slapos_erp5:

* slapos member user are not allowed anymore to create compute node * no need to create a dedicated local_roles from compute node source_administration Only slapos manager will handle compute nodes * duplicate test_default_scenario to happily break it * drop friend/personal in new scenario test * all members can allocation on all compute nodes * give user security group based on function (to access some module) and project/function (to access documents) * only a project computer manager can create compute nodes * only project computer manager is assignor on compute node * need a project assignment to create a compute node * drop group security on Instance Tree * drop group security from Software Instance * project member only need Auditor role on it * add customer project assignment * remove source_administration interaction workflow on Compute Node and add follow_up instead * Software Installation: move interaction workflow from destination_section to follow_up * give role on Software Installation to Project Compute Node Manager * shadow user do not need access to Compute Node anymore * only project comp manager can create SOftware Installation * project customer can create software instance * project customer can create instance tree * project people can only view the project module * also check PAS plugins which are not supposed to be activated * drop PAS shadow user plugins * drop shadow access from compute node module * drop shadow from compute node module * drop shadow role from computer module * drop shadow role from person* portal types * drop shadow role on project module * Revert "slapos_erp5: drop PAS shadow user plugins" Needed for accounting * Revert "slapos_erp5: drop shadow role from person* portal types"

slapos_erp5:
* slapos member user are not allowed anymore to create compute node * no need to create a dedicated local_roles from compute node source_administration Only slapos manager will handle compute nodes * duplicate test_default_scenario to happily break it * drop friend/personal in new scenario test * all members can allocation on all compute nodes * give user security group based on function (to access some module) and project/function (to access documents) * only a project computer manager can create compute nodes * only project computer manager is assignor on compute node * need a project assignment to create a compute node * drop group security on Instance Tree * drop group security from Software Instance * project member only need Auditor role on it * add customer project assignment * remove source_administration interaction workflow on Compute Node and add follow_up instead * Software Installation: move interaction workflow from destination_section to follow_up * give role on Software Installation to Project Compute Node Manager * shadow user do not need access to Compute Node anymore * only project comp manager can create SOftware Installation * project customer can create software instance * project customer can create instance tree * project people can only view the project module * also check PAS plugins which are not supposed to be activated * drop PAS shadow user plugins * drop shadow access from compute node module * drop shadow from compute node module * drop shadow role from computer module * drop shadow role from person* portal types * drop shadow role on project module * Revert "slapos_erp5: drop PAS shadow user plugins" Needed for accounting * Revert "slapos_erp5: drop shadow role from person* portal types"
73aff586 · Romain Courteaud · 4fdb95a2 · 73aff586 · 73aff586 · 73aff586
Commit 73aff586 authored May 23, 2022 by Romain Courteaud 🐙
24 changed files
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-COMPUMAN'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
+  <role id='G-COMPANY'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-SHADOW-PERSON'>
+  <role id='R-MEMBER'>
   <item>Auditor</item>
  </role>
 </local_roles>
@@ -21,14 +20,9 @@
  </local_role_group_id>
  <local_role_group_id id='group'>
    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='shadow'>
-    <principal id='R-SHADOW-PERSON'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='user'>
    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_module.xml
 <local_roles_item>
 <local_roles>
+  <role id='G-COMPANY'>
+   <item>Auditor</item>
+  </role>
+  <role id='R-COMPUTER'>
+   <item>Auditor</item>
+  </role>
+  <role id='R-MEMBER'>
+   <item>Auditor</item>
+  </role>
 </local_roles>
+ <local_role_group_ids>
+  <local_role_group_id id='computer'>
+    <principal id='R-COMPUTER'>Auditor</principal>
+  </local_role_group_id>
+  <local_role_group_id id='group'>
+    <principal id='G-COMPANY'>Auditor</principal>
+  </local_role_group_id>
+  <local_role_group_id id='user'>
+    <principal id='R-MEMBER'>Auditor</principal>
+  </local_role_group_id>
+ </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
+  <role id='G-COMPANY'>
   <item>Auditor</item>
  </role>
-  <role id='R-INSTANCE'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='R-INSTANCE'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
  <local_role_group_id id='group'>
    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-COMPUMAN'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
-   <item>Auditor</item>
-  </role>
-  <role id='R-MEMBER'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-SHADOW-PERSON'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='shadow'>
-    <principal id='R-SHADOW-PERSON'>Auditor</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-COMPUMAN'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
+  <role id='G-COMPANY'>
   <item>Auditor</item>
+   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
@@ -20,9 +20,5 @@
    <principal id='G-COMPANY'>Auditor</principal>
    <principal id='G-COMPANY'>Author</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
 <local_roles_item>
 <local_roles>
+  <role id='F-CUSTOMER'>
+   <item>Auditor</item>
+   <item>Author</item>
+  </role>
  <role id='G-COMPANY'>
   <item>Auditor</item>
   <item>Author</item>
@@ -11,19 +15,11 @@
