slapos_erp5:

* drop transfer from another Project * drop allocation_scope/open categories * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationProject * drop Item_getSecurityCategoryFromMovementDestination * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject * drop ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation * switch event/ticket roles to virtual master security * drop Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection * drop Event_getSecurityCategoryFromMovementFollowUpAggregateDestination * delete Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationSection * drop Item_getSecurityCategoryFromMovementAggregateDestination * drop Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination * drop Item_getSecurityCategoryFromMovementLineAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementLineAggregateDestination * drop Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection * provide access to Compute Node Manager on Upgrade Decision * delivery/movement must use source_project instead of follow_up * delivery/movement must use source_project instead of follow_up * drop query module security * drop Compute Partition roles It must be visible by all project members * instance of the project can access compute nodes * do not make Credit Card readable * drop data set security * only accountant can create/update Account * add function local_role_group * use function local_role_group on Account * use function local_role_group on account * only accountant can read/write accounting transactions. Ledger is used as write condition * accounting period are only readable/writable by accountant * accounting period are only readable/writable by accountant * provide access on compute node to project customer/production * give read access to project production * provide access to production on software installation * switch admin to production manager in tests * no need for group/role in assignment. Use parent function too * provide access to function/production on Instance Tree * provide access to instance for function/production users * provide access to function/production* on support request * provide access to function/production on event module * provide access to regularisation request to function/production * drop roles for DMS portal types It does not seem used. * provide read/write access to function/production to Computer Network * provide access to function/is to System Event * provide access to function/is on Assignment * provide access to person module * provide read only access to project/customer on software product * provide readonly access to project/customer on software release * test set server allocation_scope to open * provide readonly access for project/customer on accounting module * provide readonly access for project/customer on compute node module

slapos_erp5:
* drop transfer from another Project * drop allocation_scope/open categories * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationProject * drop Item_getSecurityCategoryFromMovementDestination * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject * drop ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation * switch event/ticket roles to virtual master security * drop Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection * drop Event_getSecurityCategoryFromMovementFollowUpAggregateDestination * delete Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationSection * drop Item_getSecurityCategoryFromMovementAggregateDestination * drop Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination * drop Item_getSecurityCategoryFromMovementLineAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementLineAggregateDestination * drop Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection * provide access to Compute Node Manager on Upgrade Decision * delivery/movement must use source_project instead of follow_up * delivery/movement must use source_project instead of follow_up * drop query module security * drop Compute Partition roles It must be visible by all project members * instance of the project can access compute nodes * do not make Credit Card readable * drop data set security * only accountant can create/update Account * add function local_role_group * use function local_role_group on Account * use function local_role_group on account * only accountant can read/write accounting transactions. Ledger is used as write condition * accounting period are only readable/writable by accountant * accounting period are only readable/writable by accountant * provide access on compute node to project customer/production * give read access to project production * provide access to production on software installation * switch admin to production manager in tests * no need for group/role in assignment. Use parent function too * provide access to function/production on Instance Tree * provide access to instance for function/production users * provide access to function/production* on support request * provide access to function/production on event module * provide access to regularisation request to function/production * drop roles for DMS portal types It does not seem used. * provide read/write access to function/production to Computer Network * provide access to function/is to System Event * provide access to function/is on Assignment * provide access to person module * provide read only access to project/customer on software product * provide readonly access to project/customer on software release * test set server allocation_scope to open * provide readonly access for project/customer on accounting module * provide readonly access for project/customer on compute node module
62c7a799 · Romain Courteaud · ab229f2e · 62c7a799 · 62c7a799 · 62c7a799
Commit 62c7a799 authored Jun 15, 2022 by Romain Courteaud 🐙
133 changed files
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -9,9 +9,9 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Auditor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
+    <principal id='F-ACCOUNTING'>Author</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/bank.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/bank.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/capital.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/capital.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/coll_vat.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/coll_vat.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/equipments.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/equipments.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/inventories.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/inventories.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payable.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payable.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payment_to_encash.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payment_to_encash.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/profit_loss.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/profit_loss.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/purchase.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/purchase.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/receivable.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/receivable.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/refundable_vat.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/refundable_vat.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/sales.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/sales.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-CUSTOMER'>
+   <item>Auditor</item>
