From: remillet <remillet@yahoo.com>
Date: Thu, 7 Dec 2017 19:55:38 +0000 (-0800)
Subject: DRYD-186: POSTs to the Role resource can now declare a set of permissions to associat... 
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=d12c82f713fd145579a7b9bc477a48c9493bbccb;p=tmp%2Fjakarta-migration.git

DRYD-186: POSTs to the Role resource can now declare a set of permissions to associate with the new role.  If the permissions don't exist, the Services will create them.  The permissions MUST include values for the actionGroup and resource.
---

diff --git a/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplay.java b/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplay.java
index 76217e33b..865ffd49a 100644
--- a/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplay.java
+++ b/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplay.java
@@ -656,8 +656,8 @@ public class XmlReplay {
                         fullURL = fixupFullURL(fullURL, protoHostPort, uri);
                     } else if (method.equalsIgnoreCase("DELETE")){
                         String fromTestID = testNode.valueOf("fromTestID");
-                        ServiceResult pr = serviceResultsMap.get(fromTestID);
-                        if (pr!=null){
+                        ServiceResult pr = Tools.notBlank(fromTestID) ? serviceResultsMap.get(fromTestID) : null;
+                        if (pr != null) {
                             serviceResult = XmlReplayTransport.doDELETE(pr.deleteURL, authForTest, testIDLabel, fromTestID);
                             serviceResult.fromTestID = fromTestID;
                             if (expectedCodes.size()>0){
diff --git a/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplayTransport.java b/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplayTransport.java
index efd9cbed4..31dd26038 100644
--- a/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplayTransport.java
+++ b/services/IntegrationTests/src/main/java/org/collectionspace/services/IntegrationTests/xmlreplay/XmlReplayTransport.java
@@ -110,7 +110,9 @@ public class XmlReplayTransport {
         deleteMethod.setRequestHeader("Accept", "multipart/mixed");
         deleteMethod.addRequestHeader("Accept", "application/xml");
         deleteMethod.setRequestHeader("Authorization", formatAuth(authForTest));
-        deleteMethod.setRequestHeader("X-XmlReplay-fromTestID", fromTestID);
+        if (Tools.notBlank(fromTestID)) {
+        	deleteMethod.setRequestHeader("X-XmlReplay-fromTestID", fromTestID);
+        }
         int statusCode1 = 0;
         String res = "";
         try {
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
index 013d72b5c..5946eca88 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
@@ -184,7 +184,7 @@
             <filename>dimension/1.xml</filename>
         </test>
         <test ID="dimensionBigbirdPUTAfterPermrolesDeleted">
-            <expectedCodes>404</expectedCodes>
+            <expectedCodes>403</expectedCodes>
             <method>PUT</method>
             <uri>/cspace-services/dimensions/${dimension1.CSID}</uri>
             <filename>dimension/2-put.xml</filename>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/3-role-test-cm.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/3-role-test-cm.xml
index 8575b3a78..ccd7034d6 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/3-role-test-cm.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/3-role-test-cm.xml
@@ -1,6 +1,29 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<ns2:role
-xmlns:ns2="http://collectionspace.org/services/authorization">
-  <roleName>ROLE_TEST_CM</roleName>
-  <description>role for ROLE_TEST_CM</description>
+<ns2:role xmlns:ns2="http://collectionspace.org/services/authorization">
+    <roleName>ROLE_TEST_CM</roleName>
+    <description>role for ROLE_TEST_CM</description>
+    <permission>
+        <permRelationshipId>4381</permRelationshipId>
+        <permissionId>1-vocabularies-RL</permissionId>
+        <resourceName>vocabularies</resourceName>
+        <actionGroup>RL</actionGroup>
+    </permission>
+    <permission>
+        <permRelationshipId>4382</permRelationshipId>
+        <permissionId>1-groups-RL</permissionId>
+        <resourceName>groups</resourceName>
+        <actionGroup>RL</actionGroup>
+    </permission>
+    <permission>
+        <permRelationshipId>4381</permRelationshipId>
+        <permissionId>1-vocabularies-CRUL</permissionId>
+        <resourceName>vocabularies</resourceName>
+        <actionGroup>CRUL</actionGroup>
+    </permission>
+    <permission>
+        <permRelationshipId>4382</permRelationshipId>
+        <permissionId>1-groups-CRUL</permissionId>
+        <resourceName>groups</resourceName>
+        <actionGroup>CRUL</actionGroup>
+    </permission>
 </ns2:role>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/4-role-intern.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/4-role-intern.xml
index d74115ed2..b16fc0503 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/4-role-intern.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/4-role-intern.xml
@@ -1,5 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ns2:role xmlns:ns2="http://collectionspace.org/services/authorization">
-  <roleName>ROLE_TEST_INTERN</roleName>
-  <description>role for ROLE_TEST_INTERN</description>
+    <roleName>ROLE_TEST_INTERN</roleName>
+    <description>role for ROLE_TEST_INTERN</description>
+    <permission>
+        <permRelationshipId>4381</permRelationshipId>
+        <permissionId>1-vocabularies-RL</permissionId>
+        <resourceName>vocabularies</resourceName>
+        <actionGroup>RL</actionGroup>
+    </permission>
+    <permission>
+        <permRelationshipId>4382</permRelationshipId>
+        <permissionId>1-groups-RL</permissionId>
+        <resourceName>groups</resourceName>
+        <actionGroup>RL</actionGroup>
+    </permission>
 </ns2:role>
diff --git a/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java b/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
index 2fba8111e..a6b7b8a2f 100644
--- a/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
+++ b/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
@@ -573,7 +573,7 @@ public class AccountRoleServiceTest extends AbstractServiceTestImpl<AccountRole,
         RoleClient roleClient = new RoleClient();
         Role role = RoleFactory.createRoleInstance(roleName,
         		roleName, //the display name
-                "role for " + roleName, true);
+                "role for " + roleName, true, RoleFactory.EMPTY_PERMVALUE_LIST);
         setupCreate();
         Response res = roleClient.create(role);
         try {
diff --git a/services/authorization-mgt/client/pom.xml b/services/authorization-mgt/client/pom.xml
index 781c576dd..58d3f70f9 100644
--- a/services/authorization-mgt/client/pom.xml
+++ b/services/authorization-mgt/client/pom.xml
@@ -39,6 +39,11 @@
             <artifactId>org.collectionspace.services.authorization.jaxb</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.collectionspace.services</groupId>
+            <artifactId>org.collectionspace.services.hyperjaxb</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.collectionspace.services</groupId>
             <artifactId>org.collectionspace.services.client</artifactId>
diff --git a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionClient.java b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionClient.java
index 9ff74c0ec..49d4f627b 100644
--- a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionClient.java
+++ b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionClient.java
@@ -31,8 +31,8 @@ import java.util.HashMap;
 import java.util.List;
 
