<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:11:13 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1153] Permissions consistency enforcement breaks CI builds</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1153</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description></description>
                <environment></environment>
        <key id="80555">FOLIO-1153</key>
            <summary>Permissions consistency enforcement breaks CI builds</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10000" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p1.svg">P1</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5c706fbb47a54a6728e59df2">Wayne Schneider</assignee>
                                                                <reporter accountid="5c706fbb47a54a6728e59df2">Wayne Schneider</reporter>
                                    <labels>
                            <label>ci</label>
                            <label>sprint34</label>
                    </labels>
                <created>Wed, 21 Mar 2018 13:57:11 +0000</created>
                <updated>Mon, 12 Nov 2018 14:24:16 +0000</updated>
                            <resolved>Tue, 27 Mar 2018 13:50:42 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                    <timespent seconds="55800">1 day, 7 hours, 30 minutes</timespent>
                                <comments>
                                                            <comment id="192695" author="5c706fbb47a54a6728e59df2" created="Wed, 21 Mar 2018 14:11:26 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=63e2a2771b13d42998e4e706&quot; class=&quot;user-hover&quot; rel=&quot;63e2a2771b13d42998e4e706&quot; data-account-id=&quot;63e2a2771b13d42998e4e706&quot; accountid=&quot;63e2a2771b13d42998e4e706&quot; rel=&quot;noreferrer&quot;&gt;Marc Johnson&lt;/a&gt; reported:&lt;br/&gt;
Overnight, the builds for folio-testing-backend (&lt;a href=&quot;https://jenkins-aws.indexdata.com/job/Automation/job/folio-testing-backend01/298/consoleFull&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://jenkins-aws.indexdata.com/job/Automation/job/folio-testing-backend01/298/consoleFull&lt;/a&gt;, and hence also the UI), folio-snapshot (&lt;a href=&quot;https://jenkins-aws.indexdata.com/job/Automation/job/folio-snapshot/156/console&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://jenkins-aws.indexdata.com/job/Automation/job/folio-snapshot/156/console&lt;/a&gt;) and folio-blackbox (&lt;a href=&quot;https://jenkins-aws.indexdata.com/job/Automation/job/folio-blackbox/501/consoleFull&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://jenkins-aws.indexdata.com/job/Automation/job/folio-blackbox/501/consoleFull&lt;/a&gt;) failed.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Symptoms&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Most of the builds failed with an error similar to:&lt;/p&gt;

&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;failed: [10.36.1.243] (item=ui-users.settings.permsets) =&amp;gt; {&quot;accept&quot;: &quot;application/json&quot;, &quot;accept_encoding&quot;: &quot;identity&quot;, &quot;changed&quot;: false, &quot;connection&quot;: &quot;close&quot;, &quot;content&quot;: &quot;Error attempting to update permissions metadata: Attempting to add non-existent permissions to user&quot;, &quot;content_type&quot;: &quot;text/plain&quot;, &quot;failed&quot;: true, &quot;host&quot;: &quot;10.36.1.243:9130&quot;, &quot;item&quot;: &quot;ui-users.settings.permsets&quot;, &quot;msg&quot;: &quot;Status code was not [200, 422]: HTTP Error 500: Internal Server Error&quot;, &quot;redirected&quot;: false, &quot;status&quot;: 500, &quot;transfer_encoding&quot;: &quot;chunked&quot;, &quot;url&quot;: &quot;http://10.36.1.243:9130/perms/users/2408ae64-56ad-4177-9024-1e35fe5d895c/permissions&quot;, &quot;user_agent&quot;: &quot;ansible-httpget&quot;, &quot;x_okapi_permissions&quot;: &quot;[\&quot;perms.users.item.post\&quot;]&quot;, &quot;x_okapi_request_id&quot;: &quot;863699/perms&quot;, &quot;x_okapi_tenant&quot;: &quot;diku&quot;, &quot;x_okapi_token&quot;: &quot;eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJkaWt1X2FkbWluIiwidXNlcl9pZCI6IjFhZDczN2IwLWQ4NDctMTFlNi1iZjI2LWNlYzBjOTMyY2UwMSIsInRlbmFudCI6ImRpa3UifQ.vrW69kPTGFlyAT6YJeddG8fP174wI-UH6mx3eWO70v4-D-Y0pQGTn1VegLoD5m6-caOY8jmMR74uUo_f1qTx3Q&quot;, &quot;x_okapi_trace&quot;: &quot;POST mod-authtoken-1.4.1-SNAPSHOT.20 http://10.36.1.243:9131/perms/users/2408ae64-56ad-4177-9024-1e35fe5d895c/permissions : 202 3580us, POST mod-permissions-5.1.0-SNAPSHOT.12 http://10.36.1.243:9132/perms/users/2408ae64-56ad-4177-9024-1e35fe5d895c/permissions : 500 8058us&quot;, &quot;x_okapi_url&quot;: &quot;http://10.36.1.243:9130&quot;, &quot;x_okapi_user_id&quot;: &quot;1ad737b0-d847-11e6-bf26-cec0c932ce01&quot;}&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;folio-snapshot failed with a different error:&lt;/p&gt;

