slapos_erp5:

* slapos member user are not allowed anymore to create compute node * no need to create a dedicated local_roles from compute node source_administration Only slapos manager will handle compute nodes * duplicate test_default_scenario to happily break it * drop friend/personal in new scenario test * all members can allocation on all compute nodes * give user security group based on function (to access some module) and project/function (to access documents) * only a project computer manager can create compute nodes * only project computer manager is assignor on compute node * need a project assignment to create a compute node * drop group security on Instance Tree * drop group security from Software Instance * project member only need Auditor role on it * add customer project assignment * remove source_administration interaction workflow on Compute Node and add follow_up instead * Software Installation: move interaction workflow from destination_section to follow_up * give role on Software Installation to Project Compute Node Manager * shadow user do not need access to Compute Node anymore * only project comp manager can create SOftware Installation * project customer can create software instance * project customer can create instance tree * project people can only view the project module * also check PAS plugins which are not supposed to be activated * drop PAS shadow user plugins * drop shadow access from compute node module * drop shadow from compute node module * drop shadow role from computer module * drop shadow role from person* portal types * drop shadow role on project module * Revert "slapos_erp5: drop PAS shadow user plugins" Needed for accounting * Revert "slapos_erp5: drop shadow role from person* portal types" * drop Modification permissions if document uses an automated ledger * source_administration is not used anymore on Compute Node * drop transfer from another Project * drop allocation_scope/open categories * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationProject * drop Item_getSecurityCategoryFromMovementDestination * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject * drop ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation * switch event/ticket roles to virtual master security * drop Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection * drop Event_getSecurityCategoryFromMovementFollowUpAggregateDestination * delete Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationSection * drop Item_getSecurityCategoryFromMovementAggregateDestination * drop Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination * drop Item_getSecurityCategoryFromMovementLineAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementLineAggregateDestination * drop Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection * provide access to Compute Node Manager on Upgrade Decision * delivery/movement must use source_project instead of follow_up * delivery/movement must use source_project instead of follow_up * drop query module security * drop Compute Partition roles It must be visible by all project members * instance of the project can access compute nodes * do not make Credit Card readable * drop data set security * only accountant can create/update Account * add function local_role_group * use function local_role_group on Account * use function local_role_group on account * only accountant can read/write accounting transactions. Ledger is used as write condition * accounting period are only readable/writable by accountant * accounting period are only readable/writable by accountant * provide access on compute node to project customer/production * give read access to project production * provide access to production on software installation * switch admin to production manager in tests * no need for group/role in assignment. Use parent function too * provide access to function/production on Instance Tree * provide access to instance for function/production users * provide access to function/production* on support request * provide access to function/production on event module * provide access to regularisation request to function/production * drop roles for DMS portal types It does not seem used. * provide read/write access to function/production to Computer Network * provide access to function/is to System Event * provide access to function/is on Assignment * provide access to person module * provide read only access to project/customer on software product * provide readonly access to project/customer on software release * test set server allocation_scope to open * provide readonly access for project/customer on accounting module * provide readonly access for project/customer on compute node module * use source/destination_project on event/ticket/delivery * security for Subscription Request * production agent/manager can not create Software Instance * drop slap_add_compute_node page * drop slap_project_list page * drop drop slap_transfer_compute_node (and project_view) * drop slap_compute_node_view page

slapos_erp5:
* slapos member user are not allowed anymore to create compute node * no need to create a dedicated local_roles from compute node source_administration Only slapos manager will handle compute nodes * duplicate test_default_scenario to happily break it * drop friend/personal in new scenario test * all members can allocation on all compute nodes * give user security group based on function (to access some module) and project/function (to access documents) * only a project computer manager can create compute nodes * only project computer manager is assignor on compute node * need a project assignment to create a compute node * drop group security on Instance Tree * drop group security from Software Instance * project member only need Auditor role on it * add customer project assignment * remove source_administration interaction workflow on Compute Node and add follow_up instead * Software Installation: move interaction workflow from destination_section to follow_up * give role on Software Installation to Project Compute Node Manager * shadow user do not need access to Compute Node anymore * only project comp manager can create SOftware Installation * project customer can create software instance * project customer can create instance tree * project people can only view the project module * also check PAS plugins which are not supposed to be activated * drop PAS shadow user plugins * drop shadow access from compute node module * drop shadow from compute node module * drop shadow role from computer module * drop shadow role from person* portal types * drop shadow role on project module * Revert "slapos_erp5: drop PAS shadow user plugins" Needed for accounting * Revert "slapos_erp5: drop shadow role from person* portal types" * drop Modification permissions if document uses an automated ledger * source_administration is not used anymore on Compute Node * drop transfer from another Project * drop allocation_scope/open categories * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationSection * drop Item_getSecurityCategoryFromMovementDestinationProject * drop Item_getSecurityCategoryFromMovementDestination * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject * drop ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation * switch event/ticket roles to virtual master security * drop Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection * drop Event_getSecurityCategoryFromMovementFollowUpAggregateDestination * delete Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementAggregateDestinationSection * drop Item_getSecurityCategoryFromMovementAggregateDestination * drop Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection * drop SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination * drop Item_getSecurityCategoryFromMovementLineAggregateDestinationProject * drop Item_getSecurityCategoryFromMovementLineAggregateDestination * drop Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection * provide access to Compute Node Manager on Upgrade Decision * delivery/movement must use source_project instead of follow_up * delivery/movement must use source_project instead of follow_up * drop query module security * drop Compute Partition roles It must be visible by all project members * instance of the project can access compute nodes * do not make Credit Card readable * drop data set security * only accountant can create/update Account * add function local_role_group * use function local_role_group on Account * use function local_role_group on account * only accountant can read/write accounting transactions. Ledger is used as write condition * accounting period are only readable/writable by accountant * accounting period are only readable/writable by accountant * provide access on compute node to project customer/production * give read access to project production * provide access to production on software installation * switch admin to production manager in tests * no need for group/role in assignment. Use parent function too * provide access to function/production on Instance Tree * provide access to instance for function/production users * provide access to function/production* on support request * provide access to function/production on event module * provide access to regularisation request to function/production * drop roles for DMS portal types It does not seem used. * provide read/write access to function/production to Computer Network * provide access to function/is to System Event * provide access to function/is on Assignment * provide access to person module * provide read only access to project/customer on software product * provide readonly access to project/customer on software release * test set server allocation_scope to open * provide readonly access for project/customer on accounting module * provide readonly access for project/customer on compute node module * use source/destination_project on event/ticket/delivery * security for Subscription Request * production agent/manager can not create Software Instance * drop slap_add_compute_node page * drop slap_project_list page * drop drop slap_transfer_compute_node (and project_view) * drop slap_compute_node_view page
056125d1 · Romain Courteaud · 6b28c897 · 056125d1 · 056125d1 · 056125d1
Commit 056125d1 authored May 23, 2022 by Romain Courteaud
146 changed files
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -9,9 +9,9 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
+    <principal id='F-ACCOUNTING'>Author</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/bank.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/bank.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/capital.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/capital.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/coll_vat.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/coll_vat.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/equipments.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/equipments.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/inventories.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/inventories.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payable.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payable.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payment_to_encash.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/payment_to_encash.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/profit_loss.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/profit_loss.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/purchase.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/purchase.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/receivable.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/receivable.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/refundable_vat.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/refundable_vat.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/sales.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/account_module/sales.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Assignor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -8,8 +8,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Assignor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-ACCOUNTING'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-CUSTOMER'>
+   <item>Auditor</item>
+  </role>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -12,15 +15,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_pre_payment_template.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_pre_payment_template.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_wechat_pre_payment_template.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/slapos_wechat_pre_payment_template.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_contract_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_contract_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_pre_payment_subscription_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_pre_payment_subscription_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_wechat_pre_payment_subscription_sale_invoice_transaction.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/accounting_module/template_wechat_pre_payment_subscription_sale_invoice_transaction.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Assignor</item>
+  <role id='F-ACCOUNTING'>
+   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Assignee</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Assignor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-ACCOUNTING'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Assignee</principal>