 import javax.ws.rs.core.Response;
-
 import org.apache.http.HttpStatus;
+
 import org.collectionspace.services.authorization.perms.ActionType;
 import org.collectionspace.services.authorization.perms.Permission;
 import org.collectionspace.services.authorization.perms.PermissionAction;
@@ -96,7 +96,6 @@ public class PermissionClient extends AbstractServiceClientImpl<PermissionsList,
 
     public Response readSearchList(String resourceName) {
         return getProxy().readSearchList(resourceName);
-
     }
 
     /**
@@ -108,6 +107,30 @@ public class PermissionClient extends AbstractServiceClientImpl<PermissionsList,
     public Response read(String csid) {
         return getProxy().read(csid);
     }
+    
+    /*
+     * We expect a single result.  An resourceName/actionGroup tuple should uniquely identify the permission resource
+     */
+    public Permission read(String resourceName, String actionGroup) {
+    	Permission result = null;
+    	
+    	Response res = getProxy().read(resourceName, actionGroup);
+    	try {
+	    	if (res != null && res.getStatus() == Response.Status.OK.getStatusCode()) {
+		    	PermissionsList permsListElement = res.readEntity(PermissionsList.class);
+		    	if (permsListElement != null && permsListElement.getPermission() != null) {
+		    		List<Permission> permsList = permsListElement.getPermission();
+		    		if (permsList.size() == 1) {
+		    			result = permsList.get(0);
+		    		}
+		    	}
+	    	}
+    	} finally {
+    		res.close();
+    	}
+    	
+    	return result;
+    }
 
     /**
      * @param permission
diff --git a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionProxy.java b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionProxy.java
index 1341263df..a67f3270e 100644
--- a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionProxy.java
+++ b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionProxy.java
@@ -47,7 +47,8 @@ import org.collectionspace.services.authorization.perms.PermissionsList;
 @Consumes({"application/xml"})
 public interface PermissionProxy extends CollectionSpaceProxy<PermissionsList> {
 
-    @GET
+    @Override
+	@GET
     @Produces({"application/xml"})
     Response readList();
 
@@ -62,7 +63,11 @@ public interface PermissionProxy extends CollectionSpaceProxy<PermissionsList> {
     @GET
     @Path("/{csid}")
     Response read(@PathParam("csid") String csid);
-
+    
+    //(R)read
+    @GET
+    Response read(@QueryParam("res") String resourceName, @QueryParam("actGrp") String actionGroup);
+    
     //(U)pdate
     @PUT
     @Path("/{csid}")
diff --git a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionRoleFactory.java b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionRoleFactory.java
index 94563b5f4..a04c5fe28 100644
--- a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionRoleFactory.java
+++ b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/PermissionRoleFactory.java
@@ -29,6 +29,7 @@ import java.util.List;
 import org.collectionspace.services.authorization.PermissionRole;
 import org.collectionspace.services.authorization.PermissionValue;
 import org.collectionspace.services.authorization.RoleValue;
+import org.collectionspace.services.authorization.SubjectType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -84,18 +85,28 @@ public class PermissionRoleFactory {
             boolean useRoleId) {
 
         PermissionRole permRole = new PermissionRole();
-        //service consume is not required to provide subject as it is determined
-        //from URI used
-//        permRole.setSubject(SubjectType.ROLE);
         if (useRoleId) {
             ArrayList<RoleValue> rvs = new ArrayList<RoleValue>();
             rvs.add(rv);
             permRole.setRole(rvs);
         }
+        
         if (usePermId) {
             permRole.setPermission(pvs);
         }
 
         return permRole;
     }
+    
+    public static PermissionRole createPermissionRoleInstance(SubjectType subjectType,
+    		RoleValue rv,
+            List<PermissionValue> pvs,
+            boolean usePermId,
+            boolean useRoleId) {
+
+        PermissionRole permRole = createPermissionRoleInstance(rv, pvs, usePermId, useRoleId);
+        permRole.setSubject(subjectType);
+        return permRole;
+    }
+    
 }
diff --git a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/RoleFactory.java b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/RoleFactory.java
index 05a902886..d5f912823 100644
--- a/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/RoleFactory.java
+++ b/services/authorization-mgt/client/src/main/java/org/collectionspace/services/client/RoleFactory.java
@@ -50,7 +50,11 @@
 package org.collectionspace.services.client;
 