+  </role>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -12,15 +15,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_pre_payment_template.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_pre_payment_template.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_wechat_pre_payment_template.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_wechat_pre_payment_template.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_contract_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_contract_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_pre_payment_subscription_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_pre_payment_subscription_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_wechat_pre_payment_subscription_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_wechat_pre_payment_subscription_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
-   <item>Assignor</item>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Assignor</principal>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='F-COMPUMAN'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='G-COMPANY'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
+   <item>Author</item>
  </role>
  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
-   <item>Auditor</item>
-  </role>
 </local_roles>
 <local_role_group_ids>
  <local_role_group_id id='computer'>
    <principal id='R-COMPUTER'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_network_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_network_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -13,16 +12,11 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/data_set_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/data_set_module.xml
-<local_roles_item>
- <local_roles>
-  <role id='G-COMPANY'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
- </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
-</local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/event_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/event_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
+    <principal id='F-CUSTOMER'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
@@ -4,7 +4,7 @@
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='G-COMPANY'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-COMPUTER'>
@@ -14,9 +14,4 @@
   <item>Auditor</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/person_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/person_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -12,15 +11,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='F-COMPUMAN'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
  </role>
-  <role id='F-CUSTOMER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-COMPUTER'>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/regularisation_request_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/regularisation_request_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='F-COMPUMAN'>
+  <role id='F-PRODUCTION*'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
-  <role id='G-COMPANY'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -16,9 +12,5 @@
  <local_role_group_id id='computer'>
    <principal id='R-COMPUTER'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
@@ -4,7 +4,7 @@
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='G-COMPANY'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -16,10 +16,4 @@
   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_product_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_product_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_release_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_release_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
-  </role>
-  <role id='R-MEMBER'>
-   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/support_request_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/support_request_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
+  <local_role_group_id id='function'>
-    <principal id='G-COMPANY'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
+    <principal id='F-CUSTOMER'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/system_event_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/system_event_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-IS*'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Author</principal>
  </local_role_group_id>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_InternalPackingListLine_setAggregate.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_InternalPackingListLine_setAggregate.xml
@@ -2,65 +2,76 @@
 <ZopeData>
  <record id="1" aka="AAAAAAAAAAE=">
    <pickle>
-      <global name="Interaction Workflow Interaction" module="erp5.portal_type"/>
+      <global name="Category" module="erp5.portal_type"/>
    </pickle>
    <pickle>
      <dictionary>
        <item>
-            <key> <string>categories</string> </key>
+            <key> <string>_Add_portal_content_Permission</string> </key>
            <value>
              <tuple>
-                <string>before_commit_script/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles</string>
+                <string>Assignor</string>
+                <string>Manager</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>description</string> </key>
+            <key> <string>_Add_portal_folders_Permission</string> </key>
            <value>
-              <none/>
+              <tuple>
+                <string>Assignor</string>
+                <string>Manager</string>
+              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>id</string> </key>
+            <key> <string>_Copy_or_Move_Permission</string> </key>
-            <value> <string>interaction_InternalPackingListLine_setAggregate</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Interaction Workflow Interaction</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type_filter</string> </key>
            <value>
              <tuple>
-                <string>Internal Packing List Line</string>
+                <string>Assignor</string>
+                <string>Manager</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>portal_type_group_filter</string> </key>
+            <key> <string>_Delete_objects_Permission</string> </key>
            <value>
-              <tuple/>
+              <tuple>
+                <string>Assignor</string>
+                <string>Manager</string>
+              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>temporary_document_disallowed</string> </key>
+            <key> <string>_Modify_portal_content_Permission</string> </key>
-            <value> <int>0</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_method_id</string> </key>
            <value>
              <tuple>
-                <string>_setAggregate.*</string>
+                <string>Assignee</string>
+                <string>Assignor</string>
+                <string>Manager</string>
+                <string>Owner</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>trigger_once_per_transaction</string> </key>
+            <key> <string>description</string> </key>
-            <value> <int>0</int> </value>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>function</string> </value>
        </item>
        <item>
-            <key> <string>trigger_type</string> </key>
+            <key> <string>portal_type</string> </key>
-            <value> <int>2</int> </value>
+            <value> <string>Category</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value>
+              <none/>
+            </value>
        </item>
      </dictionary>
    </pickle>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Accountant</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>Any accountant or accountant manager may create accounts and access accounts</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Accountant</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>Only the accountant can validate new accounts.</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Period.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Period.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Company group</property>
+   <property id='title'>Accountant</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Accountant</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>group</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +15,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Writable for Accountant</property>