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
 </local_roles>
 <local_role_group_ids>
  <local_role_group_id id='group'>
    <principal id='G-COMPANY'>Auditor</principal>
    <principal id='G-COMPANY'>Author</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
@@ -5,22 +5,23 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
+  <role id='Auditor; Author'>
+   <property id='title'>Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
+  <role id='Auditor'>
   <property id='title'>Group company</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
   <multi_property id='category'>group/company</multi_property>
   <multi_property id='base_category'>group</multi_property>
  </role>
-  <role id='Auditor; Author'>
+  <role id='Auditor'>
   <property id='title'>Member</property>
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
 <type_roles>
-  <role id='Auditor'>
-   <property id='title'>Allocation scope</property>
-   <property id='condition'>python: here.getAllocationScope('').startswith('open')</property>
-   <property id='base_category_script'>ComputeNode_getSecurityCategoryFromAllocationScope</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='base_category'>aggregate</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Compute Node Agent</property>
-   <property id='description'>Monovalued role</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>source_administration</multi_property>
-  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Organisation Member</property>
   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationSection</property>
   <multi_property id='categories'>local_role_group/organisation</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Compute Node Manager</property>
+   <property id='description'>XXX project local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
  <role id='Assignee'>
   <property id='title'>Project Member</property>
   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Module.xml
@@ -17,10 +17,4 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
@@ -4,8 +4,9 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
+  <role id='Auditor'>
   <property id='title'>Group Company</property>
+   <property id='description'>Author</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
   <multi_property id='category'>group/company</multi_property>
   <multi_property id='base_category'>group</multi_property>
@@ -16,9 +17,8 @@
   <multi_property id='base_category'>role</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
@@ -5,12 +5,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group Company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Organisation Member</property>
   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestination</property>
@@ -23,6 +17,13 @@
   <multi_property id='categories'>local_role_group/project</multi_property>
   <multi_property id='base_category'>destination_project</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
  <role id='Assignee'>
   <property id='title'>Related Software Instance Group</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromSelf</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
@@ -4,22 +4,16 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor; Author'>
-   <property id='title'>Customer</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor'>
+   <property id='title'>Project Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Person Owner</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_decision</multi_property>
-  </role>
  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
-  <role id='Assignee'>
   <property id='title'>Project Member</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromSelf</property>
   <multi_property id='categories'>local_role_group/project</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
@@ -5,16 +5,17 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor; Author'>
+   <property id='title'>Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Author; Auditor'>
   <property id='title'>Group company</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
   <multi_property id='category'>group/company</multi_property>
   <multi_property id='base_category'>group</multi_property>
  </role>
-  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
@@ -18,15 +18,11 @@
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Provider of the Installation</property>
+   <property id='title'>Project Compute Node Manager</property>
+   <property id='description'>XXX project local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
@@ -16,9 +16,8 @@
   <multi_property id='base_category'>role</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
@@ -11,12 +11,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Instance related by Instance Tree</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
@@ -35,4 +29,11 @@
   <multi_property id='categories'>local_role_group/project</multi_property>
   <multi_property id='base_category'>destination_project</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromValidationState.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromValidationState.py
+# XXX For now, this script requires proxy manager
+
+# base_category_list : list of category values we need to retrieve
+# user_name : string obtained from getSecurityManager().getUser().getUserName() [NuxUserGroup]
+#             or from getSecurityManager().getUser().getId() [PluggableAuthService with ERP5GroupManager]
+# object : object which we want to assign roles to.
+# portal_type : portal type of object
+
+# must always return a list of dicts
+
+if obj is None:
+  return []
+
+compute_node = obj
+
+if compute_node.getValidationState() == 'validated':
+  return {"Auditor": ["R-SHADOW-PERSON"]}
+
+return []
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromValidationState.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromValidationState.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ComputeNode_getSecurityCategoryFromValidationState</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
@@ -8,9 +8,12 @@ deprecated ERP5Type_asSecurityGroupIdList