 
+import java.util.List;
+
+import org.collectionspace.services.authorization.PermissionValue;
 import org.collectionspace.services.authorization.Role;
+import org.collectionspace.services.authorization.RoleValue;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -61,6 +65,9 @@ import org.slf4j.LoggerFactory;
 public class RoleFactory {
 
     static private final Logger logger = LoggerFactory.getLogger(RoleFactory.class);
+    
+	public static final List<PermissionValue> EMPTY_PERMVALUE_LIST = null;
+
     /**
      * create role instance
      * @param roleName
@@ -71,7 +78,8 @@ public class RoleFactory {
     public static Role createRoleInstance(String roleName,
     		String displayName,
             String description,
-            boolean useRoleName) {
+            boolean useRoleName,
+            List<PermissionValue> permValueList) {
 
         Role role = new Role();
         if (useRoleName == true) {
@@ -79,7 +87,20 @@ public class RoleFactory {
         }
         role.setDisplayName(displayName);
         role.setDescription(description);
+        role.setPermission(permValueList);
+        
         return role;
 
     }
+    
+    public static RoleValue createRoleValueInstance(Role role) {
+    	RoleValue result = new RoleValue();
+    	
+    	result.setDisplayName(role.getDisplayName());
+    	result.setRoleId(role.getCsid());
+    	result.setRoleName(role.getRoleName());
+    	result.setTenantId(role.getTenantId());
+    	
+    	return result;
+    }
 }
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
index b2a81d262..d0c8f260a 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
@@ -650,7 +650,7 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl<Permissio
 
         Role role = RoleFactory.createRoleInstance(roleName,
         		roleName, //the display name
-                "role for " + roleName, true);
+                "role for " + roleName, true, RoleFactory.EMPTY_PERMVALUE_LIST);
         Response res = null;
         String id = null;
         try {
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RolePermissionServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RolePermissionServiceTest.java
index 7ed710e04..b92fc8a3e 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RolePermissionServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RolePermissionServiceTest.java
@@ -668,7 +668,7 @@ public class RolePermissionServiceTest extends AbstractServiceTestImpl<Permissio
 
         Role role = RoleFactory.createRoleInstance(roleName,
         		roleName, //the display name
-                "role for " + roleName, true);
+                "role for " + roleName, true, RoleFactory.EMPTY_PERMVALUE_LIST);
         role.setRoleGroup("something");
         Response res = null;
         String id = null;
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
index 5d37e19cd..b6a9b0c6f 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
@@ -22,20 +22,26 @@
  */
 package org.collectionspace.services.authorization.client.test;
 
-//import java.util.ArrayList;
-//import java.util.List;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Random;
-
 import javax.ws.rs.core.Response;
 
 import org.collectionspace.services.client.CollectionSpaceClient;
+import org.collectionspace.services.client.PermissionClient;
 import org.collectionspace.services.client.RoleClient;
+import org.collectionspace.services.authorization.PermissionValue;
 import org.collectionspace.services.authorization.Role;
 import org.collectionspace.services.authorization.RolesList;
+import org.collectionspace.services.authorization.perms.Permission;
 import org.collectionspace.services.client.RoleFactory;
 import org.collectionspace.services.client.test.AbstractServiceTestImpl;
+
 import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -54,6 +60,14 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
 
     // Used to create unique identifiers
     static private final Random random = new Random(System.currentTimeMillis());
+    
+	private static final String PERM_1_RL_RESOURCE = "ROLE_TEST_PERMVALUE_RESOURCE_1";
+	private static final String PERM_1_RL_ACTIONGROUP = "RL";
+	private static final String PERM_2_RL_RESOURCE = "ROLE_TEST_PERMVALUE_RESOURCE_2";
+	private static final String PERM_2_RL_ACTIONGROUP = "CRUL";
+	private static final String PERM_3_RL_RESOURCE = "ROLE_TEST_PERMVALUE_RESOURCE_3";
+	private static final String PERM_3_RL_ACTIONGROUP = "CRUDL";
+
 
     // Instance variables specific to this test.
     /** The known resource id. */
@@ -61,7 +75,10 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
     private String knownRoleDisplayName = "ROLE_DISPLAYNAME_USERS_MOCK-1";
     private String verifyResourceId = null;
     private String verifyRoleName = "collections_manager_mock-1";
-//    private List<String> allResourceIdsCreated = new ArrayList<String>();
+    //
+    // Permission values
+    //
+    private List<PermissionValue> permissionValues = RoleFactory.EMPTY_PERMVALUE_LIST;
 
     @Override
     public String getServiceName() { 
@@ -91,9 +108,87 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
 	@Override
 	protected CollectionSpaceClient getClientInstance(String clientPropertiesFilename) throws Exception {
         return new RoleClient(clientPropertiesFilename);
-	}	
+	}
+	
+    /**
+     * Seed data.
+     * @throws Exception 
+     */
+    @BeforeClass(alwaysRun = true)
+    public void seedData() throws Exception {
+    	permissionValues = new ArrayList<PermissionValue>();
+    	permissionValues.add(createPermissionValueInstance(PERM_1_RL_RESOURCE, PERM_1_RL_ACTIONGROUP));
+    	permissionValues.add(createPermissionValueInstance(PERM_2_RL_RESOURCE, PERM_2_RL_ACTIONGROUP));
+    	permissionValues.add(createPermissionValueInstance(PERM_3_RL_RESOURCE, PERM_3_RL_ACTIONGROUP));
+    }
     
