User from 'writer' role can't create class

[PhantomYdn]

According to the following snippet from OSecurityShared: it's assumed that "writer" should be able to create classes and modify them.

    final ORole writerRole = createRole("writer", ORole.ALLOW_MODES.DENY_ALL_BUT);
    writerRole.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
    writerRole.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ + ORole.PERMISSION_CREATE
        + ORole.PERMISSION_UPDATE);
    writerRole.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
    writerRole.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
    writerRole.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
    writerRole.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_ALL);
    writerRole.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_ALL);
    writerRole.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_ALL);
    writerRole.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_ALL);
    readerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
    writerRole.save();

but in fact during class creation you will have following:

User 'writer' has no the permission to execute the operation 'Update' against the resource: ResourceGeneric [name=CLUSTER, legacyName=database.cluster].internal

And btw, as you can see: there is misspelling in code: on last but one line 'readerRole' has bean used instead of writerRole.

P.S. OrientDB 2.0.5

[lvca]

Since writer role can't write into internal, it's not allowed. This is the default, but you're free to create your own roles. About the typo with readerRole was fixed weeks ago. Thanks @PhantomYdn .