From 897bfa84105bc45352426c03d9c58854e98c5156 Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Fri, 24 May 2024 15:54:10 +0100
Subject: [PATCH 1/6] PRODENG-276: Implemented three distinct service account
 roles with varying access levels.

---
 .../cmr/security/PermissionService.java       |  25 +-
 .../repo/sa/ServiceAccountRegistry.java       |  61 +++
 .../repo/sa/ServiceAccountRegistryImpl.java   | 156 ++++++++
 .../dynamic/ServiceAccountAuthority.java      |  83 ++++
 .../alfresco/authority-services-context.xml   |   4 +
 .../alfresco/model/permissionDefinitions.xml  |  29 +-
 .../public-services-security-context.xml      |  20 +
 .../java/org/alfresco/AllUnitTestsSuite.java  |   3 +-
 .../org/alfresco/AppContext05TestSuite.java   |   1 +
 .../sa/ServiceAccountRegistryImplTest.java    | 157 ++++++++
 .../repo/security/SecurityTestSuite.java      |   2 +
 .../dynamic/ServiceAccountRoleTest.java       | 353 ++++++++++++++++++
 .../impl/PermissionServiceTest.java           |  20 +-
 .../test/resources/alfresco-global.properties |   5 +
 14 files changed, 907 insertions(+), 12 deletions(-)
 create mode 100644 repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java
 create mode 100644 repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
 create mode 100644 repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
 create mode 100644 repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
 create mode 100644 repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java

diff --git a/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java b/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
index 7e74dcd67d..af619d7e48 100644
--- a/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
+++ b/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Data model classes
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -78,6 +78,29 @@ public interface PermissionService
      */
     public static final String GUEST_AUTHORITY = "ROLE_GUEST";
 
+    /**
+     * The dynamic authority for the Admin service account.
+     */
+    String ADMIN_SERVICE_ACCOUNT_AUTHORITY = "ROLE_ADMIN_SERVICE_ACCOUNT";
+
+    /**
+     * The dynamic authority for the Collaborator service account.
+     */
+    String COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY = "ROLE_COLLABORATOR_SERVICE_ACCOUNT";
+
+    /**
+     * The dynamic authority for the Editor service account.
+     */
+    String EDITOR_SERVICE_ACCOUNT_AUTHORITY = "ROLE_EDITOR_SERVICE_ACCOUNT";
+
+    /**
+     * A convenient set of service account authorities to simplify checks
+     * for whether a given authority is a service account authority or not.
+     */
+    Set<String> SERVICE_ACCOUNT_AUTHORITIES_SET = Set.of(ADMIN_SERVICE_ACCOUNT_AUTHORITY,
+                                                         COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY,
+                                                         EDITOR_SERVICE_ACCOUNT_AUTHORITY);
+
     /**
      * The permission for all - not defined in the model. Repsected in the code.
      */
diff --git a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java
new file mode 100644
index 0000000000..0a1d1f884e
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java
@@ -0,0 +1,61 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.sa;
+
+import java.util.Optional;
+import java.util.Set;
+
+/**
+ * A service account registry that allows service accounts to be registered
+ * with their corresponding roles.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public interface ServiceAccountRegistry
+{
+    /**
+     * Registers a service account with its corresponding role.
+     *
+     * @param serviceAccountName The name of the service account to be registered.
+     * @param serviceAccountRole The role of the service account to be registered.
+     */
+    void register(String serviceAccountName, String serviceAccountRole);
+
+    /**
+     * Retrieves the role of a specific service account.
+     *
+     * @param serviceAccountName The name of the service account.
+     * @return An Optional containing the role of the service account if it exists, otherwise an empty Optional.
+     */
+    Optional<String> getServiceAccountRole(String serviceAccountName);
+
+    /**
+     * Retrieves the names of all service accounts.
+     *
+     * @return A set of service account names. If no service accounts are present, an empty set is returned.
+     */
+    Set<String> getServiceAccountNames();
+}
diff --git a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
new file mode 100644
index 0000000000..45b3db2d0a
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
@@ -0,0 +1,156 @@
+/*
+ * #%L
+ * Alfresco Data model classes
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.sa;
+
+import java.util.Optional;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.util.PropertyCheck;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * Processes the <b>alfresco-global</b> properties file and applies a naming convention to distinguish the service
+ * account's name and role.
+ * <p>
+ * The naming convention adheres to the following format:
+ * <p>
+ * <pre>
+ *   {@code
+ *     serviceaccount.role.<service-account-name>=<service-account-role>
+ *   }
+ * </pre>
+ * <p>
+ * Please note, any property with an invalid role value will be disregarded and the corresponding service account
+ * will not be registered.
+ * <p>
+ * For instance, to register a service account named 'custom-app-sa' with the 'Editor' role (which allows it to
+ * update node properties), the following should be defined in the <b>alfresco-global</b> properties file:
+ * <ul>
+ *   <li>serviceaccount.role.custom-app-sa=EDITOR_SERVICE_ACCOUNT</li>
+ *   <li>or</li>
+ *   <li>serviceaccount.role.custom-app-sa=ROLE_EDITOR_SERVICE_ACCOUNT</li>
+ * </ul>
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountRegistryImpl implements ServiceAccountRegistry, InitializingBean
+{
+    private static final Logger LOGGER = LoggerFactory.getLogger(ServiceAccountRegistryImpl.class);
+
+    public static final String KEY_PREFIX = "serviceaccount.role.";
+
+    private Properties globalProperties;
+    private final ConcurrentMap<String, String> saRoleMap = new ConcurrentHashMap<>();
+
+    public void setGlobalProperties(Properties globalProperties)
+    {
+        this.globalProperties = globalProperties;
+    }
+
+    @Override
+    public void register(String serviceAccountName, String serviceAccountRole)
+    {
+        saRoleMap.put(serviceAccountName, serviceAccountRole);
+        LOGGER.info("Service account '{}' is registered with the role '{}'.", serviceAccountName, serviceAccountRole);
+    }
+
+    @Override
+    public Optional<String> getServiceAccountRole(String serviceAccountName)
+    {
+        return Optional.ofNullable(saRoleMap.get(serviceAccountName));
+    }
+
+    @Override
+    public Set<String> getServiceAccountNames()
+    {
+        return Set.copyOf(saRoleMap.keySet());
+    }
+
+    private void init()
+    {
+        globalProperties.stringPropertyNames()
+                .stream()
+                .filter(key -> key.startsWith(KEY_PREFIX))
+                .forEach(key -> {
+                    String name = key.substring(KEY_PREFIX.length());
+                    if (isNotValidProperty(key, name, "name"))
+                    {
+                        return;
+                    }
+                    String role = globalProperties.getProperty(key);
+                    if (isNotValidProperty(key, role, "role"))
+                    {
+                        return;
+                    }
+                    // Ensure the role is in uppercase and has the prefix
+                    role = role.toUpperCase();
+                    role = getRoleWithPrefix(role);
+                    if (!PermissionService.SERVICE_ACCOUNT_AUTHORITIES_SET.contains(role))
+                    {
+                        LOGGER.warn("Invalid service account role '{}'. The role is not recognized.", role);
+                        return;
+                    }
+
+                    // Register the service account name with the corresponding role.
+                    register(name, role);
+                });
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception
+    {
+        PropertyCheck.mandatory(this, "globalProperties", globalProperties);
+        init();
+    }
+
+    private String getRoleWithPrefix(String saRole)
+    {
+        if (!saRole.startsWith(PermissionService.ROLE_PREFIX))
+        {
+            saRole = PermissionService.ROLE_PREFIX + saRole;
+        }
+        return saRole;
+    }
+
+    private boolean isNotValidProperty(String key, String value, String valueType)
+    {
+        if (StringUtils.isBlank(value))
+        {
+            LOGGER.warn("Invalid service account {} defined in the property '{}'. The {} cannot be an empty string.",
+                        valueType, key, valueType);
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java b/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
new file mode 100644
index 0000000000..3694876e8b
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
@@ -0,0 +1,83 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.dynamic;
+
+import java.util.Optional;
+import java.util.Set;
+
+import org.alfresco.repo.sa.ServiceAccountRegistry;
+import org.alfresco.repo.security.permissions.DynamicAuthority;
+import org.alfresco.repo.security.permissions.PermissionReference;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.util.PropertyCheck;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * This class represents a dynamic authority for service accounts in the system.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountAuthority implements DynamicAuthority, InitializingBean
+{
+    private String authority;
+    private ServiceAccountRegistry serviceAccountRegistry;
+
+    public void setAuthority(String authority)
+    {
+        this.authority = authority;
+    }
+
+    public void setServiceAccountRegistry(ServiceAccountRegistry serviceAccountRegistry)
+    {
+        this.serviceAccountRegistry = serviceAccountRegistry;
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception
+    {
+        PropertyCheck.mandatory(this, "authority", authority);
+        PropertyCheck.mandatory(this, "serviceAccountRegistry", serviceAccountRegistry);
+    }
+
+    @Override
+    public boolean hasAuthority(NodeRef nodeRef, String userName)
+    {
+        Optional<String> role = serviceAccountRegistry.getServiceAccountRole(userName);
+        return role.isPresent() && role.get().equals(this.getAuthority());
+    }
+
+    @Override
+    public String getAuthority()
+    {
+        return this.authority;
+    }
+
+    @Override
+    public Set<PermissionReference> requiredFor()
+    {
+        return null;
+    }
+}
diff --git a/repository/src/main/resources/alfresco/authority-services-context.xml b/repository/src/main/resources/alfresco/authority-services-context.xml
index 68a3bf5bda..7e535e42e3 100644
--- a/repository/src/main/resources/alfresco/authority-services-context.xml
+++ b/repository/src/main/resources/alfresco/authority-services-context.xml
@@ -143,4 +143,8 @@
         </property>
     </bean>
 
+    <bean id="serviceAccountRegistry" class="org.alfresco.repo.sa.ServiceAccountRegistryImpl">
+        <property name="globalProperties" ref="global-properties"/>
+    </bean>
+
 </beans>
diff --git a/repository/src/main/resources/alfresco/model/permissionDefinitions.xml b/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
index df0f9c0bc1..70bc5a8776 100644
--- a/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
+++ b/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
@@ -57,7 +57,27 @@
       <!--                                                                                -->
       
       <permissionGroup name="FullControl" expose="true" allowFullControl="true" />
- 
+
+       <permissionGroup name="AdminServiceAccount" expose="false" allowFullControl="false">
+           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+           <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+           <includePermissionGroup type="sys:base" permissionGroup="Delete"/>
+           <includePermissionGroup type="sys:base" permissionGroup="ReadAssociations"/>
+           <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
+           <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
+           <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
+       </permissionGroup>
+       <permissionGroup name="CollaboratorServiceAccount" expose="false" allowFullControl="false">
+           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+           <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+       </permissionGroup>
+       <permissionGroup name="EditorServiceAccount" expose="false" allowFullControl="false">
+           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+       </permissionGroup>
+
       <!-- ============================================= -->
       <!-- Convenient groupings of low level permissions -->
       <!-- ============================================= -->
@@ -470,5 +490,10 @@
    
