From: Sanjay Dalal <sanjay.dalal@berkeley.edu>
Date: Thu, 27 May 2010 19:20:39 +0000 (+0000)
Subject: CSPACE-1828 service name fixes role name with ROLE_{uppercase role name} if ROLE_... 
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=cba57c67b56959514a90796ca04ce351d58f3085;p=tmp%2Fjakarta-migration.git

CSPACE-1828 service name fixes role name with ROLE_{uppercase role name} if ROLE_ is not present in the role name
CSPACE-1944 role name in role once set cannot be changed
CSPACE-1945 resource name in permission once set cannot be changed
test: authorization-mgt/client
---

diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
index 303547858..b0cce9f0e 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
@@ -60,7 +60,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
     // Instance variables specific to this test.
     /** The known resource id. */
     private String knownResourceId = null;
-    
+    private String knownResource = "accounts-test";
     /** The add tenant. */
     boolean addTenant = true;
     /*
@@ -80,36 +80,36 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     protected CollectionSpaceClient getClientInstance() {
-    	return new PermissionClient();
+        return new PermissionClient();
     }
-    
+
     /* (non-Javadoc)
      * @see org.collectionspace.services.client.test.BaseServiceTest#getAbstractCommonList(org.jboss.resteasy.client.ClientResponse)
      */
     @Override
-	protected AbstractCommonList getAbstractCommonList(
-			ClientResponse<AbstractCommonList> response) {
-    	//FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
-    	throw new UnsupportedOperationException();
+    protected AbstractCommonList getAbstractCommonList(
+            ClientResponse<AbstractCommonList> response) {
+        //FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
+        throw new UnsupportedOperationException();
     }
-    
-	/* (non-Javadoc)
-	 * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readPaginatedList(java.lang.String)
-	 */
-	@Test(dataProvider = "testName")
-	@Override
+
+    /* (non-Javadoc)
+     * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readPaginatedList(java.lang.String)
+     */
+    @Test(dataProvider = "testName")
+    @Override
     public void readPaginatedList(String testName) throws Exception {
-		//FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
-	}    
+        //FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
+    }
 
-	// ---------------------------------------------------------------
+    // ---------------------------------------------------------------
     // CRUD tests : CREATE tests
     // ---------------------------------------------------------------
     // Success outcomes
     /* (non-Javadoc)
-	 * @see org.collectionspace.services.client.test.ServiceTest#create(java.lang.String)
-	 */
-	@Override
+     * @see org.collectionspace.services.client.test.ServiceTest#create(java.lang.String)
+     */
+    @Override
     @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class)
     public void create(String testName) throws Exception {
 
@@ -120,7 +120,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
 
         // Submit the request to the service and store the response.
         List<PermissionAction> actions = PermissionFactory.createDefaultActions();
-        Permission permission = createPermissionInstance("accounts",
+        Permission permission = createPermissionInstance(knownResource,
                 "default permissions for account",
                 actions,
                 EffectType.PERMIT,
@@ -249,7 +249,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void createWithEmptyEntityBody(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -257,7 +257,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void createWithMalformedXml(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -265,7 +265,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void createWithWrongXmlSchema(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     // ---------------------------------------------------------------
@@ -423,8 +423,9 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
 
         Permission permToUpdate = new Permission();
         permToUpdate.setCsid(knownResourceId);
+        permToUpdate.setResourceName(knownResource);
         // Update the content of this resource.
-        permToUpdate.setResourceName("updated-resource");
+        permToUpdate.setDescription("updated description");
         if (logger.isDebugEnabled()) {
             logger.debug("updated object");
             logger.debug(objectAsXmlString(permToUpdate,
@@ -446,11 +447,41 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
         Permission permUpdated = (Permission) res.getEntity();
         Assert.assertNotNull(permUpdated);
 
-        Assert.assertEquals(permUpdated.getResourceName(),
-                permToUpdate.getResourceName(),
+        Assert.assertEquals(permUpdated.getDescription(),
+                permToUpdate.getDescription(),
                 "Data in updated object did not match submitted data.");
     }
 
+    @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
+    dependsOnMethods = {"read", "readList", "readNonExistent"})
+    public void updateNotAllowed(String testName) throws Exception {
+
+        // Perform setup.
+        setupUpdate(testName);
+
+        Permission permToUpdate = new Permission();
+        permToUpdate.setCsid(knownResourceId);
+        // Update the content of this resource.
+        permToUpdate.setResourceName("updated-resource");
+        if (logger.isDebugEnabled()) {
+            logger.debug("updated object");
+            logger.debug(objectAsXmlString(permToUpdate,
+                    Permission.class));
+        }
+        PermissionClient client = new PermissionClient();
+        // Submit the request to the service and store the response.
+        ClientResponse<Permission> res = client.update(knownResourceId, permToUpdate);
+        int statusCode = res.getStatus();
+        // Check the status code of the response: does it match the expected response(s)?
+        if (logger.isDebugEnabled()) {
+            logger.debug(testName + ": status = " + statusCode);
+        }
+        Assert.assertTrue(REQUEST_TYPE.isValidStatusCode(statusCode),
+                invalidStatusCodeMessage(REQUEST_TYPE, statusCode));
+        Assert.assertEquals(statusCode, Response.Status.BAD_REQUEST.getStatusCode());
+
+    }
+
     /**
      * Update actions.
      *
@@ -458,7 +489,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      * @throws Exception the exception
      */
     @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
-    dependsOnMethods = {"update"})
+    dependsOnMethods = {"updateNotAllowed"})
     public void updateActions(String testName) throws Exception {
 
         // Perform setup.
@@ -466,6 +497,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
 