 return (
  # Person security
+  ('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
  ('ERP5Type_getSecurityCategoryFromAssignment', ['group']),
  ('ERP5Type_getSecurityCategoryFromAssignment', ['role']),
+  # XXX TODO check that only validated project are used
  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
+  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
  ('ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation', ['destination']),
  
  # Compute Node security

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_erp5/CertificateAuthorityTool_checkSlapOSPASConsistency.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_erp5/CertificateAuthorityTool_checkSlapOSPASConsistency.py
@@ -9,9 +9,12 @@ slapos_plugin_dict = {
    'ERP5 Facebook Extraction Plugin'
  ],
  'IGroupsPlugin': [
+    'ZODB Group Manager',
    'SlapOS Shadow Authentication Plugin',
+    'ERP5 Group Manager'
  ],
  'IUserEnumerationPlugin': [
+    'ZODB User Manager',
    'SlapOS Shadow Authentication Plugin',
    'ERP5 Login User Manager'
  ]
@@ -37,6 +40,18 @@ def mergePASDictDifference(portal, d, fixit):
            error += ' Fixed.'
        error_list.append(error)

+    for activated_plugin in meta_type_list:
+      if activated_plugin not in active_list:
+        error = 'Plugin %s must not be activated %s.' % (plugin, activated_plugin)
+        if fixit:
+          existing = [q for q in portal.acl_users.objectValues() if q.meta_type == activated_plugin]
+          if len(existing) == 0:
+            error_list.append('%s not found' % activated_plugin)
+          else:
+            plugins.deactivatePlugin(plugin_info['interface'], existing[0].getId())
+            error += ' Fixed.'
+        error_list.append(error)
+
  return error_list

 pas_difference = mergePASDictDifference(portal, slapos_plugin_dict, fixit)

--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
@@ -25,6 +25,227 @@ import re

 class TestSlapOSDefaultScenario(DefaultScenarioMixin):