    <!-- Cancel check out is granted to the lock owner                                   -->
    <globalPermission permission="CancelCheckOut" authority="ROLE_LOCK_OWNER"/>
-   
+
+    <!-- Service Account roles -->
+    <globalPermission permission="AdminServiceAccount" authority="ROLE_ADMIN_SERVICE_ACCOUNT"/>
+    <globalPermission permission="CollaboratorServiceAccount" authority="ROLE_COLLABORATOR_SERVICE_ACCOUNT"/>
+    <globalPermission permission="EditorServiceAccount" authority="ROLE_EDITOR_SERVICE_ACCOUNT"/>
+
 </permissions>
diff --git a/repository/src/main/resources/alfresco/public-services-security-context.xml b/repository/src/main/resources/alfresco/public-services-security-context.xml
index 51e2bab8df..5c29d25ee5 100644
--- a/repository/src/main/resources/alfresco/public-services-security-context.xml
+++ b/repository/src/main/resources/alfresco/public-services-security-context.xml
@@ -102,6 +102,9 @@
             <list>
                 <ref bean="ownerDynamicAuthority" />
                 <ref bean="lockOwnerDynamicAuthority" />
+                <ref bean="adminServiceAccountAuthority"/>
+                <ref bean="collaboratorServiceAccountAuthority"/>
+                <ref bean="editorServiceAccountAuthority"/>
             </list>
         </property>
         <property name="fixedAclUpdater">
@@ -147,6 +150,23 @@
         </property>
     </bean>
 
+    <!-- Service account authority beans -->
+    <bean id="baseServiceAccountAuthority" abstract="true">
+        <property name="serviceAccountRegistry" ref="serviceAccountRegistry"/>
+    </bean>
+    <bean id="adminServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).ADMIN_SERVICE_ACCOUNT_AUTHORITY}"/>
+    </bean>
+    <bean id="collaboratorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY}"/>
+    </bean>
+    <bean id="editorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
+          parent="baseServiceAccountAuthority">
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).EDITOR_SERVICE_ACCOUNT_AUTHORITY}"/>
+    </bean>
+
     <!-- =========================== -->
     <!-- Permissions Model Bootstrap -->
     <!-- =========================== -->
diff --git a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
index 61dfdd4a01..cbe6f704a1 100644
--- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
+++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
@@ -261,7 +261,8 @@ import org.junit.runners.Suite;
     org.alfresco.repo.event2.RepoEvent2UnitSuite.class,
 
     org.alfresco.util.schemacomp.SchemaDifferenceHelperUnitTest.class,
-    org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class
+    org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class,
+    org.alfresco.repo.sa.ServiceAccountRegistryImplTest.class
 })
 public class AllUnitTestsSuite
 {
diff --git a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
index 6e92701079..9092900f2a 100644
--- a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
@@ -45,6 +45,7 @@ import org.junit.runners.Suite;
     org.alfresco.repo.security.authority.DuplicateAuthorityTest.class,
     org.alfresco.repo.security.authority.ExtendedPermissionServiceTest.class,
     org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthorityTest.class,
+    org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest.class,
     org.alfresco.repo.security.permissions.impl.AclDaoComponentTest.class,
     org.alfresco.repo.security.permissions.impl.PermissionServiceTest.class,
     org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationTest.class,
diff --git a/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java b/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
new file mode 100644
index 0000000000..154720c9ee
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
@@ -0,0 +1,157 @@
+/*
+ * #%L
+ * Alfresco Data model classes
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.sa;
+
+import static org.alfresco.service.cmr.security.PermissionService.ADMIN_SERVICE_ACCOUNT_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.EDITOR_SERVICE_ACCOUNT_AUTHORITY;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Optional;
+import java.util.Properties;
+
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Unit tests for the {@link ServiceAccountRegistryImpl} class.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountRegistryImplTest
+{
+    private ServiceAccountRegistryImpl serviceAccountService;
+    private Properties globalProperties;
+
+    @Before
+    public void setUp() throws Exception
+    {
+        globalProperties = new Properties();
+        globalProperties.put("system.test.property", "test-prop");
+        globalProperties.put("repo.events.test.someKey", "test-event-value");
+
+        serviceAccountService = new ServiceAccountRegistryImpl();
+        serviceAccountService.setGlobalProperties(globalProperties);
+        serviceAccountService.afterPropertiesSet();
+    }
+
+    @Test
+    public void testNoDefinedServiceAccount()
+    {
+        Optional<String> nonExistentSa = serviceAccountService.getServiceAccountRole("nonExistentServiceAccount");
+        assertTrue(nonExistentSa.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testInvalidServiceAccountName()
+    {
+        globalProperties.put("serviceaccount.role. ", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        assertTrue("Invalid service account name.", serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testInvalidServiceAccountRole() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", "");
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertTrue("Invalid service account role.", testServiceAccount.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testNotSupportedServiceAccountRole() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", "testRole");
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertTrue("Not supported service account role.", testServiceAccount.isEmpty());
+        assertTrue(serviceAccountService.getServiceAccountNames().isEmpty());
+    }
+
+    @Test
+    public void testValidServiceAccount() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testServiceAccount", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        serviceAccountService.afterPropertiesSet();
+
+        Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
+        assertFalse("The service account role is not empty.", testServiceAccount.isEmpty());
+        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, testServiceAccount.get());
+        assertEquals(1, serviceAccountService.getServiceAccountNames().size());
+    }
+
+    @Test
+    public void testManyServiceAccounts() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testEditorSA", EDITOR_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testAdminSA", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        serviceAccountService.afterPropertiesSet();
+
+        assertEquals(3, serviceAccountService.getServiceAccountNames().size());
+
+        Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
+        assertFalse("The service account role is not empty.", editorSA.isEmpty());
+        assertEquals(EDITOR_SERVICE_ACCOUNT_AUTHORITY, editorSA.get());
+
+        Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
+        assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
+        assertEquals(COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, collaboratorSA.get());
+
+        Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
+        assertFalse("The service account role is not empty.", adminSA.isEmpty());
+        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, adminSA.get());
+    }
+
+    @Test
+    public void testValidServiceAccountRoleValues() throws Exception
+    {
+        globalProperties.put("serviceaccount.role.testEditorSA", "EDITOR_SERVICE_ACCOUNT");
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testAdminSA", "ADMIN_SERVICE_ACCOUNT");
+        serviceAccountService.afterPropertiesSet();
+
+        assertEquals(3, serviceAccountService.getServiceAccountNames().size());
+
+        Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
+        assertFalse("The service account role is not empty.", editorSA.isEmpty());
+        assertEquals(EDITOR_SERVICE_ACCOUNT_AUTHORITY, editorSA.get());
+
+        Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
+        assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
+        assertEquals(COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, collaboratorSA.get());
+
+        Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
+        assertFalse("The service account role is not empty.", adminSA.isEmpty());
+        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, adminSA.get());
+    }
+}
diff --git a/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java b/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java
index 4382fa91cc..8454d1cb83 100644
--- a/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java
+++ b/repository/src/test/java/org/alfresco/repo/security/SecurityTestSuite.java
@@ -45,6 +45,7 @@ import org.alfresco.repo.security.authority.AuthorityServiceTest;
 import org.alfresco.repo.security.authority.DuplicateAuthorityTest;
 import org.alfresco.repo.security.authority.ExtendedPermissionServiceTest;
 import org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthorityTest;
+import org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest;
 import org.alfresco.repo.security.permissions.impl.AclDaoComponentTest;
 import org.alfresco.repo.security.permissions.impl.PermissionServiceTest;
 import org.alfresco.repo.security.permissions.impl.ReadPermissionTest;
@@ -108,6 +109,7 @@ public class SecurityTestSuite extends TestSuite
 		suite.addTest(new JUnit4TestAdapter(LocalAuthenticationServiceTest.class));
 