--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/compute_node_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
-  <role id='R-COMPUTER'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-SHADOW-PERSON'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
 </local_roles>
@@ -19,16 +15,5 @@
  <local_role_group_id id='computer'>
    <principal id='R-COMPUTER'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='shadow'>
-    <principal id='R-SHADOW-PERSON'>Auditor</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_module.xml
 <local_roles_item>
 <local_roles>
+  <role id='G-COMPANY'>
+   <item>Auditor</item>
+  </role>
+  <role id='R-COMPUTER'>
+   <item>Auditor</item>
+  </role>
+  <role id='R-MEMBER'>
+   <item>Auditor</item>
+  </role>
 </local_roles>
+ <local_role_group_ids>
+  <local_role_group_id id='computer'>
+    <principal id='R-COMPUTER'>Auditor</principal>
+  </local_role_group_id>
+  <local_role_group_id id='group'>
+    <principal id='G-COMPANY'>Auditor</principal>
+  </local_role_group_id>
+  <local_role_group_id id='user'>
+    <principal id='R-MEMBER'>Auditor</principal>
+  </local_role_group_id>
+ </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_network_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/computer_network_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
@@ -13,16 +12,11 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-CUSTOMER'>Auditor</principal>
  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/data_set_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/data_set_module.xml
-<local_roles_item>
- <local_roles>
-  <role id='G-COMPANY'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
- </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
-</local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/event_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/event_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-CUSTOMER'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/instance_tree_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
-  <role id='R-INSTANCE'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='R-INSTANCE'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/person_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/person_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
  <role id='R-SHADOW-PERSON'>
@@ -12,15 +11,8 @@
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/project_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
-   <item>Auditor</item>
-  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-SHADOW-PERSON'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='shadow'>
-    <principal id='R-SHADOW-PERSON'>Auditor</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/regularisation_request_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/regularisation_request_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-CUSTOMER'>Auditor</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_installation_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
  <role id='R-COMPUTER'>
   <item>Auditor</item>
  </role>
-  <role id='R-MEMBER'>
-   <item>Auditor</item>
-   <item>Author</item>
-  </role>
 </local_roles>
 <local_role_group_ids>
  <local_role_group_id id='computer'>
    <principal id='R-COMPUTER'>Auditor</principal>
  </local_role_group_id>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_instance_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-COMPUTER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
-  <role id='R-INSTANCE'>
+  <role id='R-COMPUTER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='R-INSTANCE'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_product_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_product_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_release_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/software_release_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
-   <item>Author</item>
-  </role>
-  <role id='R-MEMBER'>
-   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/subscription_request_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/subscription_request_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
 </local_roles>
- <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
- </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/support_request_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/support_request_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-CUSTOMER'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
-  <role id='R-MEMBER'>
+  <role id='F-PRODUCTION*'>
   <item>Auditor</item>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
-  <local_role_group_id id='user'>
-    <principal id='R-MEMBER'>Auditor</principal>
-    <principal id='R-MEMBER'>Author</principal>
+  <local_role_group_id id='function'>
+    <principal id='F-CUSTOMER'>Auditor</principal>
+    <principal id='F-CUSTOMER'>Author</principal>
  </local_role_group_id>
 </local_role_group_ids>
 </local_roles_item>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/LocalRolesTemplateItem/system_event_module.xml
+++ b/master/bt5/slapos_erp5/LocalRolesTemplateItem/system_event_module.xml
 <local_roles_item>
 <local_roles>
-  <role id='G-COMPANY'>
+  <role id='F-IS*'>
   <item>Auditor</item>
-   <item>Author</item>
  </role>
  <role id='R-SHADOW-PERSON'>
   <item>Author</item>
  </role>
 </local_roles>
 <local_role_group_ids>
-  <local_role_group_id id='group'>
-    <principal id='G-COMPANY'>Auditor</principal>
-    <principal id='G-COMPANY'>Author</principal>
-  </local_role_group_id>
  <local_role_group_id id='shadow'>
    <principal id='R-SHADOW-PERSON'>Author</principal>
  </local_role_group_id>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputerModel_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputerModel_edit.xml
@@ -2,65 +2,76 @@
 <ZopeData>
  <record id="1" aka="AAAAAAAAAAE=">
    <pickle>
-      <global name="Interaction Workflow Interaction" module="erp5.portal_type"/>
+      <global name="Category" module="erp5.portal_type"/>
    </pickle>
    <pickle>
      <dictionary>
        <item>
-            <key> <string>categories</string> </key>
+            <key> <string>_Add_portal_content_Permission</string> </key>
            <value>
              <tuple>
-                <string>before_commit_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string>
+                <string>Assignor</string>
+                <string>Manager</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>description</string> </key>
+            <key> <string>_Add_portal_folders_Permission</string> </key>
            <value>
-              <none/>
+              <tuple>
+                <string>Assignor</string>
+                <string>Manager</string>
+              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>id</string> </key>
-            <value> <string>interaction_ComputerModel_edit</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Interaction Workflow Interaction</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type_filter</string> </key>
+            <key> <string>_Copy_or_Move_Permission</string> </key>
            <value>
              <tuple>
-                <string>Computer Model</string>
+                <string>Assignor</string>
+                <string>Manager</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>portal_type_group_filter</string> </key>
+            <key> <string>_Delete_objects_Permission</string> </key>
            <value>
-              <tuple/>
+              <tuple>
+                <string>Assignor</string>
+                <string>Manager</string>
+              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>temporary_document_disallowed</string> </key>
-            <value> <int>1</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_method_id</string> </key>
+            <key> <string>_Modify_portal_content_Permission</string> </key>
            <value>
              <tuple>
-                <string>_setSourceAdministration.*</string>
+                <string>Assignee</string>
+                <string>Assignor</string>
+                <string>Manager</string>
+                <string>Owner</string>
              </tuple>
            </value>
        </item>
        <item>
-            <key> <string>trigger_once_per_transaction</string> </key>
-            <value> <int>1</int> </value>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>function</string> </value>
        </item>
        <item>
-            <key> <string>trigger_type</string> </key>
-            <value> <int>2</int> </value>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Category</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value>
+              <none/>
+            </value>
        </item>
      </dictionary>
    </pickle>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Accountant</property>
+   <property id='description'>Any accountant or accountant manager may create accounts and access accounts</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Account.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Accountant</property>
+   <property id='description'>Only the accountant can validate new accounts.</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Period.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Period.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Company group</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Accountant</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Accountant</property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +15,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Accounting%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Acknowledgement.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Acknowledgement.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Assignment.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Assignment.xml
 <type_roles>
-  <role id='Auditor; Assignor'>
-   <property id='title'>Company group</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor'>
+   <property id='title'>Information System</property>
+   <property id='description'>XXX local role group</property>
+   <multi_property id='category'>function/is*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Balance%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Balance%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node%20Module.xml
@@ -5,22 +5,14 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Auditor; Author'>
+  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Node.xml
 <type_roles>
  <role id='Auditor'>
-   <property id='title'>Allocation scope</property>
-   <property id='condition'>python: here.getAllocationScope('').startswith('open')</property>
-   <property id='base_category_script'>ComputeNode_getSecurityCategoryFromAllocationScope</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='base_category'>aggregate</multi_property>
+   <property id='title'>Project Customer</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Compute Node Agent</property>
-   <property id='description'>Monovalued role</property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>source_administration</multi_property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Self Compute Node</property>
@@ -38,4 +30,11 @@
   <multi_property id='categories'>local_role_group/computer</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Software Instance</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>role/instance</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Partition.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Compute%20Partition.xml
-<type_roles>
-  <role id='Auditor'>
-   <property id='title'>Customer of the partition</property>
-   <property id='condition'>python: here.getSlapState() == "busy"</property>
-   <property id='base_category_script'>ComputePartition_getSecurityCategoryFromUser</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Software Instance group related to Compute Partition</property>
