[New] Implemented opt-in audit trail in Strolch

The audit trail has its own map on the Realm and a trail is written by realm at the end of the transaction. You can write your own audit trail using tx.getAuditTrail(). Enable the audit trail by setting the realm configuration value 'enableAuditTrail'.
2014-08-23 20:50:58 +02:00 · 2014-08-23 20:50:58 +02:00 · e82b14f783
parent 07085f8aa0
commit e82b14f783
52 changed files with 1737 additions and 139 deletions
--- a/src/main/java/li/strolch/agent/api/AuditTrail.java
+++ b/src/main/java/li/strolch/agent/api/AuditTrail.java
@ -0,0 +1,68 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.api;
+
+import java.util.List;
+import java.util.Set;
+
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import ch.eitchnet.utils.collections.DateRange;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public interface AuditTrail {
+
+	public boolean isEnabled();
+
+	public boolean hasAudit(StrolchTransaction tx, String type, Long id);
+
+	public long querySize(StrolchTransaction tx, DateRange dateRange);
+
+	public long querySize(StrolchTransaction tx, String type, DateRange dateRange);
+
+	public Set<String> getTypes(StrolchTransaction tx);
+
+	/**
+	 * Retrieves the audit with the given id, or null if it does not exist
+	 * 
+	 * @param tx
+	 *            the open transaction
+	 * @param id
+	 *            the id of the element to retrieve
+	 * 
+	 * @return the element with the type and id, or null if it does not exist
+	 */
+	public Audit getBy(StrolchTransaction tx, String type, Long id);
+
+	public List<Audit> getAllElements(StrolchTransaction tx, String type, DateRange dateRange);
+
+	public void add(StrolchTransaction tx, Audit audit);
+
+	public void addAll(StrolchTransaction tx, List<Audit> audits);
+
+	public Audit update(StrolchTransaction tx, Audit audit);
+
+	public List<Audit> updateAll(StrolchTransaction tx, List<Audit> audits);
+
+	public void remove(StrolchTransaction tx, Audit audit);
+
+	public void removeAll(StrolchTransaction tx, List<Audit> audits);
+
+	public long removeAll(StrolchTransaction tx, String type, DateRange dateRange);
+
+}
--- a/src/main/java/li/strolch/agent/api/ComponentContainer.java
+++ b/src/main/java/li/strolch/agent/api/ComponentContainer.java
@ -19,6 +19,7 @@ import java.util.Set;

 import li.strolch.exception.StrolchException;
 import li.strolch.runtime.StrolchConstants;
+import li.strolch.runtime.privilege.PrivilegeHandler;

 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
@ -33,12 +34,14 @@ public interface ComponentContainer {

 	public abstract <T> T getComponent(Class<T> clazz) throws IllegalArgumentException;

+	public abstract PrivilegeHandler getPrivilegeHandler() throws IllegalArgumentException;
+
 	public abstract Set<Class<?>> getComponentTypes();

 	public abstract Set<String> getRealmNames();

 	/**
-	 * Returns the {@link StrolchRealm} with the given name. To get the default realm, use the constante
+	 * Returns the {@link StrolchRealm} with the given name. To get the default realm, use the constant
 	 * {@link StrolchConstants#DEFAULT_REALM}.
 	 * 
 	 * @param realm
--- a/src/main/java/li/strolch/agent/api/StrolchAgent.java
+++ b/src/main/java/li/strolch/agent/api/StrolchAgent.java
@ -109,6 +109,13 @@ public class StrolchAgent {
 		return StringHelper.getUniqueId();
 	}

+	/**
+	 * @return Returns the pseudo unique Id to be used during object creation from external services.
+	 */
+	public static synchronized Long getUniqueIdLong() {
+		return StringHelper.getUniqueIdLong();
+	}
+
 	private VersionQueryResult versionQueryResult;

 	public VersionQueryResult getVersion() {
--- a/src/main/java/li/strolch/agent/api/StrolchRealm.java
+++ b/src/main/java/li/strolch/agent/api/StrolchRealm.java
@ -30,6 +30,8 @@ import li.strolch.runtime.configuration.ComponentConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
 import ch.eitchnet.utils.dbc.DBC;

 /**
@ -37,8 +39,8 @@ import ch.eitchnet.utils.dbc.DBC;
 */
 public abstract class StrolchRealm {

-	private static final String PROP_TRY_LOCK_TIME_UNIT = "tryLockTimeUnit"; //$NON-NLS-1$
-	private static final String PROP_TRY_LOCK_TIME = "tryLockTime"; //$NON-NLS-1$
+	public static final String PROP_TRY_LOCK_TIME_UNIT = "tryLockTimeUnit"; //$NON-NLS-1$
+	public static final String PROP_TRY_LOCK_TIME = "tryLockTime"; //$NON-NLS-1$
 	protected static final Logger logger = LoggerFactory.getLogger(StrolchRealm.class);
 	private String realm;
 	private LockHandler lockHandler;
@ -78,15 +80,19 @@ public abstract class StrolchRealm {

 	public abstract DataStoreMode getMode();

-	public abstract void start();
+	public abstract void start(PrivilegeContext privilegeContext);

 	public abstract void stop();

 	public abstract void destroy();

-	public abstract StrolchTransaction openTx();
+	public abstract StrolchTransaction openTx(Certificate certificate, Class<?> clazz);
+
+	public abstract StrolchTransaction openTx(Certificate certificate, String action);

 	public abstract ResourceMap getResourceMap();

 	public abstract OrderMap getOrderMap();
+
+	public abstract AuditTrail getAuditTrail();
 }
--- a/src/main/java/li/strolch/agent/impl/CachedAuditTrail.java
+++ b/src/main/java/li/strolch/agent/impl/CachedAuditTrail.java
@ -0,0 +1,199 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.impl;
+
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import li.strolch.agent.api.AuditTrail;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.AuditDao;
+import li.strolch.persistence.api.StrolchTransaction;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import ch.eitchnet.utils.collections.DateRange;
+import ch.eitchnet.utils.collections.MapOfMaps;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class CachedAuditTrail implements AuditTrail {
+
+	private static final Logger logger = LoggerFactory.getLogger(CachedAuditTrail.class);
+
+	private MapOfMaps<String, Long, Audit> auditMap;
+
+	public CachedAuditTrail() {
+		this.auditMap = new MapOfMaps<>();
+	}
+
+	@Override
+	public boolean isEnabled() {
+		return true;
+	}
+
+	protected AuditDao getDao(StrolchTransaction tx) {
+		return tx.getPersistenceHandler().getAuditDao(tx);
+	}
+
+	@Override
+	public boolean hasAudit(StrolchTransaction tx, String type, Long id) {
+		return this.auditMap.containsElement(type, id);
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, DateRange dateRange) {
+		long size = 0;
+
+		for (Audit audit : this.auditMap.getAllElements()) {
+			if (dateRange.contains(audit.getDate()))
+				size++;
+		}
+
+		return size;
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, String type, DateRange dateRange) {
+		long size = 0;
+
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return size;
+
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate()))
+				size++;
+		}
+
+		return size;
+	}
+
+	@Override
+	public Set<String> getTypes(StrolchTransaction tx) {
+		return new HashSet<>(this.auditMap.keySet());
+	}
+
+	@Override
+	public Audit getBy(StrolchTransaction tx, String type, Long id) {
+		return this.auditMap.getElement(type, id);
+	}
+
+	@Override
+	public List<Audit> getAllElements(StrolchTransaction tx, String type, DateRange dateRange) {
+		List<Audit> elements = new ArrayList<>();
+
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return elements;
+
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate()))
+				elements.add(audit);
+		}
+
+		return elements;
+	}
+
+	@Override
+	public void add(StrolchTransaction tx, Audit audit) {
+		this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+		// last is to perform DB changes
+		getDao(tx).save(audit);
+	}
+
+	@Override
+	public void addAll(StrolchTransaction tx, List<Audit> audits) {
+		for (Audit audit : audits) {
+			this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+		}
+		// last is to perform DB changes
+		getDao(tx).saveAll(audits);
+	}
+
+	@Override
+	public Audit update(StrolchTransaction tx, Audit audit) {
+		Audit replacedAudit = this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+		// last is to perform DB changes
+		getDao(tx).update(audit);
+		return replacedAudit;
+	}
+
+	@Override
+	public List<Audit> updateAll(StrolchTransaction tx, List<Audit> audits) {
+		List<Audit> replacedAudits = new ArrayList<>();
+		for (Audit audit : audits) {
+			Audit replacedAudit = this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+			if (replacedAudit != null)
+				replacedAudits.add(replacedAudit);
+		}
+		// last is to perform DB changes
+		getDao(tx).updateAll(audits);
+		return replacedAudits;
+	}
+
+	@Override
+	public void remove(StrolchTransaction tx, Audit audit) {
+		this.auditMap.removeElement(audit.getElementType(), audit.getId());
+		// last is to perform DB changes
+		getDao(tx).remove(audit);
+	}
+
+	@Override
+	public void removeAll(StrolchTransaction tx, List<Audit> audits) {
+		for (Audit audit : audits) {
+			this.auditMap.removeElement(audit.getElementType(), audit.getId());
+		}
+
+		// last is to perform DB changes
+		getDao(tx).removeAll(audits);
+	}
+
+	@Override
+	public long removeAll(StrolchTransaction tx, String type, DateRange dateRange) {
+
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return 0L;
+
+		List<Audit> toRemoveList = new ArrayList<>();
+
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate())) {
+				toRemoveList.add(audit);
+			}
+		}
+
+		for (Audit toRemove : toRemoveList) {
+			this.auditMap.removeElement(type, toRemove.getId());
+		}
+		long removed = toRemoveList.size();
+
+		// last is to perform DB changes
+		long daoRemoved = getDao(tx).removeAll(type, dateRange);
+		if (removed != daoRemoved) {
+			String msg = "Removed {0} elements from cached map, but dao removed {1} elements!"; //$NON-NLS-1$
+			logger.error(MessageFormat.format(msg, removed, daoRemoved));
+		}
+		return removed;
+	}
+}
--- a/src/main/java/li/strolch/agent/impl/CachedElementMap.java
+++ b/src/main/java/li/strolch/agent/impl/CachedElementMap.java
@ -24,15 +24,16 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;