         suite.addTest(new JUnit4TestAdapter(ResetPasswordServiceImplTest.class));
+        suite.addTest(new JUnit4TestAdapter(ServiceAccountRoleTest.class));
         return suite;
     }
 }
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
new file mode 100644
index 0000000000..7efba03be5
--- /dev/null
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
@@ -0,0 +1,353 @@
+/*
+ * #%L
+ * Alfresco Data model classes
+ * %%
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.permissions.dynamic;
+
+import static java.lang.System.currentTimeMillis;
+import static org.junit.Assert.assertEquals;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.Properties;
+
+import org.alfresco.model.ContentModel;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.site.SiteInfo;
+import org.alfresco.service.cmr.site.SiteService;
+import org.alfresco.service.cmr.site.SiteVisibility;
+import org.alfresco.service.namespace.QName;
+import org.alfresco.util.test.junitrules.AlfrescoPerson;
+import org.alfresco.util.test.junitrules.ApplicationContextInit;
+import org.alfresco.util.test.junitrules.TemporaryNodes;
+import org.alfresco.util.test.junitrules.TemporarySites;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.rules.RuleChain;
+import org.springframework.context.ApplicationContext;
+
+/**
+ * This test class demonstrates the permissions of the service account authorities.
+ * The service account authorities are used to grant permissions to service accounts.
+ * <p>
+ * The service account authorities are defined in the <i>alfresco-global.properties</i> file.
+ * Using the following naming convention:
+ * <pre>
+ *   {@code
+ *     serviceaccount.role.<service-account-name>=<service-account-role>
+ *   }
+ * </pre>
+ * The service account roles that currently supported are:
+ * <ul>
+ *   <li>{@link PermissionService#EDITOR_SERVICE_ACCOUNT_AUTHORITY}</li>
+ *   <li>{@link PermissionService#COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY}</li>
+ *   <li>{@link PermissionService#ADMIN_SERVICE_ACCOUNT_AUTHORITY}</li>
+ * </ul>
+ * The test class relies on the following service accounts defined in the <i>alfresco-global.properties</i> file:
+ * <ul>
+ *   <li>serviceaccount.role.test-editor-sa=ROLE_EDITOR_SERVICE_ACCOUNT</li>
+ *   <li>serviceaccount.role.test-collaborator-sa=ROLE_COLLABORATOR_SERVICE_ACCOUNT</li>
+ *   <li>serviceaccount.role.test-admin-sa=ROLE_ADMIN_SERVICE_ACCOUNT</li>
+ * </ul>
+ * <p>
+ * <b>Note:</b> There is no need to use public services (i.e., beans that start with a capital letter, such as NodeService)
+ * to validate roles permissions. This is because the security enforcement of public services (i.e., ACL checks) ultimately relies on
+ * the {@code permissionService.hasPermission()} method. Therefore, we can directly use the {@code permissionService.hasPermission()} method.
+ *
+ * @author Jamal Kaabi-Mofrad
+ */
+public class ServiceAccountRoleTest
+{
+    // Rule to initialise the default Alfresco spring configuration
+    private static final ApplicationContextInit APP_CONTEXT = new ApplicationContextInit();
+
+    // A rule to manage a test site
+    private static final TemporarySites TEST_SITES = new TemporarySites(APP_CONTEXT);
+
+    // A rule to manage test nodes reused across all the test methods
+    private static final TemporaryNodes TEST_NODES = new TemporaryNodes(APP_CONTEXT);
+
+    // Rules to create the users for the tests
+    private static final AlfrescoPerson NORMAL_USER = getAlfrescoPerson("john.doe" + currentTimeMillis());
+    private static final AlfrescoPerson EDITOR_SA = getAlfrescoPerson("test-editor-sa");
+    private static final AlfrescoPerson COLLABORATOR_SA = getAlfrescoPerson("test-collaborator-sa");
+    private static final AlfrescoPerson ADMIN_SA = getAlfrescoPerson("test-admin-sa");
+
+    private static final String TEST_TEXT_FILE_NAME = "testTextFile.txt";
+
+    // Tie them together in a static Rule Chain
+    @ClassRule
+    public static final RuleChain STATIC_RULE_CHAIN = RuleChain.outerRule(APP_CONTEXT)
+            .around(TEST_SITES)
+            .around(TEST_NODES)
+            .around(NORMAL_USER)
+            .around(EDITOR_SA)
+            .around(COLLABORATOR_SA)
+            .around(ADMIN_SA);
+
+    private static NodeService nodeService;
+    private static SiteService siteService;
+    private static PermissionService permissionService;
+    private static Properties globalProperties;
+    private static NodeRef testTextFile;
+
+    @BeforeClass
+    public static void initStaticData() throws Exception
+    {
+        ApplicationContext context = APP_CONTEXT.getApplicationContext();
+        nodeService = context.getBean("NodeService", NodeService.class);
+        siteService = context.getBean("SiteService", SiteService.class);
+        permissionService = context.getBean("permissionService", PermissionService.class);
+        globalProperties = context.getBean("global-properties", Properties.class);
+
+        // Check that the service account roles are defined in the global properties before starting the tests.
+        serviceAccountsShouldExistInGlobalProperties();
+
+        // Create a test site
+        SiteInfo testSite = createTestSite();
+        // Create a test text file in the test site
+        createTestFile(testSite);
+
+        // Clear the current security context to avoid any issues with the test setup
+        AuthenticationUtil.clearCurrentSecurityContext();
+    }
+
+    private static AlfrescoPerson getAlfrescoPerson(String username)
+    {
+        return new AlfrescoPerson(APP_CONTEXT, username);
+    }
+
+    private static SiteInfo createTestSite()
+    {
+        // Create a private test site to make sure no other non-members or
+        // non-site-admins can access the test site.
+        return TEST_SITES.createSite("sitePreset", "saTestSite" + currentTimeMillis(), "SA Test Site",
+                                     "sa test site desc", SiteVisibility.PRIVATE,
+                                     AuthenticationUtil.getAdminUserName());
+    }
+
+    private static void createTestFile(SiteInfo testSite)
+    {
+        // Create a test text file in the test site as the admin user
+        AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
+        final NodeRef docLib = siteService.getContainer(testSite.getShortName(), SiteService.DOCUMENT_LIBRARY);
+
+        final NodeRef testFolder = TEST_NODES.createFolder(docLib, "testFolder", AuthenticationUtil.getAdminUserName());
+        testTextFile = TEST_NODES.createNodeWithTextContent(testFolder, TEST_TEXT_FILE_NAME, ContentModel.TYPE_CONTENT,
+                                                            AuthenticationUtil.getAdminUserName(),
+                                                            "The quick brown fox jumps over the lazy dog.");
+
+        Map<QName, Serializable> props = Map.of(ContentModel.PROP_NAME, TEST_TEXT_FILE_NAME,
+                                                ContentModel.PROP_DESCRIPTION, "Desc added by Admin.");
+        nodeService.setProperties(testTextFile, props);
+    }
+
+    private static void serviceAccountsShouldExistInGlobalProperties()
+    {
+        assertServiceAccountIsDefined(PermissionService.EDITOR_SERVICE_ACCOUNT_AUTHORITY, EDITOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, COLLABORATOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.ADMIN_SERVICE_ACCOUNT_AUTHORITY, ADMIN_SA.getUsername());
+    }
+
+    private static void assertServiceAccountIsDefined(String expectedRole, String username)
+    {
+        assertEquals(expectedRole, globalProperties.getProperty("serviceaccount.role." + username));
+    }
+
+    @After
+    public void tearDown() throws Exception
+    {
+        AuthenticationUtil.clearCurrentSecurityContext();
+    }
+
+    @Test
+    public void normalUserReadAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ);
+    }
+
+    @Test
+    public void editorSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(EDITOR_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void collaboratorSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void adminSaReadAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ);
+    }
+
+    @Test
+    public void normalUserWriteAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.WRITE);
+    }
+
+    @Test
+    public void editorSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(EDITOR_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void collaboratorSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void adminSaWriteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.WRITE);
+    }
+
+    @Test
+    public void normalUserAddChildrenAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void editorSaAddChildrenAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void collaboratorSaAddChildrenAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(COLLABORATOR_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void adminSaAddChildrenAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.ADD_CHILDREN);
+    }
+
+    @Test
+    public void normalUserDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.DELETE);
+    }
+
+    @Test
+    public void editorSaDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void collaboratorSaDeleteAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void adminSaDeleteAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.DELETE);
+    }
+
+    @Test
+    public void normalUserCreateAssociationsAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(NORMAL_USER, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(NORMAL_USER, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void editorSaCreateAssociationsAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(EDITOR_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(EDITOR_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void collaboratorSaCreateAssociationsAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void adminSaCreateAssociationsAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ_ASSOCIATIONS);
+        assertAccessAllowed(ADMIN_SA, PermissionService.CREATE_ASSOCIATIONS);
+        assertAccessAllowed(ADMIN_SA, PermissionService.DELETE_ASSOCIATIONS);
+    }
+
+    @Test
+    public void normalUserReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(NORMAL_USER, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void editorSaReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(EDITOR_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void collaboratorSaReadPermissionsAccessShouldBeDenied()
+    {
+        assertAccessDenied(COLLABORATOR_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    @Test
+    public void adminSaReadPermissionsAccessShouldBeAllowed()
+    {
+        assertAccessAllowed(ADMIN_SA, PermissionService.READ_PERMISSIONS);
+    }
+
+    private static void assertAccessDenied(AlfrescoPerson user, String permission)
+    {
+        AuthenticationUtil.setFullyAuthenticatedUser(user.getUsername());
+        assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testTextFile, permission));
+    }
+
+    private static void assertAccessAllowed(AlfrescoPerson user, String permission)
+    {
+        AuthenticationUtil.setFullyAuthenticatedUser(user.getUsername());
+        assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testTextFile, permission));
+    }
+}
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
index 2400c01fc4..657bcb60bc 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -73,6 +73,10 @@ import org.junit.runners.MethodSorters;
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class PermissionServiceTest extends AbstractPermissionTest
 {
+    // The number of permissions in the system.
+    // See permissionDefinitions.xml and PermissionService interface
+    private static final int NUM_OF_PERMISSIONS = 39;
+
     private SimplePermissionEntry denyAndyAll;
 
     private SimplePermissionEntry allowAndyAll;
@@ -1764,7 +1768,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
     public void testGetSettablePermissionsForType()
     {
         Set<String> answer = permissionService.getSettablePermissions(QName.createQName("sys", "base", namespacePrefixResolver));
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());
 
         answer = permissionService.getSettablePermissions(QName.createQName("cm", "ownable", namespacePrefixResolver));
         assertEquals(0, answer.size());
@@ -1784,15 +1788,15 @@ public class PermissionServiceTest extends AbstractPermissionTest
         QName ownable = QName.createQName("cm", "ownable", namespacePrefixResolver);
 
         Set<String> answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());
 
         nodeService.addAspect(rootNodeRef, ownable, null);
         answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());
 
         nodeService.removeAspect(rootNodeRef, ownable);
         answer = permissionService.getSettablePermissions(rootNodeRef);
-        assertEquals(36, answer.size());
+        assertEquals(NUM_OF_PERMISSIONS, answer.size());
     }
 
 
@@ -1816,7 +1820,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
     {
         runAs("andy");
 
-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
         assertEquals(0, countGranted(permissionService.getPermissions(rootNodeRef)));
         assertEquals(0, permissionService.getAllSetPermissions(rootNodeRef).size());
 
@@ -1828,7 +1832,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
         assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());
         runAs("andy");
 
-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
         assertEquals(2, countGranted(permissionService.getPermissions(rootNodeRef)));
 
         assertTrue(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED);
@@ -1933,7 +1937,7 @@ public class PermissionServiceTest extends AbstractPermissionTest
         permissionService.setPermission(allowAndyRead);
         runAs("andy");
 
-        assertEquals(36, permissionService.getPermissions(rootNodeRef).size());
+        assertEquals(NUM_OF_PERMISSIONS, permissionService.getPermissions(rootNodeRef).size());
         assertEquals(7, countGranted(permissionService.getPermissions(rootNodeRef)));
         assertEquals(1, permissionService.getAllSetPermissions(rootNodeRef).size());
 
diff --git a/repository/src/test/resources/alfresco-global.properties b/repository/src/test/resources/alfresco-global.properties
index bdbec71ca8..7aa761cf7b 100644
--- a/repository/src/test/resources/alfresco-global.properties
+++ b/repository/src/test/resources/alfresco-global.properties
@@ -61,3 +61,8 @@ encryption.keystore.backup.type=JCEKS
 
 # For CI override the default hashing algorithm for password storage to save build time.
 system.preferred.password.encoding=sha256
+
+# Test service accounts
+serviceaccount.role.test-editor-sa=ROLE_EDITOR_SERVICE_ACCOUNT
+serviceaccount.role.test-collaborator-sa=ROLE_COLLABORATOR_SERVICE_ACCOUNT
+serviceaccount.role.test-admin-sa=ROLE_ADMIN_SERVICE_ACCOUNT

From d999558b3359036688b5d4dbe720258ccfa7fdc5 Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Fri, 24 May 2024 16:04:49 +0100
Subject: [PATCH 2/6] PRODENG-276: Cleanup - Fixed inconsistent spacing issues.