&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;fatal: [10.36.1.22]: FAILED! =&amp;gt; {&quot;changed&quot;: false, &quot;connection&quot;: &quot;close&quot;, &quot;content&quot;: &quot;POST request for mod-permissions-5.1.0-SNAPSHOT.12 /_/tenantpermissions failed with Internal Server Error: Unable to satisfy dependencies for permission inventory-storage.all&quot;, &quot;content_length&quot;: &quot;174&quot;, &quot;content_type&quot;: &quot;text/plain&quot;, &quot;failed&quot;: true, &quot;msg&quot;: &quot;Status code was not [200]: HTTP Error 500: Internal Server Error&quot;, &quot;redirected&quot;: false, &quot;status&quot;: 500, &quot;url&quot;: &quot;http://10.36.1.22:9130/_/proxy/tenants/diku/install&quot;}&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;However this looks to be due to a related cause (I haven&#8217;t dug deeply into the code to check this assumption).&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Initial Cause Investigation&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;The first error is produced here: &lt;a href=&quot;https://github.com/folio-org/mod-permissions/blob/8e72f8b525457f6d7be39f925e5f240ec2321250/src/main/java/org/folio/rest/impl/PermsAPI.java#L1652&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-permissions/blob/8e72f8b525457f6d7be39f925e5f240ec2321250/src/main/java/org/folio/rest/impl/PermsAPI.java#L1652&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The second error is produced here: &lt;a href=&quot;https://github.com/folio-org/mod-permissions/blob/8e72f8b525457f6d7be39f925e5f240ec2321250/src/main/java/org/folio/rest/impl/TenantPermsAPI.java#L97&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-permissions/blob/8e72f8b525457f6d7be39f925e5f240ec2321250/src/main/java/org/folio/rest/impl/TenantPermsAPI.java#L97&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Both were added in the same commit, which I think was merged yesterday (&lt;a href=&quot;https://github.com/folio-org/mod-permissions/commit/8e72f8b525457f6d7be39f925e5f240ec2321250&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-permissions/commit/8e72f8b525457f6d7be39f925e5f240ec2321250&lt;/a&gt; - interestingly, git blame cites the original commit, which makes it harder to find when the change reached master) as part of &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODPERMS-29&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODPERMS-29&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;It looks like we now reject assignments of permissions to users or permission sets where the permission does not exist. &lt;/p&gt;

&lt;p&gt;&lt;b&gt;Further Investigation&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;I&#8217;m starting to track down the permissions involved (and to confirm my understanding of the cause).&lt;/p&gt;

