refactoring of AuthorisationService

2019-02-14 22:46:17 +01:00 · 2019-02-14 22:46:17 +01:00 · 285290d93d
commit 285290d93d
parent 64f10c6455
20 changed files with 539 additions and 812 deletions
--- a/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java
@ -75,6 +75,22 @@ public final class Privilege {
        return this.ownershipPrivilege.hasImplicit(privilegeType);
    }
    public final boolean hasGrant(
            final String userId,
            final Long userInstitutionId,
            final PrivilegeType privilegeType,
            final Long institutionId,
            final String ownerId) {
        return this.hasBasePrivilege(privilegeType)
                || ((institutionId != null) &&
                        (this.hasInstitutionalPrivilege(privilegeType)
                                && userInstitutionId.longValue() == institutionId
                                        .longValue())
                        || (this.hasOwnershipPrivilege(privilegeType)
                                && userId.equals(ownerId)));
    }
    @Override
    public String toString() {
        return "Privilege [privilegeType=" + this.basePrivilege + ", institutionalPrivilege="
--- a/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java
@ -207,13 +207,8 @@ public class FormBuilder {
                this.formParent,
                value,
                new LocTextKey("sebserver.overall.upload"),
-                span, 1);
+                span, 1, this.readonly);
        if (this.readonly) {
            imageUpload.setReadonly();
        this.form.putField(name, lab, imageUpload);
        } else {
            this.form.putField(name, lab, imageUpload);
        }
        return this;
    }
--- a/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java
@ -12,7 +12,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -78,12 +77,17 @@ public class CurrentUser {
    public boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) {
        if (loadPrivileges()) {
            try {
-                return get().getRoles()
+                final UserInfo userInfo = get();
                return userInfo.getRoles()
                        .stream()
                        .map(roleName -> UserRole.valueOf(roleName))
                        .map(role -> new RoleTypeKey(entityType, role))
                        .map(key -> this.privileges.get(key))
-                        .filter(checkPrivilege(get(), privilegeType, null))
+                        .filter(priv -> (priv != null) && priv.hasGrant(
                                userInfo.uuid,
                                userInfo.institutionId,
                                privilegeType,
                                null, null))
                        .findFirst()
                        .isPresent();
            } catch (final Exception e) {
@ -102,12 +106,18 @@ public class CurrentUser {
        if (loadPrivileges()) {
            final EntityType entityType = grantEntity.entityType();
            try {
-                return get().getRoles()
+                final UserInfo userInfo = get();
                return userInfo.getRoles()
                        .stream()
                        .map(roleName -> UserRole.valueOf(roleName))
                        .map(role -> new RoleTypeKey(entityType, role))
                        .map(key -> this.privileges.get(key))
-                        .filter(checkPrivilege(get(), privilegeType, grantEntity))
+                        .filter(priv -> (priv != null) && priv.hasGrant(
                                userInfo.uuid,
                                userInfo.institutionId,
                                privilegeType,
                                grantEntity.getInstitutionId(),
                                grantEntity.getOwnerId()))
                        .findFirst()
                        .isPresent();
            } catch (final Exception e) {
@ -119,20 +129,6 @@ public class CurrentUser {
        return false;
    }
    private Predicate<Privilege> checkPrivilege(
            final UserInfo userInfo,
            final PrivilegeType privilegeType,
            final GrantEntity grantEntity) {
        return priv -> priv.hasBasePrivilege(privilegeType)
                || ((grantEntity != null) &&
                        (priv.hasInstitutionalPrivilege(privilegeType)
                                && get().institutionId.longValue() == grantEntity.getInstitutionId()
                                        .longValue())
                        || (priv.hasOwnershipPrivilege(privilegeType)
                                && get().uuid.equals(grantEntity.getOwnerId())));
    }
    public boolean isAvailable() {
        updateContext();
        return this.authContext != null && this.authContext.isLoggedIn();
--- a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java
@ -41,26 +41,23 @@ public class ImageUpload extends Composite {
    private final ServerPushService serverPushService;
-    final Composite imageCanvas;
+    private final Composite imageCanvas;
-    final FileUpload fileUpload;
+    private final FileUpload fileUpload;
    private String imageBase64 = null;
    private boolean loadNewImage = false;
    private boolean imageLoaded = false;
-    ImageUpload(final Composite parent, final ServerPushService serverPushService) {
+    ImageUpload(final Composite parent, final ServerPushService serverPushService, final boolean readonly) {
        super(parent, SWT.NONE);
        super.setLayout(new GridLayout(2, false));
        this.serverPushService = serverPushService;
        if (!readonly) {
            this.fileUpload = new FileUpload(this, SWT.NONE);
            this.fileUpload.setText("Select File");
            this.fileUpload.setLayoutData(new GridData(SWT.CENTER, SWT.CENTER, false, false));
        this.imageCanvas = new Composite(this, SWT.NONE);
        final GridData canvas = new GridData(SWT.FILL, SWT.FILL, true, true);
        this.imageCanvas.setLayoutData(canvas);
            final FileUploadHandler uploadHandler = new FileUploadHandler(new FileUploadReceiver() {
                @Override
@ -90,39 +87,25 @@ public class ImageUpload extends Composite {
                    ImageUpload.this.fileUpload.submit(uploadHandler.getUploadUrl());
                    ImageUpload.this.serverPushService.runServerPush(
-                        new ServerPushContext(
+                            new ServerPushContext(ImageUpload.this, ImageUpload::uploadInProgress),
-                                ImageUpload.this,
+                            ImageUpload::wait,
-                                runAgainContext -> {
+                            ImageUpload::update);
                                    final ImageUpload imageUpload = (ImageUpload) runAgainContext.getAnchor();
                                    return imageUpload.loadNewImage && !imageUpload.imageLoaded;
                                }),
                        context -> {
                            try {
                                Thread.sleep(200);
                            } catch (final Exception e) {
                                e.printStackTrace();
                            }
                        },
                        context -> {
                            final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
                            if (imageUpload.imageBase64 != null
                                    && imageUpload.loadNewImage
                                    && imageUpload.imageLoaded) {
                                final Base64InputStream input = new Base64InputStream(
                                        new ByteArrayInputStream(
                                                imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)),
                                        false);
                                imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage");
                                imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input));
                                context.layout();
                                imageUpload.layout();
                                imageUpload.loadNewImage = false;
                }
            });
        } else {
            this.fileUpload = null;
        }
        });
        this.imageCanvas = new Composite(this, SWT.NONE);
        final GridData canvas = new GridData(SWT.FILL, SWT.FILL, true, true);
        this.imageCanvas.setLayoutData(canvas);
    }
    public void setSelectionText(final String text) {
        if (this.fileUpload != null) {
            this.fileUpload.setText(text);
        }
    }
    public String getImageBase64() {
@ -141,9 +124,34 @@ public class ImageUpload extends Composite {
        this.imageCanvas.setBackgroundImage(new Image(super.getDisplay(), input));
    }
-    public void setReadonly() {
+    private static final boolean uploadInProgress(final ServerPushContext context) {
-        this.fileUpload.setVisible(false);
+        final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
-        this.fileUpload.setEnabled(false);