-   <property id='condition'>python: here.getSlapState() == "busy"</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree</property>
-   <multi_property id='categories'>local_role_group/subscription</multi_property>
-   <multi_property id='base_category'>aggregate</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Module.xml
@@ -17,10 +17,4 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network%20Module.xml
 <type_roles>
-  <role id='Auditor; Author'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Auditor; Author'>
+  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +11,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Computer%20Network.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Person Owner</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>source_administration</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
   <multi_property id='categories'>local_role_group/shadow</multi_property>
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Project Customer</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Credit%20Card.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Credit%20Card.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set%20Module.xml
-<type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Data%20Set.xml
-<type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Event%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Event%20Module.xml
 <type_roles>
  <role id='Auditor; Author'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Member</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Fax%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Fax%20Message.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Incident%20Response.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Incident%20Response.xml
 <type_roles>
  <role id='Assignor'>
-   <property id='title'>Company group</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Project Compute Node Manager</property>
+   <property id='description'>XXX project local role group</property>
+   <property id='condition'>python: context.getSourceProject("", portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree%20Module.xml
@@ -4,21 +4,19 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group Company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Instance</property>
   <multi_property id='category'>role/instance</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Instance%20Tree.xml
@@ -5,23 +5,21 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group Company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>Related Software Instance Group</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Letter.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Letter.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Mail%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Mail%20Message.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Note.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Note.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Open%20Sale%20Order.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Open%20Sale%20Order.xml
 <type_roles>
  <role id='Assignor'>
   <property id='title'>Group company</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
   <multi_property id='category'>group/company</multi_property>
   <multi_property id='base_category'>group</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payment%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payment%20Transaction.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Person Shadow</property>
   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') == ""</property>
@@ -12,6 +6,13 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor'>
   <property id='title'>Shadow User</property>
   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') != ''</property>
@@ -21,9 +22,16 @@
  </role>
  <role id='Auditor'>
   <property id='title'>User</property>
-   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') != ''</property>
+   <property id='condition'>python: (here.getDestinationSection('', portal_type='Person') != '') and (context.getLedger("") == "automated")</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payzen%20Event.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payzen%20Event.xml
 <type_roles>
  <role id='Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Information System</property>
+   <property id='description'>XXX local role group</property>
+   <multi_property id='category'>function/is*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>Shadow User</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Person%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Person%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Person Shadow</property>
@@ -17,4 +10,9 @@
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Phone%20Call.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Phone%20Call.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project%20Module.xml
@@ -4,22 +4,16 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor; Author'>
-   <property id='title'>Customer</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor'>
+   <property id='title'>Project Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Person Owner</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_decision</multi_property>
-  </role>
  <role id='Auditor'>
-   <property id='title'>Person Shadow</property>
-   <multi_property id='categories'>local_role_group/shadow</multi_property>
-   <multi_property id='category'>role/shadow/person</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
-  <role id='Assignee'>
   <property id='title'>Project Member</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromSelf</property>
   <multi_property id='categories'>local_role_group/project</multi_property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Purchase%20Invoice%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Purchase%20Invoice%20Transaction.xml
 <type_roles>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Query.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Query.xml
-<type_roles>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Regularisation%20Request.xml
@@ -6,11 +6,21 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Member can see template</property>
@@ -19,4 +29,20 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Sale%20Invoice%20Transaction.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Sale%20Invoice%20Transaction.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Person Shadow</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
   <multi_property id='categories'>local_role_group/shadow</multi_property>
   <multi_property id='category'>role/shadow/person</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>ReadOnly for Accountant</property>
+   <property id='condition'>python: context.getLedger("") == "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor'>
   <property id='title'>User</property>
-   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') != ''</property>
+   <property id='condition'>python: (here.getDestinationSection('', portal_type='Person') != '') and (context.getLedger("") == "automated")</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
+  <role id='Assignor'>
+   <property id='title'>Writable for Accountant</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Short%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Short%20Message.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Site%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Site%20Message.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
@@ -11,12 +11,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Instance related by Instance Tree</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
@@ -24,16 +18,20 @@
   <multi_property id='base_category'>specialise</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
  <role id='Assignor'>
   <property id='title'>Software Instance which provides this Slave Instance</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation%20Module.xml
@@ -5,16 +5,11 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Production</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Installation.xml
@@ -5,28 +5,20 @@
   <multi_property id='categories'>local_role_group/computer</multi_property>
   <multi_property id='base_category'>aggregate</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX project local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Provider of the Installation</property>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX project local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance%20Module.xml
@@ -4,21 +4,19 @@
   <multi_property id='category'>role/computer</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor; Author'>
   <property id='title'>Instance</property>
   <multi_property id='category'>role/instance</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
@@ -11,12 +11,6 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
   <property id='title'>Instance related by Instance Tree</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
@@ -24,15 +18,19 @@
   <multi_property id='base_category'>specialise</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Product.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-  <role id='Auditor; Author'>
+  <role id='Auditor'>
   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Release.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Subscription%20Request%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Subscription%20Request%20Module.xml
 <type_roles>
-  <role id='Auditor; Author'>
-   <property id='title'>Company group</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Subscription%20Request.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Subscription%20Request.xml
 <type_roles>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Company group</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor; Author'>
+   <property id='title'>Production</property>
+   <multi_property id='category'>function/production*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor; Author'>
-   <property id='title'>Member</property>
-   <multi_property id='categories'>local_role_group/user</multi_property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
+   <property id='title'>Project Customer</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Support%20Request.xml
@@ -6,11 +6,21 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>destination_decision</multi_property>
  </role>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Auditor'>
   <property id='title'>Member can see template</property>
@@ -19,22 +29,20 @@
   <multi_property id='category'>role/member</multi_property>
   <multi_property id='base_category'>role</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
-  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/System%20Event%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/System%20Event%20Module.xml
 <type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Auditor'>
+   <property id='title'>Information System</property>
+   <property id='description'>XXX local role group</property>
+   <multi_property id='category'>function/is*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Author'>
   <property id='title'>Person Shadow</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision%20Module.xml
 <type_roles>
  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
+   <property id='title'>Compute Node Manager</property>
+   <property id='description'>XXX TODO
+add local roles group</property>
   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='category'>function/computer/manager</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Auditor; Author'>
   <property id='title'>Member</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Upgrade%20Decision.xml
 <type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
  <role id='Assignee'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Assignee'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>User</property>