&lt;p&gt;I had a quick look at trying to add which permission(s) caused the failure, or were involved in the activity. I don&#8217;t think I&#8217;m familiar enough with the code to make those changes without risking introducing other issues.&lt;/p&gt;

&lt;p&gt;Kurt, I reckon you might be better placed to potentially do this, if you think it makes sense?&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Possible Interim Mitigation&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;A tweak to mod-permissions to change the errors to be a 422 response should mean that folio-ansible marks these responses as success in some circumstances (the testing environment but not snapshot I think) which might temporarily mitigate some of the impact.&lt;/p&gt;

&lt;p&gt;A consequence of that could be to mask the underlying issue: attempts are being made to grant permissions that are not defined.&lt;/p&gt;</comment>
                                                            <comment id="192704" author="5c706fbb47a54a6728e59df2" created="Wed, 21 Mar 2018 14:13:48 +0000"  >&lt;p&gt;Also from &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=63e2a2771b13d42998e4e706&quot; class=&quot;user-hover&quot; rel=&quot;63e2a2771b13d42998e4e706&quot; data-account-id=&quot;63e2a2771b13d42998e4e706&quot; accountid=&quot;63e2a2771b13d42998e4e706&quot; rel=&quot;noreferrer&quot;&gt;Marc Johnson&lt;/a&gt;:&lt;br/&gt;
&lt;b&gt;Inventory Storage Investigation&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;I thought I&#8217;d start with the folio-snapshot build error message as this gave me an immediate hint at where to look (and it is an area I am familiar with):&lt;br/&gt;
&lt;tt&gt;Unable to satisfy dependencies for permission inventory-storage.all&lt;/tt&gt;&lt;/p&gt;

&lt;p&gt;I&#8217;ve found a typo in one of the permission names (see &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODINVSTOR-91&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODINVSTOR-91&lt;/a&gt;) and am pushing a fix for that.&lt;/p&gt;

&lt;p&gt;Will run the folio-snapshot (and then folio-testing) build to see if that is the only discrepancy.&lt;/p&gt;

&lt;p&gt;(As an aside, I wrote a python script to help determine the discrepancies, with the help of a quick diff - &lt;a href=&quot;https://github.com/k-int/mod-inventory-storage/blob/check-permissions/check-permission-discrepancies.py&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/k-int/mod-inventory-storage/blob/check-permissions/check-permission-discrepancies.py&lt;/a&gt;) &lt;/p&gt;</comment>
                                                            <comment id="192708" author="5c706fbb47a54a6728e59df2" created="Wed, 21 Mar 2018 14:15:02 +0000"  >&lt;p&gt;See &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODPERMS-29?focusedCommentId=76802&amp;amp;page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODPERMS-29?focusedCommentId=76802&amp;amp;page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&lt;/a&gt; for an explanation of the effects of the change.&lt;/p&gt;</comment>
                                                            <comment id="192711" author="5c706fbb47a54a6728e59df2" created="Wed, 21 Mar 2018 14:18:42 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f9abc1eb45b2e007453f423&quot; class=&quot;user-hover&quot; rel=&quot;5f9abc1eb45b2e007453f423&quot; data-account-id=&quot;5f9abc1eb45b2e007453f423&quot; accountid=&quot;5f9abc1eb45b2e007453f423&quot; rel=&quot;noreferrer&quot;&gt;John Malconian&lt;/a&gt; has work on branch folio-1051a of folio-ansible that may take care of the issue of assigning permissions.&lt;/p&gt;</comment>
                                                            <comment id="192714" author="5c706fbb47a54a6728e59df2" created="Thu, 22 Mar 2018 20:52:01 +0000"  >&lt;p&gt;Temporary workaround: pinned the folio-testing and folio-snapshot builds to mod-permissions-5.0.1-SNAPSHOT.11.&lt;/p&gt;