   <property id='condition'>python: context.getLedger("") != "automated"</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Acknowledgement.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Acknowledgement.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Assignment.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Assignment.xml
 <type_roles>
-  <role id='Auditor; Assignor'>
+  <role id='Auditor'>
-   <property id='title'>Company group</property>
+   <property id='title'>Information System</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/is*</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Balance%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Balance%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Writable for Accountant</property>
   <property id='condition'>python: context.getLedger("") != "automated"</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
@@ -5,23 +5,14 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor; Author'>
-   <property id='title'>Compute Node Manager</property>
-   <property id='description'>XXX TODO
-add local roles group</property>
-   <multi_property id='category'>function/computer/manager</multi_property>
-   <multi_property id='base_category'>function</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+  </role>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>Project Customer</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationSection</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignor'>
-   <property id='title'>Project Compute Node Manager</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='description'>XXX project local role group</property>
+   <property id='description'>XXX add local role group</property>
   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='category'>function/production/manager</multi_property>
   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
-  </role>
  <role id='Assignor'>
   <property id='title'>Self Compute Node</property>
   <property id='condition'>python: context.getUserId("") != ""</property>
@@ -26,4 +30,11 @@
   <multi_property id='categories'>local_role_group/computer</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Software Instance</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>role/instance</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Partition.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Partition.xml
-<type_roles>
-  <role id='Auditor'>
-   <property id='title'>Customer of the partition</property>
-   <property id='condition'>python: here.getSlapState() == "busy"</property>
-   <property id='base_category_script'>ComputePartition_getSecurityCategoryFromUser</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Software Instance group related to Compute Partition</property>
-   <property id='condition'>python: here.getSlapState() == "busy"</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree</property>
-   <multi_property id='categories'>local_role_group/subscription</multi_property>
-   <multi_property id='base_category'>aggregate</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network%20Module.xml
 <type_roles>
-  <role id='Auditor; Author'>
+  <role id='Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Auditor; Author'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +11,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Person Owner</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>source_administration</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
   <multi_property id='categories'>local_role_group/shadow</multi_property>
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Project Customer</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
  <role id='Assignee'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Credit%20Card.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Credit%20Card.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set%20Module.xml
-<type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set.xml
-<type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Event%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Event%20Module.xml
 <type_roles>
  <role id='Auditor; Author'>
-   <property id='title'>Group company</property>
+   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
+   <property id='title'>Production</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/production*</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Fax%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Fax%20Message.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Incident%20Response.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Incident%20Response.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Company group</property>
+   <property id='title'>Project Compute Node Manager</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX project local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getSourceProject("", portal_type='Project') != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
@@ -4,18 +4,16 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Group Company</property>
-   <property id='description'>Author</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Instance</property>
   <multi_property id='category'>role/instance</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor; Author'>
   <property id='title'>Project Customer</property>
   <multi_property id='category'>function/customer</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
@@ -6,19 +6,16 @@
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestination</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Assignee'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
   <multi_property id='category'>function/production/manager</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Letter.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Letter.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Mail%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Mail%20Message.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Note.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Note.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payment%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payment%20Transaction.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <property id='condition'>python: context.getLedger("") != "automated"</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Person Shadow</property>
   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') == ""</property>
@@ -13,6 +6,13 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor'>
   <property id='title'>Shadow User</property>
   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') != ''</property>
@@ -27,4 +27,11 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payzen%20Event.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payzen%20Event.xml
 <type_roles>
  <role id='Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Information System</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/is*</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>Shadow User</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Person%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Person%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +10,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Phone%20Call.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Phone%20Call.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
@@ -8,7 +8,7 @@
   <property id='title'>Project Compute Node Manager</property>
   <property id='description'>XXX TODO
 add local roles group</property>
-   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='category'>function/production*</multi_property>
   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Purchase%20Invoice%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Purchase%20Invoice%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Writable for Accountant</property>
