From 2a1154f087a3b62e644bc84bd67e02990584df7f Mon Sep 17 00:00:00 2001
From: Ben Morrow
Date: Thu, 26 Mar 2026 10:25:28 +0000
Subject: [PATCH] Move composite grants into service-accounts

The Auth service now treats Auth dumps as authoritative; all other grants to the given principals are removed. So we must make all grants to a given principal in the same place.
---
 acs-service-setup/dumps/composite.yaml | 10 ----------
 acs-service-setup/dumps/service-accounts.yaml | 6 ++++++
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/acs-service-setup/dumps/composite.yaml b/acs-service-setup/dumps/composite.yaml
index db198f6ab..ba6b36531 100644
--- a/acs-service-setup/dumps/composite.yaml
+++ b/acs-service-setup/dumps/composite.yaml
@@ -61,13 +61,3 @@ objects:
 # Unimplemented
 #- !u ConfigDB.Perm.ReadMemberships
 #- !u ConfigDB.Perm.ReadSuperclasses
-
----
-service: !u UUIDs.Service.Authentication
-version: 2
-grants:
-# XXX These should be replaced with individual grants.
- !u ACS.ServiceAccount.CmdEsc:
- !u ACS.Perm.Composite.CmdEsc: null
- !u ACS.ServiceAccount.Warehouse:
- !u ACS.Perm.Composite.Warehouse: null
diff --git a/acs-service-setup/dumps/service-accounts.yaml b/acs-service-setup/dumps/service-accounts.yaml
index 07561c316..050502fbe 100644
--- a/acs-service-setup/dumps/service-accounts.yaml
+++ b/acs-service-setup/dumps/service-accounts.yaml
@@ -120,3 +120,9 @@ grants:
 !u UUIDs.App.SparkplugAddress: false
 !u UUIDs.Permission.Auth.ReadACL:
 !u ACS.PermGroup.CmdEsc: true
+ # XXX This should be replaced by a service role
+ !u ACS.Perm.Composite.CmdEsc: null
+
+ !u ACS.ServiceAccount.Warehouse:
+ # XXX This should be replaced by a service role
+ !u ACS.Perm.Composite.Warehouse: null
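Review bot: The new `!u ACS.ServiceAccount.Warehouse:` key at the end of the service-accounts.yaml hunk must be the only entry for that principal. The hunk shows just the tail of the `grants:` mapping, so an earlier Warehouse block in the file cannot be ruled out from here, and a repeated mapping key is silently last-wins in most YAML parsers. Since the commit message says dumps are now authoritative per principal, that would drop the earlier grants without any error, and the same applies if another dump file still grants to CmdEsc or Warehouse. Both composite grants also keep a `null` target, which the hunk does not explain; I would spell out in the comment what it covers, e.g. `# XXX Composite permission, null target (confirm scope); replace with a service role`.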