-    /* (non-Javadoc)
+    private PermissionValue createPermissionValueInstance(String resource, String actionGroup) {
+		PermissionValue permValue = new PermissionValue();
+		permValue.setResourceName(resource);
+		permValue.setActionGroup(actionGroup);
+		return permValue;
+	}
+
+	/**
+     * Clean up.
+     * @throws Exception 
+     */
+    @AfterClass(alwaysRun = true)
+    @Override
+    public void cleanUp() throws Exception {
+        String noTest = System.getProperty("noTestCleanup");
+        if (Boolean.TRUE.toString().equalsIgnoreCase(noTest)) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("Skipping Cleanup phase ...");
+            }
+            return;
+        }
+        if (logger.isDebugEnabled()) {
+            logger.debug("Cleaning up temporary resources created for testing ...");
+        }
+        //
+        // Delete the permissions we indirectly created with when we created via the "createRoleWithPerms()" test 
+        //
+        for (PermissionValue pv : permissionValues) {
+            deletePermission(pv);
+        }
+        
+        //
+        // Call our parent cleanup method.
+        //
+        super.cleanUp();
+    }
+    
+
+    /*
+     * Use a resource name and action group value to find and delete a permission record/resource.
+     */
+    private void deletePermission(PermissionValue permissionValue) throws Exception {
+    	int statusCode = Response.Status.OK.getStatusCode();
+        PermissionClient client = new PermissionClient();
+        Permission permission = client.read(permissionValue.getResourceName(), permissionValue.getActionGroup());
+    	if (permission != null) {
+            Response res = client.delete(permission.getCsid());
+            try {
+    	        statusCode = res.getStatus();
+            } finally {
+            	res.close();
+            }
+    	} else {
+    		//
+    		// Something bad happened.
+    		//
+        	statusCode = Response.Status.BAD_REQUEST.getStatusCode();    		
+    	}
+    	
+    	if (statusCode != Response.Status.OK.getStatusCode()) {
+    		String msg = String.format("Could not delete test Permission record: resource name='%s', actionGroup='%s'.",
+    				permissionValue.getResourceName(), permissionValue.getActionGroup());
+    		logger.error(msg);    		
+    	}
+	}
+
+	/* (non-Javadoc)
      * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readPaginatedList(java.lang.String)
      */
     @Override
@@ -116,7 +211,7 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
         // Submit the request to the service and store the response.
         RoleClient client = new RoleClient();
         Role role = createRoleInstance(knownRoleName, "All users are required to be in this role",
-                true);
+                true, RoleFactory.EMPTY_PERMVALUE_LIST);
         Response res = client.create(role);
         try {
 	        int statusCode = res.getStatus();
@@ -145,6 +240,81 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
         }
     }
     
+    @Test(dataProvider = "testName", 
+    		dependsOnMethods = {"CRUDTests"})
+    public void createRoleWithPerms(String testName) throws Exception {
+        // Perform setup, such as initializing the type of service request
+        // (e.g. CREATE, DELETE), its valid and expected status codes, and
+        // its associated HTTP method name (e.g. POST, DELETE).
+        setupCreate();
+
+        // Submit the request to the service and store the response.
+        RoleClient client = new RoleClient();
+        Role role = createRoleInstance("CREATE_ROLE_WITH_PERMS" + System.currentTimeMillis(), "A role created with perms.",
+                true, permissionValues);
+        Response res = client.create(role);
+        try {
+	        int statusCode = res.getStatus();
+	        // Check the status code of the response: does it match
+	        // the expected response(s)?
+	        //
+	        // Specifically:
+	        // Does it fall within the set of valid status codes?
+	        // Does it exactly match the expected status code?
+	        if (logger.isDebugEnabled()) {
+	            logger.debug(testName + ": status = " + statusCode);
+	        }
+	        Assert.assertTrue(testRequestType.isValidStatusCode(statusCode),
+	                invalidStatusCodeMessage(testRequestType, statusCode));
+	        Assert.assertEquals(statusCode, testExpectedStatusCode);
+	
+	        // Store the ID returned from this create operation
+	        // for additional tests below.
+	        String csid = extractId(res);
+	        allResourceIdsCreated.add(csid);
+	        if (logger.isDebugEnabled()) {
+	            logger.debug(testName + ": role with perms ID=" + csid);
+	        }
+        } finally {
+        	res.close();
+        }
+    }    
+    
+    @Test(dataProvider = "testName", 
+    		dependsOnMethods = {"CRUDTests"})    
+    public void createDupliateRole(String testName) throws Exception {
+        // Perform setup, such as initializing the type of service request
+        // (e.g. CREATE, DELETE), its valid and expected status codes, and
+        // its associated HTTP method name (e.g. POST, DELETE).
+        setupDuplicate();
+
+        // Submit the request to the service and store the response.
+        RoleClient client = new RoleClient();
+        Role role = createRoleInstance(knownRoleName, "This is a duplicate of an existing role.",
+                true, RoleFactory.EMPTY_PERMVALUE_LIST);
+        Response res = client.create(role);
+        try {
+	        int statusCode = res.getStatus();
+	        if (statusCode == 201) {
+	        	// We expected NOT to create a new role, so if we did then we need to keep track of it and eventually delete it.
+		        String duplicateRole = extractId(res);
+		        allResourceIdsCreated.add(duplicateRole);
+	        }
+	        // Check the status code of the response: does it match
+	        // the expected response(s)?
+	        //
+	        // Specifically:
+	        // Does it exactly match the expected status code?
+	        if (logger.isDebugEnabled()) {
+	            logger.debug(testName + ": status = " + statusCode);
+	        }
+	        Assert.assertEquals(statusCode, testExpectedStatusCode);
+	
+        } finally {        	
+        	res.close();
+        }
+    }
+    
     @Test(dataProvider = "testName", 
     		dependsOnMethods = {"CRUDTests"})
     public void createWithDisplayname(String testName) throws Exception {
@@ -880,22 +1050,31 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
      */
     public Role createRoleInstance(String roleName,
             String description,
-            boolean useRoleName) {
+            boolean useRoleName,
+            List<PermissionValue> permValueList) {
 