   <property id='condition'>python: context.getLedger("") != "automated"</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Query.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Query.xml
-<type_roles>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request.xml
@@ -6,12 +6,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member can see template</property>
   <property id='condition'>python: here.getRelativeUrl() == here.getPortalObject().portal_preferences.getPreferredRegularisationRequestTemplate()</property>
@@ -19,4 +13,20 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Assignee'>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Sale%20Invoice%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Sale%20Invoice%20Transaction.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <property id='condition'>python: context.getLedger("") != "automated"</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Person Shadow</property>
   <property id='condition'>python: context.getLedger("") == "automated"</property>
@@ -13,6 +6,13 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor'>
   <property id='title'>User</property>
   <property id='condition'>python: (here.getDestinationSection('', portal_type='Person') != '') and (context.getLedger("") == "automated")</property>
@@ -20,4 +20,11 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Short%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Short%20Message.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Site%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Site%20Message.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
@@ -11,12 +11,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Instance related by Instance Tree</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
@@ -24,16 +18,20 @@
   <multi_property id='base_category'>specialise</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Software Instance which provides this Slave Instance</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
@@ -6,16 +6,10 @@
   <multi_property id='base_category'>role</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Compute Node Manager</property>
+   <property id='title'>Project Production</property>
   <property id='description'>XXX TODO
 add local roles group</property>
-   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='category'>function/production*</multi_property>
   <multi_property id='base_category'>function</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
@@ -5,24 +5,20 @@
   <multi_property id='categories'>local_role_group/computer</multi_property>
   <multi_property id='base_category'>aggregate</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationSection</property>
+   <property id='description'>XXX project local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
+  <role id='Assignor'>
-   <property id='title'>Project Compute Node Manager</property>
+   <property id='title'>Project Production Manager</property>
   <property id='description'>XXX project local role group</property>
   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='category'>function/production/manager</multi_property>
   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
@@ -4,17 +4,16 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor; Author'>
   <property id='title'>Instance</property>
   <multi_property id='category'>role/instance</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor; Author'>
   <property id='title'>Project Customer</property>
   <multi_property id='category'>function/customer</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
@@ -18,19 +18,16 @@
   <multi_property id='base_category'>specialise</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Assignee'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
   <multi_property id='category'>function/production/manager</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
+  <role id='Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Auditor; Author'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>role</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
+  <role id='Auditor; Author'>
-   <property id='title'>Group company</property>
+   <property id='title'>Production</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <multi_property id='category'>function/production*</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='base_category'>function</multi_property>
-   <multi_property id='base_category'>group</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
+   <property id='title'>Project Customer</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>role/member</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request.xml
@@ -6,12 +6,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member can see template</property>
   <property id='condition'>python: here.getRelativeUrl() == here.getPortalObject().portal_preferences.getPreferredSupportRequestTemplate()</property>
@@ -19,22 +13,20 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignee'>
-   <property id='title'>Organisation Member (Compute Node)</property>
+   <property id='title'>Project Production Agent</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/System%20Event%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/System%20Event%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
+  <role id='Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Information System</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/is*</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Author'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/computer/manager</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor; Author'>
   <property id='title'>Member</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Compute Node Manager</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX project local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/computer/manager</multi_property>
-  <role id='Assignee'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>User</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Visit.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Visit.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Message.xml
@@ -15,28 +15,20 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
+  <role id='Assignee'>
-   <property id='title'>Group company</property>
+   <property id='title'>Project Production Agent</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-  </role>
+   <multi_property id='category'>function/production/agent</multi_property>
-  <role id='Auditor'>
+   <multi_property id='base_category'>follow_up</multi_property>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
  </role>
-  <role id='Auditor'>
+  <role id='Assignor'>
-   <property id='title'>Project Member</property>
+   <property id='title'>Project Production Manager</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
+   <property id='description'>XXX add local role group</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page%20Module.xml
-<type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page.xml
-<type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Wechat%20Event.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Wechat%20Event.xml
 <type_roles>
  <role id='Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Information System</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
+   <property id='description'>XXX local role group</property>
-   <multi_property id='category'>group/company</multi_property>
+   <multi_property id='category'>function/is*</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>Shadow User</property>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.py
-# XXX For now, this script requires proxy manager
-# base_category_list : list of category values we need to retrieve
-# user_name : string obtained from getSecurityManager().getUser().getUserName() [NuxUserGroup]
-#             or from getSecurityManager().getUser().getId() [PluggableAuthService with ERP5GroupManager]
-# object : object which we want to assign roles to.