         Permission permToUpdate = new Permission();
         permToUpdate.setCsid(knownResourceId);
+        permToUpdate.setResourceName(knownResource);
         // Update the content of this resource.
         List<PermissionAction> actions = PermissionFactory.createDefaultActions();
         int default_actions = actions.size();
@@ -513,7 +545,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void updateWithEmptyEntityBody(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -521,7 +553,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void updateWithMalformedXml(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -529,7 +561,7 @@ public class PermissionServiceTest extends AbstractServiceTestImpl {
      */
     @Override
     public void updateWithWrongXmlSchema(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
index 507d6e7ce..3e3c0d847 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
@@ -57,9 +57,12 @@ public class RoleServiceTest extends AbstractServiceTestImpl {
     // Instance variables specific to this test.
     /** The known resource id. */
     private String knownResourceId = null;
+    private String knownRoleName = "ROLE_USERS_TEST";
+    private String verifyResourceId = null;
+    private String verifyRoleName = "collections_manager_test";
 //    private List<String> allResourceIdsCreated = new ArrayList<String>();
     /** The add tenant. */
-boolean addTenant = true;
+    boolean addTenant = true;
     /*
      * This method is called only by the parent class, AbstractServiceTestImpl
      */
@@ -77,28 +80,28 @@ boolean addTenant = true;
      */
     @Override
     protected CollectionSpaceClient getClientInstance() {
-    	return new RoleClient();
+        return new RoleClient();
     }
-    
+
     /* (non-Javadoc)
      * @see org.collectionspace.services.client.test.BaseServiceTest#getAbstractCommonList(org.jboss.resteasy.client.ClientResponse)
      */
     @Override
-	protected AbstractCommonList getAbstractCommonList(
-			ClientResponse<AbstractCommonList> response) {
-    	//FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
-    	throw new UnsupportedOperationException();
+    protected AbstractCommonList getAbstractCommonList(
+            ClientResponse<AbstractCommonList> response) {
+        //FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
+        throw new UnsupportedOperationException();
     }
-    
-	/* (non-Javadoc)
-	 * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readPaginatedList(java.lang.String)
-	 */
-	@Test(dataProvider = "testName")
-	@Override
+
+    /* (non-Javadoc)
+     * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readPaginatedList(java.lang.String)
+     */
+    @Test(dataProvider = "testName")
+    @Override
     public void readPaginatedList(String testName) throws Exception {
-			//FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
-	}    
- 
+        //FIXME: http://issues.collectionspace.org/browse/CSPACE-1697
+    }
+
     // ---------------------------------------------------------------
     // CRUD tests : CREATE tests
     // ---------------------------------------------------------------
@@ -117,7 +120,7 @@ boolean addTenant = true;
 
         // Submit the request to the service and store the response.
         RoleClient client = new RoleClient();
-        Role role = createRoleInstance("ROLE_USERS_TEST",
+        Role role = createRoleInstance(knownRoleName,
                 "all users are required to be in this role",
                 true);
         ClientResponse<Response> res = client.create(role);
@@ -212,8 +215,10 @@ boolean addTenant = true;
         setupCreate(testName);
 
         // Submit the request to the service and store the response.
-         RoleClient client = new RoleClient();
-       Role role1 = createRoleInstance("ROLE_COLLECTIONS_MANGER_TEST",
+        RoleClient client = new RoleClient();
+        //create a role with lowercase role name without role prefix
+        //the service should make it upper case and add the role prefix
+        Role role1 = createRoleInstance(verifyRoleName,
                 "collection manager",
                 true);
         ClientResponse<Response> res = client.create(role1);
@@ -221,7 +226,8 @@ boolean addTenant = true;
         Assert.assertTrue(REQUEST_TYPE.isValidStatusCode(statusCode),
                 invalidStatusCodeMessage(REQUEST_TYPE, statusCode));
         Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE);
-        allResourceIdsCreated.add(extractId(res));
+        verifyResourceId = extractId(res);
+        allResourceIdsCreated.add(verifyResourceId);
 
         Role role2 = createRoleInstance("ROLE_COLLECTIONS_CURATOR_TEST",
                 "collections curator",
@@ -254,7 +260,7 @@ boolean addTenant = true;
      */
     @Override
     public void createWithEmptyEntityBody(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -262,7 +268,7 @@ boolean addTenant = true;
      */
     @Override
     public void createWithMalformedXml(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -270,7 +276,7 @@ boolean addTenant = true;
      */
     @Override
     public void createWithWrongXmlSchema(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     // ---------------------------------------------------------------
@@ -306,10 +312,39 @@ boolean addTenant = true;
         Assert.assertNotNull(output);
     }
 
+    @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
+    dependsOnMethods = {"createList"})
+    public void readToVerify(String testName) throws Exception {
+
+        // Perform setup.
+        setupRead(testName);
+
+        // Submit the request to the service and store the response.
+        RoleClient client = new RoleClient();
+        ClientResponse<Role> res = client.read(verifyResourceId);
+        int statusCode = res.getStatus();
+
+        // Check the status code of the response: does it match
+        // the expected response(s)?
+        if (logger.isDebugEnabled()) {
+            logger.debug(testName + ": status = " + statusCode);
+        }
+        Assert.assertTrue(REQUEST_TYPE.isValidStatusCode(statusCode),
+                invalidStatusCodeMessage(REQUEST_TYPE, statusCode));
+        Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE);
+
+        Role output = (Role) res.getEntity();
+        Assert.assertNotNull(output);
+
+        String roleNameToVerify = "ROLE_" + verifyRoleName.toUpperCase();
+        Assert.assertEquals(output.getRoleName(), roleNameToVerify,
+                "RoleName fix did not work!");
+    }
     // Failure outcomes
     /* (non-Javadoc)
      * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readNonExistent(java.lang.String)
      */
+
     @Override
     @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
     dependsOnMethods = {"read"})
@@ -428,9 +463,10 @@ boolean addTenant = true;
 