+        return imageUpload.loadNewImage && !imageUpload.imageLoaded;
    }
    private static final void wait(final ServerPushContext context) {
        try {
            Thread.sleep(200);
        } catch (final Exception e) {
        }
    }
    private static final void update(final ServerPushContext context) {
        final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
        if (imageUpload.imageBase64 != null
                && imageUpload.loadNewImage
                && imageUpload.imageLoaded) {
            final Base64InputStream input = new Base64InputStream(
                    new ByteArrayInputStream(
                            imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)),
                    false);
            imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage");
            imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input));
            context.layout();
            imageUpload.layout();
            imageUpload.loadNewImage = false;
        }
    }
 }
--- a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java
@ -343,17 +343,23 @@ public class WidgetFactory {
            final Composite parent,
            final String value,
            final LocTextKey locTextKey,
-            final int hspan, final int vspan) {
+            final int hspan,
            final int vspan,
            final boolean readonly) {
-        final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey);
+        final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey, readonly);
        final GridData gridData = new GridData(SWT.FILL, SWT.FILL, true, false, hspan, vspan);
        imageUpload.setLayoutData(gridData);
        imageUpload.setImageBase64(value);
        return imageUpload;
    }
-    public ImageUpload imageUploadLocalized(final Composite parent, final LocTextKey locTextKey) {
+    public ImageUpload imageUploadLocalized(
-        final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService);
+            final Composite parent,
            final LocTextKey locTextKey,
            final boolean readonly) {
        final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService, readonly);
        injectI18n(imageUpload, locTextKey);
        return imageUpload;
    }
@ -454,7 +460,7 @@ public class WidgetFactory {
        return imageUpload -> {
            if (locTextKey != null) {
-                imageUpload.fileUpload.setText(i18nSupport.getText(locTextKey));
+                imageUpload.setSelectionText(i18nSupport.getText(locTextKey));
            }
        };
    }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantRule.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantRule.java
@ -1,36 +0,0 @@
 /*
 * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.EntityType;
 /** Defines a authorization grant rule for a specified EntityType.
 *
 * If there is the need for a specialized authorization grant rule for a specified EntityType, just
 * create an implementation of this interface for a specified EntityType as a normal Spring Component
 * and the AuthorizationGrantService will automatically collect it on initialization and use it for
 * the specified EntityType instead of the default implementation. */
 public interface AuthorizationGrantRule {
    /** The EntityType of the authorization grant rule implementation.
     * This is used by the AuthorizationGrantService on initialization.
     *
     * @return the authorization grant rule implementation */
    EntityType entityType();
    /** Implements a authorization grant rule check for a given entity, user and grant type.
     *
     * @param entity the GrantEntity instance to check the grant rule on
     * @param user the SEBServerUser instance to check the grant rule on
     * @param grantType the GrantType to check
     * @return true if a given user has a given grant-type on a given entity, false otherwise */
    boolean hasGrant(GrantEntity entity, SEBServerUser user, PrivilegeType grantType);
 }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantService.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantService.java
@ -1,126 +0,0 @@
 /*
 * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.function.Predicate;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 /** A service to check authorization grants for a given user for entity-types and -instances
 *
 * If there is one or more GrantEntity objects within an authenticated user-request, this service
 * can be used check the authenticated user access grant within the object. Check if a given user
 * has write, modify or even read-only rights on an entity instance or on an entity type. */
 public interface AuthorizationGrantService {
    /** Gets the UserService that is bundled within the AuthorizationGrantService
     *
     * @return the UserService that is bundled within the AuthorizationGrantService */
    UserService getUserService();
    /** All Privileges in a collection.
     * 
     * @return all registered Privileges */
    Collection<Privilege> getAllPrivileges();
    /** Checks if the current user has any privilege (base or institutional or owner) for the given EntityType and
     * PrivilegeType.
     *
     * @param entityType the EntityType
     * @param privilegeType the PrivilegeType to check on EntityType */
    void checkHasAnyPrivilege(EntityType entityType, PrivilegeType privilegeType);
    void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId);
    void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId, Long ownerId);
    /** Check if current user has grant on a given GrantEntity instance for specified PrivilegeType
     *
     * @param entity The GrantEntity to check specified PrivilegeType for
     * @param privilegeType The PrivilegeType
     * @return a with a Result of the granted entity instance or with a Result of a PermissionDeniedException */
    <E extends GrantEntity> Result<E> checkGrantOnEntity(E entity, PrivilegeType privilegeType);
    /** Checks if the current user has a implicit base privilege for a given entity-type
     *
     * @param entityType the entity type
     * @param privilegeType the privilege type to check
     * @return true if the current user has a implicit base privilege on specified PrivilegeType for a given
     *         EntityType */
    boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType);
    /** Checks if a given user has a implicit base privilege for a given entity-type
     *
     * @param entityType the entity type
     * @param privilegeType the privilege type to check
     * @return true if a given user has a implicit base privilege on specified PrivilegeType for a given EntityType */
    boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal);
    /** Checks if the current user has an implicit institutional privilege on a given EntityType
     *
     * @param entityType the entity type
     * @param privilegeType the privilege type to check
     * @return true if the current user has an implicit institutional privilege on the given EntityType */
    boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType);
    /** Checks if a given user has an implicit institutional privilege on a given EntityType
     *
     * @param entityType the entity type
     * @param privilegeType the privilege type to check
     * @return true if a given user has an implicit institutional privilege on the given EntityType */
    boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal);
    /** Checks if the current user has grant on a given entity for a specified PrivilegeType
     *
     * @param entity the entity-instance
     * @param privilegeType the privilege type to check
     * @return true if the current user has a specified grant for a given entity-instance */
    boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType);
    /** Checks if a given user has grant on a given entity for a specified PrivilegeType
     *
     * @param entity the entity-instance
     * @param privilegeType the grant type to check
     * @param principal an authorization Principal instance to extract the user from
     * @return true if the given user has grant on a given entity for a specified PrivilegeType */
    boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, Principal principal);
    /** Checks if a given user has specified grant for a given entity-instance
     *
     * @param entity the entity-instance
     * @param privilegeType the grant type to check
     * @param user a SEBServerUser instance to check grant for
     * @return true if a given user has a specified grant for a given entity-instance. False otherwise */
    boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, SEBServerUser user);
    /** Closure to get a grant check predicate for the current user
     * to filter a several entity-instances within the same grant
     *
     * @param entityType the EntityType for the grant check filter
     * @param privilegeType the PrivilegeType for the grant check filter
     * @return A filter predicate working on the given attributes to check user grants */
