Broadleaf Microservices

Release Notes for 1.7.0-GA

Change in Default client names for Service to Service communication

Previously, Broadleaf used shared service client credentials. For instance, if a service needed to make a Catalog API call, it used the catalog service client. Every service shared this catalog service client, which was confusing and allowed services more permissions than they required.

In response to this, we have moved to service-owned clients by default. The old shared client approach can still be used, but it will be more difficult to maintain in the future: it requires overriding the service client name manually, and custom permissions will be difficult to keep up with.

As a result, we recommend all clients use the new approach described below and create new service clients.

Affected Broadleaf services:

  1. Cart Operation Service. New default client name cartopsclient - By default, interacts with:

    • Campaign Service

    • Catalog Service

    • Cart Service

    • Inventory Service

    • Offer Service

    • Pricing Service

    • Shipping Service

    • Payment Transaction Service

  2. Order Operation Service. New default client name orderopsclient - By default, interacts with:

    • Order Service

    • Cart Service

    • Campaign Service

    • Payment Transaction Service

  3. Catalog Browse. New default client name catalogbrowseclient - By default, interacts with:

    • Offer Service

    • Search Service

    • Pricing Service

  4. Inventory Service. New default client name inventoryclient - By default, interacts with:

    • Cart Service

  5. Indexer Service. New default client name indexerclient - By default, interacts with:

    • Inventory Service

    • Catalog Service

    • Search Service

    • Tenant Service

    • Customer Service

    • Order Service

Excluding new service clients for this release, this cuts the number of service clients down from 10 to 5, which should ease management and allow more granular access control. In addition, adding new permissions to service clients should be much easier.

A complete local configuration of these new clients (other environments must be updated separately) looks like the following:

Example Yaml
spring:
  security:
    oauth2:
      client:
        provider:
          adminuserclient:
            token-uri: 'https://localhost:8443/oauth/token'
          indexerclient:
            token-uri: 'https://localhost:8443/oauth/token'
          catalogbrowseclient:
            token-uri: 'https://localhost:8443/oauth/token'
          orderopsclient:
            token-uri: 'https://localhost:8443/oauth/token'
          cartopsclient:
            token-uri: 'https://localhost:8443/oauth/token'
          inventoryclient:
            token-uri: 'https://localhost:8443/oauth/token'
        registration:
          adminuserclient:
            authorization-grant-type: client_credentials
            client-id: adminuserclient
            client-secret: admin_user_secret
          indexerclient:
            authorization-grant-type: client_credentials
            client-id: indexerclient
            client-secret: indexer_secret
          catalogbrowseclient:
            authorization-grant-type: client_credentials
            client-id: catalogbrowseclient
            client-secret: catalog_browse_secret
          orderopsclient:
            authorization-grant-type: client_credentials
            client-id: orderopsclient
            client-secret: order_ops_secret
          cartopsclient:
            authorization-grant-type: client_credentials
            client-id: cartopsclient
            client-secret: cart_ops_secret
          inventoryclient:
            authorization-grant-type: client_credentials
            client-id: inventoryclient
            client-secret: inventory_secret

Generating new client credentials

Service clients must be inserted into the database manually. We recommend removing the old service clients as step one.

Note: Before executing the below SQL, make note of any customizations you’ve added to your code base around service to service communication! It is up to the user performing the upgrade to determine what these customizations are.

The following SQL will remove the old service clients. Take care not to remove the anonymous, openapi, or other application specific service clients. The following assumes this is executed in the auth database context:

Remove Service Client SQL
delete from blc_client_grant_types
where id in
('catalog', 'customer', 'search', 'pricing', 'offer', 'campaign', 'cart', 'order', 'inventory', 'tenant');

delete from blc_client_permissions
where id in
('catalog', 'customer', 'search', 'pricing', 'offer', 'campaign', 'cart', 'order', 'inventory', 'tenant');

delete from blc_client
where id in
('catalog', 'customer', 'search', 'pricing', 'offer', 'campaign', 'cart', 'order', 'inventory', 'tenant');

Then, adding the new clients into the auth database:

New Service Client SQL
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('cartopsclient', '{}', 'cartopsclient', 'Cart Ops Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('orderopsclient', '{}', 'orderopsclient', 'Order Ops Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('catalogbrowseclient', '{}', 'catalogbrowseclient', 'Catalog Browse Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('inventoryclient', '{}', 'inventoryclient', 'Inventory Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('indexerclient', '{}', 'indexerclient', 'Indexer Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);

INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('cartopsclient', 'client_credentials');
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('orderopsclient', 'client_credentials');
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('catalogbrowseclient', 'client_credentials');
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('inventoryclient', 'client_credentials');
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('indexerclient', 'client_credentials');

INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'PRODUCT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'CATEGORY');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'DATA_DRIVEN_ENUM');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'CAMPAIGN');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'CAMPAIGN_CODE_AUDIT_DETAIL');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'CART');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'INVENTORY_SUMMARY');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'PRICE_LIST');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'OFFER');

INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'ORDER');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'ORDER_FULFILLMENT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'CART');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'RETURN_AUTHORIZATION');

INSERT INTO blc_client_scopes (id, "scope") VALUES('catalogbrowseclient', 'OFFER');
INSERT INTO blc_client_scopes (id, "scope") VALUES('catalogbrowseclient', 'PRODUCT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('catalogbrowseclient', 'CATALOG');
INSERT INTO blc_client_scopes (id, "scope") VALUES('catalogbrowseclient', 'PRICE_LIST');

INSERT INTO blc_client_scopes (id, "scope") VALUES('inventoryclient', 'CART');

INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'CONSOLIDATED_INVENTORY_AVAILABILITY');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'PRODUCT_IGNORE_NARROWING');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'FIELD');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'CUSTOMER_IGNORE_NARROWING');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'TENANT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'ORDER_IGNORE_NARROWING');
INSERT INTO blc_client_scopes (id, "scope") VALUES('indexerclient', 'ORDER_FULFILLMENT_IGNORE_NARROWING');

INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_PRODUCT');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_INVENTORY_SUMMARY');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_OFFER');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_CAMPAIGN_CODE_AUDIT_DETAIL');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_PRICE_LIST');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_TENANT_CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_DATA_DRIVEN_ENUM');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_CAMPAIGN');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_INVENTORY_RESERVATION');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'READ_CATEGORY');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('orderopsclient', 'ALL_ORDER_FULFILLMENT');
INSERT INTO blc_client_permissions (id, permission) VALUES ('orderopsclient', 'ALL_CAMPAIGN_CODE');
INSERT INTO blc_client_permissions (id, permission) VALUES ('orderopsclient', 'READ_CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('orderopsclient', 'ALL_RETURN_AUTHORIZATION');
INSERT INTO blc_client_permissions (id, permission) VALUES ('orderopsclient', 'ALL_ORDER');
INSERT INTO blc_client_permissions (id, permission) VALUES ('catalogbrowseclient', 'READ_PRODUCT');
INSERT INTO blc_client_permissions (id, permission) VALUES ('catalogbrowseclient', 'ALL_PRICE_LIST');
INSERT INTO blc_client_permissions (id, permission) VALUES ('catalogbrowseclient', 'ALL_OFFER');
INSERT INTO blc_client_permissions (id, permission) VALUES ('catalogbrowseclient', 'READ_CATALOG');
INSERT INTO blc_client_permissions (id, permission) VALUES ('inventoryclient', 'READ_CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_ORDER_IGNORE_NARROWING');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_PRODUCT_IGNORE_NARROWING');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_FIELD');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_TENANT');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_CONSOLIDATED_INVENTORY_AVAILABILITY');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'READ_ORDER_FULFILLMENT_IGNORE_NARROWING');
INSERT INTO blc_client_permissions (id, permission) VALUES ('indexerclient', 'ALL_CUSTOMER_IGNORE_NARROWING');

The pattern used by default for local development is "{service_name}_secret". For instance, indexer_secret or catalog_browse_secret, though you are free to name these however you’d like. See the example YAML file previously mentioned for how to define service client secrets.

To generate secrets for local development to fill in the TODOs above, use the following code:

Create Secret using password encoder
// Hash the plaintext secret with BCrypt. The hash replaces 'TODO MY SECRET' in the
// blc_client.client_secret column; the plaintext stays in the service's
// spring.security.oauth2.client.registration.*.client-secret property.
String secret = new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder().encode("inventory_secret");

To update client credentials in non-local environments, a utility class called CredentialsGeneratorUtil will be provided. It will automatically generate the SQL necessary to insert these credentials as well as the necessary environment variables.
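Before running the client SQL above in any environment, the following pre-flight lint (an added Python example, not part of the release or of CredentialsGeneratorUtil) parses the blc_client, blc_client_grant_types, blc_client_scopes and blc_client_permissions INSERT statements and flags clients whose client_secret is still the TODO placeholder or is not a BCrypt hash, whose is_admin is not 'N' as every client above has, whose grant types are not exactly client_credentials, that lack scopes or permissions, or that reference one of the removed shared client ids. The SQL it runs over is a constructed sample in the shape of the statements above, and the BCrypt-looking value in it is a dummy, not a real hash.

```python
import re

# Shared client ids that the "Remove Service Client SQL" deletes; a new
# statement still referencing one of them is a migration mistake.
OLD_SHARED_CLIENTS = {"catalog", "customer", "search", "pricing", "offer",
                      "campaign", "cart", "order", "inventory", "tenant"}
SECRET_PLACEHOLDER = "TODO MY SECRET"
# Shape of a BCryptPasswordEncoder result: $2a$/$2b$/$2y$, a two-digit cost,
# then 53 characters of salt and hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+(?P<table>\w+)\s*\((?P<cols>[^)]*)\)\s*"
    r"VALUES\s*\((?P<vals>.*?)\)\s*;", re.IGNORECASE | re.DOTALL)
# One SQL literal: a single-quoted string ('' escapes a quote) or a bare number.
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'|(-?\d+)")


def parse_inserts(sql):
    """Yield (table, {column: value}) for every single-row INSERT in the script."""
    for stmt in INSERT_RE.finditer(sql):
        cols = [c.strip().strip('"').lower() for c in stmt.group("cols").split(",")]
        vals = [lit.group(1).replace("''", "'") if lit.group(1) is not None
                else lit.group(2) for lit in LITERAL_RE.finditer(stmt.group("vals"))]
        if len(cols) != len(vals):
            raise ValueError("column/value count mismatch: " + stmt.group(0)[:60])
        yield stmt.group("table").lower(), dict(zip(cols, vals))


def lint_service_clients(sql):
    """Return {client id: [findings]}; an empty list means the client passed."""
    clients, grants, scopes, perms, stray = {}, {}, {}, {}, set()
    for table, row in parse_inserts(sql):
        cid = row.get("id")
        if cid in OLD_SHARED_CLIENTS:
            stray.add(cid)
        if table == "blc_client":
            clients[cid] = row
        elif table == "blc_client_grant_types":
            grants.setdefault(cid, set()).add(row["grant_type"])
        elif table == "blc_client_scopes":
            scopes.setdefault(cid, set()).add(row["scope"])
        elif table == "blc_client_permissions":
            perms.setdefault(cid, set()).add(row["permission"])

    findings = {}
    for cid, row in clients.items():
        problems = []
        secret = row.get("client_secret", "")
        if secret == SECRET_PLACEHOLDER:
            problems.append("client_secret still holds the TODO placeholder")
        elif not BCRYPT_RE.match(secret):
            problems.append("client_secret is not a BCrypt hash (stored in plaintext?)")
        if row.get("is_admin") != "N":
            problems.append("service client has is_admin set")
        if grants.get(cid) != {"client_credentials"}:
            problems.append("grant types %s != ['client_credentials']"
                            % sorted(grants.get(cid, ())))
        if not scopes.get(cid):
            problems.append("no scopes granted")
        if not perms.get(cid):
            problems.append("no permissions granted")
        findings[cid] = problems
    for cid in sorted(stray):
        findings.setdefault(cid, []).append("references a removed shared client id")
    # Grant/scope/permission rows for an id with no blc_client row are orphans.
    for cid in sorted((set(grants) | set(scopes) | set(perms)) - set(clients)):
        findings.setdefault(cid, []).append("child rows without a blc_client row")
    return findings


# Constructed sample in the shape of the "New Service Client SQL" above:
# inventoryclient is complete, cartopsclient still carries the placeholder,
# notificationclient has no grant type, and one scope row targets the removed
# shared 'cart' id. The $2a$ value is a dummy with the right shape, not a hash.
SAMPLE_SQL = """
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('inventoryclient', '{}', 'inventoryclient', 'Inventory Service Client', '$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('inventoryclient', 'client_credentials');
INSERT INTO blc_client_scopes (id, "scope") VALUES('inventoryclient', 'CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('inventoryclient', 'READ_CART');
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('cartopsclient', '{}', 'cartopsclient', 'Cart Ops Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('cartopsclient', 'client_credentials');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_CART');
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('notificationclient', '{}', 'notificationclient', 'Notification Service Client', '$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1', 'N', '2', 300, 60, 7200);
INSERT INTO blc_client_scopes (id, "scope") VALUES('notificationclient', 'CART');
INSERT INTO blc_client_permissions (id, permission) VALUES ('notificationclient', 'READ_CART');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cart', 'CART');
"""

if __name__ == "__main__":
    for client, problems in lint_service_clients(SAMPLE_SQL).items():
        print(client, "OK" if not problems else "; ".join(problems))
```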

Overriding Service Client Name

It is now possible to override service client names per service-provider class using properties. We do not recommend this, but if you do not want to use the new per-service client pattern described above, it is possible to re-use your current credentials. The following properties allow you to do so:

Service Client Override Properties
# Cart Ops
broadleaf.cartoperation.campaignprovider.service-client=campaign
broadleaf.cartoperation.cartprovider.service-client=cart
broadleaf.cartoperation.catalogprovider.service-client=catalog
broadleaf.cartoperation.offerprovider.service-client=offer
broadleaf.cartoperation.pricingprovider.service-client=pricing
broadleaf.cartoperation.inventoryprovider.service-client=inventory
broadleaf.cartoperation.paymentprovider.service-client=payment

# Order Ops
broadleaf.orderoperation.orderprovider.service-client=order
broadleaf.orderoperation.cart-provider.service-client=cart

# Catalog Browse
broadleaf.catalogbrowse.catalogprovider.service-client=catalog
broadleaf.catalogbrowse.offerprovider.service-client=offer
broadleaf.catalogbrowse.pricingprovider.service-client=pricing
broadleaf.catalogbrowse.catalogsearchprovider.service-client=catalog

# Inventory
broadleaf.inventory.cartprovider.service-client=cart

# Indexer
broadleaf.indexer.catalog.service.service-client=catalog
broadleaf.indexer.inventory.service.service-client=inventory
broadleaf.indexer.customer.service.service-client=customer
broadleaf.indexer.orderfulfillment.service.service-client=order
broadleaf.indexer.search.service.service-client=search
broadleaf.indexer.tenant.service.service-client=tenant
broadleaf.indexer.order.service.service-client=order

# Payment Transaction
broadleaf.paymenttransaction.customerprovider.service-client=customer

# Customer
broadleaf.customer.paymentprovider.service-client=payment

Permission/Role Refactor

Previously, roles and permissions were duplicated across the admin user service and authentication service. This is no longer the case. Auth is now the sole owner of roles and permissions, and admin users have a soft reference to role and permission IDs.

Therefore, a new client has been introduced to the admin user service. This client communicates with auth to read permissions and roles and its creation is referenced in the New Service Clients section below.

The changes here should work with no manual migration needed on your part.

The following Admin User tables and their related JPA classes have been deprecated:

  • blc_admin_role

  • blc_admin_permission

  • blc_admin_role_admin_permission_xref

  • blc_admin_user_admin_permission_xref

  • blc_admin_user_admin_role_xref

Instead, on the blc_admin_user table, there are two new columns: permission_ids and role_ids. These are soft references to roles and permissions in the auth database as a JSON string array.

As of the 1.7.0 release, all of our production clients are using Postgres. The following changelogs should handle this migration seamlessly for you and are in the adminuser.postgresql.changelog-master.xml file. For reference, these are the change sets:

Role and Permission Migration change sets:
    <changeSet author="cschneider (generated)" id="1636052448933-1" labels="version-1.7.0">
        <addColumn tableName="blc_admin_user">
            <column name="permission_ids" type="varchar(255 BYTE)" />
        </addColumn>
    </changeSet>
    <changeSet author="cschneider (generated)" id="1636052448933-2" labels="version-1.7.0">
        <addColumn tableName="blc_admin_user">
            <column name="role_ids" type="varchar(255 BYTE)" />
        </addColumn>
    </changeSet>
    <changeSet author="cschneider" id="migrate_roles" labels="version-1.7.0">
        <sql>
            with role_table as (
                select admin_user_id, json_agg(admin_role_id) as roles_json
                from blc_admin_user_admin_role_xref
                group by admin_user_id
            )
            update blc_admin_user admin_user_table
            set role_ids = role_table.roles_json
            from role_table
            where admin_user_table.id = role_table.admin_user_id;
        </sql>
    </changeSet>
    <changeSet author="cschneider" id="migrate_permissions" labels="version-1.7.0">
        <sql>
            with permission_table as (
                select admin_user_id, json_agg(admin_permission_id) as perms_json
                from blc_admin_user_admin_permission_xref
                group by admin_user_id
            )
            update blc_admin_user admin_user_table
            set permission_ids = permission_table.perms_json
            from permission_table
            where admin_user_table.id = permission_table.admin_user_id;
        </sql>
    </changeSet>
    <changeSet author="cschneider (generated)" id="1636738896835-3" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_ADMIN_ROLE_XREF"
            constraintName="FK25ND3HOYNNIBHMW0NYSH3Y6VM" />
    </changeSet>
    <changeSet author="cschneider (generated)" id="1636738896835-4" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_ADMIN_PERMISSION_XREF"
            constraintName="FKF0PHV6H1TTUKR0FU9NOSJPHQQ" />
    </changeSet>
    <changeSet author="cschneider (generated)" id="1636738896835-5" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_ADMIN_PERMISSION_XREF"
            constraintName="FKI6G9S596PO3NQX17KUG29C4OJ" />
    </changeSet>
    <changeSet author="cschneider (generated)" id="1636738896835-6" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_ADMIN_ROLE_XREF"
            constraintName="FKMRXOEA122JLQW6NYYGRQ0WD0J" />
    </changeSet>
    <changeSet author="cschneider (generated)" id="1637182128965-1" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_RESTRICTED_ROLE"
            constraintName="FKE5P91J56GRF7IXGQCE7RW6NFI" />
    </changeSet>
    <changeSet author="cschneider (generated)" id="1637182128965-2" labels="version-1.7.0">
        <dropForeignKeyConstraint
            baseTableName="BLC_ADMIN_USER_RESTRICTED_PERMISSION"
            constraintName="FKSS92BNWUJG0LDU04E1O7JRD5F" />
    </changeSet>

In summary, the goal here was to simplify role/permission management. These changes remove the FK constraints that are no longer necessary. They then move all role/permission xrefs defined in the xref tables into the new JSON string array columns on the admin user table.

When defining new roles/permissions, it is no longer necessary to duplicate the data across both the admin user and auth service tables. Moving forward, roles and permissions only need to be defined in auth. Admin users still need a soft reference to the roles and permissions they’re assigned in the blc_admin_user.permission_ids and blc_admin_user.role_ids columns, however.
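To see what the migrate_roles and migrate_permissions change sets commit to, here is an added Python model that is not part of the changelog or of the Broadleaf code. It groups xref rows the way json_agg(...) GROUP BY admin_user_id does, checks that the resulting JSON string array fits the new varchar(255) column, and, because the FK constraints are dropped, checks on both the write and the read side that every soft-referenced id still exists in auth. The admin user ids, role ids and the AUTH_ROLE_IDS set are constructed.

```python
import json

# Width of the new blc_admin_user.permission_ids / role_ids columns, per the
# addColumn change sets (varchar(255)).
COLUMN_WIDTH = 255


def aggregate_soft_refs(xref_rows):
    """Group (admin_user_id, ref_id) xref rows per admin user, keeping row order.

    This is the Python counterpart of json_agg(...) GROUP BY admin_user_id.
    """
    grouped = {}
    for user_id, ref_id in xref_rows:
        grouped.setdefault(user_id, []).append(ref_id)
    return grouped


def to_column_value(ref_ids):
    """Render the JSON string array that lands in permission_ids / role_ids."""
    return json.dumps(ref_ids)


def check_migration(xref_rows, known_ids, width=COLUMN_WIDTH):
    """Pre-flight one xref table before the migrate_* change set runs.

    known_ids: the ids present in the auth service's role or permission table.
    Returns {admin_user_id: [findings]}; an empty list means the row fits the
    column and every soft reference resolves.
    """
    report = {}
    for user_id, ref_ids in aggregate_soft_refs(xref_rows).items():
        problems = []
        size = len(to_column_value(ref_ids).encode("utf-8"))
        if size > width:
            problems.append("JSON array is %d bytes, exceeds varchar(%d)" % (size, width))
        dangling = [r for r in ref_ids if r not in known_ids]
        if dangling:
            problems.append("dangling soft reference(s): " + ", ".join(dangling))
        if len(set(ref_ids)) != len(ref_ids):
            problems.append("duplicate references in xref rows")
        report[user_id] = problems
    return report


def resolve_soft_refs(column_value, known_ids):
    """Read side: split a stored soft-reference column into (resolved, dangling).

    With the FK constraints gone, nothing stops an id in the column from
    pointing at a role or permission auth has since deleted, so a reader has
    to treat unresolved ids as absent instead of failing.
    """
    ids = json.loads(column_value) if column_value else []
    return [i for i in ids if i in known_ids], [i for i in ids if i not in known_ids]


# Constructed rows in the shape of blc_admin_user_admin_role_xref: u1 holds two
# valid roles, u2 references a role that no longer exists in auth, and u3 has
# enough roles that the aggregated array overflows the column.
ROLE_XREF_ROWS = [("u1", "-1"), ("u1", "-200"), ("u2", "-2"), ("u2", "-999")]
ROLE_XREF_ROWS += [("u3", str(-1000 - i)) for i in range(40)]
AUTH_ROLE_IDS = {"-1", "-2", "-200", "-201"} | {str(-1000 - i) for i in range(40)}

if __name__ == "__main__":
    for user, problems in check_migration(ROLE_XREF_ROWS, AUTH_ROLE_IDS).items():
        print(user, "OK" if not problems else "; ".join(problems))
    print(resolve_soft_refs('["-1", "-999"]', AUTH_ROLE_IDS))
```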

New Service Clients

New service clients have been added.

  • Admin User Service. New default client name adminuserclient

    • By default, interacts with: Auth Service

  • Notification Service. New default client name notificationclient

    • By default, interacts with: Cart Service

  • Payment Transaction Service. New default client name paymenttransactionclient

    • By default, interacts with: Customer Service

  • Customer Service. New default client name customerclient

    • By default, interacts with: Payment Transaction Service

Use the following to insert them into the auth database:

New Service Client SQL
INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('adminuserclient', '{}', 'adminuserclient', 'Admin User Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);

INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('adminuserclient', 'client_credentials');

INSERT INTO blc_client_scopes (id, "scope") VALUES('adminuserclient', 'ROLE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('adminuserclient', 'PERMISSION');

INSERT INTO blc_client_permissions (id, permission) VALUES ('adminuserclient', 'READ_ROLE');
INSERT INTO blc_client_permissions (id, permission) VALUES ('adminuserclient', 'READ_PERMISSION');

INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('notificationclient', '{}', 'notificationclient', 'Notification Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);

INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('notificationclient', 'client_credentials');

INSERT INTO blc_client_scopes (id, "scope") VALUES('notificationclient', 'CART');

INSERT INTO blc_client_permissions (id, permission) VALUES ('notificationclient', 'READ_CART');

INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('paymenttransactionclient', '{}', 'paymenttransactionclient', 'Payment Transaction Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);

INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('paymenttransactionclient', 'client_credentials');

INSERT INTO blc_client_scopes (id, "scope") VALUES('paymenttransactionclient', 'SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT');

INSERT INTO blc_client_permissions (id, permission) VALUES ('paymenttransactionclient', 'READ_SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT');

INSERT INTO blc_client (id, attributes, client_id, friendly_name, client_secret, is_admin, auth_server_id, token_timeout_seconds, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('customerclient', '{}', 'customerclient', 'Customer Service Client', 'TODO MY SECRET', 'N', '2', 300, 60, 7200);

INSERT INTO blc_client_scopes (id, "scope") VALUES('customerclient', 'SENSITIVE_PAYMENT');

INSERT INTO blc_client_grant_types (id, grant_type) VALUES ('customerclient', 'client_credentials');

INSERT INTO blc_client_permissions (id, permission) VALUES ('customerclient', 'READ_SENSITIVE_PAYMENT');

The properties YAML for the above would look like the following:

New Service client YAML
spring:
  security:
    oauth2:
      client:
        provider:
          adminuserclient:
            token-uri: 'https://localhost:8443/oauth/token'
          notificationclient:
            token-uri: 'https://localhost:8443/oauth/token'
          paymenttransactionclient:
            token-uri: 'https://localhost:8443/oauth/token'
          customerclient:
            token-uri: 'https://localhost:8443/oauth/token'
        registration:
          adminuserclient:
            authorization-grant-type: client_credentials
            client-id: adminuserclient
            client-secret: admin_user_secret
          notificationclient:
            authorization-grant-type: client_credentials
            client-id: notificationclient
            client-secret: notification_secret
          paymenttransactionclient:
            authorization-grant-type: client_credentials
            client-id: paymenttransactionclient
            client-secret: payment_transaction_secret
          customerclient:
            authorization-grant-type: client_credentials
            client-id: customerclient
            client-secret: customer_secret

New Permissions

New permissions have been added and should be inserted into the auth database with the following SQL:

New Permissions
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-74', 'CAMPAIGN_CODE', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-75', 'SHIPPING_LABEL', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-76', 'SHIPPING_RATES', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-77', 'CUSTOMER_PAYMENT_MANAGEMENT', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-78', 'SYSTEM_PAYMENT_MANAGEMENT', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-79', 'EXECUTE_AUTHORIZE', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-80', 'EXECUTE_AUTHORIZE_AND_CAPTURE', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-81', 'EXECUTE_REVERSE_AUTHORIZE', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-82', 'EXECUTE_CAPTURE', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-83', 'EXECUTE_REFUND', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-84', 'SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT', 'N');
INSERT INTO blc_security_scope (id, "name", "open") VALUES('-85', 'SENSITIVE_PAYMENT', 'N');

INSERT INTO blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-115', 'CAMPAIGN_CODE', 'Y', '-74');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-120', 'SHIPPING_LABEL', 'Y', '-75');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-121', 'SHIPPING_RATES', 'Y', '-76');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-122', 'CUSTOMER_PAYMENT_MANAGEMENT', 'Y', '-100');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-123', 'SYSTEM_PAYMENT_MANAGEMENT', 'Y', '-78');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-124', 'EXECUTE_AUTHORIZE', 'Y', '-79');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-125', 'EXECUTE_AUTHORIZE_AND_CAPTURE', 'Y', '-80');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-126', 'EXECUTE_REVERSE_AUTHORIZE', 'Y', '-81');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-127', 'EXECUTE_CAPTURE', 'Y', '-82');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-128', 'EXECUTE_REFUND', 'Y', '-83');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-129', 'CUSTOMER_PAYMENT_MANAGEMENT', 'Y', '-77');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-130', 'SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT', 'Y', '-84');
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES('-131', 'SENSITIVE_PAYMENT', 'Y', '-85');

INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-231', 'N', '1970-01-01 00:00:00.000', 'ALL_SHIPPING_LABEL');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-232', 'N', '1970-01-01 00:00:00.000', 'READ_SHIPPING_LABEL');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-233', 'N', '1970-01-01 00:00:00.000', 'ALL_SHIPPING_RATES');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-234', 'N', '1970-01-01 00:00:00.000', 'READ_SHIPPING_RATES');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-235', 'N', '1970-01-01 00:00:00.000', 'ALL_CUSTOMER_PAYMENT_MANAGEMENT');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-236', 'N', '1970-01-01 00:00:00.000', 'READ_CUSTOMER_PAYMENT_MANAGEMENT');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-237', 'N', '1970-01-01 00:00:00.000', 'ALL_SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-238', 'N', '1970-01-01 00:00:00.000', 'READ_SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-239', 'N', '1970-01-01 00:00:00.000', 'ALL_EXECUTE_AUTHORIZE');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-240', 'N', '1970-01-01 00:00:00.000', 'ALL_EXECUTE_AUTHORIZE_AND_CAPTURE');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-241', 'N', '1970-01-01 00:00:00.000', 'ALL_EXECUTE_REVERSE_AUTHORIZE');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-242', 'N', '1970-01-01 00:00:00.000', 'ALL_EXECUTE_CAPTURE');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-243', 'N', '1970-01-01 00:00:00.000', 'ALL_EXECUTE_REFUND');
INSERT INTO blc_user_permission (id, archived, last_updated, "name") VALUES('-244', 'N', '1970-01-01 00:00:00.000', 'ALL_RECORD_TRANSACTION_RESULTS');

INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'EXECUTE_AUTHORIZE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'SHIPPING_RATES');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'EXECUTE_AUTHORIZE_AND_CAPTURE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('cartopsclient', 'INVENTORY_RESERVATION');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'EXECUTE_REFUND');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'CAMPAIGN_CODE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'EXECUTE_AUTHORIZE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'EXECUTE_CAPTURE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'EXECUTE_REVERSE_AUTHORIZE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('orderopsclient', 'EXECUTE_AUTHORIZE_AND_CAPTURE');
INSERT INTO blc_client_scopes (id, "scope") VALUES('paymenttransactionclient', 'SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('customerclient', 'SENSITIVE_PAYMENT');
INSERT INTO blc_client_scopes (id, "scope") VALUES('anonymous', 'CUSTOMER_PAYMENT_MANAGEMENT');

INSERT INTO blc_client_permissions (id, "permission") VALUES('cartopsclient', 'ALL_EXECUTE_AUTHORIZE_AND_CAPTURE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('cartopsclient', 'READ_SHIPPING_RATES');
INSERT INTO blc_client_permissions (id, "permission") VALUES('cartopsclient', 'ALL_SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_client_permissions (id, "permission") VALUES('cartopsclient', 'ALL_INVENTORY_RESERVATION');
INSERT INTO blc_client_permissions (id, "permission") VALUES('cartopsclient', 'ALL_EXECUTE_AUTHORIZE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_CAMPAIGN_CODE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_EXECUTE_AUTHORIZE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_EXECUTE_REVERSE_AUTHORIZE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_EXECUTE_REFUND');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_EXECUTE_CAPTURE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_EXECUTE_AUTHORIZE_AND_CAPTURE');
INSERT INTO blc_client_permissions (id, "permission") VALUES('orderopsclient', 'ALL_SYSTEM_PAYMENT_MANAGEMENT');
INSERT INTO blc_client_permissions (id, "permission") VALUES('paymenttransactionclient', 'READ_SENSITIVE_CUSTOMER_PAYMENT_ACCOUNT');
INSERT INTO blc_client_permissions (id, "permission") VALUES('customerclient', 'READ_SENSITIVE_PAYMENT');
INSERT INTO blc_client_permissions (id, "permission") VALUES('anonymous', 'ALL_CUSTOMER_PAYMENT_MANAGEMENT');

-- PRICE_LIST permission scope for customer security scope
DELETE FROM blc_permission_scope WHERE id = '-102';
-- CAMPAIGN permission scope for customer security scope
DELETE FROM blc_permission_scope WHERE id = '-103';
-- OFFER permission scope for customer security scope
DELETE FROM blc_permission_scope WHERE id = '-105';

-- DEFAULT ROLE UPDATES

-- REQUIRED. Customer user role changes
-- READ_SHIPPING_RATES permission
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-100', '-234');
-- ALL_CUSTOMER_PAYMENT_MANAGEMENT permission
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id) VALUES ('-100', '-235');

-- These role updates may or may not be necessary depending on if you are using out of box roles.

-- "PARTIAL" role adds read shipping label permission
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES ('-1', '-232');

-- "FULL_ACCESS" role adds all shipping label permission
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES ('-2', '-231');

-- "ROLE_MARKETPLACE_OPERATOR" role adds all shipping label permission
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES ('-200', '-231');

-- "ROLE_VENDOR_ADMIN" role adds all shipping label permission
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES ('-201', '-231');