-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import li.strolch.agent.api.ElementMap;
 import li.strolch.model.StrolchElement;
 import li.strolch.persistence.api.StrolchDao;
 import li.strolch.persistence.api.StrolchPersistenceException;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.runtime.StrolchConstants;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import ch.eitchnet.utils.dbc.DBC;

 /**
@ -67,12 +68,22 @@ public abstract class CachedElementMap<T extends StrolchElement> implements Elem

 	@Override
 	public long querySize(StrolchTransaction tx) {
-		return getAllKeys(tx).size();
+		long size = 0L;
+
+		for (String type : this.elementMap.keySet()) {
+			Map<String, T> byType = this.elementMap.get(type);
+			size += byType.size();
+		}
+
+		return size;
 	}

 	@Override
 	public long querySize(StrolchTransaction tx, String type) {
-		return getKeysBy(tx, type).size();
+		Map<String, T> byType = this.elementMap.get(type);
+		if (byType == null)
+			return 0L;
+		return byType.size();
 	}

 	@Override
--- a/src/main/java/li/strolch/agent/impl/CachedRealm.java
+++ b/src/main/java/li/strolch/agent/impl/CachedRealm.java
@ -19,6 +19,7 @@ import java.text.MessageFormat;
 import java.util.List;
 import java.util.Set;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
@ -30,6 +31,9 @@ import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.ResourceDao;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
+import ch.eitchnet.utils.dbc.DBC;
 import ch.eitchnet.utils.helper.StringHelper;

 /**
@ -40,19 +44,27 @@ public class CachedRealm extends StrolchRealm {
 	private PersistenceHandler persistenceHandler;
 	private CachedResourceMap resourceMap;
 	private CachedOrderMap orderMap;
+	private AuditTrail auditTrail;

 	public CachedRealm(String realm) {
 		super(realm);
 	}
-	
+
 	@Override
 	public DataStoreMode getMode() {
 		return DataStoreMode.CACHED;
 	}

 	@Override
-	public StrolchTransaction openTx() {
-		return this.persistenceHandler.openTx(this);
+	public StrolchTransaction openTx(Certificate certificate, String action) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, action);
+	}
+
+	@Override
+	public StrolchTransaction openTx(Certificate certificate, Class<?> clazz) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, clazz.getName());
 	}

 	@Override
@ -65,22 +77,37 @@ public class CachedRealm extends StrolchRealm {
 		return this.orderMap;
 	}

+	@Override
+	public AuditTrail getAuditTrail() {
+		return this.auditTrail;
+	}
+
 	@Override
 	public void initialize(ComponentContainer container, ComponentConfiguration configuration) {
 		super.initialize(container, configuration);
 		this.persistenceHandler = container.getComponent(PersistenceHandler.class);
 		this.resourceMap = new CachedResourceMap();
 		this.orderMap = new CachedOrderMap();
+
+		String enableAuditKey = DefaultRealmHandler.makeRealmKey(getRealm(),
+				DefaultRealmHandler.PROP_ENABLE_AUDIT_TRAIL);
+		if (configuration.getBoolean(enableAuditKey, Boolean.FALSE)) {
+			this.auditTrail = new CachedAuditTrail();
+			logger.info("Enabling AuditTrail for realm " + getRealm());
+		} else {
+			this.auditTrail = new NoStrategyAuditTrail();
+			logger.info("AuditTrail is disabled for realm " + getRealm());
+		}
 	}

 	@Override
-	public void start() {
+	public void start(PrivilegeContext privilegeContext) {

 		long start = System.nanoTime();
 		int nrOfOrders = 0;
 		int nrOfResources = 0;

-		try (StrolchTransaction tx = openTx()) {
+		try (StrolchTransaction tx = openTx(privilegeContext.getCertificate(), "agent_boot")) {
 			ResourceDao resourceDao = tx.getPersistenceHandler().getResourceDao(tx);
 			Set<String> resourceTypes = resourceDao.queryTypes();
 			for (String type : resourceTypes) {
@ -92,7 +119,7 @@ public class CachedRealm extends StrolchRealm {
 			}
 		}

-		try (StrolchTransaction tx = openTx()) {
+		try (StrolchTransaction tx = openTx(privilegeContext.getCertificate(), "agent_boot")) {
 			OrderDao orderDao = tx.getPersistenceHandler().getOrderDao(tx);
 			Set<String> orderTypes = orderDao.queryTypes();
 			for (String type : orderTypes) {
--- a/src/main/java/li/strolch/agent/impl/ComponentContainerImpl.java
+++ b/src/main/java/li/strolch/agent/impl/ComponentContainerImpl.java
@ -34,6 +34,7 @@ import li.strolch.runtime.configuration.ComponentConfiguration;
 import li.strolch.runtime.configuration.RuntimeConfiguration;
 import li.strolch.runtime.configuration.StrolchConfiguration;
 import li.strolch.runtime.configuration.StrolchConfigurationException;
+import li.strolch.runtime.privilege.PrivilegeHandler;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@ -88,6 +89,11 @@ public class ComponentContainerImpl implements ComponentContainer {
 		return component;
 	}

+	@Override
+	public PrivilegeHandler getPrivilegeHandler() throws IllegalArgumentException {
+		return getComponent(PrivilegeHandler.class);
+	}
+
 	@Override
 	public Set<String> getRealmNames() {
 		return getComponent(RealmHandler.class).getRealmNames();
--- a/src/main/java/li/strolch/agent/impl/DefaultRealmHandler.java
+++ b/src/main/java/li/strolch/agent/impl/DefaultRealmHandler.java
@ -30,6 +30,7 @@ import li.strolch.agent.api.StrolchRealm;
 import li.strolch.exception.StrolchException;
 import li.strolch.runtime.StrolchConstants;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import li.strolch.runtime.privilege.PrivilegeHandler;
 import ch.eitchnet.utils.dbc.DBC;

 /**
@ -37,6 +38,7 @@ import ch.eitchnet.utils.dbc.DBC;
 */
 public class DefaultRealmHandler extends StrolchComponent implements RealmHandler {