    <T extends GrantEntity> Predicate<T> getGrantFilter(EntityType entityType, PrivilegeType privilegeType);
    /** Closure to get a grant check predicate to filter a several entity-instances within the same grant
     *
     * @param entityType the EntityType for the grant check filter
     * @param privilegeType the PrivilegeType for the grant check filter
     * @param principal an authorization Principal instance to extract the user from
     * @return A filter predicate working on the given attributes to check user grants */
    <T extends GrantEntity> Predicate<T> getGrantFilter(
            EntityType entityType,
            PrivilegeType privilegeType,
            Principal principal);
 }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceImpl.java
@ -1,450 +0,0 @@
 /*
 * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumMap;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Predicate;
 import javax.annotation.PostConstruct;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Service;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.gbl.util.Result;
@Lazy
@Service
@WebServiceProfile
 public class AuthorizationGrantServiceImpl implements AuthorizationGrantService {
    /** Map of role based grants for specified entity types. */
    private final Map<Privilege.RoleTypeKey, Privilege> privileges = new HashMap<>();
    /** Map of collected AuthorizationGrantRule exceptions */
    private final Map<EntityType, AuthorizationGrantRule> exceptionalRules =
            new EnumMap<>(EntityType.class);
    private final UserService userService;
    public AuthorizationGrantServiceImpl(
            final Collection<AuthorizationGrantRule> exceptionalGrantRules,
            final UserService userService) {
        this.userService = userService;
        if (exceptionalGrantRules != null) {
            exceptionalGrantRules.stream()
                    .forEach(r -> this.exceptionalRules.put(r.entityType(), r));
        }
    }
    @Override
    public UserService getUserService() {
        return this.userService;
    }
    @Override
    public Collection<Privilege> getAllPrivileges() {
        return Collections.unmodifiableCollection(this.privileges.values());
    }
    /** Initialize the (hard-coded) grants */
    @PostConstruct
    public void init() {
        // grants for institution
        addPrivilege(EntityType.INSTITUTION)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for lms setup
        addPrivilege(EntityType.LMS_SETUP)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for user account
        addPrivilege(EntityType.USER)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_ADMIN)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .create();
        // grants for user activity logs
        addPrivilege(EntityType.USER_ACTIVITY_LOG)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for exam
        addPrivilege(EntityType.EXAM)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .withOwnerPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .create();
        // TODO other entities
    }
    @Override
    public void checkHasAnyPrivilege(final EntityType entityType, final PrivilegeType privilegeType) {
        final SEBServerUser currentUser = this.userService.getCurrentUser();
        if (hasBasePrivilege(entityType, privilegeType, currentUser) ||
                hasInstitutionalPrivilege(entityType, privilegeType, currentUser)) {
            return;
        }
        throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
    }
    @Override
    public void checkPrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final Long institutionId) {
        final SEBServerUser currentUser = this.userService.getCurrentUser();
        if (hasBasePrivilege(entityType, privilegeType, currentUser)) {
            return;
        }
        if (institutionId == null) {
            throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
        }
        if (hasInstitutionalPrivilege(entityType, privilegeType, currentUser) &&
                currentUser.institutionId().longValue() == institutionId.longValue()) {
            return;
        }
        throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
    }
    @Override
    public void checkPrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final Long institutionId,
            final Long ownerId) {
        final SEBServerUser currentUser = this.userService.getCurrentUser();
        // TODO Auto-generated method stub
        throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
    }
    @Override
    public <E extends GrantEntity> Result<E> checkGrantOnEntity(final E entity, final PrivilegeType privilegeType) {
        final SEBServerUser currentUser = this.userService.getCurrentUser();
        if (hasGrant(entity, privilegeType, currentUser)) {
            return Result.of(entity);
        } else {
            return Result.ofError(new PermissionDeniedException(entity, privilegeType, currentUser.getUserInfo().uuid));
        }
    }
    @Override
    public boolean hasBasePrivilege(final EntityType entityType, final PrivilegeType privilegeType) {
        return hasBasePrivilege(entityType, privilegeType, this.userService.getCurrentUser());
    }
    @Override
    public boolean hasBasePrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final Principal principal) {
        return hasBasePrivilege(entityType, privilegeType, this.userService.extractFromPrincipal(principal));
    }
    private boolean hasBasePrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final SEBServerUser user) {
        for (final UserRole role : user.getUserRoles()) {
            final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role));
            if (roleTypeGrant != null && roleTypeGrant.hasBasePrivilege(privilegeType)) {
                return true;
            }
        }
        return false;
    }
    @Override
    public boolean hasInstitutionalPrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType) {
        return hasInstitutionalPrivilege(
                entityType,
                privilegeType,
                this.userService.getCurrentUser());
    }
    @Override
    public boolean hasInstitutionalPrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final Principal principal) {
        return hasInstitutionalPrivilege(
                entityType,
                privilegeType,
                this.userService.extractFromPrincipal(principal));
    }
    private boolean hasInstitutionalPrivilege(
            final EntityType entityType,
            final PrivilegeType privilegeType,
            final SEBServerUser user) {
        for (final UserRole role : user.getUserRoles()) {
            final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role));
            if (roleTypeGrant != null && roleTypeGrant.hasInstitutionalPrivilege(privilegeType)) {
                return true;
            }
        }
        return false;
    }
    @Override
    public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType) {
        return hasGrant(entity, grantType, this.userService.getCurrentUser());
    }
    @Override
    public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final Principal principal) {
        return hasGrant(entity, grantType, this.userService.extractFromPrincipal(principal));
    }
    @Override
    public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final SEBServerUser user) {
        final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entity.entityType());
        if (authorizationGrantRule == null) {
            return false;
        }
        return authorizationGrantRule.hasGrant(entity, user, grantType);
    }
    @Override
    public <T extends GrantEntity> Predicate<T> getGrantFilter(
            final EntityType entityType,
            final PrivilegeType grantType) {
        return getGrantFilter(entityType, grantType, this.userService.getCurrentUser());
    }
    @Override
    public <T extends GrantEntity> Predicate<T> getGrantFilter(
            final EntityType entityType,
            final PrivilegeType grantType,
            final Principal principal) {
        return getGrantFilter(entityType, grantType, this.userService.extractFromPrincipal(principal));
    }
    private <T extends GrantEntity> Predicate<T> getGrantFilter(
            final EntityType entityType,
            final PrivilegeType grantType,
            final SEBServerUser user) {
        final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entityType);
        if (authorizationGrantRule == null)
            return entity -> false;
        return entity -> authorizationGrantRule.hasGrant(entity, user, grantType);
    }
    private AuthorizationGrantRule getGrantRule(final EntityType type) {
        return this.exceptionalRules.computeIfAbsent(
                type,
                entityType -> new BaseTypeGrantRule(entityType, this));
    }
    private PrivilegeBuilder addPrivilege(final EntityType entityType) {
        return new PrivilegeBuilder(entityType);
    }
    /** This is the default (or base) implementation of a AuthorizationGrantRule.