--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Visit.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Visit.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Message.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Message.xml
@@ -15,28 +15,36 @@
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>source</multi_property>
  </role>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Destination Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (Compute Node)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination_section</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Destination Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getDestinationProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Organisation Member (HS)</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</property>
-   <multi_property id='categories'>local_role_group/organisation</multi_property>
-   <multi_property id='base_category'>destination</multi_property>
+  <role id='Assignee'>
+   <property id='title'>Source Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
-  <role id='Auditor'>
-   <property id='title'>Project Member</property>
-   <property id='base_category_script'>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</property>
-   <multi_property id='categories'>local_role_group/project</multi_property>
-   <multi_property id='base_category'>destination_project</multi_property>
+  <role id='Assignor'>
+   <property id='title'>Source Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getSourceProject('', portal_type='Project') != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page%20Module.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page%20Module.xml
-<type_roles>
-  <role id='Author; Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Web%20Page.xml
-<type_roles>
-  <role id='Assignor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
-  </role>
-</type_roles>
\ No newline at end of file
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Wechat%20Event.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Wechat%20Event.xml
 <type_roles>
  <role id='Auditor'>
-   <property id='title'>Group company</property>
-   <multi_property id='categories'>local_role_group/group</multi_property>
-   <multi_property id='category'>group/company</multi_property>
-   <multi_property id='base_category'>group</multi_property>
+   <property id='title'>Information System</property>
+   <property id='description'>XXX local role group</property>
+   <multi_property id='category'>function/is*</multi_property>
+   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignee'>
   <property id='title'>Shadow User</property>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/WebSection_getHostingJSPrecacheManifestList.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_base/WebSection_getHostingJSPrecacheManifestList.py
@@ -12,8 +12,6 @@ url_list = [
  "gadget_slapos_login_page.css",
  "gadget_erp5_page_slap_accept_upgrade_decision.html",
  "gadget_erp5_page_slap_accept_upgrade_decision.js",
-  "gadget_erp5_page_slap_add_compute_node.html",
-  "gadget_erp5_page_slap_add_compute_node.js",
  "gadget_erp5_page_slap_add_instance_tree.html",
  "gadget_erp5_page_slap_add_instance_tree.js",
  "gadget_erp5_page_slap_add_network.html",
@@ -56,8 +54,6 @@ url_list = [
  "gadget_erp5_page_slap_compute_node_request_certificate.js",
  "gadget_erp5_page_slap_compute_node_revoke_certificate.html",
  "gadget_erp5_page_slap_compute_node_revoke_certificate.js",
-  "gadget_erp5_page_slap_compute_node_view.html",
-  "gadget_erp5_page_slap_compute_node_view.js",
  "gadget_erp5_page_slap_cloud_contract_view.js",
  "gadget_erp5_page_slap_cloud_contract_view.html",
  "gadget_erp5_page_slap_request_contract_activation.js",
@@ -105,10 +101,6 @@ url_list = [
  "gadget_erp5_page_slap_person_request_certificate.js",
  "gadget_erp5_page_slap_person_view.html",
  "gadget_erp5_page_slap_person_view.js",
-  "gadget_erp5_page_slap_project_list.html",
-  "gadget_erp5_page_slap_project_list.js",
-  "gadget_erp5_page_slap_project_view.html",
-  "gadget_erp5_page_slap_project_view.js",
  "gadget_erp5_page_slap_regularisation_request_view.html",
  "gadget_erp5_page_slap_regularisation_request_view.js",
  "gadget_erp5_page_slap_rss_ticket.html",
@@ -138,8 +130,6 @@ url_list = [
  "gadget_erp5_page_slap_ticket_list.html",
  "gadget_erp5_page_slap_ticket_list.js",
  "gadget_erp5_page_slap_ticket_view.js",
-  "gadget_erp5_page_slap_transfer_compute_node.html",
-  "gadget_erp5_page_slap_transfer_compute_node.js",
  "gadget_erp5_page_slap_transfer_instance_tree.html",
  "gadget_erp5_page_slap_transfer_instance_tree.js",
  "gadget_erp5_page_slap_transfer_computer_network.html",