         Role roleToUpdate = new Role();
         roleToUpdate.setCsid(knownResourceId);
-
+        roleToUpdate.setRoleName(knownRoleName);
+        
         // Update the content of this resource.
-        roleToUpdate.setRoleName("updated-role");
+        roleToUpdate.setDescription("updated role description");
         if (logger.isDebugEnabled()) {
             logger.debug("updated object");
             logger.debug(objectAsXmlString(roleToUpdate,
@@ -452,11 +488,41 @@ boolean addTenant = true;
         Role roleUpdated = (Role) res.getEntity();
         Assert.assertNotNull(roleUpdated);
 
-        Assert.assertEquals(roleUpdated.getRoleName(),
-                roleToUpdate.getRoleName(),
+        Assert.assertEquals(roleUpdated.getDescription(),
+                roleToUpdate.getDescription(),
                 "Data in updated object did not match submitted data.");
     }
 
+    @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
+    dependsOnMethods = {"read", "readList", "readNonExistent"})
+    public void updateNotAllowed(String testName) throws Exception {
+
+        // Perform setup.
+        setupUpdate(testName);
+
+        Role roleToUpdate = new Role();
+        roleToUpdate.setCsid(knownResourceId);
+        // Update the content of this resource.
+        roleToUpdate.setRoleName("UPDATED-ROLE_USERS_TEST");
+        if (logger.isDebugEnabled()) {
+            logger.debug("updated object");
+            logger.debug(objectAsXmlString(roleToUpdate,
+                    Role.class));
+        }
+        RoleClient client = new RoleClient();
+        // Submit the request to the service and store the response.
+        ClientResponse<Role> res = client.update(knownResourceId, roleToUpdate);
+        int statusCode = res.getStatus();
+        // Check the status code of the response: does it match the expected response(s)?
+        if (logger.isDebugEnabled()) {
+            logger.debug(testName + ": status = " + statusCode);
+        }
+        Assert.assertTrue(REQUEST_TYPE.isValidStatusCode(statusCode),
+                invalidStatusCodeMessage(REQUEST_TYPE, statusCode));
+        Assert.assertEquals(statusCode, Response.Status.BAD_REQUEST.getStatusCode());
+
+    }
+
     // Failure outcomes
     // Placeholders until the three tests below can be uncommented.
     // See Issue CSPACE-401.
@@ -465,7 +531,7 @@ boolean addTenant = true;
      */
     @Override
     public void updateWithEmptyEntityBody(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -473,7 +539,7 @@ boolean addTenant = true;
      */
     @Override
     public void updateWithMalformedXml(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -481,7 +547,7 @@ boolean addTenant = true;
      */
     @Override
     public void updateWithWrongXmlSchema(String testName) throws Exception {
-    	//FIXME: Should this test really be empty?  If so, please comment accordingly.
+        //FIXME: Should this test really be empty?  If so, please comment accordingly.
     }
 
     /* (non-Javadoc)
@@ -526,7 +592,7 @@ boolean addTenant = true;
      */
     @Override
     @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
-    dependsOnMethods = {"update"})
+    dependsOnMethods = {"updateNotAllowed"})
     public void delete(String testName) throws Exception {
 