     *
     * The rule is: go over all user-roles of the given user and for each user-role check
     * if there is base-privilege on the given entity-type for the given grant type.
     * if true return true
     * if false; check if there is a given institutional-privilege on the given
     * entity-instance for the given grant type.
     * if true return true
     * if false; check if there is a given ownership-privilege on the given
     * entity-instance for the given grant type.
     * if true return true
     * if false return false */
    private static class BaseTypeGrantRule implements AuthorizationGrantRule {
        private final EntityType type;
        private final Map<UserRole, Privilege> grants;
        public BaseTypeGrantRule(final EntityType type, final AuthorizationGrantServiceImpl service) {
            this.type = type;
            this.grants = new EnumMap<>(UserRole.class);
            for (final UserRole role : UserRole.values()) {
                this.grants.put(role,
                        service.privileges.get(new RoleTypeKey(type, role)));
            }
        }
        @Override
        public EntityType entityType() {
            return this.type;
        }
        @Override
        public boolean hasGrant(final GrantEntity entity, final SEBServerUser user, final PrivilegeType grantType) {
            for (final UserRole role : user.getUserRoles()) {
                final Privilege roleTypeGrant = this.grants.get(role);
                if (roleTypeGrant != null && hasGrant(roleTypeGrant, user, entity, grantType)) {
                    return true;
                }
            }
            return false;
        }
        public boolean hasGrant(
                final Privilege roleTypeGrant,
                final SEBServerUser user,
                final GrantEntity entity,
                final PrivilegeType grantType) {
            return roleTypeGrant.hasBasePrivilege(grantType) ||
                    hasInstitutionalGrant(roleTypeGrant, user, entity, grantType) ||
                    hasOwnershipGrant(roleTypeGrant, user, entity, grantType);
        }
        private boolean hasInstitutionalGrant(
                final Privilege roleTypeGrant,
                final SEBServerUser user,
                final GrantEntity entity,
                final PrivilegeType grantType) {
            if (entity.getInstitutionId() == null) {
                return false;
            }
            return roleTypeGrant.hasInstitutionalPrivilege(grantType) &&
                    user.institutionId().longValue() == entity.getInstitutionId().longValue();
        }
        private boolean hasOwnershipGrant(
                final Privilege roleTypeGrant,
                final SEBServerUser user,
                final GrantEntity entity,
                final PrivilegeType grantType) {
            if (entity.getOwnerId() == null) {
                return false;
            }
            return roleTypeGrant.hasOwnershipPrivilege(grantType) &&
                    user.uuid().equals(entity.getOwnerId());
        }
    }
    /** Implements a GrantRuleBuilder for internal use and to make the code more readable.
     * See init (PostConstruct) */
    private final class PrivilegeBuilder {
        private final EntityType entityType;
        private UserRole userRole;
        private PrivilegeType basePrivilege = PrivilegeType.NONE;
        private PrivilegeType institutionalPrivilege = PrivilegeType.NONE;
        private PrivilegeType ownerPrivilege = PrivilegeType.NONE;
        public PrivilegeBuilder(final EntityType entityType) {
            super();
            this.entityType = entityType;
        }
        public PrivilegeBuilder forRole(final UserRole userRole) {
            this.userRole = userRole;
            return this;
        }
        public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) {
            this.basePrivilege = basePrivilege;
            return this;
        }
        public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) {
            this.institutionalPrivilege = institutionalPrivilege;
            return this;
        }
        public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) {
            this.ownerPrivilege = ownerPrivilege;
            return this;
        }
        public PrivilegeBuilder andForRole(final UserRole userRole) {
            create();
            return new PrivilegeBuilder(this.entityType)
                    .forRole(userRole);
        }
        public void create() {
            final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole);
            final Privilege roleTypeGrant = new Privilege(
                    roleTypeKey,
                    this.basePrivilege,
                    this.institutionalPrivilege,
                    this.ownerPrivilege);
            AuthorizationGrantServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant);
        }
    }
 }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
@ -0,0 +1,124 @@
 /*
 * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import java.util.Collection;
 import java.util.Set;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
 import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 /** A service to check authorization grants for a given user for entity-types and -instances
 *
 * If there is one or more GrantEntity objects within an authenticated user-request, this service
 * can be used check the authenticated user access grant within the object. Check if a given user
 * has write, modify or even read-only rights on an entity instance or on an entity type. */
 public interface AuthorizationService {
    /** Gets the UserService that is bundled within the AuthorizationGrantService
     *
     * @return the UserService that is bundled within the AuthorizationGrantService */
    UserService getUserService();
    /** All Privileges in a collection.