+	public static final String PROP_ENABLE_AUDIT_TRAIL = "enableAuditTrail"; //$NON-NLS-1$
 	public static final String PREFIX_DATA_STORE_MODE = "dataStoreMode"; //$NON-NLS-1$
 	public static final String PROP_REALMS = "realms"; //$NON-NLS-1$

@ -73,10 +75,7 @@ public class DefaultRealmHandler extends StrolchComponent implements RealmHandle
 		this.realms = new HashMap<>();
 		String[] realms = configuration.getStringArray(PROP_REALMS, StrolchConstants.DEFAULT_REALM);
 		for (String realmName : realms) {
-			String dataStoreModeKey = PREFIX_DATA_STORE_MODE;
-			if (!realmName.equals(StrolchConstants.DEFAULT_REALM))
-				dataStoreModeKey += DOT + realmName;
-
+			String dataStoreModeKey = makeRealmKey(realmName, PREFIX_DATA_STORE_MODE);
 			String realmMode = configuration.getString(dataStoreModeKey, null);
 			DataStoreMode dataStoreMode = DataStoreMode.parseDataStoreMode(realmMode);
 			StrolchRealm realm = dataStoreMode.createRealm(realmName);
@ -85,6 +84,13 @@ public class DefaultRealmHandler extends StrolchComponent implements RealmHandle
 		super.setup(configuration);
 	}

+	public static String makeRealmKey(String realmName, String key) {
+		String realmKey = key;
+		if (!realmName.equals(StrolchConstants.DEFAULT_REALM))
+			realmKey += DOT + realmName;
+		return realmKey;
+	}
+
 	@Override
 	public void initialize(ComponentConfiguration configuration) {

@ -96,12 +102,16 @@ public class DefaultRealmHandler extends StrolchComponent implements RealmHandle
 		super.initialize(configuration);
 	}

+	Map<String, StrolchRealm> getRealms() {
+		return this.realms;
+	}
+
 	@Override
 	public void start() {
-		for (String realmName : this.realms.keySet()) {
-			StrolchRealm realm = this.realms.get(realmName);
-			realm.start();
-		}
+
+		PrivilegeHandler privilegeHandler = getContainer().getComponent(PrivilegeHandler.class);
+		privilegeHandler.runAsSystem("agent", new StartRealms(this));
+
 		super.start();
 	}

--- a/src/main/java/li/strolch/agent/impl/EmptyRealm.java
+++ b/src/main/java/li/strolch/agent/impl/EmptyRealm.java
@ -17,6 +17,7 @@ package li.strolch.agent.impl;

 import java.text.MessageFormat;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
@ -25,6 +26,9 @@ import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.persistence.inmemory.InMemoryPersistence;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
+import ch.eitchnet.utils.dbc.DBC;

 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
@ -33,6 +37,7 @@ public class EmptyRealm extends StrolchRealm {

 	private ResourceMap resourceMap;
 	private OrderMap orderMap;
+	private AuditTrail auditTrail;
 	private PersistenceHandler persistenceHandler;

 	public EmptyRealm(String realm) {
@ -45,8 +50,15 @@ public class EmptyRealm extends StrolchRealm {
 	}

 	@Override
-	public StrolchTransaction openTx() {
-		return this.persistenceHandler.openTx(this);
+	public StrolchTransaction openTx(Certificate certificate, String action) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, action);
+	}
+
+	@Override
+	public StrolchTransaction openTx(Certificate certificate, Class<?> clazz) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, clazz.getName());
 	}

 	@Override
@ -59,16 +71,31 @@ public class EmptyRealm extends StrolchRealm {
 		return this.orderMap;
 	}

+	@Override
+	public AuditTrail getAuditTrail() {
+		return this.auditTrail;
+	}
+
 	@Override
 	public void initialize(ComponentContainer container, ComponentConfiguration configuration) {
 		super.initialize(container, configuration);
 		this.persistenceHandler = new InMemoryPersistence();
 		this.resourceMap = new TransactionalResourceMap();
 		this.orderMap = new TransactionalOrderMap();
+
+		String enableAuditKey = DefaultRealmHandler.makeRealmKey(getRealm(),
+				DefaultRealmHandler.PROP_ENABLE_AUDIT_TRAIL);
+		if (configuration.getBoolean(enableAuditKey, Boolean.FALSE)) {
+			this.auditTrail = new TransactionalAuditTrail();
+			logger.info("Enabling AuditTrail for realm " + getRealm());
+		} else {
+			this.auditTrail = new NoStrategyAuditTrail();
+			logger.info("AuditTrail is disabled for realm " + getRealm());
+		}
 	}

 	@Override
-	public void start() {
+	public void start(PrivilegeContext privilegeContext) {
 		logger.info(MessageFormat.format("Initialized EMPTY Realm {0}", getRealm())); //$NON-NLS-1$
 	}

--- a/src/main/java/li/strolch/agent/impl/NoStrategyAuditTrail.java
+++ b/src/main/java/li/strolch/agent/impl/NoStrategyAuditTrail.java
@ -0,0 +1,100 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.impl;
+
+import java.util.List;
+import java.util.Set;
+
+import li.strolch.agent.api.AuditTrail;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.StrolchTransaction;
+import ch.eitchnet.utils.collections.DateRange;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class NoStrategyAuditTrail implements AuditTrail {
+
+	@Override
+	public boolean isEnabled() {
+		return false;
+	}
+
+	@Override
+	public boolean hasAudit(StrolchTransaction tx, String type, Long id) {
+		return false;
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, DateRange dateRange) {
+		return 0;
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, String type, DateRange dateRange) {
+		return 0;
+	}
+
+	@Override
+	public Set<String> getTypes(StrolchTransaction tx) {
+		return null;
+	}
+
+	@Override
+	public Audit getBy(StrolchTransaction tx, String type, Long id) {
+		return null;
+	}
+
+	@Override
+	public List<Audit> getAllElements(StrolchTransaction tx, String type, DateRange dateRange) {
+		return null;
+	}
+
+	@Override
+	public void add(StrolchTransaction tx, Audit audit) {
+		//
+	}
+
+	@Override
+	public void addAll(StrolchTransaction tx, List<Audit> audits) {
+		//
+	}
+
+	@Override
+	public Audit update(StrolchTransaction tx, Audit audit) {
+		return null;
+	}
+
+	@Override
+	public List<Audit> updateAll(StrolchTransaction tx, List<Audit> audits) {
+		return null;
+	}
+
+	@Override
+	public void remove(StrolchTransaction tx, Audit audit) {
+		//
+	}
+
+	@Override
+	public void removeAll(StrolchTransaction tx, List<Audit> audits) {
+		//
+	}
+
+	@Override
+	public long removeAll(StrolchTransaction tx, String type, DateRange dateRange) {
+		return 0;
+	}
+}
--- a/src/main/java/li/strolch/agent/impl/StartRealms.java
+++ b/src/main/java/li/strolch/agent/impl/StartRealms.java
@ -0,0 +1,44 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.impl;
+
+import li.strolch.agent.api.StrolchRealm;
+import ch.eitchnet.privilege.handler.SystemUserAction;
+import ch.eitchnet.privilege.model.PrivilegeContext;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class StartRealms implements SystemUserAction {
+
+	private final DefaultRealmHandler defaultRealmHandler;
+
+	/**
+	 * @param defaultRealmHandler
+	 */
+	StartRealms(DefaultRealmHandler defaultRealmHandler) {
+		this.defaultRealmHandler = defaultRealmHandler;
+	}
+
+	@Override
+	public void execute(PrivilegeContext privilegeContext) {
+		for (String realmName : this.defaultRealmHandler.getRealms().keySet()) {
+			StrolchRealm realm = this.defaultRealmHandler.getRealms().get(realmName);
+
+			realm.start(privilegeContext);
+		}
+	}
+}
--- a/src/main/java/li/strolch/agent/impl/TransactionalAuditTrail.java
+++ b/src/main/java/li/strolch/agent/impl/TransactionalAuditTrail.java
@ -0,0 +1,107 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.impl;
+
+import java.util.List;
+import java.util.Set;
+
+import li.strolch.agent.api.AuditTrail;
+import li.strolch.model.audit.Audit;
+import li.strolch.persistence.api.AuditDao;
+import li.strolch.persistence.api.StrolchTransaction;
+import ch.eitchnet.utils.collections.DateRange;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class TransactionalAuditTrail implements AuditTrail {
+
+	protected AuditDao getDao(StrolchTransaction tx) {
+		return tx.getPersistenceHandler().getAuditDao(tx);
+	}
+
+	@Override
+	public boolean isEnabled() {
+		return true;
+	}
+
+	@Override
+	public boolean hasAudit(StrolchTransaction tx, String type, Long id) {
+		return getDao(tx).hasElement(type, id);
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, DateRange dateRange) {
+		return getDao(tx).querySize(dateRange);
+	}
+
+	@Override
+	public long querySize(StrolchTransaction tx, String type, DateRange dateRange) {
+		return getDao(tx).querySize(type, dateRange);
+	}
+	
+	@Override
+	public Set<String> getTypes(StrolchTransaction tx) {
+		return getDao(tx).queryTypes();
+	}
+
+	@Override
+	public Audit getBy(StrolchTransaction tx, String type, Long id) {
+		return getDao(tx).queryBy(type, id);
+	}
+
+	@Override
+	public List<Audit> getAllElements(StrolchTransaction tx, String type, DateRange dateRange) {
+		return getDao(tx).queryAll(type, dateRange);
+	}
+
+	@Override
+	public void add(StrolchTransaction tx, Audit audit) {
+		getDao(tx).save(audit);
+	}
+
+	@Override
+	public void addAll(StrolchTransaction tx, List<Audit> audits) {
+		getDao(tx).saveAll(audits);
+	}
+
+	@Override
+	public Audit update(StrolchTransaction tx, Audit audit) {
+		getDao(tx).update(audit);
+		return audit;
+	}
+
+	@Override
+	public List<Audit> updateAll(StrolchTransaction tx, List<Audit> audits) {
+		getDao(tx).updateAll(audits);
+		return audits;
+	}
+
+	@Override
+	public void remove(StrolchTransaction tx, Audit audit) {
+		getDao(tx).remove(audit);
+	}
+
+	@Override
+	public void removeAll(StrolchTransaction tx, List<Audit> audits) {
+		getDao(tx).removeAll(audits);
+	}
+
+	@Override
+	public long removeAll(StrolchTransaction tx, String type, DateRange dateRange) {
+		return getDao(tx).removeAll(type, dateRange);
+	}
+}
--- a/src/main/java/li/strolch/agent/impl/TransactionalRealm.java
+++ b/src/main/java/li/strolch/agent/impl/TransactionalRealm.java
@ -17,6 +17,7 @@ package li.strolch.agent.impl;