         // Perform setup.
diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
index e13af6a5e..fa4292edc 100644
--- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
+++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
@@ -3,7 +3,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>2bfb81c6-6d08-4928-aa56-1b3c22f52af1</permissionId>
+            <permissionId>5a0bad92-cac6-4694-84d6-d393a52aafd9</permissionId>
             <resourceName>idgenerators</resourceName>
         </permission>
         <role>
@@ -14,7 +14,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>69302e5e-2600-45e3-937b-b18cd1a1009d</permissionId>
+            <permissionId>3e0a37ab-4ca3-4659-bef6-ff7e7c3ce590</permissionId>
             <resourceName>id</resourceName>
         </permission>
         <role>
@@ -25,7 +25,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cd9da6b0-672a-445a-8c91-8eb60790c163</permissionId>
+            <permissionId>0d8826df-d61a-448e-8d8a-9e41bf178582</permissionId>
             <resourceName>
                 /idgenerators/*/ids
             </resourceName>
@@ -38,7 +38,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>5a39680a-a76c-4c35-88ce-01ce78f70866</permissionId>
+            <permissionId>f872859a-7f05-4d0a-b898-ef8f1b7745ba</permissionId>
             <resourceName>collectionobjects</resourceName>
         </permission>
         <role>
@@ -49,7 +49,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>c7adacd4-d663-4979-af33-309cff3c1d5b</permissionId>
+            <permissionId>cca70419-20ce-4bf7-ad9f-cb5d8c542577</permissionId>
             <resourceName>
                 /collectionobjects/*/authorityrefs/
             </resourceName>
@@ -62,7 +62,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>026c638d-7b59-4e07-9ac8-55f4cf5bcf88</permissionId>
+            <permissionId>ca89d98e-7fc4-44e5-9e5f-fea49bdb7e89</permissionId>
             <resourceName>intakes</resourceName>
         </permission>
         <role>
@@ -73,7 +73,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>afd64e21-5e85-4103-a005-ebdd1768689e</permissionId>
+            <permissionId>c3e6c0c6-b6c0-4bb1-a03d-2e86857b74b4</permissionId>
             <resourceName>
                 /intakes/*/authorityrefs/
             </resourceName>
@@ -86,7 +86,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>2e9ceeeb-df32-4f8a-94ad-064b2e56c35e</permissionId>
+            <permissionId>cea2e847-0944-49c0-8746-4622c1169a65</permissionId>
             <resourceName>loansin</resourceName>
         </permission>
         <role>
@@ -97,7 +97,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>74e0498d-86ff-4e2e-812f-7f894c7a0842</permissionId>
+            <permissionId>b163f821-5791-4044-be1c-ddbd3738a4b4</permissionId>
             <resourceName>
                 /loansin/*/authorityrefs/
             </resourceName>
@@ -110,7 +110,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>6b1dd0f9-6eb4-40fb-b8d4-c68f85d992fc</permissionId>
+            <permissionId>3a77ffcf-8052-466c-99d7-61fff28d9f88</permissionId>
             <resourceName>loansout</resourceName>
         </permission>
         <role>
@@ -121,7 +121,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>835ddebc-ab0c-46ca-9bed-7cd65901fec9</permissionId>
+            <permissionId>859d46be-9bf6-4bce-9950-3e07fd35fc91</permissionId>
             <resourceName>
                 /loansout/*/authorityrefs/
             </resourceName>
@@ -134,7 +134,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cb18affd-0c86-4c80-85ab-cd01fc0169e4</permissionId>
+            <permissionId>f079772b-b15a-45b9-9e30-ba93ec62886b</permissionId>
             <resourceName>movements</resourceName>
         </permission>
         <role>
@@ -145,7 +145,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>73c7c7e1-d652-4b1b-8c2f-a0f6d31e861d</permissionId>
+            <permissionId>05a0e8d6-c623-470f-8562-e1ebaa8661a0</permissionId>
             <resourceName>
                 /movements/*/authorityrefs/
             </resourceName>
@@ -158,7 +158,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>75d80adc-5dc5-4044-b463-ca549f920d12</permissionId>
+            <permissionId>72115711-331e-4e6d-a4d7-2d9ad22bb2e3</permissionId>
             <resourceName>vocabularies</resourceName>
         </permission>
         <role>
@@ -169,7 +169,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>7ed9eb73-fe3c-4f34-be69-40c7dd4c8cfe</permissionId>
+            <permissionId>401d9a19-add1-475b-97c6-715d18001fed</permissionId>
             <resourceName>vocabularyitems</resourceName>
         </permission>
         <role>
@@ -180,7 +180,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>ba430b16-d4c2-455d-a5f0-a006c56fba40</permissionId>
+            <permissionId>862e5aa7-40e0-433c-b918-025a649543e0</permissionId>
             <resourceName>
                 /vocabularies/*/items/
             </resourceName>
@@ -193,7 +193,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>e51f2c07-8cec-423e-909d-f7e26b708250</permissionId>
+            <permissionId>b8fbde29-bb5a-4d88-88c9-01881b4953a7</permissionId>
             <resourceName>orgauthorities</resourceName>
         </permission>
         <role>
@@ -204,7 +204,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>6057bcf9-6130-42fb-9a39-6912fa337861</permissionId>
+            <permissionId>458a330f-1b4d-4e52-950c-f2aacf9a4870</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/authorityrefs/
             </resourceName>
@@ -217,7 +217,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>719809d0-3afb-48b2-bd35-76690eb409d4</permissionId>
+            <permissionId>3552c6ca-c830-4aa0-a940-00296e87ba3d</permissionId>
             <resourceName>organizations</resourceName>
         </permission>
         <role>
@@ -228,7 +228,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>fd8483fb-8ddc-432f-88fe-6f1f858f5b8d</permissionId>
+            <permissionId>821f288c-4958-405c-bc73-b34f47411066</permissionId>
             <resourceName>
                 /orgauthorities/*/items/
             </resourceName>
@@ -241,7 +241,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>20fad09b-86b3-4fc4-9f77-e6f0c83e3b4f</permissionId>
+            <permissionId>5a99cd36-768a-4001-b855-d75899fcb19b</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/refobjs
             </resourceName>
@@ -254,7 +254,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>0f5f7073-6ad7-4149-9c7d-522759d08619</permissionId>
+            <permissionId>75127a9c-d433-419e-b2b8-fb3368dc2fd3</permissionId>
             <resourceName>personauthorities</resourceName>
         </permission>
         <role>
@@ -265,7 +265,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>0bbcae28-a9f8-4093-b797-ec61f4777243</permissionId>
+            <permissionId>33af3708-d5ab-4668-be8f-535de4845150</permissionId>
             <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -278,7 +278,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>30e5b4c8-853d-406e-9053-7b3689f38e13</permissionId>
+            <permissionId>b918c0ec-7005-4f51-ac6b-62daf86560b1</permissionId>
             <resourceName>
                 /personauthorities/*/items/*/refobjs
             </resourceName>
@@ -291,7 +291,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cee68b4a-5d74-4c7b-99b5-79ea1d6d84e6</permissionId>
+            <permissionId>026f957b-763f-4e31-8a5c-90c6f4c1017d</permissionId>
             <resourceName>persons</resourceName>
         </permission>
         <role>
@@ -302,7 +302,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>e6166551-917f-4802-bb8f-33e9a26897a6</permissionId>
+            <permissionId>96749d08-3320-408d-b812-815fb0702562</permissionId>
             <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -315,7 +315,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cd071fb9-93ab-4d84-9a48-2763cb5505d2</permissionId>
+            <permissionId>6da6f72b-ecf0-4f08-a220-223a2f0e0b16</permissionId>
             <resourceName>locationauthorities</resourceName>
         </permission>
         <role>
@@ -326,7 +326,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>e66aca29-4fb6-4800-a776-93988d5ae16a</permissionId>
+            <permissionId>454c4a67-e21d-4402-9d13-5f0eb05e6028</permissionId>
             <resourceName>
                 /locationauthorities/*/items/
             </resourceName>
@@ -339,7 +339,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>6b961b0d-1cb6-4358-a469-4c3b058fee3f</permissionId>
+            <permissionId>8b04ac84-968d-476d-8cac-fc0fd507f8d7</permissionId>
             <resourceName>locations</resourceName>
         </permission>
         <role>
@@ -350,7 +350,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>51a94926-b603-43f8-9e2d-a371c0e42fc4</permissionId>