---
 .../alfresco/model/permissionDefinitions.xml  | 930 +++++++++---------
 1 file changed, 465 insertions(+), 465 deletions(-)

diff --git a/repository/src/main/resources/alfresco/model/permissionDefinitions.xml b/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
index 70bc5a8776..1678cc8cf0 100644
--- a/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
+++ b/repository/src/main/resources/alfresco/model/permissionDefinitions.xml
@@ -13,483 +13,483 @@
 
 
 <permissions>
-    
+
     <!-- Namespaces used in type references -->
-    
-   <namespaces>
-      <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
-      <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
-   </namespaces>
 
-   <!--                                                                                   -->
-   <!-- Permission sets link permissions and groups of permissions to types and aspects   -->
-   <!-- defined in the model. Permissions defined against a type apply to all objects     -->
-   <!-- that inherit from that type. Permissions defined against aspects apply to all     -->
-   <!-- objects or only objects that have the aspect applied. For example, the permission -->
-   <!-- to lock an object could apply to any object but the permission to unlock an       -->
-   <!-- object would only apply to objects that have the lockable aspect.                -->
-   <!--                                                                                   -->
-    
-   <!-- =============================================== -->
-   <!-- Base permissions available on all types of node -->
-   <!-- =============================================== -->
-    
-   <permissionSet type="sys:base" expose="all" >
-    
-      <!-- ================= -->
-      <!-- Permission groups -->
-      <!-- ================= -->
-      
-      <!--                                                                                -->
-      <!-- Permission groups are convenient groups of permissions. They may be used in    -->
-      <!-- their own right or as the effective set of permissions. If an authority has    -->
-      <!-- all the permissions that make up a permission group they also have that        -->
-      <!-- permission group even though it has not been explicitly granted.               -->
-      <!--                                                                                -->
+    <namespaces>
+        <namespace uri="http://www.alfresco.org/model/system/1.0" prefix="sys"/>
+        <namespace uri="http://www.alfresco.org/model/content/1.0" prefix="cm"/>
+    </namespaces>
 
-      <!-- =========== -->    
-      <!-- Full access -->
-      <!-- =========== -->
-    
-      <!--                                                                                -->  
-      <!-- By default this is exposed for all objects unless inherited objects choose to  -->
-      <!-- expose only selected objects at the object level.                              -->
-      <!--                                                                                -->
-      
-      <permissionGroup name="FullControl" expose="true" allowFullControl="true" />
+    <!--                                                                                   -->
+    <!-- Permission sets link permissions and groups of permissions to types and aspects   -->
+    <!-- defined in the model. Permissions defined against a type apply to all objects     -->
+    <!-- that inherit from that type. Permissions defined against aspects apply to all     -->
+    <!-- objects or only objects that have the aspect applied. For example, the permission -->
+    <!-- to lock an object could apply to any object but the permission to unlock an       -->
+    <!-- object would only apply to objects that have the lockable aspect.                -->
+    <!--                                                                                   -->
 
-       <permissionGroup name="AdminServiceAccount" expose="false" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
-           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
-           <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
-           <includePermissionGroup type="sys:base" permissionGroup="Delete"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadAssociations"/>
-           <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
-           <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
-       </permissionGroup>
-       <permissionGroup name="CollaboratorServiceAccount" expose="false" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
-           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
-           <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
-       </permissionGroup>
-       <permissionGroup name="EditorServiceAccount" expose="false" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="Read"/>
-           <includePermissionGroup type="sys:base" permissionGroup="Write"/>
-       </permissionGroup>
+    <!-- =============================================== -->
+    <!-- Base permissions available on all types of node -->
+    <!-- =============================================== -->
 
-      <!-- ============================================= -->
-      <!-- Convenient groupings of low level permissions -->
-      <!-- ============================================= -->
-      
-      <permissionGroup name="Read"  expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
-           <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
-      </permissionGroup>
-       
-      <permissionGroup name="Write" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
-           <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>
-      </permissionGroup>  
-       
-      <permissionGroup name="Delete" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
-           <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
-      </permissionGroup>
-       
-      <permissionGroup name="AddChildren" expose="true" allowFullControl="false">
-           <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
-           <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
-      </permissionGroup>
-       
-      <permissionGroup name="Execute" allowFullControl="false" expose="false">
-          <includePermissionGroup type="sys:base" permissionGroup="ExecuteContent"/>
-      </permissionGroup>
-       
-      <!-- Groups for low level permissions -->
-       
-      <permissionGroup name="ReadProperties" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="WriteProperties" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="WriteContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" />  
-      <permissionGroup name="DeleteNode" expose="true" allowFullControl="false" />  
-      <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="CreateChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="LinkChildren" expose="true" allowFullControl="false" />  
-      <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false" />  
-      <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false" />  
-    
-      <!-- =========== -->
-      <!-- Permissions -->
-      <!-- =========== -->
-    
-      <!-- The permission to read properties on a node                                    -->
-      <!--                                                                                -->
-      <!-- The properties of a node may ony be read if there is read access to the parent -->
-      <!-- node. ReadChildren access to the parent node is recursive for all nodes from   -->
-      <!-- which the node inherits permissions. Access is required down the permission    -->
-      <!-- tree at all points.                                                           -->
-      <!--                                                                                -->
-      
-      <permission name="_ReadProperties" expose="false" >
-         <grantedToGroup permissionGroup="ReadProperties" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to read the children of a node                                 -->
-      <!--                                                                               -->
-      <!-- This permission is recursive. It requires the same permission is granted to   -->
-      <!-- all of the parent nodes from which this node inherits permissions             -->
-      <!--                                                                               -->
-      
-      <permission name="_ReadChildren" expose="false" >
-         <grantedToGroup permissionGroup="ReadChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to write to the properties of a node                           -->
-      <!--                                                                               -->
-      <!-- This permission includes adding aspects to a node as they are stored as       -->
-      <!-- a property.                                                                   -->
-      <!--                                                                               -->
-      
-      <permission name="_WriteProperties" expose="false" >
-         <grantedToGroup permissionGroup="WriteProperties" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to delete a node                                               -->
-      <!--                                                                               -->
-      <!-- A node can only be deleted if there is delete permission on the node, if the  -->
-      <!-- node is accessible via its parent, and if the node can be deleted from its     -->
-      <!-- parent. Currently, there is no check that all the children can be deleted.    -->
-      <!-- This check can be added but requires more work so the UI is not checking this -->
-      <!-- permission just to show the delete icon.                                      -->
-      <!--                                                                               -->
-      
-      <!-- The permission to read content.                                               -->
-      
-      <permission name="_ReadContent" expose="false">
-         <grantedToGroup permissionGroup="ReadContent"/>
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
+    <permissionSet type="sys:base" expose="all">
+
+        <!-- ================= -->
+        <!-- Permission groups -->
+        <!-- ================= -->
+
+        <!--                                                                                -->
+        <!-- Permission groups are convenient groups of permissions. They may be used in    -->
+        <!-- their own right or as the effective set of permissions. If an authority has    -->
+        <!-- all the permissions that make up a permission group they also have that        -->
+        <!-- permission group even though it has not been explicitly granted.               -->
+        <!--                                                                                -->
+
+        <!-- =========== -->
+        <!-- Full access -->
+        <!-- =========== -->
+
+        <!--                                                                                -->
+        <!-- By default this is exposed for all objects unless inherited objects choose to  -->
+        <!-- expose only selected objects at the object level.                              -->
+        <!--                                                                                -->
+
+        <permissionGroup name="FullControl" expose="true" allowFullControl="true"/>
+
+        <permissionGroup name="AdminServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Delete"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
+        </permissionGroup>
+        <permissionGroup name="CollaboratorServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="sys:base" permissionGroup="AddChildren"/>
+        </permissionGroup>
+        <permissionGroup name="EditorServiceAccount" expose="false" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="Read"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+        </permissionGroup>
+
+        <!-- ============================================= -->
+        <!-- Convenient groupings of low level permissions -->
+        <!-- ============================================= -->
+
+        <permissionGroup name="Read" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
+        </permissionGroup>
+
+        <permissionGroup name="Write" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="WriteContent"/>
+        </permissionGroup>
+
+        <permissionGroup name="Delete" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteNode"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
+        </permissionGroup>
+
+        <permissionGroup name="AddChildren" expose="true" allowFullControl="false">
+            <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
+        </permissionGroup>
+
+        <permissionGroup name="Execute" allowFullControl="false" expose="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ExecuteContent"/>
+        </permissionGroup>
+
+        <!-- Groups for low level permissions -->
+
+        <permissionGroup name="ReadProperties" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="WriteProperties" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="WriteContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false"/>
+        <permissionGroup name="DeleteNode" expose="true" allowFullControl="false"/>
+        <permissionGroup name="DeleteChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="CreateChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="LinkChildren" expose="true" allowFullControl="false"/>
+        <permissionGroup name="DeleteAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="CreateAssociations" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ReadPermissions" expose="true" allowFullControl="false"/>
+        <permissionGroup name="ChangePermissions" expose="true" allowFullControl="false"/>
+
+        <!-- =========== -->
+        <!-- Permissions -->
+        <!-- =========== -->
+
+        <!-- The permission to read properties on a node                                    -->
+        <!--                                                                                -->
+        <!-- The properties of a node may ony be read if there is read access to the parent -->
+        <!-- node. ReadChildren access to the parent node is recursive for all nodes from   -->
+        <!-- which the node inherits permissions. Access is required down the permission    -->
+        <!-- tree at all points.                                                           -->
+        <!--                                                                                -->
+
+        <permission name="_ReadProperties" expose="false">
+            <grantedToGroup permissionGroup="ReadProperties"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to read the children of a node                                 -->
+        <!--                                                                               -->
+        <!-- This permission is recursive. It requires the same permission is granted to   -->
+        <!-- all of the parent nodes from which this node inherits permissions             -->
+        <!--                                                                               -->
+
+        <permission name="_ReadChildren" expose="false">
+            <grantedToGroup permissionGroup="ReadChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to write to the properties of a node                           -->
+        <!--                                                                               -->
+        <!-- This permission includes adding aspects to a node as they are stored as       -->
+        <!-- a property.                                                                   -->
+        <!--                                                                               -->
+
+        <permission name="_WriteProperties" expose="false">
+            <grantedToGroup permissionGroup="WriteProperties"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to delete a node                                               -->
+        <!--                                                                               -->
+        <!-- A node can only be deleted if there is delete permission on the node, if the  -->
+        <!-- node is accessible via its parent, and if the node can be deleted from its     -->
+        <!-- parent. Currently, there is no check that all the children can be deleted.    -->
+        <!-- This check can be added but requires more work so the UI is not checking this -->
+        <!-- permission just to show the delete icon.                                      -->
+        <!--                                                                               -->
+
+        <!-- The permission to read content.                                               -->
+
+        <permission name="_ReadContent" expose="false">
+            <grantedToGroup permissionGroup="ReadContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to write content.                                              -->
+
+        <permission name="_WriteContent" expose="false">
+            <grantedToGroup permissionGroup="WriteContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- Execute permission on content.                                                -->
+
+        <permission name="_ExecuteContent" expose="false">
+            <grantedToGroup permissionGroup="ExecuteContent"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <permission name="_DeleteNode" expose="false">
+            <grantedToGroup permissionGroup="DeleteNode"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            <requiredPermission on="parent" name="_DeleteChildren" implies="false"/>
+            <requiredPermission on="node" name="_DeleteChildren" implies="false"/>
+            -->
+            <!-- Remove the recursive check for now for performance -->
+            <!-- TODO: have one permission to check for delete on an item and one to check  -->
+            <!--       child permissions when delete is called on the node service          -->
+            <!--  <requiredPermission on="children" name="_DeleteNode" implies="false"/>     -->
+        </permission>
+
+
+        <!-- The permission to delete children of a node                                   -->
+        <!--                                                                               -->
+        <!-- At the moment this includes both unlink and delete                            -->
+        <!--                                                                               -->
+        <permission name="_DeleteChildren" expose="false">
+            <grantedToGroup permissionGroup="DeleteChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to create new nodes                                            -->
+
+        <permission name="_CreateChildren" expose="false">
+            <grantedToGroup permissionGroup="CreateChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- The permission to link nodes                                                  -->
+
+        <permission name="_LinkChildren" expose="false">
+            <grantedToGroup permissionGroup="LinkChildren"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to delete associations between nodes (not children)              -->
+
+        <permission name="_DeleteAssociations" expose="false">
+            <grantedToGroup permissionGroup="DeleteAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to read associations                                           -->
+
+        <permission name="_ReadAssociations" expose="false">
+            <grantedToGroup permissionGroup="ReadAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- The permission to create associations                                         -->
+
+        <permission name="_CreateAssociations" expose="false">
+            <grantedToGroup permissionGroup="CreateAssociations"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false" />
+            -->
+        </permission>
+
+        <!-- ==================================================== -->
+        <!-- Permissions related to the management of permissions -->
+        <!-- ==================================================== -->
+
+        <!-- The permission to read the permissions on a node                              -->
+
+        <permission name="_ReadPermissions" expose="false">
+            <grantedToGroup permissionGroup="ReadPermissions"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+        <!-- The permission to the change the permissions associated with a node           -->
+
+        <permission name="_ChangePermissions" expose="false">
+            <grantedToGroup permissionGroup="ChangePermissions"/>
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
+            -->
+        </permission>
+
+    </permissionSet>
+
+    <!-- ================================================ -->
+    <!-- Permissions available to all content and folders -->
+    <!-- ================================================ -->
+
+    <permissionSet type="cm:cmobject" expose="selected">
+
+        <!-- Kept for backward compatibility - the administrator permission has   -->
+        <!-- been removed to avoid confusion -->
+        <permissionGroup name="Administrator" allowFullControl="true" expose="false"/>
+
+        <!-- A coordinator can do anything to the object or its children unless the     -->
+        <!-- permissions are set not to inherit or permission is denied.                 -->
+        <permissionGroup name="Coordinator" allowFullControl="true" expose="true"/>
+
+        <!-- A collaborator can do anything that an editor and a contributor can do -->
+        <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
+            <includePermissionGroup permissionGroup="Editor" type="cm:cmobject"/>
+            <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject"/>
+        </permissionGroup>
+
+        <!-- A contributor can create content and then they have full permission on what -->
+        <!-- they have created - via the permissions assigned to the owner.              -->
+        <permissionGroup name="Contributor" allowFullControl="false" expose="true">
+            <!-- Contributor is a consumer who can add content, and then can modify via the -->
+            <!-- owner permissions.                                                      -->
+            <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
+            <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
+            <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base"/>
+        </permissionGroup>
+
+        <!-- An editor can read and write to the object; they can not create    -->
+        <!-- new nodes. They can check out content into a space to which they have       -->
+        <!-- create permission.                                                          -->
+        <permissionGroup name="Editor" expose="true" allowFullControl="false">
+            <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
+            <includePermissionGroup type="sys:base" permissionGroup="Write"/>
+            <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
+        </permissionGroup>
+
+        <!-- The Consumer permission allows read to everything by default.                  -->
+        <permissionGroup name="Consumer" allowFullControl="false" expose="true">
+            <includePermissionGroup permissionGroup="Read" type="sys:base"/>
+        </permissionGroup>
+
+        <!-- records permission -->
+        <!-- Should be tied to the aspect -->
+        <!-- ownership should be removed when using this permission -->
+        <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
+            <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
+            <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
+            <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
+            <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
+        </permissionGroup>
+
+    </permissionSet>
+
+    <!-- =============================== -->
+    <!-- Permissions specific to content -->
+    <!-- =============================== -->
+
+    <permissionSet type="cm:content" expose="selected">
+
+        <!-- Content specific roles.                                                       -->
+
+        <permissionGroup name="Coordinator" extends="true" expose="true"/>
+        <permissionGroup name="Collaborator" extends="true" expose="true"/>
+        <permissionGroup name="Contributor" extends="true" expose="true"/>
+        <permissionGroup name="Editor" extends="true" expose="true"/>
+        <permissionGroup name="Consumer" extends="true" expose="true"/>
+        <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
+
+    </permissionSet>
 