 import java.text.MessageFormat;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
@ -24,6 +25,9 @@ import li.strolch.agent.api.StrolchRealm;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
+import ch.eitchnet.utils.dbc.DBC;
 import ch.eitchnet.utils.helper.StringHelper;

 /**
@ -33,6 +37,7 @@ public class TransactionalRealm extends StrolchRealm {

 	private ResourceMap resourceMap;
 	private OrderMap orderMap;
+	private AuditTrail auditTrail;
 	private PersistenceHandler persistenceHandler;

 	public TransactionalRealm(String realm) {
@ -45,8 +50,15 @@ public class TransactionalRealm extends StrolchRealm {
 	}

 	@Override
-	public StrolchTransaction openTx() {
-		return this.persistenceHandler.openTx(this);
+	public StrolchTransaction openTx(Certificate certificate, String action) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, action);
+	}
+
+	@Override
+	public StrolchTransaction openTx(Certificate certificate, Class<?> clazz) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, clazz.getName());
 	}

 	@Override
@ -59,26 +71,43 @@ public class TransactionalRealm extends StrolchRealm {
 		return this.orderMap;
 	}

+	@Override
+	public AuditTrail getAuditTrail() {
+		return this.auditTrail;
+	}
+
 	@Override
 	public void initialize(ComponentContainer container, ComponentConfiguration configuration) {
 		super.initialize(container, configuration);
 		this.resourceMap = new TransactionalResourceMap();
 		this.orderMap = new TransactionalOrderMap();
+
+		String enableAuditKey = DefaultRealmHandler.makeRealmKey(getRealm(),
+				DefaultRealmHandler.PROP_ENABLE_AUDIT_TRAIL);
+
+		if (configuration.getBoolean(enableAuditKey, Boolean.FALSE)) {
+			this.auditTrail = new TransactionalAuditTrail();
+			logger.info("Enabling AuditTrail for realm " + getRealm());
+		} else {
+			this.auditTrail = new NoStrategyAuditTrail();
+			logger.info("AuditTrail is disabled for realm " + getRealm());
+		}
+
 		this.persistenceHandler = container.getComponent(PersistenceHandler.class);
 	}

 	@Override
-	public void start() {
+	public void start(PrivilegeContext privilegeContext) {

 		long start = System.nanoTime();
 		int nrOfOrders = 0;
 		int nrOfResources = 0;

-		try (StrolchTransaction tx = openTx()) {
+		try (StrolchTransaction tx = openTx(privilegeContext.getCertificate(), "agent_boot")) {
 			nrOfOrders = this.orderMap.getAllKeys(tx).size();
 		}

-		try (StrolchTransaction tx = openTx()) {
+		try (StrolchTransaction tx = openTx(privilegeContext.getCertificate(), "agent_boot")) {
 			nrOfResources = this.resourceMap.getAllKeys(tx).size();
 		}

--- a/src/main/java/li/strolch/agent/impl/TransientRealm.java
+++ b/src/main/java/li/strolch/agent/impl/TransientRealm.java
@ -20,6 +20,7 @@ import static ch.eitchnet.utils.helper.StringHelper.DOT;
 import java.io.File;
 import java.text.MessageFormat;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
@ -32,6 +33,9 @@ import li.strolch.persistence.inmemory.InMemoryPersistence;
 import li.strolch.runtime.StrolchConstants;
 import li.strolch.runtime.configuration.ComponentConfiguration;
 import li.strolch.runtime.configuration.StrolchConfigurationException;
+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
+import ch.eitchnet.utils.dbc.DBC;
 import ch.eitchnet.utils.helper.StringHelper;

 /**
@ -43,6 +47,7 @@ public class TransientRealm extends StrolchRealm {

 	private ResourceMap resourceMap;
 	private OrderMap orderMap;
+	private AuditTrail auditTrail;
 	private PersistenceHandler persistenceHandler;

 	private File modelFile;
@ -57,8 +62,15 @@ public class TransientRealm extends StrolchRealm {
 	}

 	@Override
-	public StrolchTransaction openTx() {
-		return this.persistenceHandler.openTx(this);
+	public StrolchTransaction openTx(Certificate certificate, String action) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, action);
+	}
+
+	@Override
+	public StrolchTransaction openTx(Certificate certificate, Class<?> clazz) {
+		DBC.PRE.assertNotNull("Certificate must be set!", certificate);
+		return this.persistenceHandler.openTx(this, certificate, clazz.getName());
 	}

 	@Override
@ -71,6 +83,11 @@ public class TransientRealm extends StrolchRealm {
 		return this.orderMap;
 	}

+	@Override
+	public AuditTrail getAuditTrail() {
+		return this.auditTrail;
+	}
+
 	@Override
 	public void initialize(ComponentContainer container, ComponentConfiguration configuration) {
 		super.initialize(container, configuration);
@ -90,13 +107,23 @@ public class TransientRealm extends StrolchRealm {
 		this.persistenceHandler = new InMemoryPersistence();
 		this.resourceMap = new TransactionalResourceMap();
 		this.orderMap = new TransactionalOrderMap();
+
+		String enableAuditKey = DefaultRealmHandler.makeRealmKey(getRealm(),
+				DefaultRealmHandler.PROP_ENABLE_AUDIT_TRAIL);
+		if (configuration.getBoolean(enableAuditKey, Boolean.FALSE)) {
+			this.auditTrail = new TransactionalAuditTrail();
+			logger.info("Enabling AuditTrail for realm " + getRealm());
+		} else {
+			this.auditTrail = new NoStrategyAuditTrail();
+			logger.info("AuditTrail is disabled for realm " + getRealm());
+		}
 	}