+            <permissionId>cdeb851e-0f68-43de-8b29-e2e2b9e3faf3</permissionId>
             <resourceName>acquisitions</resourceName>
         </permission>
         <role>
@@ -361,7 +361,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>3387d9e0-f942-436e-8f15-8a2b53d6669c</permissionId>
+            <permissionId>c1ada994-34f7-4a5d-a91f-3414ac872bae</permissionId>
             <resourceName>
                 /acquisitions/*/authorityrefs/
             </resourceName>
@@ -374,7 +374,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>01a98695-da9a-4e94-b94a-f1c18228a520</permissionId>
+            <permissionId>8d4b8274-fc30-4175-b5de-a328d16b898a</permissionId>
             <resourceName>relations</resourceName>
         </permission>
         <role>
@@ -385,7 +385,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>8703dd4c-72b6-46a6-8c35-fb5bf86a6c92</permissionId>
+            <permissionId>6be0be1c-9269-475a-8ac0-e2cd1e38836c</permissionId>
             <resourceName>
                 relations/subject/*/type/*/object/*
             </resourceName>
@@ -398,7 +398,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>97f34c8a-e978-467e-9881-15ebc2d11f05</permissionId>
+            <permissionId>849ece17-b3f6-4792-a7aa-ecf950e76bf5</permissionId>
             <resourceName>accounts</resourceName>
         </permission>
         <role>
@@ -409,7 +409,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>eb0e3f69-96db-4f05-9316-021094bbcfec</permissionId>
+            <permissionId>a7f645ca-e8be-4c76-9b2b-22d154f487a3</permissionId>
             <resourceName>dimensions</resourceName>
         </permission>
         <role>
@@ -420,7 +420,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>10d0cf8b-1759-4692-8553-391e2bb568f3</permissionId>
+            <permissionId>cb815554-aab2-43a9-9f4b-49ecd72b95e7</permissionId>
             <resourceName>contacts</resourceName>
         </permission>
         <role>
@@ -431,7 +431,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>4da515c5-cf33-4eb7-b0ab-3ace1d3192a6</permissionId>
+            <permissionId>3b67af55-4d7a-43b6-aba3-0327aa7f5eb1</permissionId>
             <resourceName>
                 /personauthorities/*/items/*/contacts
             </resourceName>
@@ -444,7 +444,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>7a00e318-ea14-4ebb-906f-8aea1bc9f0c4</permissionId>
+            <permissionId>986483a9-d97d-464a-91d8-992c7653e7fa</permissionId>
             <resourceName>
                 /orgauthorities/*/items/*/contacts
             </resourceName>
@@ -457,7 +457,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>bda263c9-148f-452d-8e87-98b7427fc054</permissionId>
+            <permissionId>5a619a25-91d8-4fa9-808f-05c3bb349506</permissionId>
             <resourceName>notes</resourceName>
         </permission>
         <role>
@@ -468,7 +468,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>180ab379-d045-43f9-8ce0-6e7bbc23ce72</permissionId>
+            <permissionId>37f949ba-bdf5-435f-9649-4301bd29b957</permissionId>
             <resourceName>authorization/roles</resourceName>
         </permission>
         <role>
@@ -479,7 +479,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>1874f2cd-17ce-407a-ae12-31206906ae18</permissionId>
+            <permissionId>dd02ab68-4774-4533-8969-641eca0e0178</permissionId>
             <resourceName>authorization/permissions</resourceName>
         </permission>
         <role>
@@ -490,7 +490,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>cfe9fa81-c846-4025-b212-5c4a1f51298b</permissionId>
+            <permissionId>64d08e83-0a6b-4c0e-bd63-ce20219463c9</permissionId>
             <resourceName>authorization/permissions/permroles</resourceName>
         </permission>
         <role>
@@ -501,7 +501,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>39872df7-2f7b-4f80-859a-ee01e3c5c995</permissionId>
+            <permissionId>8eeb4333-fdf1-4171-bd24-d719b24d1452</permissionId>
             <resourceName>
                 /authorization/permissions/*/permroles/
             </resourceName>
@@ -514,7 +514,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>7376c78f-faef-40f2-a22a-ee1b4790d951</permissionId>
+            <permissionId>a5f3dd1c-66c2-41a3-bbfb-dd2c72162fe5</permissionId>
             <resourceName>accounts/accountroles</resourceName>
         </permission>
         <role>
@@ -525,7 +525,7 @@
     <permissionRole>
         <subject>ROLE</subject>
         <permission>
-            <permissionId>305b230d-f5cf-43c4-bdc4-474c0520aeed</permissionId>
+            <permissionId>56145553-6b17-449c-ae8a-b7ed14f85af1</permissionId>
             <resourceName>
                 /accounts/*/accountroles/
             </resourceName>
diff --git a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
index 2d6f074ef..74d711dc8 100644
--- a/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
+++ b/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ns2:permissions_list xmlns:ns2="http://collectionspace.org/services/authorization">
-    <permission csid="2bfb81c6-6d08-4928-aa56-1b3c22f52af1">
+    <permission csid="5a0bad92-cac6-4694-84d6-d393a52aafd9">
         <resourceName>idgenerators</resourceName>
         <action>
             <name>CREATE</name>
@@ -20,7 +20,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="69302e5e-2600-45e3-937b-b18cd1a1009d">
+    <permission csid="3e0a37ab-4ca3-4659-bef6-ff7e7c3ce590">
         <resourceName>id</resourceName>
         <action>
             <name>CREATE</name>
@@ -40,7 +40,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="cd9da6b0-672a-445a-8c91-8eb60790c163">
+    <permission csid="0d8826df-d61a-448e-8d8a-9e41bf178582">
         <resourceName>
                 /idgenerators/*/ids
             </resourceName>
@@ -62,7 +62,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="5a39680a-a76c-4c35-88ce-01ce78f70866">
+    <permission csid="f872859a-7f05-4d0a-b898-ef8f1b7745ba">
         <resourceName>collectionobjects</resourceName>
         <action>
             <name>CREATE</name>
@@ -82,7 +82,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="c7adacd4-d663-4979-af33-309cff3c1d5b">
+    <permission csid="cca70419-20ce-4bf7-ad9f-cb5d8c542577">
         <resourceName>
                 /collectionobjects/*/authorityrefs/
             </resourceName>
@@ -104,7 +104,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="026c638d-7b59-4e07-9ac8-55f4cf5bcf88">
+    <permission csid="ca89d98e-7fc4-44e5-9e5f-fea49bdb7e89">
         <resourceName>intakes</resourceName>
         <action>
             <name>CREATE</name>
@@ -124,7 +124,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="afd64e21-5e85-4103-a005-ebdd1768689e">
+    <permission csid="c3e6c0c6-b6c0-4bb1-a03d-2e86857b74b4">
         <resourceName>
                 /intakes/*/authorityrefs/
             </resourceName>
@@ -146,7 +146,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="2e9ceeeb-df32-4f8a-94ad-064b2e56c35e">
+    <permission csid="cea2e847-0944-49c0-8746-4622c1169a65">
         <resourceName>loansin</resourceName>
         <action>
             <name>CREATE</name>
@@ -166,7 +166,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="74e0498d-86ff-4e2e-812f-7f894c7a0842">
+    <permission csid="b163f821-5791-4044-be1c-ddbd3738a4b4">
         <resourceName>
                 /loansin/*/authorityrefs/
             </resourceName>
@@ -188,7 +188,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="6b1dd0f9-6eb4-40fb-b8d4-c68f85d992fc">
+    <permission csid="3a77ffcf-8052-466c-99d7-61fff28d9f88">
         <resourceName>loansout</resourceName>
         <action>
             <name>CREATE</name>
@@ -208,7 +208,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="835ddebc-ab0c-46ca-9bed-7cd65901fec9">
+    <permission csid="859d46be-9bf6-4bce-9950-3e07fd35fc91">
         <resourceName>
                 /loansout/*/authorityrefs/
             </resourceName>
@@ -230,7 +230,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="cb18affd-0c86-4c80-85ab-cd01fc0169e4">
+    <permission csid="f079772b-b15a-45b9-9e30-ba93ec62886b">
         <resourceName>movements</resourceName>
         <action>
             <name>CREATE</name>
@@ -250,7 +250,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="73c7c7e1-d652-4b1b-8c2f-a0f6d31e861d">
+    <permission csid="05a0e8d6-c623-470f-8562-e1ebaa8661a0">
         <resourceName>
                 /movements/*/authorityrefs/
             </resourceName>
@@ -272,7 +272,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="75d80adc-5dc5-4044-b463-ca549f920d12">
+    <permission csid="72115711-331e-4e6d-a4d7-2d9ad22bb2e3">
         <resourceName>vocabularies</resourceName>
         <action>
             <name>CREATE</name>