-      <!-- The permission to write content.                                              -->
-      
-      <permission name="_WriteContent" expose="false">
-         <grantedToGroup permissionGroup="WriteContent" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- Execute permission on content.                                                -->
-      
-      <permission name="_ExecuteContent" expose="false">
-         <grantedToGroup permissionGroup="ExecuteContent" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <permission name="_DeleteNode" expose="false" >
-         <grantedToGroup permissionGroup="DeleteNode" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         <requiredPermission on="parent" name="_DeleteChildren" implies="false"/>
-         <requiredPermission on="node" name="_DeleteChildren" implies="false"/>
-         -->
-         <!-- Remove the recursive check for now for performance -->
-         <!-- TODO: have one permission to check for delete on an item and one to check  -->
-         <!--       child permissions when delete is called on the node service          --> 
-         <!--  <requiredPermission on="children" name="_DeleteNode" implies="false"/>     -->
-      </permission>
-      
-      
-      <!-- The permission to delete children of a node                                   -->
-      <!--                                                                               -->
-      <!-- At the moment this includes both unlink and delete                            -->
-      <!--                                                                               -->
-      <permission name="_DeleteChildren" expose="false" >
-         <grantedToGroup permissionGroup="DeleteChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-      
-      <!-- The permission to create new nodes                                            -->
-      
-      <permission name="_CreateChildren" expose="false" >
-         <grantedToGroup permissionGroup="CreateChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-         -->
-      </permission>
-      
-      <!-- The permission to link nodes                                                  -->
-      
-      <permission name="_LinkChildren" expose="false" >
-         <grantedToGroup permissionGroup="LinkChildren" />
-         <!-- Commented out parent permission check ...
-         <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-         -->
-      </permission>
-     
-     <!-- The permission to delete associations between nodes (not children)              -->
-     
-      <permission name="_DeleteAssociations" expose="false" >
-        <grantedToGroup permissionGroup="DeleteAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-      
-      <!-- The permission to read associations                                           -->
-      
-      <permission name="_ReadAssociations" expose="false" >
-        <grantedToGroup permissionGroup="ReadAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-        -->
-      </permission>
-      
-      <!-- The permission to create associations                                         -->
-      
-      <permission name="_CreateAssociations" expose="false" >
-        <grantedToGroup permissionGroup="CreateAssociations" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false" />
-        -->
-      </permission>
-      
-      <!-- ==================================================== -->
-      <!-- Permissions related to the management of permissions -->
-      <!-- ==================================================== -->
-      
-      <!-- The permission to read the permissions on a node                              -->
-      
-      <permission name="_ReadPermissions" expose="false" >
-        <grantedToGroup permissionGroup="ReadPermissions" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-      
-      <!-- The permission to the change the permissions associated with a node           -->
-      
-      <permission name="_ChangePermissions" expose="false" >
-        <grantedToGroup permissionGroup="ChangePermissions" />
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" implies="false"/>
-        -->
-      </permission>
-       
-   </permissionSet>
-   
-   <!-- ================================================ -->
-   <!-- Permissions available to all content and folders -->
-   <!-- ================================================ -->
-   
-   <permissionSet type="cm:cmobject" expose="selected">
-       
-       <!-- Kept for backward compatibility - the administrator permission has   -->
-      <!-- been removed to avoid confusion --> 
-      <permissionGroup name="Administrator" allowFullControl="true" expose="false" />
-      
-      <!-- A coordinator can do anything to the object or its children unless the     -->
-      <!-- permissions are set not to inherit or permission is denied.                 -->
-      <permissionGroup name="Coordinator" allowFullControl="true" expose="true" />
-      
-      <!-- A collaborator can do anything that an editor and a contributor can do -->
-      <permissionGroup name="Collaborator" allowFullControl="false" expose="true">
-         <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
-         <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
-      </permissionGroup>
-      
-      <!-- A contributor can create content and then they have full permission on what -->
-      <!-- they have created - via the permissions assigned to the owner.              -->
-      <permissionGroup name="Contributor" allowFullControl="false" expose="true" >
-          <!-- Contributor is a consumer who can add content, and then can modify via the -->
-          <!-- owner permissions.                                                      -->
-          <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
-          <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
-          <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
-      </permissionGroup>
-      
-      <!-- An editor can read and write to the object; they can not create    -->
-      <!-- new nodes. They can check out content into a space to which they have       -->
-      <!-- create permission.                                                          -->
-      <permissionGroup name="Editor"  expose="true" allowFullControl="false" >
-          <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
-          <includePermissionGroup type="sys:base" permissionGroup="Write"/>
-          <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
-      </permissionGroup>
-      
-      <!-- The Consumer permission allows read to everything by default.                  -->
-      <permissionGroup name="Consumer" allowFullControl="false" expose="true" >
-          <includePermissionGroup permissionGroup="Read" type="sys:base" />
-      </permissionGroup>
-      
-      <!-- records permission -->
-      <!-- Should be tied to the aspect -->
-      <!-- ownership should be removed when using this permission --> 
-      <permissionGroup name="RecordAdministrator" allowFullControl="false" expose="false">
-          <includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="WriteProperties"/>
-          <includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
-          <includePermissionGroup type="sys:base" permissionGroup="DeleteChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="CreateChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="LinkChildren"/>
-          <includePermissionGroup type="sys:base" permissionGroup="DeleteAssociations"/>
-          <includePermissionGroup type="sys:base" permissionGroup="CreateAssociations"/>
-      </permissionGroup>
-       
-   </permissionSet>
-   
-   <!-- =============================== -->
-   <!-- Permissions specific to content -->
-   <!-- =============================== -->
-   
-   <permissionSet type="cm:content" expose="selected">
 
-      <!-- Content specific roles.                                                       -->
-      
-      <permissionGroup name="Coordinator" extends="true" expose="true"/>
-      <permissionGroup name="Collaborator" extends="true" expose="true"/>
-      <permissionGroup name="Contributor" extends="true" expose="true"/>
-      <permissionGroup name="Editor" extends="true" expose="true"/>
-      <permissionGroup name="Consumer" extends="true" expose="true"/>
-      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
-      
-   </permissionSet>
-    
-    
     <permissionSet type="cm:folder" expose="selected">
 