         Role role = RoleFactory.createRoleInstance(roleName,
         		roleName, //the display name
         		description,
-                useRoleName);
+                useRoleName,
+                permValueList);
+        
         if (logger.isDebugEnabled()) {
             logger.debug("to be created, role");
             org.collectionspace.services.authorization.ObjectFactory objectFactory = new org.collectionspace.services.authorization.ObjectFactory();            
             logger.debug(objectAsXmlString(objectFactory.createRole(role),
                     Role.class));
         }
+        
         return role;
-
     }
-
+    
+    public Role createRoleInstance(String roleName,
+            String description,
+            boolean useRoleName) {
+    	return this.createRoleInstance(roleName, description, useRoleName, RoleFactory.EMPTY_PERMVALUE_LIST);
+    }
+    
     /**
      * Prints the list.
      *
diff --git a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
index a7f2b2fc1..13637c652 100644
--- a/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
+++ b/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
@@ -27,10 +27,18 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
 
+import org.collectionspace.services.authorization.PermissionRole;
+import org.collectionspace.services.authorization.PermissionRoleSubResource;
+import org.collectionspace.services.authorization.PermissionValue;
 import org.collectionspace.services.authorization.Role;
+import org.collectionspace.services.authorization.RoleValue;
 import org.collectionspace.services.authorization.RolesList;
+import org.collectionspace.services.authorization.SubjectType;
 
+import org.collectionspace.services.client.PermissionRoleFactory;
 import org.collectionspace.services.client.RoleClient;
+import org.collectionspace.services.client.RoleFactory;
+
 import org.collectionspace.services.common.document.BadRequestException;
 import org.collectionspace.services.common.document.DocumentFilter;
 import org.collectionspace.services.common.document.DocumentWrapper;
@@ -73,6 +81,22 @@ public class RoleDocumentHandler
         role.setMetadataProtection(null);
         role.setPermsProtection(null);
     }
+    
+    @Override
+    public void completeCreate(DocumentWrapper<Role> wrapDoc) throws Exception {
+    	Role role = wrapDoc.getWrappedObject();
+    	List<PermissionValue> permValueList = role.getPermission();
+    	if (permValueList != null && permValueList.size() > 0) {
+    		// create and persist a permrole instance
+    		// The caller of this method needs to ensure a valid and active EM (EntityManager) instance is in the Service context
+    		RoleValue roleValue = RoleFactory.createRoleValueInstance(role);
+    		PermissionRole permRole = PermissionRoleFactory.createPermissionRoleInstance(SubjectType.PERMISSION, roleValue,
+    				permValueList, true, true);
+            PermissionRoleSubResource subResource =
+                    new PermissionRoleSubResource(PermissionRoleSubResource.ROLE_PERMROLE_SERVICE);
+            String permrolecsid = subResource.createPermissionRole(permRole, SubjectType.PERMISSION);
+    	}
+    }
 
     @Override
     public void handleUpdate(DocumentWrapper<Role> wrapDoc) throws Exception {
diff --git a/services/authorization/jaxb/src/main/resources/roles.xsd b/services/authorization/jaxb/src/main/resources/roles.xsd
index e9d9492ab..ddeffd3d3 100644
--- a/services/authorization/jaxb/src/main/resources/roles.xsd
+++ b/services/authorization/jaxb/src/main/resources/roles.xsd
@@ -13,6 +13,8 @@
 		jaxb:extensionBindingPrefixes="hj orm xjc"
     >
 
+    <xs:include schemaLocation="authorization_common.xsd"/>
+
     <!--
     see http://weblogs.java.net/blog/2006/03/03/why-does-jaxb-put-xmlrootelement-sometimes-not-always
     for more details behind xjc:simple
@@ -109,24 +111,24 @@
                     </xs:appinfo>
                 </xs:annotation>
             </xs:element>
-						<xs:element name="metadataProtection" type="xs:string" minOccurs="0" maxOccurs="1">
-								<xs:annotation>
-										<xs:appinfo>
-												<hj:basic>
-														<orm:column name="metadata_protection"  nullable="true"/>
-												</hj:basic>
-										</xs:appinfo>
-								</xs:annotation>
-						</xs:element>
-						<xs:element name="permsProtection" type="xs:string" minOccurs="0" maxOccurs="1">
-								<xs:annotation>
-										<xs:appinfo>
-												<hj:basic>
-														<orm:column name="perms_protection"  nullable="true"/>
-												</hj:basic>
-										</xs:appinfo>
-								</xs:annotation>
-						</xs:element>
+			<xs:element name="metadataProtection" type="xs:string" minOccurs="0" maxOccurs="1">
+					<xs:annotation>
+							<xs:appinfo>
+									<hj:basic>
+											<orm:column name="metadata_protection"  nullable="true"/>
+									</hj:basic>
+							</xs:appinfo>
+					</xs:annotation>
+			</xs:element>
+			<xs:element name="permsProtection" type="xs:string" minOccurs="0" maxOccurs="1">
+					<xs:annotation>
+							<xs:appinfo>
+									<hj:basic>
+											<orm:column name="perms_protection"  nullable="true"/>
+									</hj:basic>
+							</xs:appinfo>
+					</xs:annotation>
+			</xs:element>
             <xs:element name="createdAt" type="xs:dateTime">
                 <xs:annotation>
                     <xs:appinfo>
@@ -145,6 +147,7 @@
                     </xs:appinfo>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="permission" type="ns:permission_value" minOccurs="1" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="csid" type="xs:string">
             <xs:annotation>
@@ -155,6 +158,7 @@
                 </xs:appinfo>
             </xs:annotation>
         </xs:attribute>
+        
     </xs:complexType>
 </xs:schema>
 
diff --git a/services/client/src/main/java/org/collectionspace/services/client/test/BaseServiceTest.java b/services/client/src/main/java/org/collectionspace/services/client/test/BaseServiceTest.java
index e4b41f4bb..035f164cf 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/test/BaseServiceTest.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/test/BaseServiceTest.java
@@ -290,6 +290,15 @@ public abstract class BaseServiceTest<CLT> {
         testSetup(testExpectedStatusCode, testRequestType);
     }
     
