/* ============================================================================
   META – SECURITY BASELINE
   Ziel: Direkte DML auf Konfigurationstabellen unterbinden,
         Zugriff über freigegebene Prozeduren steuern.
   ============================================================================ */

USE [DD_IIM];
GO

IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'RL_META_CFG_EXEC')
BEGIN
    CREATE ROLE [RL_META_CFG_EXEC] AUTHORIZATION [dbo];
END;
GO

DENY INSERT, UPDATE, DELETE ON OBJECT::[_meta].[TBDD_CFG_SYSTEM_INFO] TO [public];
DENY INSERT, UPDATE, DELETE ON OBJECT::[_meta].[TBDD_CFG_FUNCTION_MODULE] TO [public];
GO

GRANT EXECUTE ON OBJECT::[_meta].[PRDD_UPSERT_SYSTEM_INFO] TO [RL_META_CFG_EXEC];
GRANT EXECUTE ON OBJECT::[_meta].[PRDD_DELETE_SYSTEM_INFO] TO [RL_META_CFG_EXEC];
GRANT EXECUTE ON OBJECT::[_meta].[PRDD_UPSERT_FUNCTION_MODULE] TO [RL_META_CFG_EXEC];
GRANT EXECUTE ON OBJECT::[_meta].[PRDD_DELETE_FUNCTION_MODULE] TO [RL_META_CFG_EXEC];
GO

/* Mitgliedschaften projektspezifisch vergeben, z. B.:
ALTER ROLE [RL_META_CFG_EXEC] ADD MEMBER [<AppUserOderRole>];
*/