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ComputeNode_getSecurityCategoryFromAllocationScope</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputeNode_getSecurityCategoryFromAllocationScope.py
@@ -13,12 +13,7 @@ if obj is None:

 compute_node = obj

-category_list = []
-
-scope = compute_node.getAllocationScope()
-if scope == 'open/public':
-  return {"Auditor": ["R-SHADOW-PERSON"]}
-elif scope == 'open/subscription':
+if compute_node.getValidationState() == 'validated':
  return {"Auditor": ["R-SHADOW-PERSON"]}

-return category_list
+return []
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.xml
@@ -6,18 +6,18 @@
    </pickle>
    <pickle>
      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
        <item>
            <key> <string>_bind_names</string> </key>
            <value>
              <object>
                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
+                </klass>
+                <tuple/>
                <state>
                  <dictionary>
                    <item>
@@ -62,7 +62,7 @@
        </item>
        <item>
            <key> <string>id</string> </key>
-            <value> <string>ComputePartition_getSecurityCategoryFromUser</string> </value>
+            <value> <string>ComputeNode_getSecurityCategoryFromValidationState</string> </value>
        </item>
      </dictionary>
    </pickle>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ComputePartition_getSecurityCategoryFromUser.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-partition = obj
-for instance in partition.getPortalObject().portal_catalog(
-    portal_type=["Software Instance", "Slave Instance"],
-    validation_state="validated",
-    default_aggregate_uid=partition.getUid()):
-  if instance is not None:
-    instance_tree = instance.getSpecialiseValue(portal_type="Instance Tree")
-    if instance_tree is not None:
-      person = instance_tree.getDestinationSectionValue(portal_type="Person")
-      if person is not None:
-        for base_category in base_category_list:
-          category_list.append({base_category: [person.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.py
-"""This scripts set ups role of aggregate related Software Instance
-
-This is simple implementation, instead of generic related category with portal type,
-which would not be configurable in Role Definition anyway."""
-
-category_list = []
-
-if obj is None:
-  return []
-
-software_instance_list = obj.getPortalObject().portal_catalog(
-  portal_type='Software Instance',
-  default_aggregate_uid=obj.getUid(),
-  limit=2
-)
-
-if len(software_instance_list) == 1:
-  instance_tree = software_instance_list[0].getSpecialise(portal_type='Instance Tree')
-  for base_category in base_category_list:
-    category_list.append({base_category: instance_tree})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Assignee</string>
-                <string>Assignor</string>
-                <string>Associate</string>
-                <string>Auditor</string>
-                <string>Authenticated</string>
-                <string>Author</string>
-                <string>Manager</string>
-                <string>Member</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_function</string> </key>
-            <value> <string>getSecurityCategoryFromAssignmentDestinationClientOrganisation</string> </value>
-        </item>
-        <item>
-            <key> <string>_module</string> </key>
-            <value> <string>SlapOSSecurity</string> </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
@@ -8,16 +8,18 @@ deprecated ERP5Type_asSecurityGroupIdList

 return (
  # Person security
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['group']),
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['role']),
+  ('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
+  ('ERP5Type_getSecurityCategoryFromAssignmentParent', ['function']),
+  # XXX TODO check that only validated project are used
  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
-  ('ERP5Type_getSecurityCategoryFromAssignmentDestinationClientOrganisation', ['destination']),
+  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
  
  # Compute Node security
  ('ERP5Type_getComputeNodeSecurityCategory', ['role']),

  # Instance security
  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['role']),
+  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project', 'role']),
  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['aggregate']),