-      <!-- Content folder specific roles.                                                       -->
-      
-      <permissionGroup name="Coordinator" extends="true" expose="true"/>
-      <permissionGroup name="Collaborator" extends="true" expose="true"/>
-      <permissionGroup name="Contributor" extends="true" expose="true"/>
-      <permissionGroup name="Editor" extends="true" expose="true"/>
-      <permissionGroup name="Consumer" extends="true" expose="true"/>
-      <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
-      
-   </permissionSet>
-   
-   <!-- ============================================== -->
-   <!-- Permissions associated with the Ownable aspect -->
-   <!-- ============================================== -->
-   
-   <permissionSet type="cm:ownable" expose="selected">
-      
-      <!-- Permission control to allow ownership of the node to be taken from others     -->
-      <permissionGroup name="TakeOwnership" requiresType="false" expose="false">
-           <includePermissionGroup permissionGroup="SetOwner" type="cm:ownable" />
-      </permissionGroup>
-       
-      <permissionGroup name="SetOwner" requiresType="false" expose="false"/>
-      
-      <!-- The low level permission to control setting the owner of a node               -->
-      <permission name="_SetOwner" expose="false" requiresType="false">
-        <grantedToGroup permissionGroup="SetOwner" />
-        <!-- require to be able to reach the node and set properties in the node         -->
-        <!-- Commented out parent permission check ...
-        <requiredPermission on="parent" name="_ReadChildren" />
-        -->
-        <requiredPermission on="node" type="sys:base" name="_WriteProperties" />
-      </permission>
-      
-   </permissionSet>
-   
-   <!-- =================================================== -->
-   <!-- Permission related to check in and cancel check out. -->
-   <!-- =================================================== -->
+        <!-- Content folder specific roles.                                                       -->
 
-      <permissionSet type="cm:workingcopy" expose="selected">
+        <permissionGroup name="Coordinator" extends="true" expose="true"/>
+        <permissionGroup name="Collaborator" extends="true" expose="true"/>
+        <permissionGroup name="Contributor" extends="true" expose="true"/>
+        <permissionGroup name="Editor" extends="true" expose="true"/>
+        <permissionGroup name="Consumer" extends="true" expose="true"/>
+        <permissionGroup name="RecordAdministrator" extends="true" expose="false"/>
 
-         <!-- Cancel Check Out permission - only exposed for the workingcopy aspect is present -->
-         <permissionGroup name="CancelCheckOut" requiresType="true" expose="false">
-            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable" />
-         </permissionGroup>
+    </permissionSet>
 
-         <!-- Check In permission - only exposed when the workingcopy aspect is present        -->
-         <permissionGroup name="CheckIn" requiresType="true" expose="false">
-            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable" />
-         </permissionGroup>
-			
-      </permissionSet>
-   
-   <!-- =================================================== -->
-   <!-- Permission related to lock, check out and check in. -->
-   <!-- =================================================== -->
-   
-   <permissionSet type="cm:lockable" expose="selected">
-    
-      <!-- At the moment these permissions are hidden so they do not appear in the list  -->
-      <!-- of permissions.                                                               -->
-    
-      <!-- Check Out permission - exposed for all object types                           -->
-      <permissionGroup name="CheckOut" requiresType="false" expose="false">
-          <includePermissionGroup permissionGroup="Lock" type="cm:lockable" />
-      </permissionGroup>
-      
-      <permissionGroup name="Lock" requiresType="false" expose="false"/>
-      <permissionGroup name="Unlock" requiresType="true" expose="false"/>
-       
-    
-      <!-- Low level lock permission                                                     -->
-      <permission name="_Lock" requiresType="false" expose="false">
-        <grantedToGroup permissionGroup="Lock" />
-        <requiredPermission on="node" type="sys:base"  name="Write"/>
-      </permission>
-      
-      <!-- Low level unlock permission                                                   -->
-      <permission name="_Unlock" requiresType="true" expose="false">
-        <grantedToGroup permissionGroup="Unlock" />
-      </permission>      
-      
-   </permissionSet>
-   
-   <!-- ================== -->
-   <!-- Global permissions -->
-   <!-- ================== -->
-   
-   <!--                                                                                  -->
-   <!-- Global permissions apply regardless of any particular node context.              -->
-   <!-- They can not be denied by the permissions set on any node.                       -->
-   <!--                                                                                  --> 
-      
-   <!-- Admin can do anything to any node                                                -->
-   <globalPermission permission="FullControl" authority="ROLE_ADMINISTRATOR"/>
-   
-   <!-- For now, owners can always see, find and manipulate their stuff                  -->
-   <globalPermission permission="FullControl" authority="ROLE_OWNER"/>
-   
-   <!-- Unlock is granted to the lock owner                                              -->
-   <globalPermission permission="Unlock" authority="ROLE_LOCK_OWNER"/>
-   
-   <!-- Check in is granted to the lock owner                                            -->
-   <globalPermission permission="CheckIn" authority="ROLE_LOCK_OWNER"/>
-   
-   <!-- Cancel check out is granted to the lock owner                                   -->
-   <globalPermission permission="CancelCheckOut" authority="ROLE_LOCK_OWNER"/>
+    <!-- ============================================== -->
+    <!-- Permissions associated with the Ownable aspect -->
+    <!-- ============================================== -->
+
+    <permissionSet type="cm:ownable" expose="selected">
+
+        <!-- Permission control to allow ownership of the node to be taken from others     -->
+        <permissionGroup name="TakeOwnership" requiresType="false" expose="false">
+            <includePermissionGroup permissionGroup="SetOwner" type="cm:ownable"/>
+        </permissionGroup>
+
+        <permissionGroup name="SetOwner" requiresType="false" expose="false"/>
+
+        <!-- The low level permission to control setting the owner of a node               -->
+        <permission name="_SetOwner" expose="false" requiresType="false">
+            <grantedToGroup permissionGroup="SetOwner"/>
+            <!-- require to be able to reach the node and set properties in the node         -->
+            <!-- Commented out parent permission check ...
+            <requiredPermission on="parent" name="_ReadChildren" />
+            -->
+            <requiredPermission on="node" type="sys:base" name="_WriteProperties"/>
+        </permission>
+
+    </permissionSet>
+
+    <!-- =================================================== -->
+    <!-- Permission related to check in and cancel check out. -->
+    <!-- =================================================== -->
+
+    <permissionSet type="cm:workingcopy" expose="selected">
+
+        <!-- Cancel Check Out permission - only exposed for the workingcopy aspect is present -->
+        <permissionGroup name="CancelCheckOut" requiresType="true" expose="false">
+            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable"/>
+        </permissionGroup>
+
+        <!-- Check In permission - only exposed when the workingcopy aspect is present        -->
+        <permissionGroup name="CheckIn" requiresType="true" expose="false">
+            <includePermissionGroup permissionGroup="Unlock" type="cm:lockable"/>
+        </permissionGroup>
+
+    </permissionSet>
+
+    <!-- =================================================== -->
+    <!-- Permission related to lock, check out and check in. -->
+    <!-- =================================================== -->
+
+    <permissionSet type="cm:lockable" expose="selected">
+
+        <!-- At the moment these permissions are hidden so they do not appear in the list  -->
+        <!-- of permissions.                                                               -->
+
+        <!-- Check Out permission - exposed for all object types                           -->
+        <permissionGroup name="CheckOut" requiresType="false" expose="false">
+            <includePermissionGroup permissionGroup="Lock" type="cm:lockable"/>
+        </permissionGroup>
+
+        <permissionGroup name="Lock" requiresType="false" expose="false"/>
+        <permissionGroup name="Unlock" requiresType="true" expose="false"/>
+
+
+        <!-- Low level lock permission                                                     -->
+        <permission name="_Lock" requiresType="false" expose="false">
+            <grantedToGroup permissionGroup="Lock"/>
+            <requiredPermission on="node" type="sys:base" name="Write"/>
+        </permission>
+
+        <!-- Low level unlock permission                                                   -->
+        <permission name="_Unlock" requiresType="true" expose="false">
+            <grantedToGroup permissionGroup="Unlock"/>
+        </permission>
+
+    </permissionSet>
+
+    <!-- ================== -->
+    <!-- Global permissions -->
+    <!-- ================== -->
+
+    <!--                                                                                  -->
+    <!-- Global permissions apply regardless of any particular node context.              -->
+    <!-- They can not be denied by the permissions set on any node.                       -->
+    <!--                                                                                  -->
+
+    <!-- Admin can do anything to any node                                                -->
+    <globalPermission permission="FullControl" authority="ROLE_ADMINISTRATOR"/>
+
+    <!-- For now, owners can always see, find and manipulate their stuff                  -->
+    <globalPermission permission="FullControl" authority="ROLE_OWNER"/>
+
+    <!-- Unlock is granted to the lock owner                                              -->
+    <globalPermission permission="Unlock" authority="ROLE_LOCK_OWNER"/>
+
+    <!-- Check in is granted to the lock owner                                            -->
+    <globalPermission permission="CheckIn" authority="ROLE_LOCK_OWNER"/>
+
+    <!-- Cancel check out is granted to the lock owner                                   -->
+    <globalPermission permission="CancelCheckOut" authority="ROLE_LOCK_OWNER"/>
 
     <!-- Service Account roles -->
     <globalPermission permission="AdminServiceAccount" authority="ROLE_ADMIN_SERVICE_ACCOUNT"/>

From e59bb3261c43adf268441ac5c2d59c24d2a7ae6d Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Thu, 30 May 2024 15:57:46 +0100
Subject: [PATCH 3/6] PRODENG-276: Fixed test failures.

---
 .../org/alfresco/AppContext05TestSuite.java   |  2 +-
 .../dynamic/ServiceAccountRoleTest.java       |  2 +
 .../impl/AbstractPermissionTest.java          |  2 +
 .../impl/model/PermissionModelTest.java       | 58 +++++++++----------
 4 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
index 9092900f2a..d8aebf7940 100644
--- a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
@@ -45,7 +45,6 @@ import org.junit.runners.Suite;
     org.alfresco.repo.security.authority.DuplicateAuthorityTest.class,
     org.alfresco.repo.security.authority.ExtendedPermissionServiceTest.class,
     org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthorityTest.class,
-    org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest.class,
     org.alfresco.repo.security.permissions.impl.AclDaoComponentTest.class,
     org.alfresco.repo.security.permissions.impl.PermissionServiceTest.class,
     org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationTest.class,
@@ -86,6 +85,7 @@ import org.junit.runners.Suite;
     org.alfresco.repo.model.ModelTestSuite.class,
     org.alfresco.repo.tenant.MultiTNodeServiceInterceptorTest.class,
     org.alfresco.repo.transfer.RepoTransferReceiverImplTest.class,
+    org.alfresco.repo.security.permissions.dynamic.ServiceAccountRoleTest.class
 })
 public class AppContext05TestSuite
 {
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
index 7efba03be5..7ac12a8bd8 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
@@ -83,6 +83,8 @@ import org.springframework.context.ApplicationContext;
  *
  * @author Jamal Kaabi-Mofrad
  */
+// Ignore the PMD warning about having too many test methods in this class; it makes the tests easier to read and maintain.
+@SuppressWarnings("PMD.TooManyMethods")
 public class ServiceAccountRoleTest
 {
     // Rule to initialise the default Alfresco spring configuration
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
index 0bcbe57dab..0b81987e36 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
@@ -66,6 +66,8 @@ import org.springframework.context.ApplicationContext;
 
 public abstract class AbstractPermissionTest extends TestCase
 {
+    public static final int NUMBER_OF_GLOBAL_PERMISSIONS = 8;
+
     protected static final String USER2_LEMUR = "lemur";
 
     protected static final String USER1_ANDY = "andy";
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
index ff4f4ce40e..0fd216f022 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.repo.security.permissions.impl.model;
 
 import java.util.Collections;
@@ -94,7 +94,7 @@ public class PermissionModelTest extends AbstractPermissionTest
         Set<PermissionReference> grantees = permissionModelDAO.getGranteePermissions(SimplePermissionReference.getPermissionReference(QName.createQName("cm", "cmobject",
                 namespacePrefixResolver), "Coordinator"));
 