@@ -292,7 +292,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="7ed9eb73-fe3c-4f34-be69-40c7dd4c8cfe">
+    <permission csid="401d9a19-add1-475b-97c6-715d18001fed">
         <resourceName>vocabularyitems</resourceName>
         <action>
             <name>CREATE</name>
@@ -312,7 +312,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="ba430b16-d4c2-455d-a5f0-a006c56fba40">
+    <permission csid="862e5aa7-40e0-433c-b918-025a649543e0">
         <resourceName>
                 /vocabularies/*/items/
             </resourceName>
@@ -334,7 +334,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="e51f2c07-8cec-423e-909d-f7e26b708250">
+    <permission csid="b8fbde29-bb5a-4d88-88c9-01881b4953a7">
         <resourceName>orgauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -354,7 +354,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="6057bcf9-6130-42fb-9a39-6912fa337861">
+    <permission csid="458a330f-1b4d-4e52-950c-f2aacf9a4870">
         <resourceName>
                 /orgauthorities/*/items/*/authorityrefs/
             </resourceName>
@@ -376,7 +376,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="719809d0-3afb-48b2-bd35-76690eb409d4">
+    <permission csid="3552c6ca-c830-4aa0-a940-00296e87ba3d">
         <resourceName>organizations</resourceName>
         <action>
             <name>CREATE</name>
@@ -396,7 +396,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="fd8483fb-8ddc-432f-88fe-6f1f858f5b8d">
+    <permission csid="821f288c-4958-405c-bc73-b34f47411066">
         <resourceName>
                 /orgauthorities/*/items/
             </resourceName>
@@ -418,7 +418,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="20fad09b-86b3-4fc4-9f77-e6f0c83e3b4f">
+    <permission csid="5a99cd36-768a-4001-b855-d75899fcb19b">
         <resourceName>
                 /orgauthorities/*/items/*/refobjs
             </resourceName>
@@ -440,7 +440,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="0f5f7073-6ad7-4149-9c7d-522759d08619">
+    <permission csid="75127a9c-d433-419e-b2b8-fb3368dc2fd3">
         <resourceName>personauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -460,7 +460,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="0bbcae28-a9f8-4093-b797-ec61f4777243">
+    <permission csid="33af3708-d5ab-4668-be8f-535de4845150">
         <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -482,7 +482,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="30e5b4c8-853d-406e-9053-7b3689f38e13">
+    <permission csid="b918c0ec-7005-4f51-ac6b-62daf86560b1">
         <resourceName>
                 /personauthorities/*/items/*/refobjs
             </resourceName>
@@ -504,7 +504,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="cee68b4a-5d74-4c7b-99b5-79ea1d6d84e6">
+    <permission csid="026f957b-763f-4e31-8a5c-90c6f4c1017d">
         <resourceName>persons</resourceName>
         <action>
             <name>CREATE</name>
@@ -524,7 +524,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="e6166551-917f-4802-bb8f-33e9a26897a6">
+    <permission csid="96749d08-3320-408d-b812-815fb0702562">
         <resourceName>
                 /personauthorities/*/items/
             </resourceName>
@@ -546,7 +546,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="cd071fb9-93ab-4d84-9a48-2763cb5505d2">
+    <permission csid="6da6f72b-ecf0-4f08-a220-223a2f0e0b16">
         <resourceName>locationauthorities</resourceName>
         <action>
             <name>CREATE</name>
@@ -566,7 +566,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="e66aca29-4fb6-4800-a776-93988d5ae16a">
+    <permission csid="454c4a67-e21d-4402-9d13-5f0eb05e6028">
         <resourceName>
                 /locationauthorities/*/items/
             </resourceName>
@@ -588,7 +588,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="6b961b0d-1cb6-4358-a469-4c3b058fee3f">
+    <permission csid="8b04ac84-968d-476d-8cac-fc0fd507f8d7">
         <resourceName>locations</resourceName>
         <action>
             <name>CREATE</name>
@@ -608,7 +608,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="51a94926-b603-43f8-9e2d-a371c0e42fc4">
+    <permission csid="cdeb851e-0f68-43de-8b29-e2e2b9e3faf3">
         <resourceName>acquisitions</resourceName>
         <action>
             <name>CREATE</name>
@@ -628,7 +628,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="3387d9e0-f942-436e-8f15-8a2b53d6669c">
+    <permission csid="c1ada994-34f7-4a5d-a91f-3414ac872bae">
         <resourceName>
                 /acquisitions/*/authorityrefs/
             </resourceName>
@@ -650,7 +650,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="01a98695-da9a-4e94-b94a-f1c18228a520">
+    <permission csid="8d4b8274-fc30-4175-b5de-a328d16b898a">
         <resourceName>relations</resourceName>
         <action>
             <name>CREATE</name>
@@ -670,7 +670,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="8703dd4c-72b6-46a6-8c35-fb5bf86a6c92">
+    <permission csid="6be0be1c-9269-475a-8ac0-e2cd1e38836c">
         <resourceName>
                 relations/subject/*/type/*/object/*
             </resourceName>
@@ -692,7 +692,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="97f34c8a-e978-467e-9881-15ebc2d11f05">
+    <permission csid="849ece17-b3f6-4792-a7aa-ecf950e76bf5">
         <resourceName>accounts</resourceName>
         <action>
             <name>CREATE</name>
@@ -712,7 +712,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="eb0e3f69-96db-4f05-9316-021094bbcfec">
+    <permission csid="a7f645ca-e8be-4c76-9b2b-22d154f487a3">
         <resourceName>dimensions</resourceName>
         <action>
             <name>CREATE</name>
@@ -732,7 +732,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="10d0cf8b-1759-4692-8553-391e2bb568f3">
+    <permission csid="cb815554-aab2-43a9-9f4b-49ecd72b95e7">
         <resourceName>contacts</resourceName>
         <action>
             <name>CREATE</name>
@@ -752,7 +752,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="4da515c5-cf33-4eb7-b0ab-3ace1d3192a6">
+    <permission csid="3b67af55-4d7a-43b6-aba3-0327aa7f5eb1">
         <resourceName>
                 /personauthorities/*/items/*/contacts
             </resourceName>
@@ -774,7 +774,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="7a00e318-ea14-4ebb-906f-8aea1bc9f0c4">
+    <permission csid="986483a9-d97d-464a-91d8-992c7653e7fa">
         <resourceName>
                 /orgauthorities/*/items/*/contacts
             </resourceName>
@@ -796,7 +796,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="bda263c9-148f-452d-8e87-98b7427fc054">
+    <permission csid="5a619a25-91d8-4fa9-808f-05c3bb349506">
         <resourceName>notes</resourceName>
         <action>
             <name>CREATE</name>
@@ -816,7 +816,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="180ab379-d045-43f9-8ce0-6e7bbc23ce72">
+    <permission csid="37f949ba-bdf5-435f-9649-4301bd29b957">
         <resourceName>authorization/roles</resourceName>
         <action>
             <name>CREATE</name>
@@ -836,7 +836,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="1874f2cd-17ce-407a-ae12-31206906ae18">
+    <permission csid="dd02ab68-4774-4533-8969-641eca0e0178">
         <resourceName>authorization/permissions</resourceName>
         <action>
             <name>CREATE</name>
@@ -856,7 +856,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="cfe9fa81-c846-4025-b212-5c4a1f51298b">
+    <permission csid="64d08e83-0a6b-4c0e-bd63-ce20219463c9">
         <resourceName>authorization/permissions/permroles</resourceName>
         <action>
             <name>CREATE</name>
@@ -876,7 +876,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="39872df7-2f7b-4f80-859a-ee01e3c5c995">
+    <permission csid="8eeb4333-fdf1-4171-bd24-d719b24d1452">
         <resourceName>
                 /authorization/permissions/*/permroles/
             </resourceName>
@@ -898,7 +898,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="7376c78f-faef-40f2-a22a-ee1b4790d951">
+    <permission csid="a5f3dd1c-66c2-41a3-bbfb-dd2c72162fe5">
         <resourceName>accounts/accountroles</resourceName>
         <action>
             <name>CREATE</name>
@@ -918,7 +918,7 @@
         <effect>PERMIT</effect>
         <tenant_id>1</tenant_id>
     </permission>
-    <permission csid="305b230d-f5cf-43c4-bdc4-474c0520aeed">
+    <permission csid="56145553-6b17-449c-ae8a-b7ed14f85af1">
         <resourceName>
                 /accounts/*/accountroles/
             </resourceName>
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionDocumentHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionDocumentHandler.java
index f15f8c877..fd80d8cd6 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionDocumentHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionDocumentHandler.java
@@ -24,7 +24,6 @@
 package org.collectionspace.services.authorization.storage;
 