 )
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object here is a event
-ticket = obj.getFollowUpValue()
-if ticket is None:
-  return []
-
-aggregate_value = ticket.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Event_getSecurityCategoryFromMovementFollowUpAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = obj.getAggregateValue()
-if aggregate_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementAggregateDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementAggregateDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = obj.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = obj.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = obj.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-    
-if aggregate_value is None:
-  return []
-
-# Only proceed if aggregate is a Compute Node
-if aggregate_value.getPortalType() != "Compute Node":
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = aggregate_value.Item_getCurrentOwnerValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination_section': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateComputeNodeDestinationSection</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-
-if aggregate_value is None:
-  return []
-
-# Limit the scope arround Instance tree otherwise we
-# Leak security on the Compute Nodes placed on the same site.
-if aggregate_value.getPortalType() != "Instance Tree":
-  return []
-
-organisation = aggregate_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-aggregate_value = None
-for line in obj.objectValues():
-  aggregate_value = line.getAggregateValue()
-  if aggregate_value is not None:
-    break
-
-if aggregate_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = aggregate_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Item_getSecurityCategoryFromMovementLineAggregateDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>Item_getSecurityCategoryFromMovementLineAggregateDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-
-specialise_value = obj.getSpecialiseValue()
-if specialise_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-organisation = specialise_value.Item_getCurrentSiteValue()
-if organisation is not None and \
-  organisation.getPortalType() == "Organisation":
-  category_list.append({'destination': [organisation.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestination</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.py
-"""
-This script returns a list of dictionaries which represent
-the security groups which a person is member of. It extracts
-the categories from the current content. It is useful in the
-following cases:
-
- calculate a security group based on a given
-  category of the current object (ex. group). This
-  is used for example in ERP5 DMS to calculate
-  document security.
-
- assign local roles to a document based on
-  the person which the object related to through
-  a given base category (ex. destination). This
-  is used for example in ERP5 Project to calculate
-  Task / Task Report security.
-
-The parameters are
-
-  base_category_list -- list of category values we need to retrieve
-  user_name          -- string obtained from getSecurityManager().getUser().getId()
-  object             -- object which we want to assign roles to
-  portal_type        -- portal type of object
-
-NOTE: for now, this script requires proxy manager
-"""
-
-category_list = []
-
-if obj is None:
-  return []
-
-specialise_value = obj.getSpecialiseValue()
-if specialise_value is None:
-  return []
-
-# Object on this case can be Instance Tree, Compute Node, or Computer Network
-project = specialise_value.Item_getCurrentProjectValue()
-if project is not None:
-  category_list.append({'destination_project': [project.getRelativeUrl()]})
-
-return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>SoftwareInstance_getSecurityCategoryFromMovementSpecialiseDestinationProject</string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_erp5/CertificateAuthorityTool_checkSlapOSPASConsistency.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_erp5/CertificateAuthorityTool_checkSlapOSPASConsistency.py
@@ -9,9 +9,12 @@ slapos_plugin_dict = {
    'ERP5 Facebook Extraction Plugin'
  ],
  'IGroupsPlugin': [
+    'ZODB Group Manager',
    'SlapOS Shadow Authentication Plugin',
+    'ERP5 Group Manager'
  ],
  'IUserEnumerationPlugin': [
+    'ZODB User Manager',
    'SlapOS Shadow Authentication Plugin',
    'ERP5 Login User Manager'
  ]
@@ -37,6 +40,18 @@ def mergePASDictDifference(portal, d, fixit):
            error += ' Fixed.'
        error_list.append(error)

+    for activated_plugin in meta_type_list:
+      if activated_plugin not in active_list:
+        error = 'Plugin %s must not be activated %s.' % (plugin, activated_plugin)
+        if fixit:
+          existing = [q for q in portal.acl_users.objectValues() if q.meta_type == activated_plugin]
+          if len(existing) == 0:
+            error_list.append('%s not found' % activated_plugin)
+          else:
+            plugins.deactivatePlugin(plugin_info['interface'], existing[0].getId())
+            error += ' Fixed.'
+        error_list.append(error)
+
  return error_list

 pas_difference = mergePASDictDifference(portal, slapos_plugin_dict, fixit)

--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5DefaultScenario.py
@@ -25,6 +25,228 @@ import re

 class TestSlapOSDefaultScenario(DefaultScenarioMixin):