+  """
+  def addSlapOSAdministratorAssignment(self, person):
+    person.newContent(
+      portal_type='Assignment',
+      # XXX should be project/function instead
+      group='company'
+    ).open()
+"""
+  def addProjectComputeNodeManagerAssignment(self, person, project):
+    person.newContent(
+      portal_type='Assignment',
+      destination_project_value=project,
+      function='computer/manager'
+    ).open()
+
+  def addProjectCustomerAssignment(self, person, project):
+    person.newContent(
+      portal_type='Assignment',
+      destination_project_value=project,
+      function='customer'
+    ).open()
+
+  def addProject(self):
+    project = self.portal.project_module.newContent(
+      portal_type='Project',
+      title='project-%s' % self.generateNewId()
+    )
+    project.validate()
+    return project
+
+  def test_new_default_scenario(self):
+    # create a default project
+    project = self.addProject()
+
+    # some preparation
+    self.logout()
+    self.web_site = self.portal.web_site_module.hostingjs
+
+    # lets join as slapos administrator, which will own few compute_nodes
+    owner_reference = 'owner-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, owner_reference)
+
+    self.login()
+    owner_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=owner_reference).getParentValue()
+
+    # first slapos administrator assignment can only be created by
+    # the erp5 manager
+    self.addProjectComputeNodeManagerAssignment(owner_person, project)
+    self.tic()
+
+    # hooray, now it is time to create compute_nodes
+    self.login(owner_person.getUserId())
+
+    public_server_title = 'Public Server for %s' % owner_reference
+    public_server_id = self.requestComputeNode(public_server_title, project.getReference())
+    public_server = self.portal.portal_catalog.getResultValue(
+        portal_type='Compute Node', reference=public_server_id)
+    self.setAccessToMemcached(public_server)
+    self.assertNotEqual(None, public_server)
+
+    # and install some software on them
+    public_server_software = self.generateNewSoftwareReleaseUrl()
+    self.supplySoftware(public_server, public_server_software)
+
+    # format the compute_nodes
+    self.formatComputeNode(public_server)
+
+    # join as the another visitor and request software instance on public
+    # compute_node
+    self.logout()
+    public_reference = 'public-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, public_reference)
+
+    self.login()
+    public_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=public_reference).getParentValue()
+    self.addProjectCustomerAssignment(public_person, project)
+
+    public_instance_title = 'Public title %s' % self.generateNewId()
+    public_instance_type = 'public type'
+    self.checkInstanceAllocation(public_person.getUserId(),
+        public_reference, public_instance_title,
+        public_server_software, public_instance_type,
+        public_server, project.getReference())
+
+
+    # turn public guy to a friend and check that he can allocate slave
+    # instance on instance provided by friend
+
+    self.login()
+    public_person = self.portal.portal_catalog.getResultValue(
+      portal_type='ERP5 Login', reference=public_reference).getParentValue()
+    self.login(owner_person.getUserId())
+
+    # and the instances
+    self.checkInstanceUnallocation(public_person.getUserId(),
+        public_reference, public_instance_title,
+        public_server_software, public_instance_type, public_server,
+        project.getReference())
+
+    # and uninstall some software on them
+    self.logout()
+    self.login(owner_person.getUserId())
+    self.supplySoftware(public_server, public_server_software,
+                        state='destroyed')
+
+    self.logout()
+    # Uninstall from compute_node
+    self.login()
+    self.simulateSlapgridSR(public_server)
+
+    # check the Open Sale Order coverage
+    self.stepCallSlaposRequestUpdateInstanceTreeOpenSaleOrderAlarm()
+    self.tic()
+
+    self.logout()
+    self.login()
+
+    self.assertOpenSaleOrderCoverage(public_reference)
+
+    # generate simulation for open order
+    self.stepCallUpdateOpenOrderSimulationAlarm()
+    self.tic()
+
+    # build subscription packing list
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+
+    # stabilise build deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # build aggregated packing list
+    self.stepCallSlaposTriggerAggregatedDeliveryOrderBuilderAlarm()
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # start aggregated deliveries
+    self.stepCallSlaposStartConfirmedAggregatedSalePackingListAlarm(
+        accounting_date=DateTime('2222/01/01'))
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # deliver aggregated deliveries
+    self.stepCallSlaposDeliverStartedAggregatedSalePackingListAlarm()
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # build aggregated invoices
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+
+    # stabilise aggregated invoices and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # update invoices with their tax & discount
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # update invoices with their tax & discount transaction lines
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # stop the invoices and solve them again
+    self.stepCallSlaposStopConfirmedAggregatedSaleInvoiceTransactionAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    builder = self.portal.portal_orders.slapos_payment_transaction_builder
+    for _ in range(500):
+      # build the aggregated payment
+      self.stepCallSlaposTriggerPaymentTransactionOrderBuilderAlarm()
+      self.tic()
+      # If there is something unbuild recall alarm.
+      if len(builder.OrderBuilder_generateUnrelatedInvoiceList()):
+        break
+
+    # start the payzen payment
+    self.stepCallSlaposPayzenUpdateConfirmedPaymentAlarm()
+    self.tic()
+
+    # stabilise the payment deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    """
+    self.logout()
+    self.login('ERP5TypeTestCase')
+
+    # trigger the CRM interaction
+    self.stepCallSlaposCrmCreateRegularisationRequestAlarm()
+    self.tic()
+
+    self.logout()
+    self.login()
+
+    # check final document state
+    for person_reference in (owner_reference, ):
+      person = self.portal.portal_catalog.getResultValue(
+        portal_type='ERP5 Login', reference=person_reference).getParentValue()
+      self.assertPersonDocumentCoverage(person)
+"""
+
  def test_default_scenario(self):
    # some preparation
    self.logout()
@@ -43,7 +264,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    self.login(owner_person.getUserId())