 import java.util.ArrayList;
-import java.util.Date;
 import java.util.List;
 import java.util.UUID;
 
@@ -33,6 +32,7 @@ import org.collectionspace.services.authorization.PermissionAction;
 import org.collectionspace.services.authorization.PermissionsList;
 
 import org.collectionspace.services.common.document.AbstractDocumentHandlerImpl;
+import org.collectionspace.services.common.document.BadRequestException;
 import org.collectionspace.services.common.document.DocumentFilter;
 import org.collectionspace.services.common.document.DocumentWrapper;
 import org.collectionspace.services.common.document.JaxbUtils;
@@ -78,15 +78,14 @@ public class PermissionDocumentHandler
      * @param to
      * @return merged permission
      */
-    private Permission merge(Permission from, Permission to) {
-        Date now = new Date();
-        to.setUpdatedAtItem(now);
-        if (from.getResourceName() != null) {
-            to.setResourceName(from.getResourceName());
-        }
-        if (from.getAttributeName() != null) {
-            to.setAttributeName(from.getAttributeName());
+    private Permission merge(Permission from, Permission to) throws Exception {
+        if (!(from.getResourceName().equalsIgnoreCase(to.getResourceName()))) {
+            String msg = "Resource name cannot be changed " + to.getResourceName();
+            logger.error(msg);
+            throw new BadRequestException(msg);
         }
+        //resource name, attribute  cannot be changed
+
         if (from.getDescription() != null) {
             to.setDescription(from.getDescription());
         }
@@ -111,6 +110,9 @@ public class PermissionDocumentHandler
         Permission upAcc = wrapDoc.getWrappedObject();
         getServiceContext().setOutput(permission);
         sanitize(upAcc);
+        //FIXME update lower-layer authorization (acls)
+        //will require deleting old permissions for this resource and adding
+        //new based on new actions and effect
     }
 