+    /**
+     * Sets up create duplicate request.
+     */
+    protected void setupDuplicate() {
+        testExpectedStatusCode = STATUS_BAD_REQUEST;
+        testRequestType = ServiceRequestType.CREATE;
+        testSetup(testExpectedStatusCode, testRequestType);
+    }    
+    
     /**
      * Initializes setup values for a given test.
      *
diff --git a/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java b/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
index c394a0eee..990c73201 100644
--- a/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
+++ b/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionRoleDocumentHandler.java
@@ -26,19 +26,24 @@ package org.collectionspace.services.authorization.storage;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.NoResultException;
+
 import org.collectionspace.services.authorization.PermissionRole;
 import org.collectionspace.services.authorization.PermissionRoleRel;
 import org.collectionspace.services.authorization.PermissionValue;
 import org.collectionspace.services.authorization.PermissionsRolesList;
 import org.collectionspace.services.authorization.RoleValue;
 import org.collectionspace.services.authorization.SubjectType;
-
+import org.collectionspace.services.authorization.perms.Permission;
 import org.collectionspace.services.common.authorization_mgt.AuthorizationRoleRel;
 import org.collectionspace.services.common.authorization_mgt.PermissionRoleUtil;
 import org.collectionspace.services.common.document.DocumentFilter;
 import org.collectionspace.services.common.document.DocumentWrapper;
 import org.collectionspace.services.common.storage.jpa.JpaDocumentFilter;
 import org.collectionspace.services.common.storage.jpa.JpaDocumentHandler;
+import org.collectionspace.services.common.storage.jpa.JpaStorageUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -79,6 +84,69 @@ public class PermissionRoleDocumentHandler
     @Override
     public void handleCreate(DocumentWrapper<List<PermissionRoleRel>> wrapDoc) throws Exception {
         fillCommonPart(getCommonPart(), wrapDoc);
+        filterOutExisting(wrapDoc);
+    }
+    
+    private boolean permRoleRelExists(EntityManager em, PermissionRoleRel permRoleRel) {
+    	boolean result = false;
+    	
+    	PermissionRoleRel queryResult = null;
+    	try {
+	    	queryResult = (PermissionRoleRel) JpaStorageUtils.getEntityByDualKeys(em, 
+	    			PermissionRoleRel.class.getName(),
+	    			PermissionStorageConstants.PERMREL_ROLE_ID, permRoleRel.getRoleId(), 
+	    			PermissionStorageConstants.PERMREL_PERM_ID, permRoleRel.getPermissionId());
+    	} catch (NoResultException e) {
+    		// Ignore exception.  Just means the permission hasn't been stored/persisted yet.
+    	}
+    	
+    	if (queryResult != null) {
+    		result = true;
+    	}
+    	
+    	return result;
+    }
+    
+    /**
+     * Find the existing (already persisted) 
+     * @param wrapDoc
+     * @throws Exception
+     */
+    private void filterOutExisting(DocumentWrapper<List<PermissionRoleRel>> wrapDoc) throws Exception {
+    	List<PermissionRoleRel> permRoleRelList = wrapDoc.getWrappedObject();
+    	
+        EntityManagerFactory emf = null;
+        EntityManager em = null;
+        try {
+            emf = JpaStorageUtils.getEntityManagerFactory(JpaStorageUtils.CS_PERSISTENCE_UNIT);
+            em = emf.createEntityManager();
+            em.getTransaction().begin();
+            
+            for (PermissionRoleRel permRoleRel : permRoleRelList) {
+            	if (permRoleRelExists(em, permRoleRel) == true) {
+            		//
+            		// Remove the item from the list since it already exists
+            		//
+            		permRoleRelList.remove(permRoleRel);
+            	}
+            }
+            
+            em.getTransaction().commit();
+        	em.close();            
+        } catch (Exception e) {
+            if (em != null && em.getTransaction().isActive()) {
+                em.getTransaction().rollback();
+            }
+            if (logger.isDebugEnabled()) {
+                logger.debug("Caught exception ", e);
+            }
+            throw e;
+        } finally {
+            if (em != null) {
+                JpaStorageUtils.releaseEntityManagerFactory(emf);
+            }
+        }
+
     }
 
     /* (non-Javadoc)
diff --git a/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionStorageConstants.java b/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionStorageConstants.java
index e3fc393f8..0924ff63d 100644
--- a/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionStorageConstants.java
+++ b/services/common/src/main/java/org/collectionspace/services/authorization/storage/PermissionStorageConstants.java
@@ -36,5 +36,7 @@ public class PermissionStorageConstants {
 
     final public static String RESOURCE_NAME = "resourceName";
     final public static String ACTION_GROUP = "actionGroup";
+	public static final String PERMREL_ROLE_ID = "roleId";
+	public static final String PERMREL_PERM_ID = "permissionId";
 
 }
diff --git a/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/PermissionRoleUtil.java b/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/PermissionRoleUtil.java
index 125662130..27c374cdb 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/PermissionRoleUtil.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/authorization_mgt/PermissionRoleUtil.java
@@ -244,6 +244,14 @@ public class PermissionRoleUtil {
     		}
     	}
     	