-        assertEquals(69, grantees.size());
+        assertEquals(72, grantees.size());
     }
 
     public void testIncludePermissionGroups6()
@@ -109,17 +109,17 @@ public class PermissionModelTest extends AbstractPermissionTest
     {
         Set<PermissionReference> granters = permissionModelDAO.getGrantingPermissions(SimplePermissionReference.getPermissionReference(QName.createQName("sys", "base",
                 namespacePrefixResolver), "ReadProperties"));
-        assertEquals(14, granters.size());
+        assertEquals(17, granters.size());
 
         granters = permissionModelDAO.getGrantingPermissions(SimplePermissionReference.getPermissionReference(QName.createQName("sys", "base", namespacePrefixResolver),
                 "_ReadProperties"));
-        assertEquals(15, granters.size());
+        assertEquals(18, granters.size());
     }
 
     public void testGlobalPermissions()
     {
         Set<? extends PermissionEntry> globalPermissions = permissionModelDAO.getGlobalPermissionEntries();
-        assertEquals(5, globalPermissions.size());
+        assertEquals(NUMBER_OF_GLOBAL_PERMISSIONS, globalPermissions.size());
     }
 
     public void testRequiredPermissions()

From a9a911e77f4dbaedc111c573bbf1a3cba2385fce Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Thu, 30 May 2024 17:06:24 +0100
Subject: [PATCH 4/6] PRODENG-276: Resolved PMD issues.

---
 .../cmr/security/PermissionService.java       | 11 +++----
 .../repo/sa/ServiceAccountRegistryImpl.java   |  5 +--
 .../public-services-security-context.xml      |  6 ++--
 .../sa/ServiceAccountRegistryImplTest.java    | 32 +++++++++----------
 .../dynamic/ServiceAccountRoleTest.java       | 12 +++----
 5 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java b/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
index af619d7e48..40592d7d23 100644
--- a/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
+++ b/data-model/src/main/java/org/alfresco/service/cmr/security/PermissionService.java
@@ -81,25 +81,24 @@ public interface PermissionService
     /**
      * The dynamic authority for the Admin service account.
      */
-    String ADMIN_SERVICE_ACCOUNT_AUTHORITY = "ROLE_ADMIN_SERVICE_ACCOUNT";
+    String ADMIN_SVC_AUTHORITY = "ROLE_ADMIN_SERVICE_ACCOUNT";
 
     /**
      * The dynamic authority for the Collaborator service account.
      */
-    String COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY = "ROLE_COLLABORATOR_SERVICE_ACCOUNT";
+    String COLLABORATOR_SVC_AUTHORITY = "ROLE_COLLABORATOR_SERVICE_ACCOUNT";
 
     /**
      * The dynamic authority for the Editor service account.
      */
-    String EDITOR_SERVICE_ACCOUNT_AUTHORITY = "ROLE_EDITOR_SERVICE_ACCOUNT";
+    String EDITOR_SVC_AUTHORITY = "ROLE_EDITOR_SERVICE_ACCOUNT";
 
     /**
      * A convenient set of service account authorities to simplify checks
      * for whether a given authority is a service account authority or not.
      */
-    Set<String> SERVICE_ACCOUNT_AUTHORITIES_SET = Set.of(ADMIN_SERVICE_ACCOUNT_AUTHORITY,
-                                                         COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY,
-                                                         EDITOR_SERVICE_ACCOUNT_AUTHORITY);
+    Set<String> SVC_AUTHORITIES_SET = Set.of(ADMIN_SVC_AUTHORITY, COLLABORATOR_SVC_AUTHORITY,
+                                             EDITOR_SVC_AUTHORITY);
 
     /**
      * The permission for all - not defined in the model. Repsected in the code.
diff --git a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
index 45b3db2d0a..bac4edb742 100644
--- a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
+++ b/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
@@ -25,6 +25,7 @@
  */
 package org.alfresco.repo.sa;
 
+import java.util.Locale;
 import java.util.Optional;
 import java.util.Properties;
 import java.util.Set;
@@ -114,9 +115,9 @@ public class ServiceAccountRegistryImpl implements ServiceAccountRegistry, Initi
                         return;
                     }
                     // Ensure the role is in uppercase and has the prefix
-                    role = role.toUpperCase();
+                    role = role.toUpperCase(Locale.ENGLISH);
                     role = getRoleWithPrefix(role);
-                    if (!PermissionService.SERVICE_ACCOUNT_AUTHORITIES_SET.contains(role))
+                    if (!PermissionService.SVC_AUTHORITIES_SET.contains(role))
                     {
                         LOGGER.warn("Invalid service account role '{}'. The role is not recognized.", role);
                         return;
diff --git a/repository/src/main/resources/alfresco/public-services-security-context.xml b/repository/src/main/resources/alfresco/public-services-security-context.xml
index 5c29d25ee5..8f8769493e 100644
--- a/repository/src/main/resources/alfresco/public-services-security-context.xml
+++ b/repository/src/main/resources/alfresco/public-services-security-context.xml
@@ -156,15 +156,15 @@
     </bean>
     <bean id="adminServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
           parent="baseServiceAccountAuthority">
-        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).ADMIN_SERVICE_ACCOUNT_AUTHORITY}"/>
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).ADMIN_SVC_AUTHORITY}"/>
     </bean>
     <bean id="collaboratorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
           parent="baseServiceAccountAuthority">
-        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY}"/>
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).COLLABORATOR_SVC_AUTHORITY}"/>
     </bean>
     <bean id="editorServiceAccountAuthority" class="org.alfresco.repo.security.permissions.dynamic.ServiceAccountAuthority"
           parent="baseServiceAccountAuthority">
-        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).EDITOR_SERVICE_ACCOUNT_AUTHORITY}"/>
+        <property name="authority" value="#{T(org.alfresco.service.cmr.security.PermissionService).EDITOR_SVC_AUTHORITY}"/>
     </bean>
 
     <!-- =========================== -->
diff --git a/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java b/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
index 154720c9ee..05048ad647 100644
--- a/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
+++ b/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
@@ -25,9 +25,9 @@
  */
 package org.alfresco.repo.sa;
 
-import static org.alfresco.service.cmr.security.PermissionService.ADMIN_SERVICE_ACCOUNT_AUTHORITY;
-import static org.alfresco.service.cmr.security.PermissionService.COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY;
-import static org.alfresco.service.cmr.security.PermissionService.EDITOR_SERVICE_ACCOUNT_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.ADMIN_SVC_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.COLLABORATOR_SVC_AUTHORITY;
+import static org.alfresco.service.cmr.security.PermissionService.EDITOR_SVC_AUTHORITY;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -71,7 +71,7 @@ public class ServiceAccountRegistryImplTest
     @Test
     public void testInvalidServiceAccountName()
     {
-        globalProperties.put("serviceaccount.role. ", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role. ", ADMIN_SVC_AUTHORITY);
         assertTrue("Invalid service account name.", serviceAccountService.getServiceAccountNames().isEmpty());
     }
 
@@ -100,43 +100,43 @@ public class ServiceAccountRegistryImplTest
     @Test
     public void testValidServiceAccount() throws Exception
     {
-        globalProperties.put("serviceaccount.role.testServiceAccount", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testServiceAccount", ADMIN_SVC_AUTHORITY);
         serviceAccountService.afterPropertiesSet();
 
         Optional<String> testServiceAccount = serviceAccountService.getServiceAccountRole("testServiceAccount");
         assertFalse("The service account role is not empty.", testServiceAccount.isEmpty());
-        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, testServiceAccount.get());
+        assertEquals(ADMIN_SVC_AUTHORITY, testServiceAccount.get());
         assertEquals(1, serviceAccountService.getServiceAccountNames().size());
     }
 
     @Test
     public void testManyServiceAccounts() throws Exception
     {
-        globalProperties.put("serviceaccount.role.testEditorSA", EDITOR_SERVICE_ACCOUNT_AUTHORITY);
-        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY);
-        globalProperties.put("serviceaccount.role.testAdminSA", ADMIN_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testEditorSA", EDITOR_SVC_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SVC_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testAdminSA", ADMIN_SVC_AUTHORITY);
         serviceAccountService.afterPropertiesSet();
 
         assertEquals(3, serviceAccountService.getServiceAccountNames().size());
 
         Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
         assertFalse("The service account role is not empty.", editorSA.isEmpty());
-        assertEquals(EDITOR_SERVICE_ACCOUNT_AUTHORITY, editorSA.get());
+        assertEquals(EDITOR_SVC_AUTHORITY, editorSA.get());
 
         Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
         assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
-        assertEquals(COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, collaboratorSA.get());
+        assertEquals(COLLABORATOR_SVC_AUTHORITY, collaboratorSA.get());
 
         Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
         assertFalse("The service account role is not empty.", adminSA.isEmpty());
-        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, adminSA.get());
+        assertEquals(ADMIN_SVC_AUTHORITY, adminSA.get());
     }
 
     @Test
     public void testValidServiceAccountRoleValues() throws Exception
     {
         globalProperties.put("serviceaccount.role.testEditorSA", "EDITOR_SERVICE_ACCOUNT");
-        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SVC_AUTHORITY);
         globalProperties.put("serviceaccount.role.testAdminSA", "ADMIN_SERVICE_ACCOUNT");
         serviceAccountService.afterPropertiesSet();
 
@@ -144,14 +144,14 @@ public class ServiceAccountRegistryImplTest
 
         Optional<String> editorSA = serviceAccountService.getServiceAccountRole("testEditorSA");
         assertFalse("The service account role is not empty.", editorSA.isEmpty());
-        assertEquals(EDITOR_SERVICE_ACCOUNT_AUTHORITY, editorSA.get());
+        assertEquals(EDITOR_SVC_AUTHORITY, editorSA.get());
 
         Optional<String> collaboratorSA = serviceAccountService.getServiceAccountRole("testCollaboratorSA");
         assertFalse("The service account role is not empty.", collaboratorSA.isEmpty());
-        assertEquals(COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, collaboratorSA.get());
+        assertEquals(COLLABORATOR_SVC_AUTHORITY, collaboratorSA.get());
 
