From d73f1b103aebbd52c0ea800352c795ccc9779041 Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Thu, 28 May 2026 10:11:21 -0400
Subject: [PATCH] fix(seed): grant Design + Deployment to multi-role in primary seed-sites.sh

A fresh ScadaBridgeConfig has only the Admin LdapGroupMappings row (InitialSchema migration ships one row, SecurityConfiguration.HasData declares four). docker-env2/seed-sites.sh already inserts the missing three idempotently; docker/seed-sites.sh did not, so multi-role got Admin only on a primary cutover. Mirror the env2 insert block.
---
 docker-env2/seed-sites.sh | 3 +--
 docker/seed-sites.sh | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/docker-env2/seed-sites.sh b/docker-env2/seed-sites.sh
index 3f3fe163..26d449a5 100755
--- a/docker-env2/seed-sites.sh
+++ b/docker-env2/seed-sites.sh
@@ -37,8 +37,7 @@ echo "Seeding LDAP group mappings (Design + Deployment)..."
 # SecurityConfiguration.HasData declares 4 mappings but the InitialSchema
 # migration only inserts the Admin row, so a fresh ScadaBridgeConfig2 starts
 # with multi-role getting Admin only -- no Design and no Deployment access.
-# Insert the missing three idempotently. (Same divergence exists on the
-# primary, but primary's database has the rows from earlier history.)
+# Insert the missing three idempotently. (Mirror of docker/seed-sites.sh.)
 docker exec -i scadabridge-mssql /opt/mssql-tools18/bin/sqlcmd \
  -S localhost -U sa -P 'ScadaBridge_Dev1#' -C \
  -d ScadaBridgeConfig2 -Q "
diff --git a/docker/seed-sites.sh b/docker/seed-sites.sh
index f14f7237..ac06bd74 100755
--- a/docker/seed-sites.sh
+++ b/docker/seed-sites.sh
@@ -56,7 +56,28 @@ $CLI $URL $AUTH site create \
 --grpc-node-b-address "http://scadabridge-site-c-b:8083" \
 || echo " (Site-C may already exist)"
 
+echo ""
+echo "Seeding LDAP group mappings (Design + Deployment)..."
+# SecurityConfiguration.HasData declares 4 mappings but the InitialSchema
+# migration only inserts the Admin row, so a fresh ScadaBridgeConfig starts
+# with multi-role getting Admin only -- no Design and no Deployment access.
+# Insert the missing three idempotently.
+docker exec -i scadabridge-mssql /opt/mssql-tools18/bin/sqlcmd \
+ -S localhost -U sa -P 'ScadaBridge_Dev1#' -C \
+ -d ScadaBridgeConfig -Q "
+SET IDENTITY_INSERT LdapGroupMappings ON;
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 2)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (2, 'SCADA-Designers', 'Design');
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 3)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (3, 'SCADA-Deploy-All', 'Deployment');
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 4)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (4, 'SCADA-Deploy-SiteA', 'Deployment');
+SET IDENTITY_INSERT LdapGroupMappings OFF;
+"
+
 echo ""
 echo "=== Site seeding complete ==="
 echo ""
 echo "Verify with: $CLI $URL $AUTH site list"
+echo "Multi-role test user has Admin + Design + Deployment."
+echo "Sign out and back in to refresh session role claims."
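Review bot: The new `docker exec … sqlcmd` call in docker/seed-sites.sh has no status check, and without `-b` sqlcmd exits 0 even when one of the `IF NOT EXISTS`/`INSERT` batches raises a T-SQL error, so the script would still print "Multi-role test user has Admin + Design + Deployment." with no mapping rows written; whether `set -e` is active is outside the hunk, and the env2 block in the first hunk shows the same options. Add `-b` to the sqlcmd flags and fail loudly on the closing line, e.g. `-d ScadaBridgeConfig -b -Q "` and `" || { echo "LDAP group mapping seed failed" >&2; exit 1; }`, since a silently missing row here is an authorization gap rather than a cosmetic one. The sa password is also passed as a `-P` argument, which is visible in `ps`/`docker top` output and in any `set -x` or CI log; sqlcmd reads `SQLCMDPASSWORD` from its environment, so exporting it on the host and using `docker exec -i -e SQLCMDPASSWORD …` with `-P` dropped keeps it off the command line (this mirrors the existing env2 block, so both would need the change). Because the `LdapGroupName`→`Role` rows are the group-to-role authorization mapping, a one-line comment above the block such as `# Ids/names/roles must match SecurityConfiguration.HasData` would help whoever next edits either side.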