+  """
+  def addSlapOSAdministratorAssignment(self, person):
+    person.newContent(
+      portal_type='Assignment',
+      # XXX should be project/function instead
+      group='company'
+    ).open()
+"""
+  def addProjectProductionManagerAssignment(self, person, project):
+    person.newContent(
+      portal_type='Assignment',
+      destination_project_value=project,
+      function='production/manager'
+    ).open()
+
+  def addProjectCustomerAssignment(self, person, project):
+    person.newContent(
+      portal_type='Assignment',
+      destination_project_value=project,
+      function='customer'
+    ).open()
+
+  def addProject(self):
+    project = self.portal.project_module.newContent(
+      portal_type='Project',
+      title='project-%s' % self.generateNewId()
+    )
+    project.validate()
+    return project
+
+  def test_new_default_scenario(self):
+    # create a default project
+    project = self.addProject()
+
+    # some preparation
+    self.logout()
+    self.web_site = self.portal.web_site_module.hostingjs
+
+    # lets join as slapos administrator, which will own few compute_nodes
+    owner_reference = 'owner-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, owner_reference)
+
+    self.login()
+    owner_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=owner_reference).getParentValue()
+
+    # first slapos administrator assignment can only be created by
+    # the erp5 manager
+    self.addProjectProductionManagerAssignment(owner_person, project)
+    self.tic()
+
+    # hooray, now it is time to create compute_nodes
+    self.login(owner_person.getUserId())
+
+    public_server_title = 'Public Server for %s' % owner_reference
+    public_server_id = self.requestComputeNode(public_server_title, project.getReference())
+    public_server = self.portal.portal_catalog.getResultValue(
+        portal_type='Compute Node', reference=public_server_id)
+    self.setAccessToMemcached(public_server)
+    self.assertNotEqual(None, public_server)
+    self.setServerOpenPublic(public_server)
+
+    # and install some software on them
+    public_server_software = self.generateNewSoftwareReleaseUrl()
+    self.supplySoftware(public_server, public_server_software)
+
+    # format the compute_nodes
+    self.formatComputeNode(public_server)
+
+    # join as the another visitor and request software instance on public
+    # compute_node
+    self.logout()
+    public_reference = 'public-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, public_reference)
+
+    self.login()
+    public_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=public_reference).getParentValue()
+    self.addProjectCustomerAssignment(public_person, project)
+
+    public_instance_title = 'Public title %s' % self.generateNewId()
+    public_instance_type = 'public type'
+    self.checkInstanceAllocation(public_person.getUserId(),
+        public_reference, public_instance_title,
+        public_server_software, public_instance_type,
+        public_server, project.getReference())
+
+
+    # turn public guy to a friend and check that he can allocate slave
+    # instance on instance provided by friend
+
+    self.login()
+    public_person = self.portal.portal_catalog.getResultValue(
+      portal_type='ERP5 Login', reference=public_reference).getParentValue()
+    self.login(owner_person.getUserId())
+
+    # and the instances
+    self.checkInstanceUnallocation(public_person.getUserId(),
+        public_reference, public_instance_title,
+        public_server_software, public_instance_type, public_server,
+        project.getReference())
+
+    # and uninstall some software on them
+    self.logout()
+    self.login(owner_person.getUserId())
+    self.supplySoftware(public_server, public_server_software,
+                        state='destroyed')
+
+    self.logout()
+    # Uninstall from compute_node
+    self.login()
+    self.simulateSlapgridSR(public_server)
+
+    # check the Open Sale Order coverage
+    self.stepCallSlaposRequestUpdateInstanceTreeOpenSaleOrderAlarm()
+    self.tic()
+
+    self.logout()
+    self.login()
+
+    self.assertOpenSaleOrderCoverage(public_reference)
+
+    # generate simulation for open order
+    self.stepCallUpdateOpenOrderSimulationAlarm()
+    self.tic()
+
+    # build subscription packing list
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+
+    # stabilise build deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # build aggregated packing list
+    self.stepCallSlaposTriggerAggregatedDeliveryOrderBuilderAlarm()
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # start aggregated deliveries
+    self.stepCallSlaposStartConfirmedAggregatedSalePackingListAlarm(
+        accounting_date=DateTime('2222/01/01'))
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # deliver aggregated deliveries
+    self.stepCallSlaposDeliverStartedAggregatedSalePackingListAlarm()
+    self.tic()
+
+    # stabilise aggregated deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # build aggregated invoices
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+
+    # stabilise aggregated invoices and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # update invoices with their tax & discount
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # update invoices with their tax & discount transaction lines
+    self.stepCallSlaposTriggerBuildAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    # stop the invoices and solve them again
+    self.stepCallSlaposStopConfirmedAggregatedSaleInvoiceTransactionAlarm()
+    self.tic()
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    builder = self.portal.portal_orders.slapos_payment_transaction_builder
+    for _ in range(500):
+      # build the aggregated payment
+      self.stepCallSlaposTriggerPaymentTransactionOrderBuilderAlarm()
+      self.tic()
+      # If there is something unbuild recall alarm.
+      if len(builder.OrderBuilder_generateUnrelatedInvoiceList()):
+        break
+
+    # start the payzen payment
+    self.stepCallSlaposPayzenUpdateConfirmedPaymentAlarm()
+    self.tic()
+
+    # stabilise the payment deliveries and expand them
+    self.stepCallSlaposManageBuildingCalculatingDeliveryAlarm()
+    self.tic()
+
+    """
+    self.logout()
+    self.login('ERP5TypeTestCase')
+
+    # trigger the CRM interaction
+    self.stepCallSlaposCrmCreateRegularisationRequestAlarm()
+    self.tic()
+
+    self.logout()
+    self.login()
+
+    # check final document state
+    for person_reference in (owner_reference, ):
+      person = self.portal.portal_catalog.getResultValue(
+        portal_type='ERP5 Login', reference=person_reference).getParentValue()
+      self.assertPersonDocumentCoverage(person)
+"""
+
  def test_default_scenario(self):
    # some preparation
    self.logout()
@@ -43,7 +265,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    self.login(owner_person.getUserId())

    public_server_title = 'Public Server for %s' % owner_reference
-    public_server_id = self.requestComputeNode(public_server_title)
+    public_server_id = self.requestComputeNode(public_server_title, 'XXX')
    public_server = self.portal.portal_catalog.getResultValue(
        portal_type='Compute Node', reference=public_server_id)
    self.setAccessToMemcached(public_server)
@@ -52,7 +274,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    public_server.generateCertificate()

    personal_server_title = 'Personal Server for %s' % owner_reference
-    personal_server_id = self.requestComputeNode(personal_server_title)
+    personal_server_id = self.requestComputeNode(personal_server_title, 'XXX')
    personal_server = self.portal.portal_catalog.getResultValue(
        portal_type='Compute Node', reference=personal_server_id)
    self.setAccessToMemcached(personal_server)
@@ -87,7 +309,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    self.checkInstanceAllocation(public_person.getUserId(),
        public_reference, public_instance_title,
        public_server_software, public_instance_type,
-        public_server)
+        public_server, 'XXX')

    # join as other person and request a software instance on compute_node
    # configured by owner
@@ -132,7 +354,7 @@ class TestSlapOSDefaultScenario(DefaultScenarioMixin):
    # and the instances
    self.checkInstanceUnallocation(public_person.getUserId(),
        public_reference, public_instance_title,
-        public_server_software, public_instance_type, public_server)
+        public_server_software, public_instance_type, public_server, 'XXX')

    self.checkInstanceUnallocation(other_person.getUserId(),
       other_reference, other_instance_title,
@@ -363,7 +585,7 @@ class TestSlapOSDefaultCRMEscalation(DefaultScenarioMixin):
    public_instance_type = 'public type'
    public_server_software = self.generateNewSoftwareReleaseUrl()
    self.requestInstance(person.getUserId(), public_instance_title,
-        public_server_software, public_instance_type)
+        public_server_software, public_instance_type, 'XXX')

    # check the Open Sale Order coverage
    self.stepCallSlaposRequestUpdateInstanceTreeOpenSaleOrderAlarm()
@@ -551,4 +773,4 @@ class TestSlapOSDefaultCRMEscalation(DefaultScenarioMixin):
    self.tic()