-# portal_type : portal type of object
-# must always return a list of dicts
-if obj is None:
-  return []
-compute_node = obj
-category_list = []
-scope = compute_node.getAllocationScope()
-if scope == 'open/public':
-  return {"Auditor": ["R-SHADOW-PERSON"]}
-elif scope == 'open/subscription':
-  return {"Auditor": ["R-SHADOW-PERSON"]}
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ComputeNode_getSecurityCategoryFromAllocationScope</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-partition = obj
-for instance in partition.getPortalObject().portal_catalog(
-    portal_type=["Software Instance", "Slave Instance"],
-    validation_state="validated",
-    default_aggregate_uid=partition.getUid()):
-  if instance is not None:
-    instance_tree = instance.getSpecialiseValue(portal_type="Instance Tree")
-    if instance_tree is not None:
-      person = instance_tree.getDestinationSectionValue(portal_type="Person")
-      if person is not None:
-        for base_category in base_category_list:
-          category_list.append({base_category: [person.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ComputePartition_getSecurityCategoryFromUser</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.py
-"""This scripts set ups role of aggregate related Software Instance
-This is simple implementation, instead of generic related category with portal type,
-which would not be configurable in Role Definition anyway."""
-category_list = []
-if obj is None:
-  return []
-software_instance_list = obj.getPortalObject().portal_catalog(
-  portal_type='Software Instance',
-  default_aggregate_uid=obj.getUid(),
-  limit=2
-)
-if len(software_instance_list) == 1:
-  instance_tree = software_instance_list[0].getSpecialise(portal_type='Instance Tree')
-  for base_category in base_category_list:
-    category_list.append({base_category: instance_tree})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Assignee</string>
-                <string>Assignor</string>
-                <string>Associate</string>
-                <string>Auditor</string>
-                <string>Authenticated</string>
-                <string>Author</string>
-                <string>Manager</string>
-                <string>Member</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_function</string> </key>
-            <value> <string>getSecurityCategoryFromAssignmentDestinationClientOrganisation</string> </value>
-        </item>
-        <item>
-            <key> <string>_module</string> </key>
-            <value> <string>SlapOSSecurity</string> </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
@@ -9,18 +9,17 @@ deprecated ERP5Type_asSecurityGroupIdList
 return (
  # Person security
  ('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['group']),
+  ('ERP5Type_getSecurityCategoryFromAssignmentParent', ['function']),
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['role']),
  # XXX TODO check that only validated project are used
  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
-  ('ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation', ['destination']),
  # Compute Node security
  ('ERP5Type_getComputeNodeSecurityCategory', ['role']),
  # Instance security
  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['role']),
+  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project', 'role']),
  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['aggregate']),
 )
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = obj.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = obj.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = obj.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-if aggregate_value is None:
-  return []
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-if aggregate_value is None:
-  return []
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-if aggregate_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-specialise_value = obj.getSpecialiseValue()
-if specialise_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = specialise_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-The parameters are
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-NOTE: for now, this script requires proxy manager
-"""
-category_list = []
-if obj is None:
-  return []
-specialise_value = obj.getSpecialiseValue()
-if specialise_value is None:
-  return []
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = specialise_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
@@ -33,11 +33,11 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
      group='company'
    ).open()
 """
-  def addProjectComputeNodeManagerAssignment(self, person, project):
+  def addProjectProductionManagerAssignment(self, person, project):