     *
     * @return all registered Privileges */
    Collection<Privilege> getAllPrivileges();
    boolean hasPrivilege(
            PrivilegeType privilegeType,
            EntityType entityType,
            Long institutionId,
            String userId,
            Long userInstitutionId,
            Set<UserRole> userRoles);
    boolean hasPrivilege(PrivilegeType privilegeType, GrantEntity grantEntity);
    default boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) {
        final SEBServerUser currentUser = getUserService().getCurrentUser();
        final UserInfo userInfo = currentUser.getUserInfo();
        return hasPrivilege(
                privilegeType,
                entityType,
                null,
                userInfo.uuid,
                userInfo.institutionId,
                currentUser.getUserRoles());
    }
    default boolean hasPrivilege(
            final PrivilegeType privilegeType,
            final EntityType entityType,
            final Long institutionId) {
        final SEBServerUser currentUser = getUserService().getCurrentUser();
        final UserInfo userInfo = currentUser.getUserInfo();
        return hasPrivilege(
                privilegeType,
                entityType,
                institutionId,
                userInfo.uuid,
                userInfo.institutionId,
                currentUser.getUserRoles());
    }
    default boolean hasReadonlyPrivilege(final GrantEntity grantEntity) {
        return hasPrivilege(PrivilegeType.READ_ONLY, grantEntity);
    }
    default boolean hasModifyPrivilege(final GrantEntity grantEntity) {
        return hasPrivilege(PrivilegeType.MODIFY, grantEntity);
    }
    default boolean hasWritePrivilege(final GrantEntity grantEntity) {
        return hasPrivilege(PrivilegeType.WRITE, grantEntity);
    }
    default void check(final PrivilegeType privilegeType, final EntityType entityType) {
        check(privilegeType, entityType, null);
    }
    default void check(final PrivilegeType privilegeType, final EntityType entityType, final Long institutionId) {
        if (!hasPrivilege(privilegeType, entityType, institutionId)) {
            throw new PermissionDeniedException(
                    entityType,
                    privilegeType,
                    getUserService().getCurrentUser().getUserInfo().uuid);
        }
    }
    default <E extends GrantEntity> Result<E> check(final PrivilegeType privilegeType, final E grantEntity) {
        if (!hasPrivilege(privilegeType, grantEntity)) {
            throw new PermissionDeniedException(
                    grantEntity,
                    privilegeType,
                    getUserService().getCurrentUser().getUserInfo().uuid);
        }
        return Result.of(grantEntity);
    }
    default <E extends GrantEntity> Result<E> checkReadonly(final E grantEntity) {
        return check(PrivilegeType.READ_ONLY, grantEntity);
    }
    default <E extends GrantEntity> Result<E> checkModify(final E grantEntity) {
        return check(PrivilegeType.MODIFY, grantEntity);
    }
    default <E extends GrantEntity> Result<E> checkWrite(final E grantEntity) {
        return check(PrivilegeType.WRITE, grantEntity);
    }
 }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceImpl.java
@ -0,0 +1,214 @@
 /*
 * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.PostConstruct;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Service;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
 import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
@Lazy
@Service
@WebServiceProfile
 public class AuthorizationServiceImpl implements AuthorizationService {
    private final UserService userService;
    /** Map of role based grants for specified entity types. */
    private final Map<Privilege.RoleTypeKey, Privilege> privileges = new HashMap<>();
    public AuthorizationServiceImpl(final UserService userService) {
        this.userService = userService;
    }
    @Override
    public UserService getUserService() {
        return this.userService;
    }
    @Override
    public Collection<Privilege> getAllPrivileges() {
        return Collections.unmodifiableCollection(this.privileges.values());
    }
    /** Initialize the (hard-coded) grants */
    @PostConstruct
    public void init() {
        // grants for institution
        addPrivilege(EntityType.INSTITUTION)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for lms setup
        addPrivilege(EntityType.LMS_SETUP)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for user account
        addPrivilege(EntityType.USER)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_ADMIN)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .create();
        // grants for user activity logs
        addPrivilege(EntityType.USER_ACTIVITY_LOG)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .create();
        // grants for exam
        addPrivilege(EntityType.EXAM)
                .forRole(UserRole.SEB_SERVER_ADMIN)
                .withBasePrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.INSTITUTIONAL_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .andForRole(UserRole.EXAM_ADMIN)
                .withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
                .withOwnerPrivilege(PrivilegeType.WRITE)
                .andForRole(UserRole.EXAM_SUPPORTER)
                .withOwnerPrivilege(PrivilegeType.MODIFY)
                .create();
        // TODO other entities
    }
    @Override
    public boolean hasPrivilege(
            final PrivilegeType privilegeType,
            final EntityType entityType,
            final Long institutionId,
            final String userId,
            final Long userInstitutionId,
            final Set<UserRole> userRoles) {
        return userRoles
                .stream()
                .map(role -> new RoleTypeKey(entityType, role))
                .map(key -> this.privileges.get(key))
                .filter(priv -> (priv != null) && priv.hasGrant(
                        userId,
                        userInstitutionId,
                        privilegeType,
                        institutionId,
                        null))
                .findFirst()
                .isPresent();
    }
    @Override
    public boolean hasPrivilege(final PrivilegeType privilegeType, final GrantEntity grantEntity) {
        final UserInfo userInfo = this.userService.getCurrentUser().getUserInfo();
        return userInfo.getRoles()
                .stream()
                .map(roleName -> UserRole.valueOf(roleName))
                .map(role -> new RoleTypeKey(grantEntity.entityType(), role))
                .map(key -> this.privileges.get(key))
                .filter(priv -> (priv != null) && priv.hasGrant(
                        userInfo.uuid,
                        userInfo.institutionId,
                        privilegeType,
                        grantEntity.getInstitutionId(),
                        grantEntity.getOwnerId()))
                .findFirst()
                .isPresent();
    }
    private PrivilegeBuilder addPrivilege(final EntityType entityType) {
        return new PrivilegeBuilder(entityType);
    }
    /** Implements a GrantRuleBuilder for internal use and to make the code more readable.
