From 5a86021633082e38230533c66941aec369262bb5 Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Fri, 5 Jun 2026 17:24:27 -0400
Subject: [PATCH] feat: migration script to have cohort generation permission limited to team role
---
...00000__custom_ctds_restricted_cohort_generation.sql | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 src/main/resources/db/migration/postgresql/V2.15.0.20260605000000__custom_ctds_restricted_cohort_generation.sql
diff --git a/src/main/resources/db/migration/postgresql/V2.15.0.20260605000000__custom_ctds_restricted_cohort_generation.sql b/src/main/resources/db/migration/postgresql/V2.15.0.20260605000000__custom_ctds_restricted_cohort_generation.sql
new file mode 100644
index 000000000..fc2c97352
--- /dev/null
+++ b/src/main/resources/db/migration/postgresql/V2.15.0.20260605000000__custom_ctds_restricted_cohort_generation.sql
@@ -0,0 +1,10 @@
+-- Delete all sec_role_permission entries tied to permission 'cohortdefinition:%:generate:%:get'.
+-- This will give us a clean slate to start assigning this permission to only the "teamproject" roles:
+-- TODO - note that this assumes the whole system is running in "teamproject" mode... i.e. it is not configurable now.
+DELETE from ${ohdsiSchema}.sec_role_permission where sec_role_permission.permission_id in
+(
+SELECT ${ohdsiSchema}.sec_permission.id
+FROM ${ohdsiSchema}.sec_permission
+where
+ sec_permission.value like 'cohortdefinition:%:generate:%:get'
+ );
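Review bot: The `like 'cohortdefinition:%:generate:%:get'` predicate treats both `%` as wildcards, so the DELETE removes every permission of that shape from every role, not the single permission the leading comment suggests; that presumably includes any administrative role. Nothing in this migration re-grants the permission to the "teamproject" roles, so the restriction only holds if the grant is made elsewhere and if no other code path later re-assigns these permissions to other roles; neither is visible in this patch. Because the rows are deleted without a copy, there is also no record of which roles held the permission before the change, which makes audit and rollback harder. I would state the scope in the comment, e.g. `-- '%' is a LIKE wildcard: removes all matching generate permissions from ALL roles; re-grant to teamproject roles happens in <migration or code path>`, and consider copying the affected rows to a backup table before the DELETE.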