    # check final document state
-    self.assertPersonDocumentCoverage(person)
\ No newline at end of file
+    self.assertPersonDocumentCoverage(person)
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_edit.xml
@@ -51,9 +51,11 @@
            <value>
              <tuple>
                <string>_setUserId.*</string>
-                <string>_setSourceAdministration.*</string>
+                <string>_setFollowUp.*</string>
                <string>_setAllocationScope.*</string>
                <string>_setDestinationSection.*</string>
+                <string>validate</string>
+                <string>invalidate</string>
              </tuple>
            </value>
        </item>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputerNetwork_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputerNetwork_edit.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="Interaction Workflow Interaction" module="erp5.portal_type"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>categories</string> </key>
-            <value>
-              <tuple>
-                <string>before_commit_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>description</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>interaction_ComputerNetwork_edit</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Interaction Workflow Interaction</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type_filter</string> </key>
-            <value>
-              <tuple>
-                <string>Computer Network</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>portal_type_group_filter</string> </key>
-            <value>
-              <tuple/>
-            </value>
-        </item>
-        <item>
-            <key> <string>temporary_document_disallowed</string> </key>
-            <value> <int>1</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_method_id</string> </key>
-            <value>
-              <tuple>
-                <string>_setSourceAdministration.*</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>trigger_once_per_transaction</string> </key>
-            <value> <int>1</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_type</string> </key>
-            <value> <int>2</int> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_InternalPackingListLine_setAggregate.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_InternalPackingListLine_setAggregate.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="Interaction Workflow Interaction" module="erp5.portal_type"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>categories</string> </key>
-            <value>
-              <tuple>
-                <string>before_commit_script/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>description</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>interaction_InternalPackingListLine_setAggregate</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Interaction Workflow Interaction</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type_filter</string> </key>
-            <value>
-              <tuple>
-                <string>Internal Packing List Line</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>portal_type_group_filter</string> </key>
-            <value>
-              <tuple/>
-            </value>
-        </item>
-        <item>
-            <key> <string>temporary_document_disallowed</string> </key>
-            <value> <int>0</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_method_id</string> </key>
-            <value>
-              <tuple>
-                <string>_setAggregate.*</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>trigger_once_per_transaction</string> </key>
-            <value> <int>0</int> </value>
-        </item>
-        <item>
-            <key> <string>trigger_type</string> </key>
-            <value> <int>2</int> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstallation_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstallation_edit.xml
@@ -51,7 +51,7 @@
            <value>
              <tuple>
                <string>_setAggregate.*</string>
-                <string>_setDestinationSection.*</string>
+                <string>_setFollowUp.*</string>
              </tuple>
            </value>
        </item>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.py
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.py
-from Products.ZSQLCatalog.SQLCatalog import SimpleQuery, ComplexQuery
-
-portal_type_list = ['Compute Node', 'Computer Network', 'Instance Tree']
-portal = context.getPortalObject()
-internal_packing_list_line = state_change['object']
-after_tag = (internal_packing_list_line.getPath(), ('immediateReindexObject', 'recursiveImmediateReindexObject'))
-internal_packing_list_line.getParentValue().reindexObject()
-for object_ in internal_packing_list_line.getAggregateValueList(portal_type=portal_type_list):
-  object_.activate(after_path_and_method_id=after_tag).updateLocalRolesOnSecurityGroups()
-  if object_.getPortalType() == "Compute Node":
-    portal.portal_catalog.searchAndActivate(
-      portal_type=["Software Installation", "Support Request","Upgrade Decision Line"],
-      aggregate__uid=object_.getUid(),
-      method_id="Base_updateSlapOSLocalRolesOnSecurityGroups",
-      method_kw=dict(activate_kw={"after_path_and_method_id": after_tag}),
-      activate_kw={"after_path_and_method_id": after_tag}
-    )
-  elif object_.getPortalType() == "Instance Tree":
-    query = ComplexQuery(
-      ComplexQuery(
-        SimpleQuery(portal_type=["Software instance", "Slave Instance"]),
-        SimpleQuery(default_specialise_uid=object_.getUid()),
-        logical_operator="AND"),
-      ComplexQuery(
-        SimpleQuery(portal_type=["Support Request", "Upgrade Decision Line"]),
-        SimpleQuery(aggregate__uid=object_.getUid()),
-        logical_operator="AND"),
-      logical_operator="OR"
-    )
-    portal.portal_catalog.searchAndActivate(
-      query=query,
-      method_id="Base_updateSlapOSLocalRolesOnSecurityGroups",
-      method_kw=dict(activate_kw={"after_path_and_method_id": after_tag}),
-      activate_kw={"after_path_and_method_id": after_tag}
-    )
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_InternalPackingListLine_updateAggregateLocalRoles.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="Workflow Script" module="erp5.portal_type"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="_reconstructor" module="copy_reg"/>
-                </klass>
-                <tuple>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                  <global name="object" module="__builtin__"/>
-                  <none/>
-                </tuple>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>state_change</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>script_InternalPackingListLine_updateAggregateLocalRoles</string> </value>
-        </item>
-        <item>
-            <key> <string>portal_type</string> </key>
-            <value> <string>Workflow Script</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/bt/template_local_role_list
+++ b/master/bt5/slapos_erp5/bt/template_local_role_list
@@ -34,14 +34,6 @@ credential_update_module
 currency_module
 currency_module/CNY
 currency_module/EUR
-data_array_module
-data_ingestion_module
-data_mapping_module
-data_operation_module
-data_set_module
-data_stream_module
-data_supply_module
-data_transformation_module
 document_ingestion_module
 document_module
 event_module
@@ -111,4 +103,4 @@ subscription_request_module
 support_request_module
 support_request_module/slapos_crm_support_request_template
 system_event_module
-upgrade_decision_module
\ No newline at end of file
+upgrade_decision_module
--- a/master/bt5/slapos_erp5/bt/template_portal_type_role_list
+++ b/master/bt5/slapos_erp5/bt/template_portal_type_role_list
@@ -18,7 +18,6 @@ Cloud Contract
 Cloud Contract Module
 Compute Node
 Compute Node Module
-Compute Partition
 Computer Consumption TioXML File
 Computer Model
 Computer Model Module
@@ -31,22 +30,6 @@ Credential Update Module
 Credit Card
 Currency
 Currency Module
-Data Array
-Data Array Module
-Data Ingestion
-Data Ingestion Module
-Data Mapping
-Data Mapping Module
-Data Operation
-Data Operation Module
-Data Set
-Data Set Module
-Data Stream
-Data Stream Module
-Data Supply
-Data Supply Module
-Data Transformation
-Data Transformation Module
 Document Ingestion Module
 Document Module
 ERP5 Login
@@ -82,7 +65,6 @@ Product Module
 Project
 Project Module
 Purchase Invoice Transaction
-Query
 Regularisation Request
 Regularisation Request Module
 Restricted Access Token
@@ -117,7 +99,4 @@ User Consumption HTML File
 Visit
 Web Illustration
 Web Message
-Web Page
-Web Page Module
-Web Table
-Wechat Event
\ No newline at end of file
+Wechat Event