     * See init (PostConstruct) */
    private final class PrivilegeBuilder {
        private final EntityType entityType;
        private UserRole userRole;
        private PrivilegeType basePrivilege = PrivilegeType.NONE;
        private PrivilegeType institutionalPrivilege = PrivilegeType.NONE;
        private PrivilegeType ownerPrivilege = PrivilegeType.NONE;
        public PrivilegeBuilder(final EntityType entityType) {
            super();
            this.entityType = entityType;
        }
        public PrivilegeBuilder forRole(final UserRole userRole) {
            this.userRole = userRole;
            return this;
        }
        public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) {
            this.basePrivilege = basePrivilege;
            return this;
        }
        public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) {
            this.institutionalPrivilege = institutionalPrivilege;
            return this;
        }
        public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) {
            this.ownerPrivilege = ownerPrivilege;
            return this;
        }
        public PrivilegeBuilder andForRole(final UserRole userRole) {
            create();
            return new PrivilegeBuilder(this.entityType)
                    .forRole(userRole);
        }
        public void create() {
            final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole);
            final Privilege roleTypeGrant = new Privilege(
                    roleTypeKey,
                    this.basePrivilege,
                    this.institutionalPrivilege,
                    this.ownerPrivilege);
            AuthorizationServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant);
        }
    }
 }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java
@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import ch.ethz.seb.sebserver.gbl.api.API;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.Entity;
 import ch.ethz.seb.sebserver.gbl.model.EntityKey;
 import ch.ethz.seb.sebserver.gbl.model.EntityProcessingReport;
@ -24,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
@ -40,7 +39,7 @@ public abstract class ActivatableEntityController<T extends GrantEntity, M exten
    private final ActivatableEntityDAO<T, M> activatableEntityDAO;
    public ActivatableEntityController(
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorizationGrantService,
            final BulkActionService bulkActionService,
            final ActivatableEntityDAO<T, M> entityDAO,
            final UserActivityLogDAO userActivityLogDAO,
@ -130,9 +129,7 @@ public abstract class ActivatableEntityController<T extends GrantEntity, M exten
                new EntityKey(id, entityType));
        return this.entityDAO.byModelId(id)
-                .flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
+                .flatMap(this.authorization::checkWrite)
                        entity,
                        PrivilegeType.WRITE))
                .flatMap(entity -> this.bulkActionService.createReport(bulkAction));
    }
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java
@ -10,7 +10,6 @@ package ch.ethz.seb.sebserver.webservice.weblayer.api;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import javax.validation.Valid;
@ -39,7 +38,7 @@ import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.model.Page;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
@ -53,7 +52,7 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.validation.BeanValidationSe
 public abstract class EntityController<T extends GrantEntity, M extends GrantEntity> {
-    protected final AuthorizationGrantService authorizationGrantService;
+    protected final AuthorizationService authorization;
    protected final BulkActionService bulkActionService;
    protected final EntityDAO<T, M> entityDAO;
    protected final UserActivityLogDAO userActivityLogDAO;
@ -61,14 +60,14 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
    protected final BeanValidationService beanValidationService;
    protected EntityController(
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final BulkActionService bulkActionService,
            final EntityDAO<T, M> entityDAO,
            final UserActivityLogDAO userActivityLogDAO,
            final PaginationService paginationService,
            final BeanValidationService beanValidationService) {
-        this.authorizationGrantService = authorizationGrantService;
+        this.authorization = authorization;
        this.bulkActionService = bulkActionService;
        this.entityDAO = entityDAO;
        this.userActivityLogDAO = userActivityLogDAO;
@ -78,7 +77,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
    @InitBinder
    public void initBinder(final WebDataBinder binder) throws Exception {
-        this.authorizationGrantService
+        this.authorization
                .getUserService()
                .addUsersInstitutionDefaultPropertySupport(binder);
    }
@ -153,9 +152,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
        return this.entityDAO
                .byModelId(modelId)
-                .flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
+                .flatMap(this.authorization::checkReadonly)
                        entity,
                        PrivilegeType.READ_ONLY))
                .getOrThrow();
    }
@ -181,7 +178,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
                .flatMap(this.entityDAO::loadEntities)
                .getOrThrow()
                .stream()
-                .filter(entity -> this.authorizationGrantService.hasGrant(entity, PrivilegeType.READ_ONLY))
+                .filter(this.authorization::hasReadonlyPrivilege)
                .collect(Collectors.toList());
    }
@ -201,9 +198,9 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
                    defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId) {
        // check write privilege for requested institution and concrete entityType
-        this.authorizationGrantService.checkPrivilege(
+        this.authorization.check(
                this.entityDAO.entityType(),
                PrivilegeType.WRITE,
                this.entityDAO.entityType(),
                institutionId);
        final POSTMapper postMap = new POSTMapper(allRequestParams)
@ -232,7 +229,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
            @Valid @RequestBody final M modifyData) {
        return this.beanValidationService.validateBean(modifyData)
-                .flatMap(m -> this.authorizationGrantService.checkGrantOnEntity(m, PrivilegeType.MODIFY))
+                .flatMap(this.authorization::checkModify)
                .flatMap(m -> this.entityDAO.save(modelId, m))
                .flatMap(e -> this.userActivityLogDAO.log(ActivityType.MODIFY, e))
                .flatMap(e -> notifySaved(modifyData, e))
@ -284,26 +281,22 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
                new EntityKey(modelId, entityType));
        return this.entityDAO.byModelId(modelId)
-                .flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
+                .flatMap(this.authorization::checkWrite)
                        entity,
                        PrivilegeType.WRITE))
                .flatMap(entity -> this.bulkActionService.createReport(bulkAction))
                .getOrThrow();
    }
    protected void checkReadPrivilege(final Long institutionId) {
-        this.authorizationGrantService.checkPrivilege(
+        this.authorization.check(
                this.entityDAO.entityType(),
                PrivilegeType.READ_ONLY,
                this.entityDAO.entityType(),
                institutionId);
    }
    protected Result<Collection<T>> getAll(final FilterMap filterMap) {
-        final Predicate<T> grantFilter = this.authorizationGrantService.getGrantFilter(
+        return this.entityDAO.allMatching(
-                this.entityDAO.entityType(),
+                filterMap,
-                PrivilegeType.READ_ONLY);
+                this.authorization::hasReadonlyPrivilege);
        return this.entityDAO.allMatching(filterMap, grantFilter);
    }
    protected Result<T> notifySaved(final M modifyData, final T entity) {
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java
@ -45,7 +45,7 @@ import ch.ethz.seb.sebserver.gbl.util.Utils;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.ExamRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService.SortOrder;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.ExamDAO;