         Optional<String> adminSA = serviceAccountService.getServiceAccountRole("testAdminSA");
         assertFalse("The service account role is not empty.", adminSA.isEmpty());
-        assertEquals(ADMIN_SERVICE_ACCOUNT_AUTHORITY, adminSA.get());
+        assertEquals(ADMIN_SVC_AUTHORITY, adminSA.get());
     }
 }
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
index 7ac12a8bd8..7ad2a0f630 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
@@ -66,9 +66,9 @@ import org.springframework.context.ApplicationContext;
  * </pre>
  * The service account roles that currently supported are:
  * <ul>
- *   <li>{@link PermissionService#EDITOR_SERVICE_ACCOUNT_AUTHORITY}</li>
- *   <li>{@link PermissionService#COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY}</li>
- *   <li>{@link PermissionService#ADMIN_SERVICE_ACCOUNT_AUTHORITY}</li>
+ *   <li>{@link PermissionService#EDITOR_SVC_AUTHORITY}</li>
+ *   <li>{@link PermissionService#COLLABORATOR_SVC_AUTHORITY}</li>
+ *   <li>{@link PermissionService#ADMIN_SVC_AUTHORITY}</li>
  * </ul>
  * The test class relies on the following service accounts defined in the <i>alfresco-global.properties</i> file:
  * <ul>
@@ -173,9 +173,9 @@ public class ServiceAccountRoleTest
 
     private static void serviceAccountsShouldExistInGlobalProperties()
     {
-        assertServiceAccountIsDefined(PermissionService.EDITOR_SERVICE_ACCOUNT_AUTHORITY, EDITOR_SA.getUsername());
-        assertServiceAccountIsDefined(PermissionService.COLLABORATOR_SERVICE_ACCOUNT_AUTHORITY, COLLABORATOR_SA.getUsername());
-        assertServiceAccountIsDefined(PermissionService.ADMIN_SERVICE_ACCOUNT_AUTHORITY, ADMIN_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.EDITOR_SVC_AUTHORITY, EDITOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.COLLABORATOR_SVC_AUTHORITY, COLLABORATOR_SA.getUsername());
+        assertServiceAccountIsDefined(PermissionService.ADMIN_SVC_AUTHORITY, ADMIN_SA.getUsername());
     }
 
     private static void assertServiceAccountIsDefined(String expectedRole, String username)

From c82e8d652adfc4d90f1d8c188075586edf098b9f Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Thu, 30 May 2024 17:29:04 +0100
Subject: [PATCH 5/6] PRODENG-276: Resolved peer review comments.

---
 .../permissions/dynamic/ServiceAccountAuthority.java      | 2 +-
 .../{sa => serviceaccount}/ServiceAccountRegistry.java    | 2 +-
 .../ServiceAccountRegistryImpl.java                       | 2 +-
 .../resources/alfresco/authority-services-context.xml     | 2 +-
 .../src/test/java/org/alfresco/AllUnitTestsSuite.java     | 2 +-
 .../permissions/dynamic/ServiceAccountRoleTest.java       | 8 ++++----
 .../ServiceAccountRegistryImplTest.java                   | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)
 rename repository/src/main/java/org/alfresco/repo/{sa => serviceaccount}/ServiceAccountRegistry.java (98%)
 rename repository/src/main/java/org/alfresco/repo/{sa => serviceaccount}/ServiceAccountRegistryImpl.java (99%)
 rename repository/src/test/java/org/alfresco/repo/{sa => serviceaccount}/ServiceAccountRegistryImplTest.java (99%)

diff --git a/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java b/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
index 3694876e8b..245667da5e 100644
--- a/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
+++ b/repository/src/main/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountAuthority.java
@@ -28,7 +28,7 @@ package org.alfresco.repo.security.permissions.dynamic;
 import java.util.Optional;
 import java.util.Set;
 
-import org.alfresco.repo.sa.ServiceAccountRegistry;
+import org.alfresco.repo.serviceaccount.ServiceAccountRegistry;
 import org.alfresco.repo.security.permissions.DynamicAuthority;
 import org.alfresco.repo.security.permissions.PermissionReference;
 import org.alfresco.service.cmr.repository.NodeRef;
diff --git a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistry.java
similarity index 98%
rename from repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java
rename to repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistry.java
index 0a1d1f884e..29af0027b0 100644
--- a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistry.java
+++ b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistry.java
@@ -23,7 +23,7 @@
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  * #L%
  */
-package org.alfresco.repo.sa;
+package org.alfresco.repo.serviceaccount;
 
 import java.util.Optional;
 import java.util.Set;
diff --git a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
similarity index 99%
rename from repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
rename to repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
index bac4edb742..247e048f54 100644
--- a/repository/src/main/java/org/alfresco/repo/sa/ServiceAccountRegistryImpl.java
+++ b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
@@ -23,7 +23,7 @@
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  * #L%
  */
-package org.alfresco.repo.sa;
+package org.alfresco.repo.serviceaccount;
 
 import java.util.Locale;
 import java.util.Optional;
diff --git a/repository/src/main/resources/alfresco/authority-services-context.xml b/repository/src/main/resources/alfresco/authority-services-context.xml
index 7e535e42e3..97b5eb16b4 100644
--- a/repository/src/main/resources/alfresco/authority-services-context.xml
+++ b/repository/src/main/resources/alfresco/authority-services-context.xml
@@ -143,7 +143,7 @@
         </property>
     </bean>
 
-    <bean id="serviceAccountRegistry" class="org.alfresco.repo.sa.ServiceAccountRegistryImpl">
+    <bean id="serviceAccountRegistry" class="org.alfresco.repo.serviceaccount.ServiceAccountRegistryImpl">
         <property name="globalProperties" ref="global-properties"/>
     </bean>
 
diff --git a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
index cbe6f704a1..8f5dc5b937 100644
--- a/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
+++ b/repository/src/test/java/org/alfresco/AllUnitTestsSuite.java
@@ -262,7 +262,7 @@ import org.junit.runners.Suite;
 
     org.alfresco.util.schemacomp.SchemaDifferenceHelperUnitTest.class,
     org.alfresco.repo.tagging.TaggingServiceImplUnitTest.class,
-    org.alfresco.repo.sa.ServiceAccountRegistryImplTest.class
+    org.alfresco.repo.serviceaccount.ServiceAccountRegistryImplTest.class
 })
 public class AllUnitTestsSuite
 {
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
index 7ad2a0f630..66a26b7ae2 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/dynamic/ServiceAccountRoleTest.java
@@ -286,7 +286,7 @@ public class ServiceAccountRoleTest
     }
 
     @Test
-    public void normalUserCreateAssociationsAccessShouldBeDenied()
+    public void normalUserAssociationAccessShouldBeDenied()
     {
         assertAccessDenied(NORMAL_USER, PermissionService.READ_ASSOCIATIONS);
         assertAccessDenied(NORMAL_USER, PermissionService.CREATE_ASSOCIATIONS);
@@ -294,7 +294,7 @@ public class ServiceAccountRoleTest
     }
 
     @Test
-    public void editorSaCreateAssociationsAccessShouldBeDenied()
+    public void editorSaAssociationAccessShouldBeDenied()
     {
         assertAccessDenied(EDITOR_SA, PermissionService.READ_ASSOCIATIONS);
         assertAccessDenied(EDITOR_SA, PermissionService.CREATE_ASSOCIATIONS);
@@ -302,7 +302,7 @@ public class ServiceAccountRoleTest
     }
 
     @Test
-    public void collaboratorSaCreateAssociationsAccessShouldBeDenied()
+    public void collaboratorSaAssociationAccessShouldBeDenied()
     {
         assertAccessDenied(COLLABORATOR_SA, PermissionService.READ_ASSOCIATIONS);
         assertAccessDenied(COLLABORATOR_SA, PermissionService.CREATE_ASSOCIATIONS);
@@ -310,7 +310,7 @@ public class ServiceAccountRoleTest
     }
 
     @Test
-    public void adminSaCreateAssociationsAccessShouldBeAllowed()
+    public void adminSaAssociationAccessShouldBeAllowed()
     {
         assertAccessAllowed(ADMIN_SA, PermissionService.READ_ASSOCIATIONS);
         assertAccessAllowed(ADMIN_SA, PermissionService.CREATE_ASSOCIATIONS);
diff --git a/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java b/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
similarity index 99%
rename from repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
rename to repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
index 05048ad647..351fb77d85 100644
--- a/repository/src/test/java/org/alfresco/repo/sa/ServiceAccountRegistryImplTest.java
+++ b/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
@@ -23,7 +23,7 @@
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  * #L%
  */
-package org.alfresco.repo.sa;
+package org.alfresco.repo.serviceaccount;
 
 import static org.alfresco.service.cmr.security.PermissionService.ADMIN_SVC_AUTHORITY;
 import static org.alfresco.service.cmr.security.PermissionService.COLLABORATOR_SVC_AUTHORITY;

From 89dd6f7b35ded08e9c4fa6282cbfbf4b393ee6cb Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad <jamal.kaabimofrad@alfresco.com>
Date: Fri, 31 May 2024 14:49:44 +0100
Subject: [PATCH 6/6] PRODENG-276: Addressed minor comments from peer review.

---
 .../repo/serviceaccount/ServiceAccountRegistryImpl.java       | 2 +-
 .../src/test/java/org/alfresco/AppContext05TestSuite.java     | 2 +-
 .../security/permissions/impl/AbstractPermissionTest.java     | 2 +-
 .../security/permissions/impl/model/PermissionModelTest.java  | 2 +-
 .../repo/serviceaccount/ServiceAccountRegistryImplTest.java   | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
index 247e048f54..b8fe8377b7 100644
--- a/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
+++ b/repository/src/main/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImpl.java
@@ -1,6 +1,6 @@
 /*
  * #%L
- * Alfresco Data model classes
+ * Alfresco Repository
  * %%
  * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
diff --git a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
index d8aebf7940..18fafbbe50 100644
--- a/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
+++ b/repository/src/test/java/org/alfresco/AppContext05TestSuite.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
index 0b81987e36..b3bd0d94c2 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
diff --git a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
index 0fd216f022..bca9bb1c80 100644
--- a/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
+++ b/repository/src/test/java/org/alfresco/repo/security/permissions/impl/model/PermissionModelTest.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
diff --git a/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java b/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
index 351fb77d85..1afcdb7565 100644
--- a/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
+++ b/repository/src/test/java/org/alfresco/repo/serviceaccount/ServiceAccountRegistryImplTest.java
@@ -1,6 +1,6 @@
 /*
  * #%L
- * Alfresco Data model classes
+ * Alfresco Repository
  * %%
  * Copyright (C) 2005 - 2024 Alfresco Software Limited
  * %%
@@ -136,7 +136,7 @@ public class ServiceAccountRegistryImplTest
     public void testValidServiceAccountRoleValues() throws Exception
     {
         globalProperties.put("serviceaccount.role.testEditorSA", "EDITOR_SERVICE_ACCOUNT");
-        globalProperties.put("serviceaccount.role.testCollaboratorSA", COLLABORATOR_SVC_AUTHORITY);
+        globalProperties.put("serviceaccount.role.testCollaboratorSA", "COLLABORATOR_SERVICE_ACCOUNT");
         globalProperties.put("serviceaccount.role.testAdminSA", "ADMIN_SERVICE_ACCOUNT");
         serviceAccountService.afterPropertiesSet();