+    	//
+    	// Since our permissionValue may not have been supplied by the client with an ID, we need
+    	// to add it now.
+    	//
+    	if (permissionValue.getPermissionId() == null || permissionValue.getPermissionId().trim().isEmpty()) {
+    		permissionValue.setPermissionId(permission.getCsid());
+    	}
+    	
     	//
     	// Create the permission-role to persist
     	//
diff --git a/services/common/src/main/java/org/collectionspace/services/common/context/RemoteServiceContextImpl.java b/services/common/src/main/java/org/collectionspace/services/common/context/RemoteServiceContextImpl.java
index 0b1a66a5b..a1c1ebd7c 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/context/RemoteServiceContextImpl.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/context/RemoteServiceContextImpl.java
@@ -32,9 +32,14 @@ import org.collectionspace.services.common.ResourceMap;
 import org.collectionspace.services.common.ServiceMain;
 import org.collectionspace.services.common.config.ConfigUtils;
 import org.collectionspace.services.common.config.TenantBindingConfigReaderImpl;
+import org.collectionspace.services.common.document.TransactionException;
 import org.collectionspace.services.common.security.UnauthorizedException;
+import org.collectionspace.services.common.storage.StorageClient;
+import org.collectionspace.services.common.storage.TransactionContext;
+import org.collectionspace.services.common.storage.jpa.JPATransactionContext;
 import org.collectionspace.services.config.service.ServiceBindingType;
 import org.collectionspace.services.config.tenant.TenantBindingType;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -245,4 +250,71 @@ public class RemoteServiceContextImpl<IT, OT>
 		// TODO Auto-generated method stub
 		throw new RuntimeException("Unimplemented method.");
 	}
+	
+	//
+	// Transaction management methods
+	//
+	
+	private TransactionContext getCurrentTransactionContext() {
+		return (TransactionContext) this.getProperty(StorageClient.SC_TRANSACTION_CONTEXT_KEY);
+	}
+
+	@Override
+	public void releaseConnection() throws TransactionException {
+		if (isTransactionContextShared() == true) {
+			throw new TransactionException("Attempted to release a shared storage connection.  Only the originator can release the connection");
+		}
+		
+		TransactionContext transactionCtx = getCurrentTransactionContext();		
+		if (transactionCtx != null) {
+			transactionCtx.close();
+	        this.setProperty(StorageClient.SC_TRANSACTION_CONTEXT_KEY, null);
+		} else {
+			throw new TransactionException("Attempted to release a non-existent storage connection.  Transaction context missing from service context.");
+		}
+	}
+
+	@Override
+	public TransactionContext openConnection() throws TransactionException {
+		TransactionContext result = getCurrentTransactionContext();
+		if (result != null) {
+			throw new TransactionException("Attempted to open a new connection when a current connection is still part of the current service context.  The current connection must be closed with the releaseConnection() method.");
+		}
+
+		result = new JPATransactionContext(this);
+        this.setProperty(StorageClient.SC_TRANSACTION_CONTEXT_KEY, result);
+
+		return result;
+	}
+
+	@Override
+	public void setTransactionContext(TransactionContext transactionCtx) {
+		// TODO Auto-generated method stub
+		
+	}
+
+	/**
+	 * Returns true if the TransactionContext is shared with another ServiceContext instance
+	 * @throws TransactionException 
+	 */
+	@Override
+	public boolean isTransactionContextShared() throws TransactionException {
+		boolean result = true;
+		
+		TransactionContext transactionCtx = getCurrentTransactionContext();
+		if (transactionCtx != null) {
+			if (transactionCtx.getServiceContext() == this) {  // check to see if the service context used to create the connection is the same as the current service context
+				result = false;
+			}
+		} else {
+			throw new TransactionException("Transaction context missing from service context.");
+		}
+		
+		return result;
+	}
+
+	@Override
+	public boolean hasActiveConnection() {
+		return getCurrentTransactionContext() != null;
+	}
 }
diff --git a/services/common/src/main/java/org/collectionspace/services/common/context/ServiceContext.java b/services/common/src/main/java/org/collectionspace/services/common/context/ServiceContext.java
index 5027ac75e..ccdf5c3b8 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/context/ServiceContext.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/context/ServiceContext.java
@@ -34,8 +34,11 @@ import org.collectionspace.services.client.CollectionSpaceClient;
 import org.collectionspace.services.common.CollectionSpaceResource;
 import org.collectionspace.services.common.ResourceMap;
 import org.collectionspace.services.common.document.DocumentHandler;
+import org.collectionspace.services.common.document.TransactionException;
 import org.collectionspace.services.common.document.ValidatorHandler;
 import org.collectionspace.services.common.security.SecurityContext;
+import org.collectionspace.services.common.storage.TransactionContext;
+import org.collectionspace.services.common.storage.jpa.JPATransactionContext;
 import org.collectionspace.services.config.ClientType;
 import org.collectionspace.services.config.service.ObjectPartType;
 import org.collectionspace.services.config.service.ServiceBindingType;
@@ -406,6 +409,31 @@ public interface ServiceContext<IT, OT> {
 	 * @return The JAX-RS request information
 	 */
 	Request getRequestInfo();
+	
+	/**
+	 * 
+	 */
+	public TransactionContext openConnection() throws TransactionException; // Only 1 active connection at a time
+	
+	/**
+	 * 
+	 */
+	public boolean hasActiveConnection();
+	
+	/**
+	 * 
+	 */
+	public void releaseConnection() throws TransactionException; // Assumes there's been a call to getConnection.
+	
+	/**
+	 * 
+	 */
+	public void setTransactionContext(TransactionContext transactionCtx); // For sharing a transaction context with another service context.
+	
+	/**
+	 * 
+	 */
+	public boolean isTransactionContextShared() throws TransactionException;
 }
 
 
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/StorageClient.java b/services/common/src/main/java/org/collectionspace/services/common/storage/StorageClient.java
index 6b9e51aaf..d39fbb970 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/storage/StorageClient.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/StorageClient.java
@@ -35,6 +35,8 @@ import org.collectionspace.services.lifecycle.TransitionDef;
  */
 public interface StorageClient {
 
