feat: Define new grants tables #5486

Open
wants to merge 21 commits into
base: llb-normalized-grants

Member

@elimt elimt commented Jan 28, 2025

Create new tables for grants:

  1. iam_role_global:
    Roles that are placed in the global scope will be persisted in the iam_role_global table. A global role has a grant_scope which must be one of:

      • descendants
      • children
      • individual

    This enforces that a global role's grants either apply to:

      • All orgs and projects.
      • All orgs.
      • An individual set of orgs and/or projects.

    When the grant_scope is set to individual, entries for the specific set of orgs and/or projects can be added to the iam_role_global_individual_grant_scope table.

    Separately, a global role can be set to also apply its grant to the global scope by setting grant_this_role_scope to true.

  2. iam_role_org:
    Roles that are placed in an org scope will be persisted in the iam_role_org table. An org role has a grant_scope which must be one of:

      • children
      • individual

    This enforces that an org role's grants either apply to:

      • All projects in the org.
      • An individual set of projects in the org.

    When the grant_scope is set to individual, entries for the specific set of projects can be added to the iam_role_org_individual_grant_scope table.
    NOTE: The projects must belong to the org's scope.

    Separately, an org role can be set to also apply its grant to the org by setting grant_this_role_scope to true.

  3. resource_enm:
    Contains all Boundary resources. This is used by iam_grant to set the resource from a canonical_grant.

  4. iam_grant:
    Stores the canonical grant string and the resource for filtering on specific grants.

@elimt elimt added the pr/no-milestone Ignores the Milestone Check label Jan 28, 2025
@elimt elimt requested review from mgaffney and tmessi January 28, 2025 15:21
elimt and others added 2 commits January 28, 2025 16:21
@elimt elimt force-pushed the bosorawis-sql-new-grants-tables-and-objects branch from e3afe7b to 6f0ae35 Compare January 28, 2025 21:24
Comment on lines -20 to -41
tests/org/*.sql \
tests/wh/*/*.sql \
tests/sentinel/*.sql \
tests/credential/*/*.sql \
tests/session/*.sql \
tests/account/*/*.sql \
tests/target/*.sql \
tests/controller/*.sql \
tests/hcp/*/*.sql \
tests/alias/*.sql \
tests/auth/*/*.sql \
tests/census/*.sql \
tests/kms/*.sql \
tests/storage/*.sql \
tests/controller/*.sql \
tests/credential/*/*.sql \
tests/domain/*.sql \
tests/hcp/*/*.sql \
tests/history/*.sql \
tests/recording/*.sql \
tests/alias/*.sql \
tests/auth/*/*.sql \
tests/purge/*.sql \
tests/host/*.sql \
tests/iam/*.sql \
tests/kms/*.sql \
tests/org/*.sql \
tests/pagination/*.sql \
tests/policy/*.sql \
tests/host/*.sql \
tests/server/*.sql
Member

Why change the order of the existing tests?

Collaborator

I changed it to match the alphabetical order - similar to how these directories show up in the IDEs to try to make it easier to glance if any directory was missed.

- alter iam_role_grant to add constraint on canonical_grant
- add comments to all functions and tables
- remove function for only setting `update_time` on iam_role subtypes when only the name and description have been updated
- add new trigger for setting update_time when iam_role subtypes are updated
- add new trigger for updating the version when iam_role subtypes are updated
- update resource_enm table column name from `string` to `name`
- add constraint to resource_enm table for `name` column
elimt added 2 commits January 31, 2025 21:37
- update update_time column on iam_role_org
-  update syntax error on `ensure_project_belongs_to_role_org` function
- adding missing subtype trigger on iam_role_project
- fix column insert on `resource_enm`
@elimt elimt requested review from mgaffney and tmessi February 1, 2025 03:30
@elimt elimt changed the title WIP: SQL Define new grants tables feat: Define new grants tables Feb 5, 2025
@elimt elimt marked this pull request as ready for review February 11, 2025 16:21
@elimt elimt requested a review from a team as a code owner February 11, 2025 16:21

Comment on lines +8 to +12
prepare insert_grant_scope as
insert into iam_grant
(canonical_grant)
values
('type=scope;others=stuff;');
Member

I think we need to have tests for other kinds of valid and invalid grants. Some that come to mind:

  • Grants with an ids component, including wildcard, single, multiple ids.
  • Grants with output_fields
  • Grants with multiple actions.
  • Grants with wildcard type.

Member Author

Okay just added some more test coverage for this

Member

I think there are still additional combinations of grants to try, some that come to mind are:

  • ids=*;type=*;actions=*
  • Some with type that includes dashes like host-catalog.
  • Some malformed grant strings like ids=*;type;=target;actions=* or ids=*;;type=target;actions=*.

Member Author

I added some more tests for this
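
An added example (not part of the PR or the Boundary code base): it applies the regular expression from set_resource in this PR's schema diff to the grant strings raised in this thread, next to a hypothetical stricter component parser. It models only that regex and the iam_grant_resource_enm allow-list; `resource_strict`, `SAMPLE_GRANTS` and `compare` are assumed names, and any separate constraint on canonical_grant is not modelled.

```python
import re

# Pattern copied from set_resource() in this PR's schema diff. Python's re
# and PostgreSQL's regexp_matches agree on this simple pattern.
SET_RESOURCE_PATTERN = re.compile(r"type=([^;]+);")

# Values copied from the only_predefined_resource_types_allowed check on
# iam_grant_resource_enm in this PR's schema diff.
RESOURCE_ENM = {
    "*", "alias", "auth-method", "auth-token", "account", "billing",
    "controller", "credential", "credential-library", "credential-store",
    "group", "host", "host-catalog", "host-set", "managed-group", "policy",
    "role", "scope", "session", "session-recording", "storage-bucket",
    "target", "unknown", "user", "worker",
}

# Grant strings from the thread and the diff; entries marked "constructed"
# were made up for this example.
SAMPLE_GRANTS = [
    "type=scope;others=stuff;",              # PR test snippet
    "ids=*;type=*;actions=*",                # reviewer suggestion
    "ids=*;type=host-catalog;actions=read",  # constructed: dashed type
    "ids=*;type;=target;actions=*",          # reviewer's malformed example
    "ids=*;;type=target;actions=*",          # reviewer's malformed example
    "ids=*;actions=read;type=target",        # constructed: type last, no ';'
    "type=widget;action=design",             # old fixture value in the diff
]


def resource_like_trigger(canonical_grant: str) -> str:
    """Mirror set_resource(): first regex match, otherwise 'unknown'."""
    match = SET_RESOURCE_PATTERN.search(canonical_grant)
    return match.group(1) if match else "unknown"


def resource_strict(canonical_grant: str) -> str:
    """Hypothetical stricter reading (an assumption, not the PR's logic):
    every component must be key=value and at most one may be type."""
    components = canonical_grant.split(";")
    if components[-1] == "":  # tolerate a single trailing ';'
        components.pop()
    types = []
    for component in components:
        key, sep, value = component.partition("=")
        if not (key and sep and value):
            raise ValueError(f"malformed component {component!r}")
        if key == "type":
            types.append(value)
    if len(types) > 1:
        raise ValueError("more than one type component")
    return types[0] if types else "unknown"


def compare(grants):
    """Return (grant, trigger_resource, in_enm, strict_resource) per grant.
    strict_resource is None when the strict parser rejects the string."""
    rows = []
    for grant in grants:
        trigger = resource_like_trigger(grant)
        try:
            strict = resource_strict(grant)
        except ValueError:
            strict = None
        rows.append((grant, trigger, trigger in RESOURCE_ENM, strict))
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLE_GRANTS):
        print(row)
```

The rows where the two columns disagree are the ones worth turning into test cases: malformed strings that the regex still resolves to a resource or to 'unknown', and a well-formed grant whose type is not followed by a semicolon.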

@elimt elimt requested a review from tmessi February 12, 2025 23:25

- name all unique constraints and make grant_scope the first column
- set grant_scope column as not null
- add cascade delete on foreign key constraints
- rename `resource_enm` to `iam_grant_resource_enm`

@elimt elimt requested review from mgaffney and tmessi February 26, 2025 16:48
Database schema diff between llb-normalized-grants and bosorawis-sql-new-grants-tables-and-objects @ 0e24c47

To understand how these diffs are generated and some limitations see the
documentation of the script.

Functions

diff --git a/.schema-diff/funcs_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/_wtt_load_widgets_iam.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/_wtt_load_widgets_iam.sql
index f3b1ebd6c..af2e3aa7a 100644
--- a/.schema-diff/funcs_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/_wtt_load_widgets_iam.sql
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/_wtt_load_widgets_iam.sql
@@ -70,15 +70,17 @@ create function public._wtt_load_widgets_iam() returns void
       ('g___wb-group', 'u_____warren'),
       ('g___ws-group', 'u_____waylon');
 
-    insert into iam_role
+    insert into iam_role_org
+      (scope_id, public_id, name, grant_scope)
+    values
+      ('o_____widget', 'r_op_sw__eng', 'small widget engineer', 'individual'),
+      ('o_____widget', 'r_oo_____eng', 'widget engineer', 'individual');
+
+    insert into iam_role_project
       (scope_id, public_id, name)
     values
-            -- ('global', 'r_gg_____buy', 'purchaser'),
-            -- ('global', 'r_gg____shop', 'shopper'),
       ('p____bwidget', 'r_pp_bw__bld', 'widget builder'),
-      ('p____swidget', 'r_pp_sw__bld', 'widget builder'),
-      ('o_____widget', 'r_op_sw__eng', 'small widget engineer'),
-      ('o_____widget', 'r_oo_____eng', 'widget engineer');
+      ('p____swidget', 'r_pp_sw__bld', 'widget builder');
 
     insert into iam_role_grant_scope
       (role_id,        scope_id_or_special)
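
Review bot: both rows added to iam_role_org use grant_scope 'individual', and the commented-out global roles are deleted instead of being moved to iam_role_global, so this fixture never loads a role with 'children' or 'descendants'. Consider adding one org role with grant_scope 'children' and at least one iam_role_global row so that every subtype table and scope value is exercised by _wtt_load_widgets_iam.
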
@@ -93,12 +95,12 @@ create function public._wtt_load_widgets_iam() returns void
     values
       -- ('r_gg_____buy', 'type=*;action=purchase',    'purchase anything'),
       -- ('r_gg____shop', 'type=*;action=view',        'view anything'),
-      ('r_oo_____eng', 'type=widget;action=design', 'design widget'),
-      ('r_op_sw__eng', 'type=widget;action=design', 'design widget'),
-      ('r_op_sw__eng', 'type=widget;action=tune',   'tune widget'),
-      ('r_op_sw__eng', 'type=widget;action=clean',  'clean widget'),
-      ('r_pp_bw__bld', 'type=widget;action=build',  'build widget'),
-      ('r_pp_sw__bld', 'type=widget;action=build',  'build widget');
+      ('r_oo_____eng', 'type=target;action=create,update,authorize-session',                                         'type=target;action=create,update,authorize-session'),
+      ('r_op_sw__eng', 'type=target;action=add-credential-sources,remove-credential-sources,set-credential-sources', 'type=target;action=add-credential-sources,remove-credential-sources,set-credential-sources'),
+      ('r_op_sw__eng', 'type=target;action=add-host-sources,remove-host-sources,set-host-sources',                   'type=target;action=add-host-sources,remove-host-sources,set-host-sources'),
+      ('r_op_sw__eng', 'type=target;action=read,list',                                                               'type=target;action=read,list'),
+      ('r_pp_bw__bld', 'type=target;action=create,delete',                                                           'type=target;action=create,delete'),
+      ('r_pp_sw__bld', 'type=target;action=authorize-session',                                                       'type=target;action=authorize-session');
 
     insert into iam_group_role
       (role_id, principal_id)
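
Review bot: the new fixture grants use the key action= with a comma-separated list (for example 'type=target;action=create,update,authorize-session'), while the grant strings suggested in the review thread use actions=. Confirm which spelling is canonical and use it consistently here. The two commented-out rows for 'r_gg_____buy' and 'r_gg____shop' now refer to roles whose commented-out inserts were deleted in the previous hunk and can be dropped.
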
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/ensure_project_belongs_to_role_org.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/ensure_project_belongs_to_role_org.sql
new file mode 100644
index 000000000..dfbb1723e
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/ensure_project_belongs_to_role_org.sql
@@ -0,0 +1,51 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: ensure_project_belongs_to_role_org(); type: function; schema: public; owner: -
+--
+
+create function public.ensure_project_belongs_to_role_org() returns trigger
+    language plpgsql
+    as $$
+  begin
+    perform
+       from iam_scope_project
+       join iam_role_org 
+         on iam_role_org.scope_id      = iam_scope_project.parent_id 
+      where iam_scope_project.scope_id = new.scope_id
+        and iam_role_org.public_id     = new.role_id; 
+    if not found then 
+      raise exception 'project scope_id % not found in org', new.scope_id;
+    end if;
+  return new;
+  end;
+  $$;
+
+
+--
+-- name: function ensure_project_belongs_to_role_org(); type: comment; schema: public; owner: -
+--
+
+comment on function public.ensure_project_belongs_to_role_org() is 'ensure_project_belongs_to_role_org ensures the project belongs to the org of the role.';
+
+
+--
+-- postgresql database dump complete
+--
+
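
Review bot: the exception in the `if not found` branch reports only new.scope_id, but the lookup also fails when new.role_id is not a row in iam_role_org, so 'project scope_id % not found in org' can point at the wrong cause. Include new.role_id in the message, and strip the trailing spaces after `join iam_role_org`, `iam_scope_project.parent_id`, `new.role_id;` and `if not found then`.
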
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_scope_update_time.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_scope_update_time.sql
new file mode 100644
index 000000000..8812b815c
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_scope_update_time.sql
@@ -0,0 +1,45 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: insert_grant_scope_update_time(); type: function; schema: public; owner: -
+--
+
+create function public.insert_grant_scope_update_time() returns trigger
+    language plpgsql
+    as $$
+  begin
+    if new.grant_scope is distinct from old.grant_scope then
+      new.grant_scope_update_time = now();
+    end if;
+    return new;
+  end;
+  $$;
+
+
+--
+-- name: function insert_grant_scope_update_time(); type: comment; schema: public; owner: -
+--
+
+comment on function public.insert_grant_scope_update_time() is 'insert_grant_scope_update_time is used to automatically update the grant_scope_update_time of the subtype table whenever the grant_scope column is updated';
+
+
+--
+-- postgresql database dump complete
+--
+
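
Review bot: insert_grant_scope_update_time compares new.grant_scope with old.grant_scope, and old has no row on insert, so the insert_ prefix is misleading and grant_scope_update_time is not stamped by this function when the role is first created. Rename it to match its update-only use (its own comment says 'whenever the grant_scope column is updated') or document how the initial value is set.
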
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_this_role_scope_update_time.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_this_role_scope_update_time.sql
new file mode 100644
index 000000000..bed688615
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_grant_this_role_scope_update_time.sql
@@ -0,0 +1,45 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: insert_grant_this_role_scope_update_time(); type: function; schema: public; owner: -
+--
+
+create function public.insert_grant_this_role_scope_update_time() returns trigger
+    language plpgsql
+    as $$
+  begin
+    if new.grant_this_role_scope is distinct from old.grant_this_role_scope then
+      new.grant_this_role_scope_update_time = now();
+    end if;
+    return new;
+  end;
+  $$;
+
+
+--
+-- name: function insert_grant_this_role_scope_update_time(); type: comment; schema: public; owner: -
+--
+
+comment on function public.insert_grant_this_role_scope_update_time() is 'insert_grant_this_role_scope_update_time is used to automatically update the grant_scope_update_time of the subtype table whenever the grant_this_role_scope column is updated';
+
+
+--
+-- postgresql database dump complete
+--
+
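
Review bot: the comment on insert_grant_this_role_scope_update_time says it updates 'the grant_scope_update_time', but the body sets new.grant_this_role_scope_update_time. Correct the column name in the comment. The function also reads old.grant_this_role_scope, so it is update-only despite the insert_ prefix.
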
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_role_subtype.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_role_subtype.sql
new file mode 100644
index 000000000..e33cae229
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/insert_role_subtype.sql
@@ -0,0 +1,46 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: insert_role_subtype(); type: function; schema: public; owner: -
+--
+
+create function public.insert_role_subtype() returns trigger
+    language plpgsql
+    as $$
+  begin
+    insert into iam_role
+      (public_id, scope_id)
+    values
+      (new.public_id, new.scope_id);
+    return new;
+  end;
+  $$;
+
+
+--
+-- name: function insert_role_subtype(); type: comment; schema: public; owner: -
+--
+
+comment on function public.insert_role_subtype() is 'insert_role_subtype is used to automatically insert a row into the iam_role table whenever a row is inserted into the subtype table';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/set_resource.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/set_resource.sql
new file mode 100644
index 000000000..ff9f13de5
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/set_resource.sql
@@ -0,0 +1,50 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: set_resource(); type: function; schema: public; owner: -
+--
+
+create function public.set_resource() returns trigger
+    language plpgsql
+    as $$
+  declare resource text[];
+  begin
+    select regexp_matches(new.canonical_grant, 'type=([^;]+);')
+    into resource;
+    if resource is null then
+      new.resource = 'unknown';
+    else
+      new.resource = resource[1];
+    end if;
+    return new;
+  end
+  $$;
+
+
+--
+-- name: function set_resource(); type: comment; schema: public; owner: -
+--
+
+comment on function public.set_resource() is 'set_resource is a trigger function that sets the resource column based on the canonical_grant.';
+
+
+--
+-- postgresql database dump complete
+--
+
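
Review bot: the pattern 'type=([^;]+);' in set_resource is unanchored and requires a ';' after the value, so a grant whose type is the last component without a trailing semicolon falls through to 'unknown', and any key that merely ends in 'type' would also match. Anchor the key to a component boundary, for example '(^|;)type=([^;]+)(;|$)' (reading the second capture group), and decide whether a grant with no parsable type should be rejected rather than stored as 'unknown'.
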
diff --git a/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/upsert_canonical_grant.sql b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/upsert_canonical_grant.sql
new file mode 100644
index 000000000..6a32040fe
--- /dev/null
+++ b/.schema-diff/funcs_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/upsert_canonical_grant.sql
@@ -0,0 +1,47 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: upsert_canonical_grant(); type: function; schema: public; owner: -
+--
+
+create function public.upsert_canonical_grant() returns trigger
+    language plpgsql
+    as $$
+  begin
+    insert into iam_grant
+      (canonical_grant)
+    values
+      (new.canonical_grant)
+    on conflict do nothing;
+    return new;
+  end
+  $$;
+
+
+--
+-- name: function upsert_canonical_grant(); type: comment; schema: public; owner: -
+--
+
+comment on function public.upsert_canonical_grant() is 'upsert_canonical_grant is a trigger function that inserts a row into the iam_grant table if the canonical_grant does not exist.';
+
+
+--
+-- postgresql database dump complete
+--
+
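
Review bot: `on conflict do nothing` in upsert_canonical_grant names no conflict target, so it silently swallows a violation of any unique or exclusion constraint on iam_grant, not only a duplicate canonical_grant. Write `on conflict (canonical_grant) do nothing` so the intent is explicit. The function comment could also say 'insert if absent', since no existing row is updated.
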

Tables

diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant.sql
new file mode 100644
index 000000000..19ed0651b
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_grant; type: table; schema: public; owner: -
+--
+
+create table public.iam_grant (
+    canonical_grant text not null,
+    resource text not null
+);
+
+
+--
+-- name: table iam_grant; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_grant is 'iam_grant is the root table for a grant value object. a grant can only reference a single resource, including the special strings "*" to indicate "all" resources, and "unknown" when no resource is set.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm.sql
new file mode 100644
index 000000000..3c001c302
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_grant_resource_enm; type: table; schema: public; owner: -
+--
+
+create table public.iam_grant_resource_enm (
+    name text not null,
+    constraint only_predefined_resource_types_allowed check ((name = any (array['*'::text, 'alias'::text, 'auth-method'::text, 'auth-token'::text, 'account'::text, 'billing'::text, 'controller'::text, 'credential'::text, 'credential-library'::text, 'credential-store'::text, 'group'::text, 'host'::text, 'host-catalog'::text, 'host-set'::text, 'managed-group'::text, 'policy'::text, 'role'::text, 'scope'::text, 'session'::text, 'session-recording'::text, 'storage-bucket'::text, 'target'::text, 'unknown'::text, 'user'::text, 'worker'::text])))
+);
+
+
+--
+-- name: table iam_grant_resource_enm; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_grant_resource_enm is 'iam_grant_resource_enm is an enumeration table for resource types.';
+
+
+--
+-- postgresql database dump complete
+--
+
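
Review bot: in only_predefined_resource_types_allowed the values are alphabetical except 'account', which sits after 'auth-token'. Keeping the array strictly sorted makes it easier to check the list for a missing or duplicated resource type when one is added.
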
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global.sql
new file mode 100644
index 000000000..0482305d7
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global.sql
@@ -0,0 +1,52 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_global; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_global (
+    public_id public.wt_role_id not null,
+    scope_id public.wt_scope_id not null,
+    name text,
+    description text,
+    grant_this_role_scope boolean default false not null,
+    grant_scope text not null,
+    version public.wt_version,
+    grant_this_role_scope_update_time public.wt_timestamp,
+    grant_scope_update_time public.wt_timestamp,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp
+);
+
+
+--
+-- name: table iam_role_global; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_global is 'iam_role_global is the subtype table for the global role. grant_this_role_scope_update_time and grant_scope_update_time are used to track the last time the grant_this_role_scope and grant_scope columns were updated.';
+
+
+--
+-- postgresql database dump complete
+--
+
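
Review bot: nothing in this definition of iam_role_global restricts scope_id to 'global', whereas iam_role_global_individual_grant_scope carries an inline scope_id_is_not_global check. If the restriction is enforced by a foreign key defined elsewhere, say so in the table comment; otherwise add a check that scope_id equals 'global'.
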
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm.sql
new file mode 100644
index 000000000..c7bd2de55
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_global_grant_scope_enm; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_global_grant_scope_enm (
+    name text not null,
+    constraint only_predefined_scope_types_allowed check ((name = any (array['descendants'::text, 'children'::text, 'individual'::text])))
+);
+
+
+--
+-- name: table iam_role_global_grant_scope_enm; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_global_grant_scope_enm is 'iam_role_global_grant_scope_enm is an enumeration table for role grant scope types for the iam_role_global table.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope.sql
new file mode 100644
index 000000000..71e65b865
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope.sql
@@ -0,0 +1,47 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_global_individual_grant_scope; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_global_individual_grant_scope (
+    role_id public.wt_role_id,
+    grant_scope text not null,
+    scope_id public.wt_scope_id not null,
+    create_time public.wt_timestamp,
+    constraint only_individual_grant_scope_allowed check ((grant_scope = 'individual'::text)),
+    constraint scope_id_is_not_global check (((scope_id)::text <> 'global'::text))
+);
+
+
+--
+-- name: table iam_role_global_individual_grant_scope; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_global_individual_grant_scope is 'iam_role_global_individual_grant_scope is the subtype table for the global role with grant_scope as individual.';
+
+
+--
+-- postgresql database dump complete
+--
+
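
Review bot: role_id in iam_role_global_individual_grant_scope is declared without `not null`, unlike grant_scope and scope_id in the same table. Unless the wt_role_id domain or a key defined elsewhere already forbids nulls, add `not null` so a scope row cannot exist without a role.
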
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org.sql
new file mode 100644
index 000000000..83a60b4a7
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org.sql
@@ -0,0 +1,52 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_org; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_org (
+    public_id public.wt_role_id not null,
+    scope_id public.wt_scope_id not null,
+    name text,
+    description text,
+    grant_this_role_scope boolean default false not null,
+    grant_scope text not null,
+    version public.wt_version,
+    grant_this_role_scope_update_time public.wt_timestamp,
+    grant_scope_update_time public.wt_timestamp,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp
+);
+
+
+--
+-- name: table iam_role_org; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_org is 'iam_role_org is a subtype table of the iam_role table. it is used to store roles that are scoped to an org.';
+
+
+--
+-- postgresql database dump complete
+--
+
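
Review bot: the comment on iam_role_org does not explain grant_this_role_scope_update_time and grant_scope_update_time, which the iam_role_global comment does for the same columns. Mirror that sentence here so the two subtype tables are documented consistently.
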
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm.sql
new file mode 100644
index 000000000..f4aec7274
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_org_grant_scope_enm; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_org_grant_scope_enm (
+    name text not null,
+    constraint only_predefined_scope_types_allowed check ((name = any (array['children'::text, 'individual'::text])))
+);
+
+
+--
+-- name: table iam_role_org_grant_scope_enm; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_org_grant_scope_enm is 'iam_role_org_grant_scope_enm is an enumeration table for role grant scope types for the iam_role_org table.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope.sql
new file mode 100644
index 000000000..f88b14c5a
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope.sql
@@ -0,0 +1,46 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_org_individual_grant_scope; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_org_individual_grant_scope (
+    role_id public.wt_role_id,
+    grant_scope text not null,
+    scope_id public.wt_scope_id not null,
+    create_time public.wt_timestamp,
+    constraint only_individual_grant_scope_allowed check ((grant_scope = 'individual'::text))
+);
+
+
+--
+-- name: table iam_role_org_individual_grant_scope; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_org_individual_grant_scope is 'iam_role_global_individual_grant_scope is the subtype table for the org role with grant_scope as individual.';
+
+
+--
+-- postgresql database dump complete
+--
+
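
Review bot: the `comment on table public.iam_role_org_individual_grant_scope` text opens with the wrong table name ('iam_role_global_individual_grant_scope is the subtype table for the org role ...'); it should name iam_role_org_individual_grant_scope. In the same create table, role_id is declared as `public.wt_role_id` without `not null` while scope_id has it; unless the domain or a primary key already forbids nulls, add `not null` so a grant scope row cannot exist without a role. The only check in this table is on grant_scope, so the rule that the project must belong to the role's org has to be enforced by a foreign key or trigger elsewhere in the migration; please point to where that is done.
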
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project.sql
new file mode 100644
index 000000000..54d5a63ec
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project.sql
@@ -0,0 +1,48 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: iam_role_project; type: table; schema: public; owner: -
+--
+
+create table public.iam_role_project (
+    public_id public.wt_role_id not null,
+    scope_id public.wt_scope_id not null,
+    name text,
+    description text,
+    version public.wt_version,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp
+);
+
+
+--
+-- name: table iam_role_project; type: comment; schema: public; owner: -
+--
+
+comment on table public.iam_role_project is 'iam_role_project is a subtype table of the iam_role table. it is used to store roles that are scoped to a project.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
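
Review bot: `public iam_grant.sql` contains only the pg_dump preamble and no `create table`, and the eight `public <table>.sql` files that follow have the same blob index cafbbade1, so all nine are identical empty dumps. The `public ` prefix with a space in the file name suggests the schema-diff script passed a schema-qualified name that the dump did not match. Drop these files from the change and make the script fail when a requested table yields no definition instead of writing an empty file.
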
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant_resource_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant_resource_enm.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_grant_resource_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_grant_scope_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_grant_scope_enm.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_grant_scope_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_individual_grant_scope.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_individual_grant_scope.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_global_individual_grant_scope.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_grant_scope_enm.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_grant_scope_enm.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_grant_scope_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_individual_grant_scope.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_individual_grant_scope.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_org_individual_grant_scope.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_project.sql b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_project.sql
new file mode 100644
index 000000000..cafbbade1
--- /dev/null
+++ b/.schema-diff/tables_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/public iam_role_project.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+

Views

Unchanged

Triggers

diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant set_resource.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant set_resource.sql
new file mode 100644
index 000000000..f9e3663cc
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant set_resource.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_grant set_resource; type: trigger; schema: public; owner: -
+--
+
+create trigger set_resource before insert on public.iam_grant for each row execute function public.set_resource();
+
+
+--
+-- postgresql database dump complete
+--
+
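
Review bot: set_resource is attached only `before insert on public.iam_grant`, so the resource value is derived once and never recomputed. If the canonical grant on an iam_grant row can be updated, the stored resource will drift from the grant string it was derived from. Either add an immutable_columns trigger on iam_grant covering the grant and resource columns, or extend this trigger to `before insert or update`.
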
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global default_create_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global default_create_time_column.sql
new file mode 100644
index 000000000..38fc17d83
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.iam_role_global for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global immutable_columns.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global immutable_columns.sql
new file mode 100644
index 000000000..e48c8aa04
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.iam_role_global for each row execute function public.immutable_columns('scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
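
Review bot: immutable_columns on iam_role_global is given only 'scope_id' and 'create_time'; the role's id column is not in the list, and the iam_role_org immutable_columns trigger later in this diff has the same two arguments. If public_id (the id column shown on iam_role_project) is meant to be fixed after creation, add it to both triggers, or note in the migration what else prevents it from being changed.
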
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_scope_update_time.sql
new file mode 100644
index 000000000..3b4a7aa6f
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global insert_grant_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_grant_scope_update_time before insert on public.iam_role_global for each row execute function public.insert_grant_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_this_role_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_this_role_scope_update_time.sql
new file mode 100644
index 000000000..270011ff2
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_grant_this_role_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global insert_grant_this_role_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_grant_this_role_scope_update_time before insert on public.iam_role_global for each row execute function public.insert_grant_this_role_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_role_subtype.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_role_subtype.sql
new file mode 100644
index 000000000..2916aab53
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global insert_role_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global insert_role_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_role_subtype before insert on public.iam_role_global for each row execute function public.insert_role_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_scope_update_time.sql
new file mode 100644
index 000000000..10a636720
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global update_iam_role_global_grant_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger update_iam_role_global_grant_scope_update_time before update on public.iam_role_global for each row execute function public.insert_grant_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
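
Review bot: the `before update` trigger update_iam_role_global_grant_scope_update_time executes public.insert_grant_scope_update_time(), the same function the `before insert` trigger uses. Please confirm the function branches on tg_op and, on update, sets the grant scope timestamp only when new.grant_scope is distinct from old.grant_scope; otherwise an unrelated update such as a rename resets it. Since the function serves both operations, a name without the insert_ prefix would be clearer. The same applies to insert_grant_this_role_scope_update_time() and its update trigger.
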
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_this_role_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_this_role_scope_update_time.sql
new file mode 100644
index 000000000..ac9804c1f
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_iam_role_global_grant_this_role_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global update_iam_role_global_grant_this_role_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger update_iam_role_global_grant_this_role_scope_update_time before update on public.iam_role_global for each row execute function public.insert_grant_this_role_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_time_column.sql
new file mode 100644
index 000000000..36908e0f1
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.iam_role_global for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_version_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_version_column.sql
new file mode 100644
index 000000000..a90c44b01
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.iam_role_global for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope default_create_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope default_create_time_column.sql
new file mode 100644
index 000000000..e8bb29812
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global_individual_grant_scope default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.iam_role_global_individual_grant_scope for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope immutable_columns.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope immutable_columns.sql
new file mode 100644
index 000000000..387dc9895
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_individual_grant_scope immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_global_individual_grant_scope immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.iam_role_global_individual_grant_scope for each row execute function public.immutable_columns('role_id', 'grant_scope', 'scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant upsert_canonical_grant.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant upsert_canonical_grant.sql
new file mode 100644
index 000000000..298f7f781
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant upsert_canonical_grant.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_grant upsert_canonical_grant; type: trigger; schema: public; owner: -
+--
+
+create trigger upsert_canonical_grant before insert on public.iam_role_grant for each row execute function public.upsert_canonical_grant();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org default_create_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org default_create_time_column.sql
new file mode 100644
index 000000000..d22704c1f
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.iam_role_org for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org immutable_columns.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org immutable_columns.sql
new file mode 100644
index 000000000..93fbf622c
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.iam_role_org for each row execute function public.immutable_columns('scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_scope_update_time.sql
new file mode 100644
index 000000000..278c70618
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org insert_iam_role_org_grant_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_iam_role_org_grant_scope_update_time before insert on public.iam_role_org for each row execute function public.insert_grant_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
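
Review bot: the trigger name insert_iam_role_org_grant_scope_update_time does not follow the naming used for the same trigger on iam_role_global, which is insert_grant_scope_update_time with no table name, while the update triggers on iam_role_global do carry the table name (update_iam_role_global_grant_scope_update_time). Trigger names are scoped to their table, so pick either the short form or the prefixed form and use it for all of the grant scope timestamp triggers.
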
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_this_role_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_this_role_scope_update_time.sql
new file mode 100644
index 000000000..677714355
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_iam_role_org_grant_this_role_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org insert_iam_role_org_grant_this_role_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_iam_role_org_grant_this_role_scope_update_time before insert on public.iam_role_org for each row execute function public.insert_grant_this_role_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_role_subtype.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_role_subtype.sql
new file mode 100644
index 000000000..9f9eae3ca
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org insert_role_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org insert_role_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_role_subtype before insert on public.iam_role_org for each row execute function public.insert_role_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_scope_update_time.sql
new file mode 100644
index 000000000..06fb336ec
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org update_iam_role_org_grant_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger update_iam_role_org_grant_scope_update_time before update on public.iam_role_org for each row execute function public.insert_grant_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
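Review bot: update_iam_role_org_grant_scope_update_time runs public.insert_grant_scope_update_time(), the same function the insert trigger uses, and it has no `update of grant_scope` column list or `when` clause, so it fires on every row update of iam_role_org. Unless the function itself compares old.grant_scope with new.grant_scope (and branches on tg_op so the insert path never reads old), the grant scope timestamp will be bumped by unrelated edits. Suggest `before update of grant_scope` here, or an operation-neutral function name plus a comment stating that the function does the comparison. The same question applies to the grant_this_role_scope insert/update pair.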
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_this_role_scope_update_time.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_this_role_scope_update_time.sql
new file mode 100644
index 000000000..c640b969b
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_iam_role_org_grant_this_role_scope_update_time.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org update_iam_role_org_grant_this_role_scope_update_time; type: trigger; schema: public; owner: -
+--
+
+create trigger update_iam_role_org_grant_this_role_scope_update_time before update on public.iam_role_org for each row execute function public.insert_grant_this_role_scope_update_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_time_column.sql
new file mode 100644
index 000000000..bca6f1fa4
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.iam_role_org for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_version_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_version_column.sql
new file mode 100644
index 000000000..ac183ffc0
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.iam_role_org for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope default_create_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope default_create_time_column.sql
new file mode 100644
index 000000000..549c82d41
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org_individual_grant_scope default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.iam_role_org_individual_grant_scope for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope ensure_project_belongs_to_role_org.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope ensure_project_belongs_to_role_org.sql
new file mode 100644
index 000000000..767781c04
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope ensure_project_belongs_to_role_org.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org_individual_grant_scope ensure_project_belongs_to_role_org; type: trigger; schema: public; owner: -
+--
+
+create trigger ensure_project_belongs_to_role_org before insert or update on public.iam_role_org_individual_grant_scope for each row execute function public.ensure_project_belongs_to_role_org();
+
+
+--
+-- postgresql database dump complete
+--
+
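Review bot: the `or update` half of ensure_project_belongs_to_role_org overlaps with the immutable_columns trigger on this same table, which lists role_id and scope_id. If those two columns cannot change after insert, the update path repeats the membership lookup on every update without being able to find a new violation, and because same-event triggers fire in name order this one runs before immutable_columns and decides which error the caller sees. Suggest `before insert` only, or a comment explaining why the update path is kept. A test that inserts a project belonging to a different org would pin the behaviour down.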
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope immutable_columns.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope immutable_columns.sql
new file mode 100644
index 000000000..888e12e1d
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_individual_grant_scope immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_org_individual_grant_scope immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.iam_role_org_individual_grant_scope for each row execute function public.immutable_columns('role_id', 'grant_scope', 'scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project default_create_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project default_create_time_column.sql
new file mode 100644
index 000000000..dc5cbf322
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_project default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.iam_role_project for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project immutable_columns.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project immutable_columns.sql
new file mode 100644
index 000000000..a1d0efe3a
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_project immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.iam_role_project for each row execute function public.immutable_columns('scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project insert_role_subtype.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project insert_role_subtype.sql
new file mode 100644
index 000000000..881b81811
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project insert_role_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_project insert_role_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_role_subtype before insert on public.iam_role_project for each row execute function public.insert_role_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
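Review bot: iam_role_project gets insert_role_subtype, but no delete counterpart appears in its trigger set (the files go from default_create_time_column straight to immutable_columns). iam_role_fkey cascades deletes from iam_role down to the subtype row, not the other way, so a delete issued directly against iam_role_project would leave a base iam_role row with no subtype. Suggest adding an after delete trigger that removes the base row, or documenting that deletes must always go through iam_role.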
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_time_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_time_column.sql
new file mode 100644
index 000000000..f840af869
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_project update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.iam_role_project for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_version_column.sql b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_version_column.sql
new file mode 100644
index 000000000..926c5f152
--- /dev/null
+++ b/.schema-diff/triggers_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: iam_role_project update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.iam_role_project for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+

Indexes

diff --git a/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_ix.sql b/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_ix.sql
new file mode 100644
index 000000000..0130de4db
--- /dev/null
+++ b/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_ix.sql
@@ -0,0 +1,31 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+--
+-- name: iam_grant_resource_ix; type: index; schema: public; owner: -
+--
+
+create index iam_grant_resource_ix on public.iam_grant using btree (resource);
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant_canonical_grant_ix.sql b/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant_canonical_grant_ix.sql
new file mode 100644
index 000000000..f4cb1de0f
--- /dev/null
+++ b/.schema-diff/indexes_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_grant_canonical_grant_ix.sql
@@ -0,0 +1,31 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.20
+-- dumped by pg_dump version 16.8 (ubuntu 16.8-1.pgdg24.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+--
+-- name: iam_role_grant_canonical_grant_ix; type: index; schema: public; owner: -
+--
+
+create index iam_role_grant_canonical_grant_ix on public.iam_role_grant using btree (canonical_grant);
+
+
+--
+-- postgresql database dump complete
+--
+

Constraints

diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_pkey.sql
new file mode 100644
index 000000000..2fb5122f0
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_grant iam_grant_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_grant_pkey primary key (canonical_grant);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_pkey.sql
new file mode 100644
index 000000000..7bfc252fe
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_grant_resource_enm iam_grant_resource_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_grant_resource_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_pkey.sql
new file mode 100644
index 000000000..0b5a1b1e4
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global_grant_scope_enm iam_role_global_grant_scope_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_role_global_grant_scope_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_public_id_uq.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_public_id_uq.sql
new file mode 100644
index 000000000..a2e884a11
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_public_id_uq.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global iam_role_global_grant_scope_public_id_uq; type: constraint; schema: public; owner: -
+    add constraint iam_role_global_grant_scope_public_id_uq unique (grant_scope, public_id);
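Review bot: public_id is already the primary key of iam_role_global (iam_role_global_pkey), so unique (grant_scope, public_id) adds no uniqueness of its own and exists only as the target of the composite foreign key from iam_role_global_individual_grant_scope. Please say so in a comment in the migration so it is not later dropped as redundant, and consider declaring it as (public_id, grant_scope) to match the column order that foreign key uses. The same applies to iam_role_org_grant_scope_public_id_uq.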
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_pkey.sql
new file mode 100644
index 000000000..9af128097
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global iam_role_global_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_role_global_pkey primary key (public_id);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_pkey.sql
new file mode 100644
index 000000000..f66c27bf1
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org_grant_scope_enm iam_role_org_grant_scope_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_role_org_grant_scope_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_public_id_uq.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_public_id_uq.sql
new file mode 100644
index 000000000..102e3fac8
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_public_id_uq.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org iam_role_org_grant_scope_public_id_uq; type: constraint; schema: public; owner: -
+    add constraint iam_role_org_grant_scope_public_id_uq unique (grant_scope, public_id);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_pkey.sql
new file mode 100644
index 000000000..c44b1d9dc
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org iam_role_org_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_role_org_pkey primary key (public_id);
diff --git a/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project_pkey.sql b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project_pkey.sql
new file mode 100644
index 000000000..f0d794e98
--- /dev/null
+++ b/.schema-diff/constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_project_pkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_project iam_role_project_pkey; type: constraint; schema: public; owner: -
+    add constraint iam_role_project_pkey primary key (public_id);

Foreign Key Constraints

diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_fkey.sql
new file mode 100644
index 000000000..222fc1683
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_grant iam_grant_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_grant_fkey foreign key (canonical_grant) references public.iam_grant(canonical_grant) on update cascade on delete cascade;
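Review bot: `on delete cascade` from iam_grant to iam_role_grant means deleting one iam_grant row silently removes that grant from every role that carries it, while the enum reference in iam_grant_resource_enm_fkey uses `on delete restrict`. For an authorization table, a permission change that happens as a side effect of cleaning up a lookup table is hard to audit. Suggest `on delete restrict` here as well, so iam_grant rows can only be removed once no role references them, or a comment stating that the cascade is intended and which code path is allowed to delete from iam_grant.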
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_fkey.sql
new file mode 100644
index 000000000..183e649d3
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_grant_resource_enm_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_grant iam_grant_resource_enm_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_grant_resource_enm_fkey foreign key (resource) references public.iam_grant_resource_enm(name) on update cascade on delete restrict;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_fkey.sql
new file mode 100644
index 000000000..e80c6927f
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_fkey.sql
@@ -0,0 +1,6 @@
+-- name: iam_role_global iam_role_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_fkey foreign key (public_id) references public.iam_role(public_id) on update cascade on delete cascade;
+-- name: iam_role_org iam_role_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_fkey foreign key (public_id) references public.iam_role(public_id) on update cascade on delete cascade;
+-- name: iam_role_project iam_role_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_fkey foreign key (public_id) references public.iam_role(public_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_fkey.sql
new file mode 100644
index 000000000..09ebd3861
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global_individual_grant_scope iam_role_global_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_global_fkey foreign key (role_id) references public.iam_role_global(public_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_fkey.sql
new file mode 100644
index 000000000..19cb8c5d7
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_enm_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global iam_role_global_grant_scope_enm_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_global_grant_scope_enm_fkey foreign key (grant_scope) references public.iam_role_global_grant_scope_enm(name) on update cascade on delete restrict;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_fkey.sql
new file mode 100644
index 000000000..d4a6672e3
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_global_grant_scope_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_global_individual_grant_scope iam_role_global_grant_scope_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_global_grant_scope_fkey foreign key (role_id, grant_scope) references public.iam_role_global(public_id, grant_scope) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_fkey.sql
new file mode 100644
index 000000000..b70dc002a
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org_individual_grant_scope iam_role_org_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_org_fkey foreign key (role_id) references public.iam_role_org(public_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_fkey.sql
new file mode 100644
index 000000000..f7b85af15
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_enm_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org iam_role_org_grant_scope_enm_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_org_grant_scope_enm_fkey foreign key (grant_scope) references public.iam_role_org_grant_scope_enm(name) on update cascade on delete restrict;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_fkey.sql
new file mode 100644
index 000000000..ef0a43d2e
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_role_org_grant_scope_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org_individual_grant_scope iam_role_org_grant_scope_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_role_org_grant_scope_fkey foreign key (role_id, grant_scope) references public.iam_role_org(public_id, grant_scope) on update cascade on delete cascade;
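Review bot: `on update cascade` on (role_id, grant_scope) collides with the immutable_columns trigger on iam_role_org_individual_grant_scope, which lists both role_id and grant_scope. A cascaded update runs as an ordinary update on the child rows and fires that trigger, so, assuming immutable_columns raises on a changed column as its name implies, changing grant_scope on an iam_role_org row that still has individual rows will fail rather than cascade. If that is the intended guard (callers must delete the individual rows before switching the role to children), state it in the migration and add a test for it; otherwise `on update restrict` expresses the behaviour more directly.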
diff --git a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_fkey.sql
index 3d4be1d79..83afbb7bf 100644
--- a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_fkey.sql
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_fkey.sql
@@ -4,3 +4,5 @@
     add constraint iam_scope_fkey foreign key (scope_id) references public.iam_scope(public_id) on update cascade on delete cascade;
 -- name: alias_target iam_scope_fkey; type: fk constraint; schema: public; owner: -
     add constraint iam_scope_fkey foreign key (scope_id) references public.iam_scope(public_id) on update cascade on delete cascade;
+-- name: iam_role_global_individual_grant_scope iam_scope_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_scope_fkey foreign key (scope_id) references public.iam_scope(public_id) on update cascade on delete cascade;
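Review bot: on the new iam_role_global_individual_grant_scope constraint, `scope_id` references `public.iam_scope(public_id)`, which also accepts the global scope's own id, while the PR description limits individual grant scopes to orgs and/or projects and covers the role's own scope through grant_this_role_scope. Suggest a check or trigger that rejects the global scope id on this table, or a comment pointing to where that restriction is enforced, so the two mechanisms cannot both grant the same scope.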
diff --git a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_global_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_global_fkey.sql
index 4cbea874c..1a7757aae 100644
--- a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_global_fkey.sql
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_global_fkey.sql
@@ -1,2 +1,4 @@
 -- name: plugin iam_scope_global_fkey; type: fk constraint; schema: public; owner: -
     add constraint iam_scope_global_fkey foreign key (scope_id) references public.iam_scope_global(scope_id) on update cascade on delete cascade;
+-- name: iam_role_global iam_scope_global_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_scope_global_fkey foreign key (scope_id) references public.iam_scope_global(scope_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_org_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_org_fkey.sql
new file mode 100644
index 000000000..7a342ff71
--- /dev/null
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_org_fkey.sql
@@ -0,0 +1,2 @@
+-- name: iam_role_org iam_scope_org_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_scope_org_fkey foreign key (scope_id) references public.iam_scope_org(scope_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_org_scope_id_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_org_scope_id_fkey.sql
index 6919cd49d..ba173a911 100644
--- a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_org_scope_id_fkey.sql
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_org_scope_id_fkey.sql
@@ -1,2 +1,4 @@
 -- name: iam_scope_org iam_scope_org_scope_id_fkey; type: fk constraint; schema: public; owner: -
     add constraint iam_scope_org_scope_id_fkey foreign key (scope_id) references public.iam_scope(public_id) on update cascade on delete cascade;
+-- name: iam_role_org_individual_grant_scope iam_scope_org_scope_id_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_scope_org_scope_id_fkey foreign key (scope_id) references public.iam_scope_project(scope_id) on update cascade on delete cascade;
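Review bot: the constraint added for iam_role_org_individual_grant_scope reuses the name `iam_scope_org_scope_id_fkey` but references `public.iam_scope_project(scope_id)`, whereas the existing constraint of that name on iam_scope_org references `public.iam_scope(public_id)`; the name reads as an org reference and is easy to misread when auditing the grant tables. Suggest a name that says project, in line with the `iam_scope_project_fkey` naming used elsewhere in this diff. Separately, this key only proves that the scope is a project. The description's requirement that the project belong to the role's org needs its own enforcement, which is not visible in this hunk.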
diff --git a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_project_fkey.sql b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_project_fkey.sql
index a69ad57f1..fb0667836 100644
--- a/.schema-diff/fk_constraints_5de0c8c1029ed02be9e4322eb7b25b7d739733fc/iam_scope_project_fkey.sql
+++ b/.schema-diff/fk_constraints_3f4e17bc6df9a9d894fb789149953c02fcfc4b27/iam_scope_project_fkey.sql
@@ -6,3 +6,5 @@
     add constraint iam_scope_project_fkey foreign key (project_id) references public.iam_scope_project(scope_id) on update cascade on delete cascade;
 -- name: target iam_scope_project_fkey; type: fk constraint; schema: public; owner: -
     add constraint iam_scope_project_fkey foreign key (project_id) references public.iam_scope_project(scope_id) on update cascade on delete cascade;
+-- name: iam_role_project iam_scope_project_fkey; type: fk constraint; schema: public; owner: -
+    add constraint iam_scope_project_fkey foreign key (scope_id) references public.iam_scope_project(scope_id) on update cascade on delete cascade;