    public_server_title = 'Public Server for %s' % owner_reference
-    public_server_id = self.requestComputeNode(public_server_title)
+    public_server_id = self.requestComputeNode(public_server_title, 'XXX')
    public_server = self.portal.portal_catalog.getResultValue(
        portal_type='Compute Node', reference=public_server_id)
    self.setAccessToMemcached(public_server)
@@ -52,7 +273,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    public_server.generateCertificate()

    personal_server_title = 'Personal Server for %s' % owner_reference
-    personal_server_id = self.requestComputeNode(personal_server_title)
+    personal_server_id = self.requestComputeNode(personal_server_title, 'XXX')
    personal_server = self.portal.portal_catalog.getResultValue(
        portal_type='Compute Node', reference=personal_server_id)
    self.setAccessToMemcached(personal_server)
@@ -87,7 +308,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    self.checkInstanceAllocation(public_person.getUserId(),
        public_reference, public_instance_title,
        public_server_software, public_instance_type,
-        public_server)
+        public_server, 'XXX')

    # join as other person and request a software instance on compute_node
    # configured by owner
@@ -132,7 +353,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    # and the instances
    self.checkInstanceUnallocation(public_person.getUserId(),
        public_reference, public_instance_title,
-        public_server_software, public_instance_type, public_server)
+        public_server_software, public_instance_type, public_server, 'XXX')

    self.checkInstanceUnallocation(other_person.getUserId(),
       other_reference, other_instance_title,
@@ -363,7 +584,7 @@ class TestSlapOSDefaultCRMEscalation(DefaultScenarioMixin):
    public_instance_type = 'public type'
    public_server_software = self.generateNewSoftwareReleaseUrl()
    self.requestInstance(person.getUserId(), public_instance_title,
-        public_server_software, public_instance_type)
+        public_server_software, public_instance_type, 'XXX')

    # check the Open Sale Order coverage
    self.stepCallSlaposRequestUpdateInstanceTreeOpenSaleOrderAlarm()
@@ -551,4 +772,4 @@ class TestSlapOSDefaultCRMEscalation(DefaultScenarioMixin):
    self.tic()

    # check final document state
-    self.assertPersonDocumentCoverage(person)
\ No newline at end of file
+    self.assertPersonDocumentCoverage(person)
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_edit.xml
@@ -51,9 +51,11 @@
            <value>
              <tuple>
                <string>_setUserId.*</string>
-                <string>_setSourceAdministration.*</string>
+                <string>_setFollowUp.*</string>
                <string>_setAllocationScope.*</string>
                <string>_setDestinationSection.*</string>
+                <string>validate</string>
+                <string>invalidate</string>
              </tuple>
            </value>
        </item>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstallation_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstallation_edit.xml
@@ -51,7 +51,7 @@
            <value>
              <tuple>
                <string>_setAggregate.*</string>
-                <string>_setDestinationSection.*</string>
+                <string>_setFollowUp.*</string>
              </tuple>
            </value>
        </item>