@ -66,7 +66,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
    private final LmsAPIService lmsAPIService;
    public ExamAdministrationController(
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final UserActivityLogDAO userActivityLogDAO,
            final ExamDAO examDAO,
            final PaginationService paginationService,
@ -75,7 +75,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
            final IndicatorDAO indicatorDAO,
            final LmsAPIService lmsAPIService) {
-        super(authorizationGrantService,
+        super(authorization,
                bulkActionService,
                examDAO,
                userActivityLogDAO,
@ -124,9 +124,9 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
        } else {
-            this.authorizationGrantService.checkPrivilege(
+            this.authorization.check(
                    EntityType.EXAM,
                    PrivilegeType.READ_ONLY,
                    EntityType.EXAM,
                    institutionId);
            final int pageNum = this.paginationService.getPageNumber(pageNumber);
@ -161,7 +161,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
    public Collection<Indicator> getIndicatorOfExam(@PathVariable final Long examId) {
        // check read-only grant on Exam
        this.examDAO.byPK(examId)
-                .map(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.READ_ONLY))
+                .map(this.authorization::checkReadonly)
                .getOrThrow();
        return this.indicatorDAO.allForExam(examId)
@ -175,7 +175,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
        // check write grant on Exam
        this.examDAO.byPK(examId)
-                .map(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE))
+                .map(this.authorization::checkWrite)
                .getOrThrow();
        final Set<EntityKey> toDelete = (indicatorId != null)
@ -199,7 +199,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
        // check write grant on Exam
        this.examDAO.byPK(examId)
-                .flatMap(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE))
+                .flatMap(this.authorization::checkWrite)
                .getOrThrow();
        if (indicator.id != null) {
@ -219,7 +219,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
        // check modify grant on Exam
        this.examDAO.byPK(indicator.examId)
-                .flatMap(e -> this.authorizationGrantService.checkGrantOnEntity(e, PrivilegeType.MODIFY))
+                .flatMap(this.authorization::checkModify)
                .getOrThrow();
        return this.indicatorDAO
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java
@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RestController;
 import ch.ethz.seb.sebserver.gbl.api.API;
 import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
@WebServiceProfile
@ -28,11 +28,11 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
 public class InfoController {
    private final InstitutionDAO institutionDAO;
-    private final AuthorizationGrantService authorizationGrantService;
+    private final AuthorizationService authorizationGrantService;
    protected InfoController(
            final InstitutionDAO institutionDAO,
-            final AuthorizationGrantService authorizationGrantService) {
+            final AuthorizationService authorizationGrantService) {
        this.institutionDAO = institutionDAO;
        this.authorizationGrantService = authorizationGrantService;
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java
@ -19,7 +19,7 @@ import ch.ethz.seb.sebserver.gbl.model.institution.Institution;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.InstitutionRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.SEBServerUser;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
@ -35,13 +35,13 @@ public class InstitutionController extends ActivatableEntityController<Instituti
    public InstitutionController(
            final InstitutionDAO institutionDAO,
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final UserActivityLogDAO userActivityLogDAO,
            final BulkActionService bulkActionService,
            final PaginationService paginationService,
            final BeanValidationService beanValidationService) {
-        super(authorizationGrantService,
+        super(authorization,
                bulkActionService,
                institutionDAO,
                userActivityLogDAO,
@ -63,7 +63,7 @@ public class InstitutionController extends ActivatableEntityController<Instituti
    @RequestMapping(path = API.SELF_PATH_SEGMENT, method = RequestMethod.GET)
    public Institution getOwn() {
-        final SEBServerUser currentUser = this.authorizationGrantService
+        final SEBServerUser currentUser = this.authorization
                .getUserService()
                .getCurrentUser();
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/LmsSetupController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/LmsSetupController.java
@ -30,7 +30,7 @@ import ch.ethz.seb.sebserver.gbl.model.institution.LmsSetupTestResult;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.LmsSetupRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.LmsSetupDAO;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
@ -46,14 +46,14 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
    public LmsSetupController(
            final LmsSetupDAO lmsSetupDAO,
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final UserActivityLogDAO userActivityLogDAO,
            final BulkActionService bulkActionService,
            final LmsAPIService lmsAPIService,
            final PaginationService paginationService,
            final BeanValidationService beanValidationService) {
-        super(authorizationGrantService,
+        super(authorization,
                bulkActionService,
                lmsSetupDAO,
                userActivityLogDAO,
@ -81,9 +81,7 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
            @PathVariable final Long modelId,
            final HttpServletResponse response) {
-        this.authorizationGrantService.checkHasAnyPrivilege(
+        this.authorization.check(PrivilegeType.WRITE, EntityType.LMS_SETUP);
                EntityType.LMS_SETUP,
                PrivilegeType.WRITE);
        response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
        response.setStatus(HttpStatus.OK.value());
@ -107,9 +105,7 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
            produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
    public LmsSetupTestResult connectionReport(@PathVariable final Long modelId) {
-        this.authorizationGrantService.checkHasAnyPrivilege(
+        this.authorization.check(PrivilegeType.MODIFY, EntityType.LMS_SETUP);
                EntityType.LMS_SETUP,
                PrivilegeType.MODIFY);
        return this.lmsAPIService.createLmsAPITemplate(modelId)
                .map(template -> template.testLmsSetup())
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java
@ -23,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page;
 import ch.ethz.seb.sebserver.gbl.model.exam.QuizData;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.gbl.util.Utils;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPIService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPITemplate;
@ -37,18 +37,18 @@ public class QuizImportController {
    private final int maxPageSize;
    private final LmsAPIService lmsAPIService;
-    private final AuthorizationGrantService authorizationGrantService;
+    private final AuthorizationService authorization;
    public QuizImportController(
            @Value("${sebserver.webservice.api.pagination.defaultPageSize:10}") final int defaultPageSize,
            @Value("${sebserver.webservice.api.pagination.maxPageSize:500}") final int maxPageSize,
            final LmsAPIService lmsAPIService,
-            final AuthorizationGrantService authorizationGrantService) {
+            final AuthorizationService authorization) {
        this.defaultPageSize = defaultPageSize;
        this.maxPageSize = maxPageSize;
        this.lmsAPIService = lmsAPIService;
-        this.authorizationGrantService = authorizationGrantService;
+        this.authorization = authorization;
    }
    @RequestMapping(method = RequestMethod.GET)
@ -68,9 +68,9 @@ public class QuizImportController {
                .createLmsAPITemplate(lmsSetupId)
                .getOrThrow();
-        this.authorizationGrantService.checkPrivilege(
+        this.authorization.check(