 	@Override
-	public void start() {
+	public void start(PrivilegeContext privilegeContext) {

 		ModelStatistics statistics;
-		try (StrolchTransaction tx = openTx()) {
+		try (StrolchTransaction tx = openTx(privilegeContext.getCertificate(), "agent_boot")) {
 			InMemoryElementListener elementListener = new InMemoryElementListener(tx);
 			XmlModelSaxFileReader handler = new XmlModelSaxFileReader(elementListener, this.modelFile);
 			handler.parseFile();
--- a/src/main/java/li/strolch/persistence/api/AbstractTransaction.java
+++ b/src/main/java/li/strolch/persistence/api/AbstractTransaction.java
@ -22,8 +22,10 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
+import li.strolch.agent.api.StrolchAgent;
 import li.strolch.agent.api.StrolchRealm;
 import li.strolch.exception.StrolchException;
 import li.strolch.model.GroupedParameterizedElement;
@ -36,12 +38,18 @@ import li.strolch.model.ResourceVisitor;
 import li.strolch.model.StrolchElement;
 import li.strolch.model.StrolchRootElement;
 import li.strolch.model.Tags;
+import li.strolch.model.audit.AccessType;
+import li.strolch.model.audit.Audit;
+import li.strolch.model.audit.AuditQuery;
+import li.strolch.model.audit.AuditVisitor;
+import li.strolch.model.audit.NoStrategyAuditVisitor;
 import li.strolch.model.parameter.Parameter;
 import li.strolch.model.parameter.StringParameter;
 import li.strolch.model.query.OrderQuery;
 import li.strolch.model.query.ResourceQuery;
 import li.strolch.model.timedstate.StrolchTimedState;
 import li.strolch.model.timevalue.IValue;
+import li.strolch.model.visitor.ElementTypeVisitor;
 import li.strolch.model.visitor.NoStrategyOrderVisitor;
 import li.strolch.model.visitor.NoStrategyResourceVisitor;
 import li.strolch.persistence.inmemory.InMemoryTransaction;
@ -51,6 +59,8 @@ import li.strolch.service.api.Command;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.utils.dbc.DBC;
 import ch.eitchnet.utils.helper.StringHelper;

 /**
@ -69,8 +79,18 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 	private List<Command> commands;
 	private Set<StrolchRootElement> lockedElements;

-	public AbstractTransaction(StrolchRealm realm) {
+	private String action;
+	private Certificate certificate;
+
+	public AbstractTransaction(StrolchRealm realm, Certificate certificate, String action) {
+		DBC.PRE.assertNotNull("realm must be set!", realm);
+		DBC.PRE.assertNotNull("certificate must be set!", certificate);
+		DBC.PRE.assertNotNull("action must be set!", action);
+
 		this.realm = realm;
+		this.action = action;
+		this.certificate = certificate;
+
 		this.commands = new ArrayList<>();
 		this.lockedElements = new HashSet<>();
 		this.closeStrategy = TransactionCloseStrategy.COMMIT;
@ -172,6 +192,11 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		return this.realm.getOrderMap();
 	}

+	@Override
+	public AuditTrail getAuditTrail() {
+		return this.realm.getAuditTrail();
+	}
+
 	@Override
 	public List<Order> doQuery(OrderQuery query) {
 		return getPersistenceHandler().getOrderDao(this).doQuery(query, new NoStrategyOrderVisitor());
@ -192,6 +217,16 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		return getPersistenceHandler().getResourceDao(this).doQuery(query, resourceVisitor);
 	}

+	@Override
+	public List<Audit> doQuery(AuditQuery query) {
+		return getPersistenceHandler().getAuditDao(this).doQuery(query, new NoStrategyAuditVisitor());
+	}
+
+	@Override
+	public <U> List<U> doQuery(AuditQuery query, AuditVisitor<U> auditVisitor) {
+		return getPersistenceHandler().getAuditDao(this).doQuery(query, auditVisitor);
+	}
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public <T extends StrolchElement> T findElement(Locator locator) {
@ -292,13 +327,15 @@ public abstract class AbstractTransaction implements StrolchTransaction {

 			validateCommands();
 			doCommands();
-			commit(this.txResult);
+			writeChanges(this.txResult);

-			long observerUpdateStart = System.nanoTime();
-			updateObservers();
-			long observerUpdateDuration = System.nanoTime() - observerUpdateStart;
+			long auditTrailDuration = writeAuditTrail();
+			long updateObserversDuration = updateObservers();

-			handleCommit(start, observerUpdateDuration);
+			// commit and close the connection
+			commit();
+
+			handleCommit(start, auditTrailDuration, updateObserversDuration);

 		} catch (Exception e) {
 			this.txResult.setState(TransactionState.ROLLING_BACK);
@ -325,6 +362,11 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 			throw new StrolchPersistenceException(msg, e);

 		} finally {
+			try {
+
+			} catch (Exception e) {
+				logger.error("Failed to close connection: " + e.getMessage(), e); //$NON-NLS-1$
+			}
 			unlockElements();
 		}
 	}
@ -344,11 +386,13 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		}
 	}

-	protected abstract void commit(TransactionResult txResult) throws Exception;
+	protected abstract void writeChanges(TransactionResult txResult) throws Exception;

 	protected abstract void rollback(TransactionResult txResult) throws Exception;

-	private void handleCommit(long start, long observerUpdateDuration) {
+	protected abstract void commit() throws Exception;
+
+	private void handleCommit(long start, long auditTrailDuration, long observerUpdateDuration) {

 		long end = System.nanoTime();
 		long txDuration = end - this.txResult.getStartNanos();
@ -361,11 +405,16 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		StringBuilder sb = new StringBuilder();
 		sb.append("TX for realm "); //$NON-NLS-1$
 		sb.append(getRealmName());
-		sb.append(" was completed after "); //$NON-NLS-1$
+		sb.append(" took "); //$NON-NLS-1$
 		sb.append(StringHelper.formatNanoDuration(txDuration));
-		sb.append(" with close operation taking "); //$NON-NLS-1$
+		sb.append(" close took "); //$NON-NLS-1$
 		sb.append(StringHelper.formatNanoDuration(closeDuration));
-		sb.append(" and observer updates took "); //$NON-NLS-1$
+		if (isAuditTrailEnabled()) {
+			sb.append(" auditTrail took "); //$NON-NLS-1$
+			sb.append(StringHelper.formatNanoDuration(auditTrailDuration));
+		}
+		if (observerUpdateDuration > 0L)
+			sb.append(" updates took "); //$NON-NLS-1$
 		sb.append(StringHelper.formatNanoDuration(observerUpdateDuration));
 		logger.info(sb.toString());
 	}
@ -394,9 +443,9 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		StringBuilder sb = new StringBuilder();
 		sb.append("TX"); //$NON-NLS-1$
 		sb.append(getRealmName());
-		sb.append(" has failed after "); //$NON-NLS-1$
+		sb.append(" failed took "); //$NON-NLS-1$
 		sb.append(StringHelper.formatNanoDuration(txDuration));
-		sb.append(" with close operation taking "); //$NON-NLS-1$
+		sb.append(" close took "); //$NON-NLS-1$
 		sb.append(StringHelper.formatNanoDuration(closeDuration));
 		logger.info(sb.toString());

@ -405,18 +454,84 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		throw new StrolchPersistenceException(msg, e);
 	}

-	private void updateObservers() {
-		if (!this.suppressUpdates && this.observerHandler != null) {
+	private boolean isAuditTrailEnabled() {
+		return getAuditTrail().isEnabled();
+	}

-			Set<String> keys = this.txResult.getKeys();
-			for (String key : keys) {
-				ModificationResult modificationResult = this.txResult.getModificationResult(key);
+	private long updateObservers() {
+		if (isObserverUpdatesEnabled())
+			return 0L;