    person.newContent(
      portal_type='Assignment',
      destination_project_value=project,
-      function='computer/manager'
+      function='production/manager'
    ).open()
  def addProjectCustomerAssignment(self, person, project):
@@ -74,7 +74,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    # first slapos administrator assignment can only be created by
    # the erp5 manager
-    self.addProjectComputeNodeManagerAssignment(owner_person, project)
+    self.addProjectProductionManagerAssignment(owner_person, project)
    self.tic()
    # hooray, now it is time to create compute_nodes
@@ -86,6 +86,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
        portal_type='Compute Node', reference=public_server_id)
    self.setAccessToMemcached(public_server)
    self.assertNotEqual(None, public_server)
+    self.setServerOpenPublic(public_server)
    # and install some software on them
    public_server_software = self.generateNewSoftwareReleaseUrl()

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.py
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.py
-from Products.ZSQLCatalog.SQLCatalog import SimpleQuery, ComplexQuery
-portal_type_list = ['Compute Node', 'Computer Network', 'Instance Tree']
-portal = context.getPortalObject()
-internal_packing_list_line = state_change['object']
-after_tag = (internal_packing_list_line.getPath(), ('immediateReindexObject', 'recursiveImmediateReindexObject'))
-internal_packing_list_line.getParentValue().reindexObject()
-for object_ in internal_packing_list_line.getAggregateValueList(portal_type=portal_type_list):
-  object_.activate(after_path_and_method_id=after_tag).updateLocalRolesOnSecurityGroups()
-  if object_.getPortalType() == "Compute Node":
-    portal.portal_catalog.searchAndActivate(
-      portal_type=["Software Installation", "Support Request","Upgrade Decision Line"],
-      aggregate__uid=object_.getUid(),
-      method_id="Base_updateSlapOSLocalRolesOnSecurityGroups",
-      method_kw=dict(activate_kw={"after_path_and_method_id": after_tag}),
-      activate_kw={"after_path_and_method_id": after_tag}
-    )
-  elif object_.getPortalType() == "Instance Tree":
-    query = ComplexQuery(
-      ComplexQuery(
-        SimpleQuery(portal_type=["Software instance", "Slave Instance"]),
-        SimpleQuery(default_specialise_uid=object_.getUid()),
-        logical_operator="AND"),
-      ComplexQuery(
-        SimpleQuery(portal_type=["Support Request", "Upgrade Decision Line"]),
-        SimpleQuery(aggregate__uid=object_.getUid()),
-        logical_operator="AND"),
-      logical_operator="OR"
-    )
-    portal.portal_catalog.searchAndActivate(
-      query=query,
-      method_id="Base_updateSlapOSLocalRolesOnSecurityGroups",
-      method_kw=dict(activate_kw={"after_path_and_method_id": after_tag}),
-      activate_kw={"after_path_and_method_id": after_tag}
-    )
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="Workflow Script" module="erp5.portal_type"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>state_change</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>script_InternalPackingListLine_updateAggregateLocalRoles</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Workflow Script</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/bt/template_local_role_list
+++ b/master/bt5/slapos_erp5/bt/template_local_role_list
@@ -34,14 +34,6 @@ credential_update_module
 currency_module
 currency_module/CNY
 currency_module/EUR
-data_array_module
-data_ingestion_module
-data_mapping_module
-data_operation_module
-data_set_module
-data_stream_module
-data_supply_module
-data_transformation_module
 document_ingestion_module
 document_module
 event_module

--- a/master/bt5/slapos_erp5/bt/template_portal_type_role_list
+++ b/master/bt5/slapos_erp5/bt/template_portal_type_role_list
@@ -18,7 +18,6 @@ Cloud Contract
 Cloud Contract Module
 Compute Node
 Compute Node Module
-Compute Partition
 Computer Consumption TioXML File
 Computer Model
 Computer Model Module
@@ -31,22 +30,6 @@ Credential Update Module
 Credit Card
 Currency
 Currency Module
-Data Array
-Data Array Module
-Data Ingestion
-Data Ingestion Module
-Data Mapping
-Data Mapping Module
-Data Operation
-Data Operation Module
-Data Set
-Data Set Module
-Data Stream
-Data Stream Module
-Data Supply
-Data Supply Module
-Data Transformation
-Data Transformation Module
 Document Ingestion Module
 Document Module
 ERP5 Login
@@ -82,7 +65,6 @@ Product Module
 Project
 Project Module
 Purchase Invoice Transaction
-Query
 Regularisation Request
 Regularisation Request Module
 Restricted Access Token
@@ -117,7 +99,4 @@ User Consumption HTML File
 Visit
 Web Illustration
 Web Message
-Web Page
-Web Page Module
-Web Table
 Wechat Event