From 9768b494e4d81c07ee14063a37ca0f8cf990e0e9 Mon Sep 17 00:00:00 2001
From: Chi Cho
Date: Thu, 12 Mar 2026 14:52:55 +0000
Subject: [PATCH 1/2] PO-2827 - Populate test roles and user role assignments for Opal domain
---
 ...late_test_roles_from_user_entitlements.sql | 57 +++++++++++++++++++
 ...populate_test_business_unit_user_roles.sql | 55 ++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100644 src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
 create mode 100644 src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
diff --git a/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql b/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
new file mode 100644
index 00000000..395ee0f6
--- /dev/null
+++ b/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
@@ -0,0 +1,57 @@
+/**
+* CGI OPAL Program
+*
+* MODULE : populate_test_roles_from_user_entitlements.sql
+*
+* DESCRIPTION : Populates ROLES records for test-only user permissions per Opal domain.
+*
+* VERSION HISTORY:
+*
+* Date Author Version Nature of Change
+* ---------- ------- -------- ----------------------------------------------------------------------------
+* 10/03/2026 C Cho 1.0 PO-2827 Populate test-only roles from obsoleted USER_ENTITLEMENTS/APPLICATION_FUNCTIONS data.
+*
+**/
+
+WITH test_permissions_by_domain AS (
+ SELECT DISTINCT bu.opal_domain_id,
+ af.function_name
+ FROM users u
+ JOIN business_unit_users buu
+ ON buu.user_id = u.user_id
+ JOIN business_units bu
+ ON bu.business_unit_id = buu.business_unit_id
+ JOIN user_entitlements ue
+ ON ue.business_unit_user_id = buu.business_unit_user_id
+ JOIN application_functions af
+ ON af.application_function_id = ue.application_function_id
+ WHERE bu.opal_domain_id IS NOT NULL
+ AND (
+ UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@HMCTS.NET'
+ OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@HMCTS.NET'
+ )
+)
+INSERT INTO roles
+(
+ role_id
+,version_number
+,opal_domain_id
+,role_name
+,is_active
+,application_function_list
+)
+SELECT nextval('role_id_seq')
+ , 1 AS version_number
+ , t.opal_domain_id
+ , LEFT('TEST ONLY - ' || t.function_name, 100) AS role_name
+ , true AS is_active
+ , ARRAY[t.function_name]::varchar(200)[] AS application_function_list
+ FROM test_permissions_by_domain t
+ WHERE NOT EXISTS
+ (
+ SELECT 1
+ FROM roles r
+ WHERE r.opal_domain_id = t.opal_domain_id
+ AND r.version_number = 1
+ AND r.role_name = LEFT('TEST ONLY - ' || t.function_name, 100)
+ );
diff --git a/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql b/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
new file mode 100644
index 00000000..2c62c73c
--- /dev/null
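Review bot: The only thing restricting these `roles` rows to test accounts is the case-insensitive `LIKE 'OPAL-TEST%@HMCTS.NET'` / `LIKE 'OPAL-DEMO-%@HMCTS.NET'` filter on `token_preferred_username` in the `test_permissions_by_domain` CTE of V20260310_050, while the script sits in the shared `db/migration` directory and so presumably runs in every environment, production included. Any account whose preferred username fits that naming convention in a given database ends up with active `TEST ONLY - …` roles there, and the same filter is the sole gate on the assignments made in V20260310_051. I would add a line to the header comment stating the expectation, e.g. `* NOTE: intended for non-production databases only; expected to match zero users elsewhere.`, and consider loading both scripts from a migration location that is configured only for test environments instead of relying on the username convention.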
+++ b/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
@@ -0,0 +1,55 @@
+/**
+* CGI OPAL Program
+*
+* MODULE : populate_test_business_unit_user_roles.sql
+*
+* DESCRIPTION : Populates BUSINESS_UNIT_USER_ROLES records for test-only user role assignments.
+*
+* VERSION HISTORY:
+*
+* Date Author Version Nature of Change
+* ---------- ------- -------- ----------------------------------------------------------------------------
+* 10/03/2026 C Cho 1.0 PO-2827 Assign test-only BU users to domain-consistent roles based on obsoleted USER_ENTITLEMENTS data.
+*
+**/
+
+WITH test_user_role_pairs AS (
+ SELECT DISTINCT buu.business_unit_user_id,
+ r.role_id
+ FROM users u
+ JOIN business_unit_users buu
+ ON buu.user_id = u.user_id
+ JOIN business_units bu
+ ON bu.business_unit_id = buu.business_unit_id
+ JOIN user_entitlements ue
+ ON ue.business_unit_user_id = buu.business_unit_user_id
+ JOIN application_functions af
+ ON af.application_function_id = ue.application_function_id
+ JOIN roles r
+ ON r.opal_domain_id = bu.opal_domain_id
+ AND r.version_number = 1
+ AND r.is_active = true
+ AND r.role_name = LEFT('TEST ONLY - ' || af.function_name, 100)
+ WHERE bu.opal_domain_id IS NOT NULL
+ AND (
+ UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@HMCTS.NET'
+ OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@HMCTS.NET'
+ )
+)
+INSERT INTO business_unit_user_roles
+(
+ business_unit_user_role_id
+,business_unit_user_id
+,role_id
+)
+SELECT nextval('business_unit_user_role_id_seq')
+ , t.business_unit_user_id
+ , t.role_id
+ FROM test_user_role_pairs t
+ WHERE NOT EXISTS
+ (
+ SELECT 1
+ FROM business_unit_user_roles bur
+ WHERE bur.business_unit_user_id = t.business_unit_user_id
+ AND bur.role_id = t.role_id
+ );
From a6892907cb4ce7a18c668b65c09d086032a32e37 Mon Sep 17 00:00:00 2001
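Review bot: The `JOIN roles r` in `test_user_role_pairs` selects the role purely by its display name, `r.role_name = LEFT('TEST ONLY - ' || af.function_name, 100)`, and that name is truncated: the prefix is 12 characters, so two function names that agree on their first 88 characters produce the same `role_name` within a domain. In that case V20260310_050 would insert both roles (its `NOT EXISTS` cannot see rows added by the same statement) and this join would then assign a user both of them, including a function the user was never entitled to; the column length of `function_name` is not visible here, so this may be unreachable with current data. Tying the match to the function itself closes the gap: add `AND af.function_name = ANY (r.application_function_list)` to the join conditions.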
From: Chi Cho
Date: Mon, 30 Mar 2026 16:37:58 +0100
Subject: [PATCH 2/2] Update test role population SQL to use DEV.PLATFORM.HMCTS.NET domain(PO-3559)
---
 ...260310_050__populate_test_roles_from_user_entitlements.sql | 4 ++--
 .../V20260310_051__populate_test_business_unit_user_roles.sql | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql b/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
index 395ee0f6..6ce6ee7e 100644
--- a/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
+++ b/src/main/resources/db/migration/V20260310_050__populate_test_roles_from_user_entitlements.sql
@@ -27,8 +27,8 @@ WITH test_permissions_by_domain AS (
 ON af.application_function_id = ue.application_function_id
 WHERE bu.opal_domain_id IS NOT NULL
 AND (
- UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@HMCTS.NET'
- OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@HMCTS.NET'
+ UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@DEV.PLATFORM.HMCTS.NET'
+ OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@DEV.PLATFORM.HMCTS.NET'
 )
 )
 INSERT INTO roles
diff --git a/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql b/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
index 2c62c73c..a816da4b 100644
--- a/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
+++ b/src/main/resources/db/migration/V20260310_051__populate_test_business_unit_user_roles.sql
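Review bot: This edits the body of V20260310_050 in place (and V20260310_051 in the following hunk) instead of adding a new version; the `V<version>__<name>.sql` naming looks like Flyway-style versioned migrations, where a script already applied to a database is not re-run and a changed checksum fails validation. If any environment ran the [PATCH 1/2] form, the `TEST ONLY - …` roles and assignments created for `@HMCTS.NET` matches stay in place and nothing here removes them. If that can have happened, a new versioned migration that deletes the rows created under the old pattern and re-populates under `@DEV.PLATFORM.HMCTS.NET` would be safer; either way the VERSION HISTORY header should gain a line for the PO-3559 change so the file's own changelog matches its content. The CTE being modified starts and ends outside this hunk.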
@@ -32,8 +32,8 @@ WITH test_user_role_pairs AS (
 AND r.role_name = LEFT('TEST ONLY - ' || af.function_name, 100)
 WHERE bu.opal_domain_id IS NOT NULL
 AND (
- UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@HMCTS.NET'
- OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@HMCTS.NET'
+ UPPER(u.token_preferred_username) LIKE 'OPAL-TEST%@DEV.PLATFORM.HMCTS.NET'
+ OR UPPER(u.token_preferred_username) LIKE 'OPAL-DEMO-%@DEV.PLATFORM.HMCTS.NET'
 )
 )
 INSERT INTO business_unit_user_roles