-				this.observerHandler.add(key, modificationResult.<StrolchElement> getCreated());
-				this.observerHandler.update(key, modificationResult.<StrolchElement> getUpdated());
-				this.observerHandler.remove(key, modificationResult.<StrolchElement> getDeleted());
+		long observerUpdateStart = System.nanoTime();
+		Set<String> keys = this.txResult.getKeys();
+		for (String key : keys) {
+			ModificationResult modificationResult = this.txResult.getModificationResult(key);
+
+			this.observerHandler.add(key, modificationResult.<StrolchElement> getCreated());
+			this.observerHandler.update(key, modificationResult.<StrolchElement> getUpdated());
+			this.observerHandler.remove(key, modificationResult.<StrolchElement> getDeleted());
+		}
+		long observerUpdateDuration = System.nanoTime() - observerUpdateStart;
+		return observerUpdateDuration;
+	}
+
+	private boolean isObserverUpdatesEnabled() {
+		return this.suppressUpdates || this.observerHandler == null;
+	}
+
+	private long writeAuditTrail() {
+		if (!isAuditTrailEnabled())
+			return 0L;
+
+		Set<String> keys = this.txResult.getKeys();
+		if (keys.isEmpty())
+			return 0L;
+
+		long auditTrailStart = System.nanoTime();
+
+		List<Audit> audits = new ArrayList<>();
+		for (String key : keys) {
+			ModificationResult modificationResult = this.txResult.getModificationResult(key);
+
+			List<StrolchElement> created = modificationResult.getCreated();
+			for (StrolchElement strolchElement : created) {
+				audits.add(auditFrom(AccessType.CREATE, (StrolchRootElement) strolchElement));
+			}
+
+			List<StrolchElement> updated = modificationResult.getUpdated();
+			for (StrolchElement strolchElement : updated) {
+				audits.add(auditFrom(AccessType.UPDATE, (StrolchRootElement) strolchElement));
+			}
+
+			List<StrolchElement> deleted = modificationResult.getDeleted();
+			for (StrolchElement strolchElement : deleted) {
+				audits.add(auditFrom(AccessType.DELETE, (StrolchRootElement) strolchElement));
 			}
 		}
+
+		getAuditTrail().addAll(this, audits);
+		long auditTrailDuration = System.nanoTime() - auditTrailStart;
+		return auditTrailDuration;
+	}
+
+	private Audit auditFrom(AccessType accessType, StrolchRootElement element) {
+		Audit audit = new Audit();
+
+		audit.setId(StrolchAgent.getUniqueIdLong());
+		audit.setUsername(this.certificate.getUsername());
+		audit.setFirstname(this.certificate.getFirstname());
+		audit.setLastname(this.certificate.getLastname());
+		audit.setDate(new Date());
+
+		audit.setElementType(element.accept(new ElementTypeVisitor()));
+		audit.setElementAccessed(element.getId());
+
+		//audit.setNewVersion();
+
+		audit.setAction(this.action);
+		audit.setAccessType(accessType);
+
+		return audit;
 	}

 	/**
--- a/src/main/java/li/strolch/persistence/api/AuditDao.java
+++ b/src/main/java/li/strolch/persistence/api/AuditDao.java
@ -0,0 +1,59 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.persistence.api;
+
+import java.util.List;
+import java.util.Set;
+
+import li.strolch.model.audit.Audit;
+import li.strolch.model.audit.AuditQuery;
+import li.strolch.model.audit.AuditVisitor;
+import ch.eitchnet.utils.collections.DateRange;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public interface AuditDao {
+
+	public boolean hasElement(String type, Long id);
+
+	public long querySize(DateRange dateRange);
+
+	public long querySize(String type, DateRange dateRange);
+
+	public Audit queryBy(String type, Long id);
+
+	public Set<String> queryTypes();
+
+	public List<Audit> queryAll(String type, DateRange dateRange);
+
+	public void save(Audit audit);
+
+	public void saveAll(List<Audit> audits);
+
+	public void update(Audit audit);
+
+	public void updateAll(List<Audit> audits);
+
+	public void remove(Audit audit);
+
+	public void removeAll(List<Audit> audits);
+
+	public long removeAll(String type, DateRange dateRange);
+
+	public <U> List<U> doQuery(AuditQuery query, AuditVisitor<U> auditVisitor);
+
+}
--- a/src/main/java/li/strolch/persistence/api/PersistenceHandler.java
+++ b/src/main/java/li/strolch/persistence/api/PersistenceHandler.java
@ -16,15 +16,18 @@
 package li.strolch.persistence.api;

 import li.strolch.agent.api.StrolchRealm;
+import ch.eitchnet.privilege.model.Certificate;

 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
 public interface PersistenceHandler {

-	public StrolchTransaction openTx(StrolchRealm realm);
+	public StrolchTransaction openTx(StrolchRealm realm, Certificate certificate, String action);

 	public OrderDao getOrderDao(StrolchTransaction tx);

 	public ResourceDao getResourceDao(StrolchTransaction tx);
+
+	public AuditDao getAuditDao(StrolchTransaction tx);
 }
--- a/src/main/java/li/strolch/persistence/api/StrolchTransaction.java
+++ b/src/main/java/li/strolch/persistence/api/StrolchTransaction.java
@ -17,6 +17,7 @@ package li.strolch.persistence.api;

 import java.util.List;

+import li.strolch.agent.api.AuditTrail;
 import li.strolch.agent.api.OrderMap;
 import li.strolch.agent.api.ResourceMap;
 import li.strolch.exception.StrolchException;
@ -28,6 +29,9 @@ import li.strolch.model.Resource;
 import li.strolch.model.ResourceVisitor;
 import li.strolch.model.StrolchElement;
 import li.strolch.model.StrolchRootElement;
+import li.strolch.model.audit.Audit;
+import li.strolch.model.audit.AuditQuery;
+import li.strolch.model.audit.AuditVisitor;
 import li.strolch.model.parameter.Parameter;
 import li.strolch.model.parameter.StringParameter;
 import li.strolch.model.query.OrderQuery;
@ -58,6 +62,8 @@ public interface StrolchTransaction extends AutoCloseable {

 	public boolean isRolledBack();

+	public AuditTrail getAuditTrail();
+
 	public ResourceMap getResourceMap();

 	public OrderMap getOrderMap();
@ -76,6 +82,10 @@ public interface StrolchTransaction extends AutoCloseable {

 	public <U> List<U> doQuery(ResourceQuery query, ResourceVisitor<U> resourceVisitor);

+	public List<Audit> doQuery(AuditQuery query);
+
+	public <U> List<U> doQuery(AuditQuery query, AuditVisitor<U> auditVisitor);
+
 	/**
 	 * <p>
 	 * Used to find a {@link StrolchElement} by a {@link Locator}.
--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryAuditDao.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryAuditDao.java
@ -0,0 +1,162 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.persistence.inmemory;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import li.strolch.model.audit.Audit;
+import li.strolch.model.audit.AuditQuery;
+import li.strolch.model.audit.AuditVisitor;
+import li.strolch.persistence.api.AuditDao;
+import ch.eitchnet.utils.collections.DateRange;
+import ch.eitchnet.utils.collections.MapOfMaps;
+
+/**
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class InMemoryAuditDao implements AuditDao {
+
+	private MapOfMaps<String, Long, Audit> auditMap;
+
+	public InMemoryAuditDao() {
+		this.auditMap = new MapOfMaps<>();
+	}
+
+	@Override
+	public boolean hasElement(String type, Long id) {
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return false;
+		return byType.containsKey(id);
+	}
+
+	@Override
+	public long querySize(DateRange dateRange) {
+		long size = 0L;
+
+		for (String type : this.auditMap.keySet()) {
+			Map<Long, Audit> byType = this.auditMap.getMap(type);
+			for (Audit audit : byType.values()) {
+				if (dateRange.contains(audit.getDate()))
+					size++;
+			}
+		}
+
+		return size;
+	}
+
+	@Override
+	public long querySize(String type, DateRange dateRange) {
+		long size = 0L;
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate()))
+				size++;
+		}
+		return size;
+	}
+
+	@Override
+	public Audit queryBy(String type, Long id) {
+		return this.auditMap.getElement(type, id);
+	}
+
+	@Override
+	public Set<String> queryTypes() {
+		return this.auditMap.keySet();
+	}
+
+	@Override
+	public List<Audit> queryAll(String type, DateRange dateRange) {
+		List<Audit> audits = new ArrayList<>();
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return audits;
+
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate()))
+				audits.add(audit);
+		}
+		return audits;
+	}
+
+	@Override
+	public void save(Audit audit) {
+		this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+	}
+
+	@Override
+	public void saveAll(List<Audit> audits) {
+		for (Audit audit : audits) {
+			this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+		}
+	}
+
+	@Override
+	public void update(Audit audit) {
+		this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+	}
+
+	@Override
+	public void updateAll(List<Audit> audits) {
+		for (Audit audit : audits) {
+			this.auditMap.addElement(audit.getElementType(), audit.getId(), audit);
+		}
+	}
+
+	@Override
+	public void remove(Audit audit) {
+		this.auditMap.removeElement(audit.getElementType(), audit.getId());
+	}
+
+	@Override
+	public void removeAll(List<Audit> audits) {
+		for (Audit audit : audits) {
+			this.auditMap.removeElement(audit.getElementType(), audit.getId());
+		}
+	}
+
+	@Override
+	public long removeAll(String type, DateRange dateRange) {
+
+		Map<Long, Audit> byType = this.auditMap.getMap(type);
+		if (byType == null)
+			return 0L;
+
+		List<Audit> toRemoveList = new ArrayList<>();
+
+		for (Audit audit : byType.values()) {
+			if (dateRange.contains(audit.getDate())) {
+				toRemoveList.add(audit);
+			}
+		}
+
+		for (Audit toRemove : toRemoveList) {
+			this.auditMap.removeElement(type, toRemove.getId());
+		}
+
+		return toRemoveList.size();
+	}
+
+	@Override
+	public <U> List<U> doQuery(AuditQuery query, AuditVisitor<U> auditVisitor) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+}
--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java
@ -4,10 +4,12 @@ import java.util.HashMap;
 import java.util.Map;

