCommonPermissionRoles(String tenantId, String permId, - String resName, String roleName) { + String resName, String roleName, String roleId) { PermissionRole pr = new PermissionRole(); pr.setSubject(SubjectType.ROLE); 
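Review bot: `createDefaultPermissionsRoles()` now grants every generated permission, for every tenant in `tenantBindings`, to the single global `ROLE_ADMINISTRATOR` with the hard-coded role id `"1"`. If the role stored in the target database carries a different id the seeded grants would presumably not line up, so give the value a name, `final public static String ROLE_ADMINISTRATOR_ID = "1";`, and document where that id is defined. The `tbinding` local is unused now that the tenant-admin lines are commented out; remove both, or replace them with a `// TODO` that references the tracking issue. Dropping the `roleName` parameter, and adding `roleId` to `createPermissionsRoles`, changes public signatures, which callers outside this diff need to follow.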
@@ -157,13 +174,24 @@ public class AuthorizationGen { List roleValues = new ArrayList(); RoleValue radmin = new RoleValue(); radmin.setRoleName(roleName.toUpperCase()); - radmin.setRoleId(tenantId); + radmin.setRoleId(roleId); roleValues.add(radmin); pr.setRoles(roleValues); return pr; } + /** + * getTenantAdminRole generates role for tenant administrator + * @param tenantName + * @return + */ + private String getTenantAdminRole(String tenantName) { + tenantName = tenantName.toUpperCase(); + tenantName = tenantName.replace(' ', '_'); + return ROLE_ADMINISTRATOR + "_" + tenantName; + } + public List getDefaultServicePermissionRoles() { return permRoleList; } diff --git a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java index 4ef03369a..8954b3e87 100644 --- a/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java +++ b/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java @@ -34,6 +34,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.collectionspace.services.authorization.AuthZ; import org.collectionspace.services.authorization.CSpaceAction; +import org.collectionspace.services.authorization.EffectType; import org.collectionspace.services.authorization.Permission; import org.collectionspace.services.authorization.PermissionAction; import org.collectionspace.services.authorization.PermissionException; 
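Review bot: `getTenantAdminRole` in the `@@ -157,13 +174,24 @@` hunk is a private method whose only call site in this diff is commented out, so it is dead code as committed; wire it in or leave it out until tenant-admin roles are actually seeded. If it stays, its Javadoc needs real `@param tenantName` and `@return` text, and `tenantName.toUpperCase()` should be `tenantName.toUpperCase(Locale.ENGLISH)`, since the result becomes a role name that is presumably matched as a plain string. Only spaces are replaced with `_`, so any other character in a tenant name passes straight into the role name; state the allowed character set or restrict it.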
@@ -117,7 +118,8 @@ public class AuthorizationSeed { CSpaceAction action = getAction(permAction.getName()); URIResourceImpl uriRes = new URIResourceImpl(perm.getTenantId(), perm.getResourceName(), action); - AuthZ.get().addPermissions(uriRes, principals.toArray(new String[0])); + boolean grant = perm.getEffect().equals(EffectType.PERMIT) ? true : false; + AuthZ.get().addPermissions(uriRes, principals.toArray(new String[0]), grant); } } diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml index 5b1f5fe91..ba1894f87 100644 --- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml +++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml @@ -3,7 +3,42 @@ ROLE - c254348f-e5d0-4db9-8634-ed0b47887826 + 6d0904e3-1c2a-4944-ad0a-af81137ad241 + idgenerators + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 7ca72d08-8540-406f-a209-635260a3e2e3 + id + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 98df1810-145f-4366-9f38-8081daf99aba + + /idgenerators/*/ids + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 1ceb338a-be76-4913-86dc-bb51f29228c9 collectionobjects @@ -14,7 +49,20 @@ ROLE - 964b5187-fda0-4e2d-8873-0c235acf1796 + 43ebe549-645a-4c0a-9b77-630d26120a6a + + /collectionobjects/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 447f0bbf-9025-4fbf-bc1e-e94b33e4fab4 intakes @@ -25,7 +73,20 @@ ROLE - e1eff972-65f0-4213-9d91-e5eaad58fd5d + 6ae8ba20-9d5c-4022-82fb-2147aaad5db5 + + /intakes/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 457959c6-26b4-4c27-9ef2-702b46388322 loansin @@ -36,7 +97,20 @@ ROLE - ded1f92e-6b57-43ee-bc94-19e32bae9822 + b6cf71bc-f0f9-429e-b1f8-2179174c26b4 + + /loansin/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 5ed1e42d-ac29-457e-b120-4e90ae64e5c0 loansout 
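Review bot: In the `@@ -117,7 +118,8 @@` hunk `perm.getEffect().equals(EffectType.PERMIT)` throws a NullPointerException when an imported permission carries no effect, which would stop the seeding loop part-way unless it is caught further up. Put the constant first and drop the redundant ternary: `boolean grant = EffectType.PERMIT.equals(perm.getEffect());`, so a missing effect can never turn into a grant. If a permission without an effect should be rejected rather than stored as a non-grant, check for it explicitly before `AuthZ.get().addPermissions(...)` and report the permission's resource name. The enclosing method starts and ends outside the hunk.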
@@ -47,7 +121,20 @@ ROLE - 428a7c8c-a3cf-4616-a439-65ce41566fba + 51398d80-c7cb-42bc-ae19-f8785e760d8a + + /loansout/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + f243161f-b4f7-49d3-a677-011aff503e4b movements @@ -58,7 +145,20 @@ ROLE - e2189ea7-1710-443a-a2a9-0c3d8ee256b1 + a4c44ee5-a2e4-4ae1-96f2-d518b52c671d + + /movements/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 05683f59-425c-4905-a409-afc431575f00 vocabularies @@ -69,7 +169,7 @@ ROLE - 9d132fbd-0f5a-42cb-bae3-117b2f71dff8 + 871a2940-e0f5-4b1e-883f-5c82f8b54bc1 vocabularyitems @@ -80,7 +180,20 @@ ROLE - 293a5a44-4e91-4bee-b85e-ceacd6e213bb + 59308529-1b27-4b64-a416-0e7c4111298d + + /vocabularies/*/items/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + ba1e62dc-a307-43ac-9bf4-c5ebd5b2c5a9 orgauthorities @@ -91,7 +204,20 @@ ROLE - c1a81f3f-e95d-4e04-bbdd-54b9f5c8ff86 + ea432445-4b14-4f95-8c7c-9df78aca1014 + + /orgauthorities/*/items/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + eb0fcb27-0fa4-4bef-926a-4d2c61fab1ae organizations @@ -102,7 +228,33 @@ ROLE - 986a2192-13cf-4985-a1ce-bf38337a1d2c + c1dd9142-3b30-4eda-a0ad-1500363d46f8 + + /orgauthorities/*/items/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 96f95210-28ab-4afc-bac9-60f36fac7f62 + + /orgauthorities/*/items/*/refobjs + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 7edd3f7a-5c1a-49fa-8637-a3a6060f774c personauthorities @@ -113,7 +265,33 @@ ROLE - a82b6feb-6dce-4029-9046-f2830f8b64fc + b349723a-b280-4529-9aec-65cc2c27ff7e + + /personauthorities/*/items/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + d984acd2-ece2-4237-9e09-a9338c8911dd + + /personauthorities/*/items/*/refobjs + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 3f497baa-d97f-433b-8a01-b01e8b5a583e persons 
@@ -124,7 +302,20 @@ ROLE - 314b45b4-b3d0-4b0c-bd9b-c9d4f41bf963 + cc6ed459-a4c9-4126-8753-ebdef3f6ab56 + + /personauthorities/*/items/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + a045f459-84e0-4f1d-ba4d-33b976b58dac locationauthorities @@ -135,7 +326,20 @@ ROLE - fd66abf5-6022-4e21-8f83-750ba5dc79be + da805588-5f6d-4ae5-8626-8c3d4fcbd6c2 + + /locationauthorities/*/items/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 3521bf00-a2b9-4a61-98c6-f46157bd70e5 locations @@ -146,7 +350,7 @@ ROLE - 10b20df4-d9bc-4b51-88bb-9051342c05c9 + 29bbddcd-64e3-4c72-8d4e-c7d2686ee30f acquisitions @@ -157,7 +361,20 @@ ROLE - 0f606175-cf1f-4c8b-9216-8fac556db213 + a497fed0-b2f9-49f1-aeac-e3a148ce8cde + + /acquisitions/*/authorityrefs/ + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 3203c248-2ad3-4b5c-8c9f-04d3608e2370 relations @@ -168,7 +385,20 @@ ROLE - 2537caa4-4859-43f4-a92b-630b38336f62 + 78ee728f-35e0-41d1-ae87-af1a84846bc8 + + relations/subject/*/type/*/object/* + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 749e6ff2-db57-40a2-8888-922c516a66db accounts @@ -179,7 +409,7 @@ ROLE - a1c13748-f404-4a72-a7b2-e0599316828c + 75c36eaa-ccf5-4122-b3cd-5a4b9a071a15 dimensions @@ -190,7 +420,7 @@ ROLE - ab6d047b-a685-4f7d-b708-846a155f1fea + 3d1b9ce5-2ad7-4e6a-a7d8-a125bdf2c8b6 contacts @@ -201,7 +431,33 @@ ROLE - d5f1cb1e-1aa7-48a2-a32b-4b9cca3b3169 + c0937cac-e60d-4d61-b1cc-6ba119e40faa + + /personauthorities/*/items/*/contacts + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 3c04ae32-03ff-4ef5-a6ed-13af7394417b + + /orgauthorities/*/items/*/contacts + + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + 6fc381f7-3220-4fab-a382-76bd1e56d8bf notes @@ -212,7 +468,7 @@ ROLE - eea3a150-0eb7-4061-937d-d35fbe11f55a + b9a7f2b4-443e-4b9c-8a0c-f21885001e10 authorization/roles @@ -223,7 +479,7 @@ ROLE - d694674b-fe0c-4769-8615-9e7f482bbbdc + 3978c246-704e-4a13-83f7-90c8f8c0e677 authorization/permissions 
@@ -234,8 +490,21 @@ ROLE - d712beb5-bd4c-435f-a631-ab5eccae0462 - authorization/permroles + 09a1e617-e852-4f42-a4c5-0c30388cd1f2 + authorization/permissions/permroles + + + 1 + ROLE_ADMINISTRATOR + + + + ROLE + + e8260135-bd04-472b-b19b-0a2859ce4710 + + /authorization/permissions/*/permroles/ + 1 @@ -245,7 +514,7 @@ ROLE - 85a25c1b-0cb7-4df1-a447-eee665e693f9 + fa6547b0-9539-4cee-b4e0-0110da144f47 accounts/accountroles @@ -253,4 +522,17 @@ ROLE_ADMINISTRATOR + + ROLE + + 9c3fdc8d-907b-4de9-99fd-3b3fe6e20296 + + /accounts/*/accountroles/ + + + + 1 + ROLE_ADMINISTRATOR + + diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml index f4b8757f0..afa860c8d 100644 --- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml +++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml @@ -1,6 +1,68 @@ - + + idgenerators + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + + id + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + + + /idgenerators/*/ids + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + collectionobjects CREATE @@ -20,7 +82,29 @@ PERMIT 1 - + + + /collectionobjects/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + intakes CREATE @@ -40,7 +124,29 @@ PERMIT 1 - + + + /intakes/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + loansin CREATE @@ -60,7 +166,29 @@ PERMIT 1 - + + + /loansin/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + loansout CREATE @@ -80,7 +208,29 @@ PERMIT 1 - + + + /loansout/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + movements CREATE 
@@ -100,7 +250,29 @@ PERMIT 1 - + + + /movements/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + vocabularies CREATE @@ -120,7 +292,7 @@ PERMIT 1 - + vocabularyitems CREATE @@ -140,7 +312,29 @@ PERMIT 1 - + + + /vocabularies/*/items/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + orgauthorities CREATE @@ -160,7 +354,29 @@ PERMIT 1 - + + + /orgauthorities/*/items/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + organizations CREATE @@ -180,7 +396,51 @@ PERMIT 1 - + + + /orgauthorities/*/items/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + + + /orgauthorities/*/items/*/refobjs + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + personauthorities CREATE @@ -200,7 +460,51 @@ PERMIT 1 - + + + /personauthorities/*/items/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + + + /personauthorities/*/items/*/refobjs + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + persons CREATE @@ -220,7 +524,29 @@ PERMIT 1 - + + + /personauthorities/*/items/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + locationauthorities CREATE @@ -240,7 +566,29 @@ PERMIT 1 - + + + /locationauthorities/*/items/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + locations CREATE @@ -260,7 +608,7 @@ PERMIT 1 - + acquisitions CREATE @@ -280,7 +628,29 @@ PERMIT 1 - + + + /acquisitions/*/authorityrefs/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + relations CREATE @@ -300,7 +670,29 @@ PERMIT 1 - + + + relations/subject/*/type/*/object/* + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + accounts CREATE @@ -320,7 +712,7 @@ PERMIT 1 - + dimensions CREATE @@ -340,7 +732,7 @@ PERMIT 1 - + contacts CREATE 
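Review bot: `/personauthorities/*/items/` is added twice in this file, once after `personauthorities` (hunk `-200,7 +460,51`) and again after `persons` (hunk `-220,7 +524,29`), and the permissions-roles file earlier in the commit lists it under two different permission ids. If the resource name plus action is what identifies the ACL, as URIResourceImpl.buildId suggests, both permission records map to the same ACL entries. AuthorizationDelegate.deletePermissions on either record would then remove the ACL that the other still relies on. The file appears to be exported by AuthorizationGen, so the fix probably belongs in the generator or the tenant bindings: emit one permission per distinct uriPath.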
@@ -360,7 +752,51 @@ PERMIT 1 - + + + /personauthorities/*/items/*/contacts + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + + + /orgauthorities/*/items/*/contacts + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + notes CREATE @@ -380,7 +816,7 @@ PERMIT 1 - + authorization/roles CREATE @@ -400,7 +836,7 @@ PERMIT 1 - + authorization/permissions CREATE @@ -420,8 +856,8 @@ PERMIT 1 - - authorization/permroles + + authorization/permissions/permroles CREATE @@ -440,7 +876,29 @@ PERMIT 1 - + + + /authorization/permissions/*/permroles/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + + accounts/accountroles CREATE @@ -460,4 +918,26 @@ PERMIT 1 + + + /accounts/*/accountroles/ + + + CREATE + + + READ + + + UPDATE + + + DELETE + + + SEARCH + + PERMIT + 1 + diff --git a/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java b/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java index d1e45006a..fdbef7311 100644 --- a/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java +++ b/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java @@ -48,7 +48,8 @@ public class AuthorizationSeedTest extends AbstractAuthorizationTestImpl { String tenantBindingFile = getTenantBindingFile(); authzGen.initialize(tenantBindingFile); authzGen.createDefaultServicePermissions(); - authzGen.createDefaultPermissionsRoles("ROLE_ADMINISTRATOR"); + //create default role(s) for the tenant and assign permissions + authzGen.createDefaultPermissionsRoles(); String exportDir = getExportDir(); authzGen.exportPermissions(exportDir + PERMISSION_FILE); authzGen.exportPermissionRoles(exportDir + PERMISSION_ROLE_FILE); 
diff --git a/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml b/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml index 856c38d94..d313fbc05 100644 --- a/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml +++ b/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml @@ -45,25 +45,25 @@ + - - - - - - - - - - - - - - - + + + + - + + + + + + + + + + + diff --git a/services/authorization-mgt/import/src/test/resources/log4j.properties b/services/authorization-mgt/import/src/test/resources/log4j.properties index f9c47870a..f7a8333e9 100644 --- a/services/authorization-mgt/import/src/test/resources/log4j.properties +++ b/services/authorization-mgt/import/src/test/resources/log4j.properties @@ -23,3 +23,4 @@ log4j.logger.httpclient=INFO log4j.logger.org.jboss.resteasy=INFO log4j.logger.org.hibernate=INFO log4j.logger.org.hibernate.cfg=WARN +log4j.logger.org.springframework=INFO diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java index d2530a0ce..1cdaedbb5 100644 --- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java +++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java @@ -185,7 +185,7 @@ public class PermissionResource } Permission result = null; try { - ServiceContext ctx = createServiceContext((Permission)null, Permission.class); + ServiceContext ctx = createServiceContext((Permission) null, Permission.class); DocumentHandler handler = createDocumentHandler(ctx); getStorageClient(ctx).get(ctx, csid, handler); result = (Permission) ctx.getOutput(); 
@@ -236,7 +236,7 @@ public class PermissionResource @Context UriInfo ui) { PermissionsList permissionList = new PermissionsList(); try { - ServiceContext ctx = createServiceContext((Permission)null, Permission.class); + ServiceContext ctx = createServiceContext((Permission) null, Permission.class); DocumentHandler handler = createDocumentHandler(ctx); MultivaluedMap queryParams = ui.getQueryParameters(); DocumentFilter myFilter = handler.createDocumentFilter(); @@ -349,14 +349,15 @@ public class PermissionResource try { //FIXME ideally the following two ops shoudl be in the same tx CSPACE-658 //delete all relationships for this permission - PermissionRoleSubResource subResource = new PermissionRoleSubResource(); + PermissionRoleSubResource subResource = + new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE); subResource.deletePermissionRole(csid, SubjectType.ROLE); //delete permissions at the provider too //at the PermissionRoleSubResource/DocHandler levels, there is no visibility //if permission is deleted AuthorizationDelegate.deletePermissions(csid); - - ServiceContext ctx = createServiceContext((Permission)null, Permission.class); + + ServiceContext ctx = createServiceContext((Permission) null, Permission.class); getStorageClient(ctx).delete(ctx, csid); return Response.status(HttpResponseCodes.SC_OK).build(); } catch (UnauthorizedException ue) { @@ -400,7 +401,8 @@ public class PermissionResource throw new WebApplicationException(response); } try { - PermissionRoleSubResource subResource = new PermissionRoleSubResource(); + PermissionRoleSubResource subResource = + new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE); String permrolecsid = subResource.createPermissionRole(input, SubjectType.ROLE); UriBuilder path = UriBuilder.fromResource(PermissionResource.class); path.path(permCsid + "/permroles/" + permrolecsid); 
@@ -447,7 +449,8 @@ public class PermissionResource } PermissionRole result = null; try { - PermissionRoleSubResource subResource = new PermissionRoleSubResource(); + PermissionRoleSubResource subResource = + new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE); //get relationships for a permission result = subResource.getPermissionRole(permCsid, SubjectType.ROLE); } catch (UnauthorizedException ue) { @@ -501,7 +504,8 @@ public class PermissionResource throw new WebApplicationException(response); } try { - PermissionRoleSubResource subResource = new PermissionRoleSubResource(); + PermissionRoleSubResource subResource = + new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE); //delete all relationships for a permission subResource.deletePermissionRole(permCsid, SubjectType.ROLE); return Response.status(HttpResponseCodes.SC_OK).build(); diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java index 931849cdb..b265607dc 100644 --- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java +++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java 
@@ -41,15 +41,20 @@ import org.slf4j.LoggerFactory; public class PermissionRoleSubResource extends AbstractCollectionSpaceResourceImpl { + public final static String ROLE_PERMROLE_SERVICE = "authorization/roles/permroles"; + public final static String PERMISSION_PERMROLE_SERVICE = "authorization/permissions/permroles"; //this service is never exposed as standalone RESTful service...just use unique //service name to identify binding /** The service name. */ - final private String serviceName = "authorization/permroles"; + private String serviceName = "authorization/permroles"; /** The logger. */ final Logger logger = LoggerFactory.getLogger(PermissionRoleSubResource.class); /** The storage client. */ final StorageClient storageClient = new JpaRelationshipStorageClient(); + public PermissionRoleSubResource(String serviceName) { + this.serviceName = serviceName; + } /* (non-Javadoc) * @see org.collectionspace.services.common.AbstractCollectionSpaceResourceImpl#getVersionString() */ @@ -177,7 +182,6 @@ public class PermissionRoleSubResource logger.debug("deletePermissionRole with csid=" + csid); } ServiceContext ctx = createServiceContext((PermissionRole) null, subject); - DocumentHandler handler = createDocumentHandler(ctx); - getStorageClient(ctx).delete(ctx, csid, handler); + getStorageClient(ctx).delete(ctx, csid); } } diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java index a4d7deabb..b103b552a 100644 --- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java +++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java 
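Review bot: The new constructor in PermissionRoleSubResource stores whatever `serviceName` it is given without validating it. The field also lost `final` while keeping the old `"authorization/permroles"` initializer, which is dead now that the only visible constructor overwrites it. The comment above the field says the name identifies the service binding, so a null or mistyped name would presumably resolve the wrong binding or none at all. I would declare `private final String serviceName;` and reject anything but the two constants, e.g. `if (!ROLE_PERMROLE_SERVICE.equals(serviceName) && !PERMISSION_PERMROLE_SERVICE.equals(serviceName)) throw new IllegalArgumentException("unknown service name " + serviceName);`. The class body continues outside the hunk.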
@@ -29,16 +29,17 @@ import org.collectionspace.services.authorization.ActionType; import org.collectionspace.services.authorization.AuthZ; import org.collectionspace.services.authorization.CSpaceAction; import org.collectionspace.services.authorization.CSpaceResource; +import org.collectionspace.services.authorization.EffectType; import org.collectionspace.services.authorization.Permission; import org.collectionspace.services.authorization.PermissionAction; import org.collectionspace.services.authorization.PermissionException; -import org.collectionspace.services.authorization.PermissionNotFoundException; import org.collectionspace.services.authorization.PermissionRole; import org.collectionspace.services.authorization.PermissionValue; import org.collectionspace.services.authorization.RoleValue; import org.collectionspace.services.authorization.SubjectType; import org.collectionspace.services.authorization.URIResourceImpl; import org.collectionspace.services.common.context.ServiceContext; +import org.collectionspace.services.common.document.DocumentNotFoundException; import org.collectionspace.services.common.storage.jpa.JpaStorageUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -65,18 +66,32 @@ public class AuthorizationDelegate { AuthZ authz = AuthZ.get(); if (subject.equals(SubjectType.ROLE)) { PermissionValue pv = pr.getPermissions().get(0); - CSpaceResource[] resources = getResources(pv.getPermissionId()); + Permission p = getPermission(pv.getPermissionId()); + if (p == null) { + String msg = "addPermissions: No permission found for id=" + pv.getPermissionId(); + logger.error(msg); + throw new DocumentNotFoundException(msg); + } + CSpaceResource[] resources = getResources(p); String[] roles = getRoles(pr.getRoles()); for (CSpaceResource res : resources) { - authz.addPermissions(res, roles); + boolean grant = p.getEffect().equals(EffectType.PERMIT) ? true : false; + authz.addPermissions(res, roles, grant); } } else if (SubjectType.PERMISSION.equals(subject)) { RoleValue rv = pr.getRoles().get(0); String[] roles = {rv.getRoleName()}; for (PermissionValue pv : pr.getPermissions()) { - CSpaceResource[] resources = getResources(pv.getPermissionId()); + Permission p = getPermission(pv.getPermissionId()); + if (p == null) { + String msg = "addPermissions: No permission found for id=" + pv.getPermissionId(); + logger.error(msg); + continue; + } + CSpaceResource[] resources = getResources(p); for (CSpaceResource res : resources) { - authz.addPermissions(res, roles); + boolean grant = p.getEffect().equals(EffectType.PERMIT) ? true : false; + authz.addPermissions(res, roles, grant); } } } @@ -111,7 +126,13 @@ public class AuthorizationDelegate { * @throws Exception */ static public void deletePermissions(String permCsid) throws Exception { - CSpaceResource[] resources = getResources(permCsid); + Permission p = getPermission(permCsid); + if (p == null) { + String msg = "deletePermissions: No permission found for id=" + permCsid; + logger.error(msg); + throw new DocumentNotFoundException(msg); + } + CSpaceResource[] resources = getResources(p); AuthZ authz = AuthZ.get(); for (CSpaceResource res : resources) { 
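Review bot: In addPermissions, `p.getEffect().equals(EffectType.PERMIT) ? true : false` throws a NullPointerException when a stored permission has no effect set, and the ternary is redundant. `boolean grant = EffectType.PERMIT.equals(p.getEffect());` is null-safe and treats a missing effect as deny; the same line appears in both the ROLE and the PERMISSION branch. The two branches also disagree on a missing permission: the ROLE branch throws DocumentNotFoundException while the PERMISSION branch logs and `continue`s, so a role can end up with only part of the requested permissions and the caller is not told. If skipping is intended, a comment such as `// best effort: skip permissions that no longer exist` would say so; otherwise throw in both places. The method starts before this hunk.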
@@ -119,14 +140,12 @@ public class AuthorizationDelegate { authz.deletePermissions(res); } catch (PermissionException pe) { //perms are created downthere only if roles are related to the permissions - logger.info("no permissions found in authz service provider for " + - "permCsid=" + permCsid + " res=" + res.getId()); + logger.info("no permissions found in authz service provider for " + + "permCsid=" + permCsid + " res=" + res.getId()); } } } - - /** * getRoles get roles (string) array from given RoleValue list * @param rvl rolevalue list @@ -151,21 +170,24 @@ public class AuthorizationDelegate { * @see PermissionValue * @see CSpaceResource */ - private static CSpaceResource[] getResources(String permCsid) { + private static CSpaceResource[] getResources(Permission p) { List rl = new ArrayList(); - Permission p = (Permission) JpaStorageUtils.getEntity(permCsid, - Permission.class); - if (p != null) { - for (PermissionAction pa : p.getActions()) { - CSpaceResource res = new URIResourceImpl(p.getResourceName(), - getAction(pa.getName())); - rl.add(res); - } + for (PermissionAction pa : p.getActions()) { + + CSpaceResource res = new URIResourceImpl(p.getResourceName(), + getAction(pa.getName())); + rl.add(res); } return rl.toArray(new CSpaceResource[0]); } + private static Permission getPermission(String permCsid) { + Permission p = (Permission) JpaStorageUtils.getEntity(permCsid, + Permission.class); + return p; + } + /** * getAction is a convenience method to get corresponding action for * given ActionType diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java index 8253d1641..a4a416bff 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java 
@@ -79,10 +79,11 @@ public class AuthZ { * -action info is retrieved from the resource * @param res * @param principals + * * @param grant true to grant false to deny */ - public void addPermissions(CSpaceResource res, String[] principals) throws PermissionException { + public void addPermissions(CSpaceResource res, String[] principals, boolean grant) throws PermissionException { CSpaceAction action = res.getAction(); - addPermissions(res, action, principals); + addPermissions(res, action, principals, grant); } /** @@ -90,10 +91,11 @@ public class AuthZ { * @param res * @parm action * @param principals + * @param grant true to grant false to deny */ - public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals) + public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant) throws PermissionException { - provider.getPermissionManager().addPermissions(res, action, principals); + provider.getPermissionManager().addPermissions(res, action, principals, grant); } /** @@ -163,7 +165,6 @@ public class AuthZ { return isAccessAllowed(res, action); } - /** * isAccessAllowed check if authenticated principal is allowed to invoke * given action on given resource diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java index 5ebf0ac7c..ac1780fce 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java 
@@ -71,7 +71,7 @@ public abstract class CSpaceResourceImpl implements CSpaceResource { if (id == null || id.isEmpty()) { throw new IllegalArgumentException("id cannot be null or empty"); } - this.id = id; + this.id = id.toLowerCase(); if (type == null) { throw new IllegalArgumentException("type cannot be null"); } diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java index 793a32696..c1cb1496b 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java @@ -41,7 +41,7 @@ public class URIResourceImpl extends CSpaceResourceImpl { * @param method an http method */ public URIResourceImpl(String uri, String method) { - super(buildId(getParent(uri), getAction(method)), + super(buildId(uri, getAction(method)), getAction(method), TYPE.URI); this.uri = uri; this.method = method; @@ -54,7 +54,7 @@ public class URIResourceImpl extends CSpaceResourceImpl { * @param method an http method */ public URIResourceImpl(String tenantId, String uri, String method) { - super(tenantId, buildId(getParent(uri), getAction(method)), + super(tenantId, buildId(uri, getAction(method)), getAction(method), TYPE.URI); this.uri = uri; this.method = method; @@ -63,7 +63,7 @@ public class URIResourceImpl extends CSpaceResourceImpl { /** * constructor that is usually called from administrative interface * uses current tenant id from the context - * @param resourceName + * @param resourceName no leading / and no trailing / needed * @param actionType */ public URIResourceImpl(String resourceName, CSpaceAction action) { 
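Review bot: `this.id = id.toLowerCase();` in this CSpaceResourceImpl constructor lowercases with the JVM default locale, so the same resource name can yield a different id on a host whose locale has special casing rules (the Turkish dotless i is the usual example). SpringAuthorizationProvider in this commit hashes `res.getId()` into the ACL object identity, so seeded permissions and runtime checks would then stop matching. Use `this.id = id.toLowerCase(Locale.ROOT);` with an import of `java.util.Locale`. Only one constructor is visible in the hunk; any other constructor that assigns `id` itself needs the same normalisation.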
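Review bot: The URIResourceImpl(uri, method) constructor now builds the id from the full `uri` instead of `getParent(uri)`, so the id of a request such as `/loansout/{csid}/authorityrefs` no longer reduces to the service name. It will match a seeded `/loansout/*/authorityrefs/` entry only if the caller has already replaced concrete identifiers with `*`, because the lookup in SpringAuthorizationProvider is an exact hash of the id, not a pattern match. That mapping is not visible in this hunk, so please confirm it exists and state it in the constructor Javadoc, e.g. `@param uri uriPath template from the service binding (identifiers replaced by *), not the raw request URI`. The same applies to the three-argument constructor in the next hunk. `getParent` looks unused after this change, though callers outside the hunks are not visible.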
@@ -75,7 +75,7 @@ public class URIResourceImpl extends CSpaceResourceImpl { /** * constructor that is usually called from administrative interface * @param tenantId id of the tenant to which this resource is associated - * @param resourceName + * @param resourceName no leading / and no trailing / needed * @param actionType */ public URIResourceImpl(String tenantId, String resourceName, CSpaceAction action) { @@ -98,7 +98,7 @@ public class URIResourceImpl extends CSpaceResourceImpl { } private static String buildId(String resourceName, CSpaceAction action) { - return resourceName + SEPARATOR_HASH + action.toString(); + return sanitize(resourceName) + SEPARATOR_HASH + action.toString(); } private static String getParent(String uri) { @@ -107,6 +107,20 @@ public class URIResourceImpl extends CSpaceResourceImpl { return stz.nextToken(); } + private static String sanitize(String uri) { + uri = uri.trim(); + if (uri.startsWith("/")) { + uri = uri.substring(1); + } + if (uri.endsWith("/")) { + uri = uri.substring(0, uri.length() - 1); + } + if (uri.endsWith("/*")) { + uri = uri.substring(0, uri.length() - 2); + } + return uri; + } + /** * getAction is a conveneniece method to get action * for given HTTP method invoked on the resource @@ -123,8 +137,10 @@ public class URIResourceImpl extends CSpaceResourceImpl { return CSpaceAction.UPDATE; } else if ("DELETE".equalsIgnoreCase(method)) { return CSpaceAction.DELETE; + } else { + //for HEAD, OPTIONS, etc. return READ + return CSpaceAction.READ; } - throw new IllegalStateException("no method found!"); } @Override diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java index f281f4c6d..2b3a086e3 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java 
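Review bot: sanitize() has no documentation, yet its result decides which ACL a resource maps to, so the normalisation rules should be written down. It trims, drops one leading `/`, one trailing `/`, then one trailing `/*`, which makes `foo`, `/foo/` and `/foo/*` the same resource id while inner wildcards are kept. A Javadoc along the lines of `/** Normalises a uriPath into id form; a collection and its trailing-wildcard form share one id. */` would make that intentional. It also dereferences `uri` without a null check, and the constructors that call buildId pass `uri` straight through. Adding `if (uri == null) throw new IllegalArgumentException("uri cannot be null");` at the top would give a clearer failure than the NullPointerException from `trim()`.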
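Review bot: The new `else` branch in getAction maps every unrecognised HTTP method to `CSpaceAction.READ`. That covers HEAD and OPTIONS as the comment says, but also any write-style or misspelled method, so such a request would be authorised with only read permission. An explicit list keeps the old fail-closed behaviour for everything else: `} else if ("HEAD".equalsIgnoreCase(method) || "OPTIONS".equalsIgnoreCase(method)) { return CSpaceAction.READ; }`, followed by the original `throw new IllegalStateException("no method found!");`. The start of the method is outside the hunk.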
+++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java @@ -39,11 +39,12 @@ public interface CSpacePermissionManager { * @param res resource * @param principals an array of principal names * @action action on the resource + * @grant true to grant, false to deny * @throws PermissionException * @see CSpaceResource * @see CSpaceAction */ - public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals) + public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant) throws PermissionException; /** diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java index be2c8afac..996e879e8 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java 
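Review bot: The Javadoc added for the new parameter uses `@grant`, which is not a Javadoc tag, and the existing `@action` line has the same problem, so neither parameter shows up in generated documentation. Write `@param grant true to grant, false to deny` and `@param action action on the resource`. Since this interface is the provider SPI, it is also worth stating what an implementation must do when a grant and a deny exist for the same principal and action.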
@@ -109,12 +109,20 @@ public class SpringAuthorizationProvider implements CSpaceAuthorizationProvider return permissionManager; } - static ObjectIdentity mapResource(CSpaceResource res) { - return new ObjectIdentityImpl(res.getType().toString(), - Long.valueOf(res.getId().hashCode())); + static Long getObjectIdentityIdentifier(CSpaceResource res) { + return Long.valueOf(res.getId().hashCode()); } - static Sid[] mapPrincipal(String[] principals) { + static String getObjectIdentityType(CSpaceResource res) { + return res.getType().toString(); + } + + static ObjectIdentity getObjectIdentity(CSpaceResource res) { + return new ObjectIdentityImpl(getObjectIdentityType(res), + getObjectIdentityIdentifier(res)); + } + + static Sid[] getSids(String[] principals) { ArrayList sids = new ArrayList(); for (String principal : principals) { sids.add(new GrantedAuthoritySid(principal)); @@ -122,7 +130,7 @@ public class SpringAuthorizationProvider implements CSpaceAuthorizationProvider return sids.toArray(new Sid[0]); } - static Permission mapAction(CSpaceAction perm) { + static Permission getPermission(CSpaceAction perm) { switch (perm) { case ADMIN: return BasePermission.ADMINISTRATION; diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java index 3f238693d..c13baf681 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java 
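Review bot: getObjectIdentityIdentifier() keeps `Long.valueOf(res.getId().hashCode())` as the ACL object identifier, and both the permission manager and the evaluator now depend on it. `String.hashCode()` is a 32-bit non-cryptographic hash, so two different resource ids can produce the same value and then share one ACL, meaning a grant or delete on one resource silently applies to the other. Resource names come from permission records (`p.getResourceName()` in AuthorizationDelegate), so this is not limited to accidental collisions. Consider deriving the identifier from a cryptographic digest of the id, for example the first eight bytes of a SHA-256, or from a persisted id-to-key table, and document the choice on the method. Existing ACL rows would need reseeding after such a change.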
@@ -23,6 +23,7 @@ */ package org.collectionspace.services.authorization.spring; +import java.io.Serializable; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.collectionspace.services.authorization.CSpaceAction; @@ -48,13 +49,13 @@ public class SpringPermissionEvaluator implements CSpacePermissionEvaluator { } @Override - public boolean hasPermission(CSpaceResource res, CSpaceAction perm) { - PermissionEvaluator eval = provider.getProviderPermissionEvaluator(); - Permission p = SpringAuthorizationProvider.mapAction(perm); + public boolean hasPermission(CSpaceResource res, CSpaceAction action) { + Permission perm = SpringAuthorizationProvider.getPermission(action); Authentication authToken = SecurityContextHolder.getContext().getAuthentication(); + Serializable objectIdId = SpringAuthorizationProvider.getObjectIdentityIdentifier(res); + String objectIdType = SpringAuthorizationProvider.getObjectIdentityType(res); + PermissionEvaluator eval = provider.getProviderPermissionEvaluator(); return eval.hasPermission(authToken, - Long.valueOf(res.getId().hashCode()), - res.getType().toString(), - p); + objectIdId, objectIdType, perm); } } diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java index aa1462a82..0eeaa5251 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java 
@@ -49,7 +49,7 @@ import org.springframework.transaction.TransactionStatus; */ public class SpringPermissionManager implements CSpacePermissionManager { - final Log log = LogFactory.getLog(SpringPermissionEvaluator.class); + final Log log = LogFactory.getLog(SpringPermissionManager.class); private SpringAuthorizationProvider provider; SpringPermissionManager(SpringAuthorizationProvider provider) { @@ -57,21 +57,22 @@ public class SpringPermissionManager implements CSpacePermissionManager { } @Override - public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals) + public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant) throws PermissionException { - ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res); - Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals); - Permission p = SpringAuthorizationProvider.mapAction(action); + ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res); + Sid[] sids = SpringAuthorizationProvider.getSids(principals); + Permission p = SpringAuthorizationProvider.getPermission(action); TransactionStatus status = provider.beginTransaction("addPermssions"); //add permission for each sid for (Sid sid : sids) { try { - addPermission(oid, p, sid); + addPermission(oid, p, sid, grant); if (log.isDebugEnabled()) { - log.debug("addpermissions(res,action,prin[]), success for " + log.debug("addpermissions(res,action,prin[], grant), success for " + " res=" + res.toString() + " action=" + action.toString() + + " grant=" + grant + " oid=" + oid.toString() + " perm=" + p.toString() + " sid=" + sid.toString()); 
@@ -79,21 +80,23 @@ public class SpringPermissionManager implements CSpacePermissionManager { } catch (AlreadyExistsException aex) { if (log.isWarnEnabled()) { - log.warn("addpermissions(res,action,prin[]) failed," + log.warn("addpermissions(res,action,prin[], grant) failed," + " oid=" + oid.toString() + " res=" + res.toString() + + " grant=" + grant + " action=" + action.toString() + " oid=" + oid.toString() + " perm=" + p.toString(), aex); } //keep going } catch (Exception ex) { - String msg = "addpermissions(res,action,prin[]) failed," + String msg = "addpermissions(res,action,prin[], grant) failed," + " oid=" + oid.toString() + " res=" + res.toString() + " action=" + action.toString() + " oid=" + oid.toString() - + " perm=" + p.toString(); + + " perm=" + p.toString() + + " grant=" + grant; if (log.isDebugEnabled()) { log.debug(msg, ex); } @@ -107,9 +110,10 @@ public class SpringPermissionManager implements CSpacePermissionManager { }//rof provider.commitTransaction(status); if (log.isDebugEnabled()) { - log.debug("addpermissions(res,action,prin[]), success for " + log.debug("addpermissions(res,action,prin[], grant), success for " + " res=" + res.toString() + " action=" + action.toString() + + " grant=" + grant + " oid=" + oid.toString() + " perm=" + p.toString() + " sids=" + sids.toString()); 
@@ -119,9 +123,9 @@ public class SpringPermissionManager implements CSpacePermissionManager { @Override public void deletePermissions(CSpaceResource res, CSpaceAction action, String[] principals) throws PermissionNotFoundException, PermissionException { - ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res); - Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals); - Permission p = SpringAuthorizationProvider.mapAction(action); + ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res); + Sid[] sids = SpringAuthorizationProvider.getSids(principals); + Permission p = SpringAuthorizationProvider.getPermission(action); TransactionStatus status = provider.beginTransaction("deletePermssions"); //delete permission for each sid for (Sid sid : sids) { @@ -177,8 +181,8 @@ public class SpringPermissionManager implements CSpacePermissionManager { @Override public void deletePermissions(CSpaceResource res, CSpaceAction action) throws PermissionNotFoundException, PermissionException { - ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res); - Permission p = SpringAuthorizationProvider.mapAction(action); + ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res); + Permission p = SpringAuthorizationProvider.getPermission(action); TransactionStatus status = provider.beginTransaction("deletePermssions"); try { deletePermissions(oid, p, null); @@ -221,7 +225,7 @@ public class SpringPermissionManager implements CSpacePermissionManager { @Override public void deletePermissions(CSpaceResource res) throws PermissionNotFoundException, PermissionException { - ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res); + ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res); TransactionStatus status = provider.beginTransaction("deletePermssion"); try { provider.getProviderAclService().deleteAcl(oid, true); 
@@ -255,7 +259,7 @@ public class SpringPermissionManager implements CSpacePermissionManager { } private void addPermission(ObjectIdentity oid, Permission permission, - Sid sid) throws PermissionException { + Sid sid, boolean grant) throws PermissionException { MutableAcl acl; try { @@ -265,17 +269,19 @@ public class SpringPermissionManager implements CSpacePermissionManager { log.debug("addPermission: acl not found for oid=" + oid.toString() + " perm=" + permission.toString() + " sid=" + sid.toString() + + " grant=" + grant + " adding..."); } acl = provider.getProviderAclService().createAcl(oid); } - acl.insertAce(acl.getEntries().size(), permission, sid, true); + acl.insertAce(acl.getEntries().size(), permission, sid, grant); provider.getProviderAclService().updateAcl(acl); if (log.isDebugEnabled()) { log.debug("addPermission: added acl for oid=" + oid.toString() + " perm=" + permission.toString() - + " sid=" + sid.toString()); + + " sid=" + sid.toString() + + " grant=" + grant); } } diff --git a/services/authorization/service/src/main/resources/applicationContext-authorization.xml b/services/authorization/service/src/main/resources/applicationContext-authorization.xml index 11f91f71e..346c78c36 100644 --- a/services/authorization/service/src/main/resources/applicationContext-authorization.xml +++ b/services/authorization/service/src/main/resources/applicationContext-authorization.xml @@ -41,28 +41,28 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + diff --git a/services/common/src/main/config/services/tenant-bindings.xml b/services/common/src/main/config/services/tenant-bindings.xml index ce489d328..9505fbdac 100644 --- a/services/common/src/main/config/services/tenant-bindings.xml +++ b/services/common/src/main/config/services/tenant-bindings.xml 
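Review bot: `acl.insertAce(acl.getEntries().size(), permission, sid, grant)` appends the entry at the end of the ACL, which was harmless while every entry was a grant but matters now that `grant` can be false. Spring Security's default ACL evaluation stops at the first entry matching the permission and sid, so a deny appended after an existing grant for the same pair is shadowed and never takes effect, and a repeated call adds a duplicate entry. For a deny I would insert ahead of the existing entries, `acl.insertAce(grant ? acl.getEntries().size() : 0, permission, sid, grant);`, or remove the conflicting entry for that sid and permission first. The method should also state the intended precedence, for example `// ACEs are evaluated first-match: a deny must precede any grant for the same sid`.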
@@ -12,9 +12,26 @@ > + id="1" name="movingimage.us" displayName="Museum of Moving Images" version="0.1" repositoryDomain="default-domain"> + + + + + + + + + + + /idgenerators/*/ids + + + + + /collectionobjects/*/authorityrefs/ + nuxeo-java @@ -24,11 +41,12 @@ org.collectionspace.services.collectionobject.nuxeo.CollectionObjectValidatorHandler - - objectNamePropertyobjectName - objectNumberPropertyobjectNumber - - + objectNamePropertyobjectName + objectNumberPropertyobjectNumber + + + + + + /intakes/*/authorityrefs/ + nuxeo-java @@ -80,11 +102,11 @@ org.collectionspace.services.intake.nuxeo.IntakeValidatorHandler - - - objectNumberPropertyentryNumber - + + + objectNumberPropertyentryNumber + + + + /loansin/*/authorityrefs/ + nuxeo-java @@ -129,11 +155,11 @@ org.collectionspace.services.loanin.nuxeo.LoaninValidatorHandler - - - objectNumberPropertyloanInNumber - + + + objectNumberPropertyloanInNumber + + + + /loansout/*/authorityrefs/ + nuxeo-java @@ -196,7 +226,7 @@ authRefborrowersContact authReflendersAuthorizer authReflendersContact - + + + + /movements/*/authorityrefs/ + nuxeo-java @@ -238,7 +272,7 @@ authRefmovementContact - + + + nuxeo-java @@ -288,6 +324,10 @@ Repository workspace so we have to configure that. --> + + + /vocabularies/*/items/ + nuxeo-java @@ -324,6 +364,10 @@ + + + /orgauthorities/*/items/*/authorityrefs/ + nuxeo-java @@ -360,6 +404,13 @@ Repository workspace so we have to configure that. --> + + + /orgauthorities/*/items/ + + + /orgauthorities/*/items/*/refObjs + nuxeo-java @@ -384,9 +435,9 @@ - - authRefcontactName - + + authRefcontactName + + + + /personauthorities/*/items/ + + + /personauthorities/*/items/*/refObjs + nuxeo-java @@ -436,6 +494,10 @@ Repository workspace so we have to configure that. --> + + + /personauthorities/*/items/ + nuxeo-java @@ -472,6 +534,10 @@ + + + /locationauthorities/*/items/ + nuxeo-java @@ -544,6 +610,10 @@ + + + /acquisitions/*/authorityrefs/ + nuxeo-java 
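Review bot: The added URI path values are not written in one form: `/idgenerators/*/ids` has no trailing slash while `/collectionobjects/*/authorityrefs/` and most of the others do, and `relations/subject/*/type/*/object/*` in the following hunks has no leading slash. The element markup did not survive on this page, so this is read from the values alone, but if these strings are compared with the normalised request path to select the resource for the permission check, a form mismatch means the intended permission is never matched. `/personauthorities/*/items/` is also added twice in what appear to be different bindings; confirm that both services are meant to share it. I would settle on one canonical form and state it once above the first binding, e.g. `<!-- uriPath: leading slash, no trailing slash, * for each id segment -->`.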
@@ -553,11 +623,11 @@ org.collectionspace.services.acquisition.nuxeo.AcquisitionValidatorHandler - - - objectNumberPropertyacquisitionReferenceNumber - + + + objectNumberPropertyacquisitionReferenceNumber + + ' + + relations/subject/*/type/*/object/* + nuxeo-java @@ -627,6 +701,8 @@ + + org.collectionspace.services.account.storage.AccountDocumentHandler @@ -660,6 +736,8 @@ + + nuxeo-java @@ -693,6 +771,13 @@ + + + /personauthorities/*/items/*/contacts + + + /orgauthorities/*/items/*/contacts + nuxeo-java @@ -759,6 +844,8 @@ + + org.collectionspace.services.authorization.storage.RoleDocumentHandler @@ -792,6 +879,8 @@ + + org.collectionspace.services.authorization.storage.PermissionDocumentHandler @@ -824,7 +913,11 @@ - + + + + /authorization/permissions/*/permroles/ + org.collectionspace.services.authorization.storage.PermissionRoleDocumentHandler @@ -858,13 +951,17 @@ + + + /accounts/*/accountroles/ + org.collectionspace.services.account.storage.AccountRoleDocumentHandler - -1)) { + //replace csids with wildcard + uriPath = uriPath.replace(pathParamValue, "*"); + } + if ((pathParamName.toLowerCase().indexOf("predicate") > -1)) { + //replace csids with wildcard + uriPath = uriPath.replace(pathParamValue, "*"); + } + if (pathParamName.toLowerCase().indexOf("specifier") > -1) { + //replace name and specifiers with wildcard + uriPath = uriPath.replace("urn:cspace:name(" + pathParamValue + + ")", "*"); + } + } + uriPath = uriPath.replace("//", "/"); + return uriPath; + } } diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java index c041bdda3..264bb173d 100644 --- a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java 
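Review bot: `uriPath = uriPath.replace(pathParamValue, "*")` replaces every occurrence of the parameter value anywhere in the path, not only the segment the value came from. The value presumably comes from the request, so a value that also occurs inside a fixed segment rewrites that segment too, and the resource name handed to the permission check is then no longer the path that was routed. The substitution should be done segment by segment, and a path that matches no configured resource must end in a denial. Two smaller points in the same lines: `toLowerCase()` should be `toLowerCase(Locale.ROOT)`, and `uriPath.replace("//", "/")` is a single pass that leaves `//` behind when three or more slashes were adjacent. The method's signature and the file header are not visible on this page.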
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java @@ -79,11 +79,11 @@ public class JpaRelationshipStorageClient extends JpaStorageClientImpl { if (ctx == null) { throw new IllegalArgumentException( - "JpaRelationshipStorageClient.create : ctx is missing"); + "create : ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaRelationshipStorageClient.create: handler is missing"); + "create: handler is missing"); } EntityManagerFactory emf = null; EntityManager em = null; @@ -137,14 +137,14 @@ public class JpaRelationshipStorageClient extends JpaStorageClientImpl { throws DocumentNotFoundException, DocumentException { if (ctx == null) { throw new IllegalArgumentException( - "JpaRelationshipStorageClient.get: ctx is missing"); + "get: ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaRelationshipStorageClient.get: handler is missing"); + "get: handler is missing"); } if (getObject(ctx, id) == null) { - String msg = "JpaRelationshipStorageClient.get: " + String msg = "get: " + "could not find the object entity with id=" + id; logger.error(msg); throw new DocumentNotFoundException(msg); @@ -188,13 +188,13 @@ public class JpaRelationshipStorageClient extends JpaStorageClientImpl { if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); } - String msg = "JpaRelationshipStorageClient.get: " + String msg = "get: " + " could not find entity with id=" + id; logger.error(msg, nre); throw new DocumentNotFoundException(msg, nre); } if (rl.size() == 0) { - String msg = "JpaRelationshipStorageClient.get: " + String msg = "get: " + " could not find entity with id=" + id; logger.error(msg); throw new DocumentNotFoundException(msg); 
@@ -232,10 +232,10 @@ public class JpaRelationshipStorageClient extends JpaStorageClientImpl { if (ctx == null) { throw new IllegalArgumentException( - "JpaRelationshipStorageClient.delete : ctx is missing"); + "delete : ctx is missing"); } if (getObject(ctx, id) == null) { - String msg = "JpaRelationshipStorageClient.delete : " + String msg = "delete : " + "could not find the object entity with id=" + id; logger.error(msg); throw new DocumentNotFoundException(msg); diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java index 3955d11f1..9c203d097 100644 --- a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java +++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java @@ -96,11 +96,11 @@ public class JpaStorageClientImpl implements StorageClient { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.create: ctx is missing"); + "create: ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaStorageClient.create: handler is missing"); + "create: handler is missing"); } EntityManagerFactory emf = null; EntityManager em = null; @@ -160,11 +160,11 @@ public class JpaStorageClientImpl implements StorageClient { throws DocumentNotFoundException, DocumentException { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.get: ctx is missing"); + "get: ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaStorageClient.get: handler is missing"); + "get: handler is missing"); } DocumentFilter docFilter = handler.getDocumentFilter(); if (docFilter == null) { 
@@ -217,11 +217,11 @@ public class JpaStorageClientImpl implements StorageClient { throws DocumentNotFoundException, DocumentException { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.getFiltered: ctx is missing"); + "getFiltered: ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaStorageClient.getFiltered: handler is missing"); + "getFiltered: handler is missing"); } DocumentFilter docFilter = handler.getDocumentFilter(); @@ -283,11 +283,11 @@ public class JpaStorageClientImpl implements StorageClient { DocumentException { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.update: ctx is missing"); + "update: ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaStorageClient.update: handler is missing"); + "update: handler is missing"); } EntityManagerFactory emf = null; EntityManager em = null; @@ -336,12 +336,12 @@ public class JpaStorageClientImpl implements StorageClient { DocumentException { if (logger.isDebugEnabled()) { - logger.debug("deleting entity with id=" + id); + logger.debug("delete(ctx, id): deleting entity with id=" + id); } if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.delete: ctx is missing"); + "delete(ctx, id): ctx is missing"); } EntityManagerFactory emf = null; EntityManager em = null; @@ -356,7 +356,7 @@ public class JpaStorageClientImpl implements StorageClient { if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); } - String msg = "could not find entity with id=" + id; + String msg = "delete(ctx, id): could not find entity with id=" + id; logger.error(msg); throw new DocumentNotFoundException(msg); } 
@@ -370,7 +370,7 @@ public class JpaStorageClientImpl implements StorageClient { throw de; } catch (Exception e) { if (logger.isDebugEnabled()) { - logger.debug("Caught exception ", e); + logger.debug("delete(ctx, id): Caught exception ", e); } if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); @@ -397,11 +397,11 @@ public class JpaStorageClientImpl implements StorageClient { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.deleteWhere: ctx is missing"); + "deleteWhere(ctx, id) : ctx is missing"); } if (logger.isDebugEnabled()) { - logger.debug("deleting entity with id=" + id); + logger.debug("deleteWhere(ctx, id): deleting entity with id=" + id); } EntityManagerFactory emf = null; EntityManager em = null; @@ -423,7 +423,7 @@ public class JpaStorageClientImpl implements StorageClient { if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); } - String msg = "could not find entity with id=" + id; + String msg = "deleteWhere(ctx, id) could not find entity with id=" + id; logger.error(msg); throw new DocumentNotFoundException(msg); } @@ -436,7 +436,7 @@ public class JpaStorageClientImpl implements StorageClient { throw de; } catch (Exception e) { if (logger.isDebugEnabled()) { - logger.debug("Caught exception ", e); + logger.debug("deleteWhere(ctx, id) Caught exception ", e); } if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); 
@@ -449,25 +449,45 @@ public class JpaStorageClientImpl implements StorageClient { } } + /* + * delete removes entity and its child entities but calls back to given handler + * cost: a get before delete + * @see org.collectionspace.services.common.storage.StorageClient#delete(org.collectionspace.services.common.context.ServiceContext, java.lang.String) + */ @Override public void delete(ServiceContext ctx, String id, DocumentHandler handler) throws DocumentNotFoundException, DocumentException { if (ctx == null) { throw new IllegalArgumentException( - "JpaStorageClient.delete: ctx is missing"); + "delete(ctx, ix, handler): ctx is missing"); } if (handler == null) { throw new IllegalArgumentException( - "JpaStorageClient.delete: handler is missing"); + "delete(ctx, ix, handler): handler is missing"); } EntityManagerFactory emf = null; EntityManager em = null; try { handler.prepare(Action.DELETE); - Object entity = handler.getCommonPart(); - DocumentWrapper wrapDoc = new DocumentWrapperImpl(entity); + emf = JpaStorageUtils.getEntityManagerFactory(); + em = emf.createEntityManager(); + + em.getTransaction().begin(); + Object entityFound = getEntity(ctx, em, id); + if (entityFound == null) { + if (em != null && em.getTransaction().isActive()) { + em.getTransaction().rollback(); + } + String msg = "delete(ctx, ix, handler) could not find entity with id=" + id; + logger.error(msg); + throw new DocumentNotFoundException(msg); + } + DocumentWrapper wrapDoc = new DocumentWrapperImpl(entityFound); handler.handle(Action.DELETE, wrapDoc); + em.remove(entityFound); + em.getTransaction().commit(); + handler.complete(Action.DELETE, wrapDoc); } catch (DocumentException de) { if (em != null && em.getTransaction().isActive()) { 
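Review bot: `handler.complete(Action.DELETE, wrapDoc)` now runs after `em.getTransaction().commit()`, so an exception thrown there reaches the catch blocks when the entity is already removed and the rollback guard finds no active transaction. The caller is then told the delete failed although it persisted; either call `complete` before the commit or document that it must not throw. The new messages read `delete(ctx, ix, handler)` where `id` is meant. The added comment opens with `/*`, so its `@see` is not picked up as Javadoc, and it names the two-argument `delete` rather than this overload. The catch blocks continue outside the hunk.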
@@ -476,7 +496,7 @@ public class JpaStorageClientImpl implements StorageClient { throw de; } catch (Exception e) { if (logger.isDebugEnabled()) { - logger.debug("Caught exception ", e); + logger.debug("delete(ctx, ix, handler): Caught exception ", e); } if (em != null && em.getTransaction().isActive()) { em.getTransaction().rollback(); diff --git a/services/common/src/main/resources/service.xsd b/services/common/src/main/resources/service.xsd index e55c43754..ac21ce735 100644 --- a/services/common/src/main/resources/service.xsd +++ b/services/common/src/main/resources/service.xsd @@ -32,6 +32,8 @@ + + @@ -44,8 +46,9 @@ - + + diff --git a/services/pom.xml b/services/pom.xml index fe1d96a67..3ff05b87f 100644 --- a/services/pom.xml +++ b/services/pom.xml @@ -12,6 +12,13 @@ services.main pom + authentication authorization @@ -20,7 +27,7 @@ common authorization-mgt common-test - account + account note relation diff --git a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java index 79fbbcd84..72bc9429a 100644 --- a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java +++ b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java 
@@ -199,13 +199,14 @@ public class AuthenticationServiceTest extends AbstractServiceTestImpl { if (logger.isDebugEnabled()) { logger.debug("create: status = " + res.getStatus()); } + //so it does not have any permissions out-of-the-box to create a + //collection object Assert.assertEquals(res.getStatus(), - Response.Status.CREATED.getStatusCode(), "expected " - + Response.Status.CREATED.getStatusCode()); + Response.Status.FORBIDDEN.getStatusCode(), "expected " + + Response.Status.FORBIDDEN.getStatusCode()); // Store the ID returned from this create operation for additional tests // below. - knownResourceId = extractId(res); res.releaseConnection(); } @@ -354,19 +355,7 @@ public class AuthenticationServiceTest extends AbstractServiceTestImpl { dependsOnMethods = {"create"}) public void delete(String testName) { setupDelete(testName); - CollectionObjectClient collectionObjectClient = new CollectionObjectClient(); - collectionObjectClient = new CollectionObjectClient(); - collectionObjectClient.setAuth(true, "test", true, "test", true); - if (logger.isDebugEnabled()) { - logger.debug("Calling deleteCollectionObject:" + knownResourceId); - } - ClientResponse res = collectionObjectClient.delete(knownResourceId); - if (logger.isDebugEnabled()) { - logger.debug("deleteCollectionObject: status = " + res.getStatus()); - } - Assert.assertEquals(res.getStatus(), - Response.Status.OK.getStatusCode(), "expected " + Response.Status.OK.getStatusCode()); - res.releaseConnection(); + } @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class, diff --git a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java index cf7179ef5..58298e832 100644 --- a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java 
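Review bot: `delete(String testName)` is left with only `setupDelete(testName)` and no assertion, so it passes whatever the service does. Since `create` now expects `FORBIDDEN`, the matching check is that a delete by the same account is refused too; either assert that status against a known id or remove the test, so the report does not show coverage that is not there. In the first hunk the comment `// Store the ID returned from this create operation` is stale now that `knownResourceId = extractId(res);` is gone. The new comment also starts mid-sentence (`//so it does not have any permissions ...`); something like `// this account has no seeded permissions, so create must be refused` reads on its own.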
+++ b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java @@ -101,6 +101,7 @@ public class AuthorizationServiceTest extends AbstractServiceTestImpl { private Hashtable roleValues = new Hashtable(); private String bigbirdPermId; private String elmoPermId; + private final static String TEST_SERVICE_NAME = "dimensions"; /* * This method is called only by the parent class, AbstractServiceTestImpl */ @@ -120,7 +121,7 @@ public class AuthorizationServiceTest extends AbstractServiceTestImpl { } private void seedPermissions() { - String res = "dimensions"; + String res = TEST_SERVICE_NAME; PermissionAction pac = new PermissionAction(); pac.setName(ActionType.CREATE); @@ -153,14 +154,14 @@ public class AuthorizationServiceTest extends AbstractServiceTestImpl { } private void seedRoles() { - String rn1 = "ROLE_MMI_CM"; + String rn1 = "ROLE_TEST_CM"; String r1RoleId = createRole(rn1); RoleValue rv1 = new RoleValue(); rv1.setRoleId(r1RoleId); rv1.setRoleName(rn1); roleValues.put(rv1.getRoleName(), rv1); - String rn2 = "ROLE_MMI_INTERN"; + String rn2 = "ROLE_TEST_INTERN"; String r2RoleId = createRole(rn2); RoleValue rv2 = new RoleValue(); rv2.setRoleId(r2RoleId); 
@@ -189,22 +190,22 @@ public class AuthorizationServiceTest extends AbstractServiceTestImpl { private void seedAccountRoles() { List bigbirdRoleValues = new ArrayList(); - bigbirdRoleValues.add(roleValues.get("ROLE_MMI_CM")); + bigbirdRoleValues.add(roleValues.get("ROLE_TEST_CM")); createAccountRole(accValues.get("bigbird2010"), bigbirdRoleValues); List elmoRoleValues = new ArrayList(); - elmoRoleValues.add(roleValues.get("ROLE_MMI_INTERN")); + elmoRoleValues.add(roleValues.get("ROLE_TEST_INTERN")); createAccountRole(accValues.get("elmo2010"), elmoRoleValues); } private void seedPermissionRoles() { List bigbirdRoleValues = new ArrayList(); - bigbirdRoleValues.add(roleValues.get("ROLE_MMI_CM")); + bigbirdRoleValues.add(roleValues.get("ROLE_TEST_CM")); createPermissionRole(permValues.get(bigbirdPermId), bigbirdRoleValues); List elmoRoleValues = new ArrayList(); - elmoRoleValues.add(roleValues.get("ROLE_MMI_INTERN")); + elmoRoleValues.add(roleValues.get("ROLE_TEST_INTERN")); createPermissionRole(permValues.get(elmoPermId), elmoRoleValues); } @@ -502,9 +503,13 @@ public class AuthorizationServiceTest extends AbstractServiceTestImpl { logger.debug("Cleaning up temporary resources created for testing ..."); } - deletePermissionRoles(); + //FIXME delete on permission role deletes all roles associated with the permission + //this would delete association with ROLE_ADMINISTRATION too + //deletePermissionRoles(); deleteAccountRoles(); - deletePermissions(); + //FIXME delete on permission role deletes all roles associated with the permission + //this would delete association with ROLE_ADMINISTRATION too + //deletePermissions(); deleteRoles(); deleteAccounts(); }
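Review bot: With `deletePermissionRoles()` and `deletePermissions()` commented out, cleanup still calls `deleteRoles()` and `deleteAccounts()`, so the permissions seeded for `TEST_SERVICE_NAME` and their role associations presumably stay in the store after the roles they refer to are gone, and accumulate across runs. The FIXME describes a defect in the service itself: deleting a permission-role resource removes every role association for that permission, including the administrator's. That belongs in a tracked issue rather than a test workaround, and the comment should carry its id, e.g. `//FIXME(<issue-id>): permrole delete removes all role associations`. The FIXME text says `ROLE_ADMINISTRATION` where the commit description uses `ROLE_ADMINISTRATOR`. The cleanup method starts outside the hunk.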