+	public static final String SC_TRANSACTION_CONTEXT_KEY = "SC_ACTIVE_TRANSACTION_KEY";
+	
     /**
      * create entity in the persistence store
      * @param ctx service context under which this method is invoked
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/TransactionContext.java b/services/common/src/main/java/org/collectionspace/services/common/storage/TransactionContext.java
new file mode 100644
index 000000000..41bf9a3a2
--- /dev/null
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/TransactionContext.java
@@ -0,0 +1,25 @@
+package org.collectionspace.services.common.storage;
+
+import org.collectionspace.services.common.context.ServiceContext;
+import org.collectionspace.services.common.document.TransactionException;
+
+@SuppressWarnings("rawtypes")
+public abstract class TransactionContext {
+
+	protected ServiceContext ctx;
+	
+	public ServiceContext getServiceContext() {
+		// TODO Auto-generated method stub
+		return ctx;
+	}
+
+	abstract public void markForRollback();
+
+	abstract public void close() throws TransactionException;
+	
+	abstract public void beginTransaction() throws TransactionException;
+	
+	abstract public void commitTransaction() throws TransactionException;
+
+	abstract public boolean isTransactionActive() throws TransactionException;
+}
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionContext.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionContext.java
new file mode 100644
index 000000000..6e747f319
--- /dev/null
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionContext.java
@@ -0,0 +1,70 @@
+package org.collectionspace.services.common.storage.jpa;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+
+import org.collectionspace.services.common.context.ServiceContext;
+import org.collectionspace.services.common.document.TransactionException;
+import org.collectionspace.services.common.storage.TransactionContext;
+
+@SuppressWarnings("rawtypes")
+public class JPATransactionContext extends TransactionContext {
+	EntityManagerFactory emf;
+	EntityManager em;
+	
+	@SuppressWarnings("unused")
+	private JPATransactionContext() {
+		// Don't allow anyone to create an empty instance
+	}
+	
+	public JPATransactionContext(ServiceContext ctx) {
+        emf = JpaStorageUtils.getEntityManagerFactory();            
+        em = emf.createEntityManager();
+        this.ctx = ctx;
+	}
+
+	protected EntityManagerFactory getEntityManagerFactory() {
+		return emf;
+	}
+	
+	protected EntityManager getEntityManager() {
+		return em;
+	}
+	
+	@Override
+	public ServiceContext getServiceContext() {
+		return ctx;
+	}
+	
+	@Override
+	public void markForRollback() {
+		em.getTransaction().setRollbackOnly();
+	}
+	
+	@Override
+	public void close() throws TransactionException  {
+		if (em.getTransaction().isActive() == true && em.getTransaction().getRollbackOnly() == true) {
+			em.getTransaction().rollback();
+    	} else if (em.getTransaction().isActive() == true) {
+    		throw new JPATransactionException("There is an active transaction.  You must commit the active transaction prior to calling this close method.");
+    	}
+    	
+		em.close();
+        JpaStorageUtils.releaseEntityManagerFactory(emf);
+	}
+
+	@Override
+	public void beginTransaction() {
+        em.getTransaction().begin();    
+	}
+
+	@Override
+	public void commitTransaction() {
+        em.getTransaction().commit();
+	}
+
+	@Override
+	public boolean isTransactionActive() {
+		return em.getTransaction().isActive();
+	}
+}
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionException.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionException.java
new file mode 100644
index 000000000..2b8e89d63
--- /dev/null
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JPATransactionException.java
@@ -0,0 +1,15 @@
+package org.collectionspace.services.common.storage.jpa;
+
+import org.collectionspace.services.common.document.TransactionException;
+
+public class JPATransactionException extends TransactionException {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 2018758347488796620L;
+
+    public JPATransactionException(String msg) {
+    	super(msg);
+    }
+}
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java
index 334ce0650..2e25788be 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java
@@ -135,6 +135,7 @@ public class JpaStorageClientImpl implements StorageClient {
 	            } catch (EntityExistsException ee) {
 	            	//
 	            	// We found an existing matching entity in the store, so we don't need to create one.  Just update the transient 'entity' instance with the existing persisted entity we found.
+	            	// An entity's document handler class will throw this exception only if attempting to create (but not actually creating) duplicate is ok -e.g., Permission records.
 	            	//
 	            	entity = wrapDoc.getWrappedObject(); // the handler should have reset the wrapped transient object with the existing persisted entity we just found.
 	            }
diff --git a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java
index f05b7d830..dab407726 100644
--- a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java
+++ b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java
@@ -690,7 +690,7 @@ public class AuthorizationServiceTest extends BaseServiceTest<AbstractCommonList
 		Role role = RoleFactory.createRoleInstance(roleName, roleName, // the
 																		// display
 																		// name
-				"role for " + roleName, true);
+				"role for " + roleName, true, RoleFactory.EMPTY_PERMVALUE_LIST);
 		Response res = roleClient.create(role);
 		try {
 			assertStatusCode(res, "CreateRole");
diff --git a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/MultiTenancyTest.java b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/MultiTenancyTest.java
index e9b4efc2c..017b7a832 100644
--- a/services/security/client/src/test/java/org/collectionspace/services/security/client/test/MultiTenancyTest.java
+++ b/services/security/client/src/test/java/org/collectionspace/services/security/client/test/MultiTenancyTest.java
@@ -611,7 +611,7 @@ public class MultiTenancyTest extends BaseServiceTest<AbstractCommonList> {
         roleClient.setAuth(true, ui.userName, true, ui.password, true);
         Role role = RoleFactory.createRoleInstance(roleName,
         		roleName, //the display name
-                "role for " + roleName, true);
+                "role for " + roleName, true, RoleFactory.EMPTY_PERMVALUE_LIST);
         role.setTenantId(tenantId);
         Response res = roleClient.create(role);
         try {