 import li.strolch.agent.api.StrolchRealm;
+import li.strolch.persistence.api.AuditDao;
 import li.strolch.persistence.api.OrderDao;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.ResourceDao;
 import li.strolch.persistence.api.StrolchTransaction;
+import ch.eitchnet.privilege.model.Certificate;

 public class InMemoryPersistence implements PersistenceHandler {

@ -18,8 +20,8 @@ public class InMemoryPersistence implements PersistenceHandler {
 	}

 	@Override
-	public StrolchTransaction openTx(StrolchRealm realm) {
-		return new InMemoryTransaction(realm, this);
+	public StrolchTransaction openTx(StrolchRealm realm, Certificate certificate, String action) {
+		return new InMemoryTransaction(realm, certificate, action, this);
 	}

 	@Override
@ -34,10 +36,16 @@ public class InMemoryPersistence implements PersistenceHandler {
 		return daoCache.getResourceDao();
 	}

+	@Override
+	public AuditDao getAuditDao(StrolchTransaction tx) {
+		DaoCache daoCache = getDaoCache(tx);
+		return daoCache.getAuditDao();
+	}
+
 	private synchronized DaoCache getDaoCache(StrolchTransaction tx) {
 		DaoCache daoCache = this.daoCache.get(tx.getRealmName());
 		if (daoCache == null) {
-			daoCache = new DaoCache(new InMemoryOrderDao(), new InMemoryResourceDao());
+			daoCache = new DaoCache(new InMemoryOrderDao(), new InMemoryResourceDao(), new InMemoryAuditDao());
 			this.daoCache.put(tx.getRealmName(), daoCache);
 		}
 		return daoCache;
@ -46,10 +54,12 @@ public class InMemoryPersistence implements PersistenceHandler {
 	private class DaoCache {
 		private OrderDao orderDao;
 		private ResourceDao resourceDao;
+		private AuditDao auditDao;

-		public DaoCache(OrderDao orderDao, ResourceDao resourceDao) {
+		public DaoCache(OrderDao orderDao, ResourceDao resourceDao, AuditDao auditDao) {
 			this.orderDao = orderDao;
 			this.resourceDao = resourceDao;
+			this.auditDao = auditDao;
 		}

 		public OrderDao getOrderDao() {
@ -59,5 +69,9 @@ public class InMemoryPersistence implements PersistenceHandler {
 		public ResourceDao getResourceDao() {
 			return this.resourceDao;
 		}
+
+		public AuditDao getAuditDao() {
+			return this.auditDao;
+		}
 	}
 }
--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java
@ -18,19 +18,20 @@ package li.strolch.persistence.inmemory;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.StrolchComponent;
 import li.strolch.agent.api.StrolchRealm;
+import li.strolch.persistence.api.AuditDao;
 import li.strolch.persistence.api.OrderDao;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.ResourceDao;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import ch.eitchnet.privilege.model.Certificate;

 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
- * 
 */
 public class InMemoryPersistenceHandler extends StrolchComponent implements PersistenceHandler {

-	private InMemoryPersistence persistenceHandler;
+	private InMemoryPersistence persistence;

 	/**
 	 * @param container
@ -42,22 +43,27 @@ public class InMemoryPersistenceHandler extends StrolchComponent implements Pers

 	@Override
 	public void initialize(ComponentConfiguration configuration) {
-		this.persistenceHandler = new InMemoryPersistence();
+		this.persistence = new InMemoryPersistence();
 		super.initialize(configuration);
 	}

 	@Override
-	public StrolchTransaction openTx(StrolchRealm realm) {
-		return this.persistenceHandler.openTx(realm);
+	public StrolchTransaction openTx(StrolchRealm realm, Certificate certificate, String action) {
+		return this.persistence.openTx(realm, certificate, action);
 	}

 	@Override
 	public OrderDao getOrderDao(StrolchTransaction tx) {
-		return this.persistenceHandler.getOrderDao(tx);
+		return this.persistence.getOrderDao(tx);
 	}

 	@Override
 	public ResourceDao getResourceDao(StrolchTransaction tx) {
-		return this.persistenceHandler.getResourceDao(tx);
+		return this.persistence.getResourceDao(tx);
+	}
+
+	@Override
+	public AuditDao getAuditDao(StrolchTransaction tx) {
+		return this.persistence.getAuditDao(tx);
 	}
 }
--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java
@ -5,18 +5,20 @@ import li.strolch.persistence.api.AbstractTransaction;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.TransactionResult;
 import li.strolch.persistence.api.TransactionState;
+import ch.eitchnet.privilege.model.Certificate;

 public class InMemoryTransaction extends AbstractTransaction {

 	private InMemoryPersistence persistenceHandler;

-	public InMemoryTransaction(StrolchRealm realm, InMemoryPersistence persistenceHandler) {
-		super(realm);
+	public InMemoryTransaction(StrolchRealm realm, Certificate certificate, String action,
+			InMemoryPersistence persistenceHandler) {
+		super(realm, certificate, action);
 		this.persistenceHandler = persistenceHandler;
 	}

 	@Override
-	protected void commit(TransactionResult txResult) throws Exception {
+	protected void writeChanges(TransactionResult txResult) throws Exception {
 		txResult.setState(TransactionState.COMMITTED);
 	}

@ -25,6 +27,11 @@ public class InMemoryTransaction extends AbstractTransaction {
 		txResult.setState(TransactionState.ROLLED_BACK);
 	}

+	@Override
+	protected void commit() throws Exception {
+		// no-op
+	}
+
 	@Override
 	public PersistenceHandler getPersistenceHandler() {
 		return this.persistenceHandler;
--- a/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
+++ b/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
@ -30,7 +30,6 @@ import ch.eitchnet.privilege.base.PrivilegeException;
 import ch.eitchnet.privilege.handler.DefaultPrivilegeHandler;
 import ch.eitchnet.privilege.handler.EncryptionHandler;
 import ch.eitchnet.privilege.handler.PersistenceHandler;
-import ch.eitchnet.privilege.handler.PrivilegeHandler;
 import ch.eitchnet.privilege.handler.SystemUserAction;
 import ch.eitchnet.privilege.handler.XmlPersistenceHandler;
 import ch.eitchnet.privilege.helper.PrivilegeInitializationHelper;
@ -41,12 +40,12 @@ import ch.eitchnet.privilege.model.internal.PrivilegeContainerModel;
 import ch.eitchnet.privilege.xml.PrivilegeConfigSaxReader;
 import ch.eitchnet.utils.helper.XmlHelper;