     @Override
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleValidatorHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleValidatorHandler.java
index bfa2e58e5..e1ae9049c 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleValidatorHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleValidatorHandler.java
@@ -69,7 +69,7 @@ public class PermissionRoleValidatorHandler implements ValidatorHandler {
                         invalid = true;
                     }
                 }
-            } 
+                    }
             if (invalid) {
                 String msg = msgBldr.toString();
                 logger.error(msg);
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionValidatorHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionValidatorHandler.java
index 8fc460f12..fd4ee58bf 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionValidatorHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionValidatorHandler.java
@@ -61,9 +61,9 @@ public class PermissionValidatorHandler implements ValidatorHandler {
                 }
             } else if (action.equals(Action.UPDATE)) {
                 //update specific validation here
-                if (permission.getResourceName() != null && permission.getResourceName().isEmpty()) {
+                if (permission.getResourceName() == null || permission.getResourceName().isEmpty()) {
                     invalid = true;
-                    msgBldr.append("\nresourceName : cannot be empty");
+                    msgBldr.append("\nresourceName : cannot be missing or empty");
                 }
             }
             if (invalid) {
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
index 5bc0aef98..871e24327 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
@@ -32,6 +32,7 @@ import org.collectionspace.services.authorization.Role;
 import org.collectionspace.services.authorization.RolesList;
 
 import org.collectionspace.services.common.document.AbstractDocumentHandlerImpl;
+import org.collectionspace.services.common.document.BadRequestException;
 import org.collectionspace.services.common.document.DocumentFilter;
 import org.collectionspace.services.common.document.DocumentWrapper;
 import org.collectionspace.services.common.document.JaxbUtils;
@@ -53,6 +54,7 @@ public class RoleDocumentHandler
     public void handleCreate(DocumentWrapper<Role> wrapDoc) throws Exception {
         String id = UUID.randomUUID().toString();
         Role role = wrapDoc.getWrappedObject();
+        role.setRoleName(fixRoleName(role.getRoleName()));
         role.setCsid(id);
         //FIXME: if admin updating the role is a CS admin rather than
         //the tenant admin, tenant id should be retrieved from the request
@@ -63,6 +65,7 @@ public class RoleDocumentHandler
     public void handleUpdate(DocumentWrapper<Role> wrapDoc) throws Exception {
         Role roleFound = wrapDoc.getWrappedObject();
         Role roleReceived = getCommonPart();
+        roleReceived.setRoleName(fixRoleName(roleReceived.getRoleName()));
         merge(roleReceived, roleFound);
     }
 
@@ -73,9 +76,12 @@ public class RoleDocumentHandler
      * @param to
      * @return merged role
      */
-    private Role merge(Role from, Role to) {
-        if (from.getRoleName() != null) {
-            to.setRoleName(from.getRoleName());
+    private Role merge(Role from, Role to) throws Exception {
+        //role name cannot be changed
+        if (!(from.getRoleName().equalsIgnoreCase(to.getRoleName()))) {
+            String msg = "Role name cannot be changed " + to.getRoleName();
+            logger.error(msg);
+            throw new BadRequestException(msg);
         }
         if (from.getRoleGroup() != null) {
             to.setRoleGroup(from.getRoleGroup());
@@ -178,4 +184,13 @@ public class RoleDocumentHandler
     private void sanitize(Role role) {
         role.setTenantId(null);
     }
+
+    private String fixRoleName(String role) {
+        String roleName = role.toUpperCase();
+        String rolePrefix = "ROLE_";
+        if (!roleName.startsWith(rolePrefix)) {
+            roleName = rolePrefix + roleName;
+        }
+        return roleName;
+    }
 }
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleValidatorHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleValidatorHandler.java
index 71533a909..4e239b32d 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleValidatorHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleValidatorHandler.java
@@ -62,9 +62,9 @@ public class RoleValidatorHandler implements ValidatorHandler {
                 }
             } else if (action.equals(Action.UPDATE)) {
                 //update specific validation here
-                if (role.getRoleName() != null && role.getRoleName().isEmpty()) {
+                if (role.getRoleName() == null || role.getRoleName().isEmpty()) {
                     invalid = true;
-                    msgBldr.append("\nroleName : cannot be empty");
+                    msgBldr.append("\nroleName : cannot be missing or empty");
                 }
             }
             if (invalid) {