&lt;p&gt;Work is in progress on refactoring the Ansible build to use the tenant-admin-permissions role to assign admin permissions. Once the blocking issues are closed, that work should be able to be merged into master and we can remove the pinning for mod-permissions.&lt;/p&gt;</comment>
                                                            <comment id="192717" author="5c706fbb47a54a6728e59df2" created="Thu, 22 Mar 2018 20:54:31 +0000"  >&lt;p&gt;With the workarounds in place, I believe the blocked circ issues can be unblocked &amp;#8211; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=63e2a2771b13d42998e4e706&quot; class=&quot;user-hover&quot; rel=&quot;63e2a2771b13d42998e4e706&quot; data-account-id=&quot;63e2a2771b13d42998e4e706&quot; accountid=&quot;63e2a2771b13d42998e4e706&quot; rel=&quot;noreferrer&quot;&gt;Marc Johnson&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;?&lt;/p&gt;</comment>
                                                            <comment id="192720" author="63e2a2771b13d42998e4e706" created="Fri, 23 Mar 2018 10:20:24 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c706fbb47a54a6728e59df2&quot; class=&quot;user-hover&quot; rel=&quot;5c706fbb47a54a6728e59df2&quot; data-account-id=&quot;5c706fbb47a54a6728e59df2&quot; accountid=&quot;5c706fbb47a54a6728e59df2&quot; rel=&quot;noreferrer&quot;&gt;Wayne Schneider&lt;/a&gt; Yup, I&apos;ll be unblocking and testing them this morning&lt;/p&gt;</comment>
                                                            <comment id="192722" author="5bffed52a1b46046f530c8f7" created="Fri, 23 Mar 2018 10:56:14 +0000"  >&lt;p&gt;I see that one of the blockers, 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;UIREQ-73&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIREQ-73&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Okapi permissionSets contain non-existant subpermission&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            UIREQ-73
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
, has been &quot;fixed&quot; by removing the &lt;tt&gt;notes.domain.requests&lt;/tt&gt; permission from the Requests module; see &lt;a href=&quot;https://github.com/folio-org/ui-requests/pull/58/files&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/ui-requests/pull/58/files&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This can&apos;t be the right solution, can it? The module &lt;em&gt;needs&lt;/em&gt; &lt;tt&gt;notes.domain.requests&lt;/tt&gt; to make and maintain notes, does it not?&lt;/p&gt;</comment>
                                                            <comment id="192725" author="63e2a2771b13d42998e4e706" created="Fri, 23 Mar 2018 11:21:03 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5bffed52a1b46046f530c8f7&quot; class=&quot;user-hover&quot; rel=&quot;5bffed52a1b46046f530c8f7&quot; data-account-id=&quot;5bffed52a1b46046f530c8f7&quot; accountid=&quot;5bffed52a1b46046f530c8f7&quot; rel=&quot;noreferrer&quot;&gt;Mike Taylor&lt;/a&gt; That is an example of an interesting scenario. (Including &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; class=&quot;user-hover&quot; rel=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; data-account-id=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; accountid=&quot;712020:38d1a08f-86a8-4df2-9191-239b16b0a81a&quot; rel=&quot;noreferrer&quot;&gt;Heikki Levanto&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c38e8d616ac1e4f7cbc660a&quot; class=&quot;user-hover&quot; rel=&quot;5c38e8d616ac1e4f7cbc660a&quot; data-account-id=&quot;5c38e8d616ac1e4f7cbc660a&quot; accountid=&quot;5c38e8d616ac1e4f7cbc660a&quot; rel=&quot;noreferrer&quot;&gt;Kurt Nordstrom&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A63e17413-51f9-4a7c-910b-544728833e0f&quot; class=&quot;user-hover&quot; rel=&quot;557058:63e17413-51f9-4a7c-910b-544728833e0f&quot; data-account-id=&quot;557058:63e17413-51f9-4a7c-910b-544728833e0f&quot; accountid=&quot;557058:63e17413-51f9-4a7c-910b-544728833e0f&quot; rel=&quot;noreferrer&quot;&gt;Matt Connolly&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; 
data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; as people who might have more knowledge / opinion about this)&lt;/p&gt;