                EntityType.EXAM,
                PrivilegeType.READ_ONLY,
                EntityType.EXAM,
                institutionId);
        return lmsAPITemplate.getQuizzes(
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java
@ -14,15 +14,15 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import ch.ethz.seb.sebserver.gbl.api.POSTMapper;
 import ch.ethz.seb.sebserver.gbl.api.API;
 import ch.ethz.seb.sebserver.gbl.api.POSTMapper;
 import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
 import ch.ethz.seb.sebserver.gbl.model.user.UserMod;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserDAO;
@ -38,14 +38,14 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
    public UserAccountController(
            final UserDAO userDao,
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final UserActivityLogDAO userActivityLogDAO,
            final PaginationService paginationService,
            final BulkActionService bulkActionService,
            final ApplicationEventPublisher applicationEventPublisher,
            final BeanValidationService beanValidationService) {
-        super(authorizationGrantService,
+        super(authorization,
                bulkActionService,
                userDao,
                userActivityLogDAO,
@ -56,7 +56,7 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
    @RequestMapping(path = "/me", method = RequestMethod.GET)
    public UserInfo loggedInUser() {
-        return this.authorizationGrantService
+        return this.authorization
                .getUserService()
                .getCurrentUser()
                .getUserInfo();
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserActivityLogController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserActivityLogController.java
@ -27,7 +27,7 @@ import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.gbl.util.Utils;
 import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
@ -37,22 +37,22 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
 public class UserActivityLogController {
    private final UserActivityLogDAO userActivityLogDAO;
-    private final AuthorizationGrantService authorizationGrantService;
+    private final AuthorizationService authorization;
    private final PaginationService paginationService;
    public UserActivityLogController(
            final UserActivityLogDAO userActivityLogDAO,
-            final AuthorizationGrantService authorizationGrantService,
+            final AuthorizationService authorization,
            final PaginationService paginationService) {
        this.userActivityLogDAO = userActivityLogDAO;
-        this.authorizationGrantService = authorizationGrantService;
+        this.authorization = authorization;
        this.paginationService = paginationService;
    }
    @InitBinder
    public void initBinder(final WebDataBinder binder) throws Exception {
-        this.authorizationGrantService
+        this.authorization
                .getUserService()
                .addUsersInstitutionDefaultPropertySupport(binder);
    }
@ -133,9 +133,9 @@ public class UserActivityLogController {
    }
    private void checkBaseReadPrivilege(final Long institutionId) {
-        this.authorizationGrantService.checkPrivilege(
+        this.authorization.check(
                EntityType.USER_ACTIVITY_LOG,
                PrivilegeType.READ_ONLY,
                EntityType.USER_ACTIVITY_LOG,
                institutionId);
    }
--- a/src/test/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceTest.java
+++ b/src/test/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceTest.java
@ -11,7 +11,6 @@ package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
@ -20,7 +19,6 @@ import java.util.stream.Collectors;
 import org.joda.time.DateTimeZone;
 import org.junit.Test;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
@ -28,45 +26,42 @@ import ch.ethz.seb.sebserver.gbl.model.EntityType;
 import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
 import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
-public class AuthorizationGrantServiceTest {
+public class AuthorizationServiceTest {
    @Mock
    private Principal principal;
    @Test
    public void testInstitutionGrantForSEB_SERVER_ADMIN() {
-        final AuthorizationGrantServiceImpl service = getTestServiceWithUserWithRoles(UserRole.SEB_SERVER_ADMIN);
+        final AuthorizationServiceImpl service = getTestServiceWithUserWithRoles(UserRole.SEB_SERVER_ADMIN);
-        assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.READ_ONLY, this.principal));
+        assertTrue(service.hasPrivilege(PrivilegeType.READ_ONLY, EntityType.INSTITUTION));
-        assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.MODIFY, this.principal));
+        assertTrue(service.hasPrivilege(PrivilegeType.MODIFY, EntityType.INSTITUTION));
-        assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.WRITE, this.principal));
+        assertTrue(service.hasPrivilege(PrivilegeType.WRITE, EntityType.INSTITUTION));
        final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, "");
-        assertTrue(service.hasGrant(institution, PrivilegeType.READ_ONLY, this.principal));
+        assertTrue(service.hasReadonlyPrivilege(institution));
-        assertTrue(service.hasGrant(institution, PrivilegeType.MODIFY, this.principal));
+        assertTrue(service.hasModifyPrivilege(institution));
-        assertTrue(service.hasGrant(institution, PrivilegeType.WRITE, this.principal));
+        assertTrue(service.hasWritePrivilege(institution));
    }
    @Test
    public void testInstitutionGrantsForINSTITUTIONAL_ADMIN() {
-        final AuthorizationGrantServiceImpl service = getTestServiceWithUserWithRoles(UserRole.INSTITUTIONAL_ADMIN);
+        final AuthorizationServiceImpl service = getTestServiceWithUserWithRoles(UserRole.INSTITUTIONAL_ADMIN);
-        assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.READ_ONLY, this.principal));
+        assertFalse(service.hasPrivilege(PrivilegeType.READ_ONLY, EntityType.INSTITUTION));
-        assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.MODIFY, this.principal));
+        assertFalse(service.hasPrivilege(PrivilegeType.MODIFY, EntityType.INSTITUTION));
-        assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.WRITE, this.principal));
+        assertFalse(service.hasPrivilege(PrivilegeType.WRITE, EntityType.INSTITUTION));
        final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, "");
-        assertTrue(service.hasGrant(ownInstitution, PrivilegeType.READ_ONLY, this.principal));
+        assertTrue(service.hasReadonlyPrivilege(ownInstitution));
-        assertTrue(service.hasGrant(ownInstitution, PrivilegeType.MODIFY, this.principal));
+        assertTrue(service.hasModifyPrivilege(ownInstitution));
-        assertFalse(service.hasGrant(ownInstitution, PrivilegeType.WRITE, this.principal));
+        assertFalse(service.hasWritePrivilege(ownInstitution));
        final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, "");
-        assertFalse(service.hasGrant(otherInstitution, PrivilegeType.READ_ONLY, this.principal));
+        assertFalse(service.hasReadonlyPrivilege(otherInstitution));
-        assertFalse(service.hasGrant(otherInstitution, PrivilegeType.MODIFY, this.principal));
+        assertFalse(service.hasModifyPrivilege(otherInstitution));
-        assertFalse(service.hasGrant(otherInstitution, PrivilegeType.WRITE, this.principal));
+        assertFalse(service.hasWritePrivilege(otherInstitution));
    }
    private SEBServerUser getUser(final UserRole... roles) {
@ -109,13 +104,12 @@ public class AuthorizationGrantServiceTest {
        };
    }
-    private AuthorizationGrantServiceImpl getTestServiceWithUserWithRoles(final UserRole... roles) {
+    private AuthorizationServiceImpl getTestServiceWithUserWithRoles(final UserRole... roles) {
        final SEBServerUser user = getUser(roles);
        final UserServiceImpl currentUserServiceMock = Mockito.mock(UserServiceImpl.class);
-        Mockito.when(currentUserServiceMock.extractFromPrincipal(this.principal)).thenReturn(user);
+        Mockito.when(currentUserServiceMock.getCurrentUser()).thenReturn(user);
-        final AuthorizationGrantServiceImpl authorizationGrantService = new AuthorizationGrantServiceImpl(
+        final AuthorizationServiceImpl authorizationGrantService = new AuthorizationServiceImpl(
                Collections.emptyList(),
                currentUserServiceMock);
        authorizationGrantService.init();
        return authorizationGrantService;