&lt;p&gt;The current changes to mod-permissions mean that unknown permissions cannot be used, and as far as I can tell &lt;tt&gt;notes.domain.requests&lt;/tt&gt; is not defined in any module.&lt;/p&gt;

&lt;p&gt;What might make this especially interesting is the approach within mod-notes to use a wildcard permission mechanism (&lt;tt&gt;&quot;permissionsDesired&quot;: &lt;span class=&quot;error&quot;&gt;&amp;#91;&amp;quot;notes.domain.*&amp;quot;, &amp;quot;notes.domain.all&amp;quot;&amp;#93;&lt;/span&gt;&lt;/tt&gt;). This allows different domains of notes to be defined outside mod-notes.&lt;/p&gt;

&lt;p&gt;Therefore, the initial question might be (assuming we want this late binding of domains for mod-notes and strong references to permissions within mod-permissions) where could / should those domain permissions be defined?&lt;/p&gt;

&lt;p&gt;In this specific case, I guess UI requests could define the permission itself? Or the supported domains could be defined within mod-notes?&lt;/p&gt;</comment>
                                                            <comment id="192727" author="5bffed52a1b46046f530c8f7" created="Fri, 23 Mar 2018 11:26:56 +0000"  >&lt;p&gt;Thanks, Marc, that&apos;s a nice summary of the problem.&lt;/p&gt;

&lt;p&gt;I &lt;em&gt;think&lt;/em&gt; the best solution is for the server-side module to define the permission for managing notes for that module &amp;#8211; and then the client module can refer to that permission, including it in a higher-level one, if it wants to. For example, mod-users would define &lt;tt&gt;notes.domain.users&lt;/tt&gt;, and ui-users would be at liberty to include this in &lt;tt&gt;ui-users.allPerms&lt;/tt&gt; or something.&lt;/p&gt;</comment>
                                                            <comment id="192731" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Fri, 23 Mar 2018 11:50:46 +0000"  >&lt;p&gt;Yes, I was thinking along those lines when I designed the notes permissions. &lt;/p&gt;</comment>
                                                            <comment id="192734" author="5c706fbb47a54a6728e59df2" created="Fri, 23 Mar 2018 16:04:33 +0000"  >&lt;p&gt;In this particular case, because &lt;tt&gt;ui-requests.all&lt;/tt&gt; contains the subPermission &lt;tt&gt;notes.domain.all&lt;/tt&gt;, removing &lt;tt&gt;notes.domain.requests&lt;/tt&gt; from the permissionSet should not break anything. That said, &lt;tt&gt;ui-requests.all&lt;/tt&gt; probably shouldn&apos;t have &lt;tt&gt;notes.domain.all&lt;/tt&gt; included in it.&lt;/p&gt;

&lt;p&gt;I note that, AFAICT, no other module makes use of &lt;tt&gt;notes.domain.&amp;#42;&lt;/tt&gt; permissions, and no atomic permissionSets for notes domains have been defined in any module that I could find. I have raised issue 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODNOTES-36&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODNOTES-36&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Where to create notes.domain.* permissions?&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            MODNOTES-36
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 to continue this conversation, as I think it is only tangentially related to the current issue around the changed behavior in mod-permissions and how it affects the CI builds.&lt;/p&gt;</comment>
                                                            <comment id="192737" author="5c706fbb47a54a6728e59df2" created="Sun, 25 Mar 2018 23:11:36 +0000"  >&lt;p&gt;Changes merged to folio-ansible and folio-infrastructure.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="34203">MODPERMS-32</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="34204">MODPERMS-33</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="46885">UIIN-136</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="25751">UIREQ-73</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="34200">MODPERMS-29</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzyedj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 23 Mar 2018 10:20:24 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>