-public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements StrolchPrivilegeHandler {
+public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements PrivilegeHandler {

 	public static final String PROP_PRIVILEGE_CONFIG_FILE = "privilegeConfigFile"; //$NON-NLS-1$
 	public static final String PRIVILEGE_CONFIG_XML = "PrivilegeConfig.xml"; //$NON-NLS-1$

-	private PrivilegeHandler privilegeHandler;
+	private ch.eitchnet.privilege.handler.PrivilegeHandler privilegeHandler;

 	public DefaultStrolchPrivilegeHandler(ComponentContainer container, String componentName) {
 		super(container, componentName);
@ -60,7 +59,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 		RuntimeConfiguration runtimeConfiguration = configuration.getRuntimeConfiguration();
 		File privilegeConfigFile = configuration.getConfigFile(PROP_PRIVILEGE_CONFIG_FILE, PRIVILEGE_CONFIG_XML,
 				runtimeConfiguration);
-		PrivilegeHandler privilegeHandler = initializeFromXml(configuration, privilegeConfigFile);
+		ch.eitchnet.privilege.handler.PrivilegeHandler privilegeHandler = initializeFromXml(configuration,
+				privilegeConfigFile);
 		this.privilegeHandler = privilegeHandler;
 	}

@ -73,7 +73,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 	 * @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and
 	 *         {@link PersistenceHandler} are set and initialized as well
 	 */
-	private PrivilegeHandler initializeFromXml(ComponentConfiguration configuration, File privilegeXmlFile) {
+	private ch.eitchnet.privilege.handler.PrivilegeHandler initializeFromXml(ComponentConfiguration configuration,
+			File privilegeXmlFile) {

 		// make sure file exists
 		if (!privilegeXmlFile.exists()) {
@ -168,7 +169,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 	}

 	@Override
-	public PrivilegeHandler getPrivilegeHandler(Certificate certificate) throws PrivilegeException {
+	public ch.eitchnet.privilege.handler.PrivilegeHandler getPrivilegeHandler(Certificate certificate)
+			throws PrivilegeException {
 		assertContainerStarted();
 		this.privilegeHandler.assertIsPrivilegeAdmin(certificate);
 		return this.privilegeHandler;
--- a/src/main/java/li/strolch/runtime/privilege/StrolchPrivilegeHandler.java
+++ b/src/main/java/li/strolch/runtime/privilege/StrolchPrivilegeHandler.java
@ -16,7 +16,6 @@
 package li.strolch.runtime.privilege;

 import ch.eitchnet.privilege.base.PrivilegeException;
-import ch.eitchnet.privilege.handler.PrivilegeHandler;
 import ch.eitchnet.privilege.handler.SystemUserAction;
 import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.privilege.model.PrivilegeContext;
@ -24,7 +23,7 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
-public interface StrolchPrivilegeHandler {
+public interface PrivilegeHandler {

 	/**
 	 * @param username
@ -71,6 +70,7 @@ public interface StrolchPrivilegeHandler {
 	 * @return
 	 * @throws PrivilegeException
 	 */
-	public abstract PrivilegeHandler getPrivilegeHandler(Certificate certificate) throws PrivilegeException;
+	public abstract ch.eitchnet.privilege.handler.PrivilegeHandler getPrivilegeHandler(Certificate certificate)
+			throws PrivilegeException;

 }
--- a/src/main/java/li/strolch/runtime/query/enums/DefaultEnumHandler.java
+++ b/src/main/java/li/strolch/runtime/query/enums/DefaultEnumHandler.java
@ -33,6 +33,7 @@ import li.strolch.model.parameter.StringParameter;
 import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.runtime.StrolchConstants;
 import li.strolch.runtime.configuration.ComponentConfiguration;
+import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.utils.dbc.DBC;

 /**
@ -75,7 +76,7 @@ public class DefaultEnumHandler extends StrolchComponent implements EnumHandler
 	}

 	@Override
-	public StrolchEnum getEnum(String name, Locale locale) {
+	public StrolchEnum getEnum(Certificate certificate, String name, Locale locale) {

 		DBC.PRE.assertNotEmpty("Enum name must be given!", name); //$NON-NLS-1$
 		DBC.PRE.assertNotNull("Locale must be given!", locale); //$NON-NLS-1$
@ -84,7 +85,8 @@ public class DefaultEnumHandler extends StrolchComponent implements EnumHandler
 		if (enumLocator == null)
 			throw new StrolchException(MessageFormat.format("No enumeration is configured for the name {0}", name)); //$NON-NLS-1$

-		try (StrolchTransaction tx = getContainer().getRealm(this.realm).openTx()) {
+		try (StrolchTransaction tx = getContainer().getRealm(this.realm).openTx(certificate,
+				EnumHandler.class)) {
 			Resource enumeration = tx.findElement(enumLocator);
 			ParameterBag enumValuesByLanguage = findParameterBagByLanguage(enumeration, locale);

--- a/src/main/java/li/strolch/runtime/query/enums/EnumHandler.java
+++ b/src/main/java/li/strolch/runtime/query/enums/EnumHandler.java
@ -17,10 +17,12 @@ package li.strolch.runtime.query.enums;

 import java.util.Locale;

+import ch.eitchnet.privilege.model.Certificate;
+
 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
 public interface EnumHandler {

-	public StrolchEnum getEnum(String name, Locale locale);
+	public StrolchEnum getEnum(Certificate certificate, String name, Locale locale);
 }
--- a/src/main/java/li/strolch/service/api/AbstractService.java
+++ b/src/main/java/li/strolch/service/api/AbstractService.java
@ -107,7 +107,16 @@ public abstract class AbstractService<T extends ServiceArgument, U extends Servi
 	 * @return
 	 */
 	protected final StrolchTransaction openTx(String realm) {
-		return this.container.getRealm(realm).openTx();
+		return this.container.getRealm(realm).openTx(getCertificate(), getClass());
+	}
+
+	/**
+	 * @param realm
+	 * @param action
+	 * @return
+	 */
+	protected final StrolchTransaction openTx(String realm, String action) {
+		return this.container.getRealm(realm).openTx(getCertificate(), action);
 	}

 	@Override
--- a/src/main/java/li/strolch/service/api/DefaultServiceHandler.java
+++ b/src/main/java/li/strolch/service/api/DefaultServiceHandler.java
@ -22,7 +22,7 @@ import li.strolch.agent.api.StrolchComponent;
 import li.strolch.exception.StrolchException;
 import li.strolch.runtime.configuration.ComponentConfiguration;
 import li.strolch.runtime.configuration.RuntimeConfiguration;
-import li.strolch.runtime.privilege.StrolchPrivilegeHandler;
+import li.strolch.runtime.privilege.PrivilegeHandler;
 import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.privilege.model.PrivilegeContext;
 import ch.eitchnet.utils.helper.StringHelper;
@ -33,7 +33,7 @@ import ch.eitchnet.utils.helper.StringHelper;
 public class DefaultServiceHandler extends StrolchComponent implements ServiceHandler {

 	private RuntimeConfiguration runtimeConfiguration;
-	private StrolchPrivilegeHandler privilegeHandler;
+	private PrivilegeHandler privilegeHandler;

 	/**
 	 * @param container
@ -45,8 +45,7 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa

 	@Override
 	public void initialize(ComponentConfiguration configuration) {
-		if (getContainer().hasComponent(StrolchPrivilegeHandler.class))
-			this.privilegeHandler = getContainer().getComponent(StrolchPrivilegeHandler.class);
+		this.privilegeHandler = getContainer().getPrivilegeHandler();
 		this.runtimeConfiguration = configuration.getRuntimeConfiguration();
 		super.initialize(configuration);
 	}
@ -71,11 +70,8 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa
 		long start = System.nanoTime();

 		// first check that the caller may perform this service
-		PrivilegeContext privilegeContext = null;
-		if (this.privilegeHandler != null) {
-			privilegeContext = this.privilegeHandler.getPrivilegeContext(certificate);
-			privilegeContext.validateAction(service);
-		}
+		PrivilegeContext privilegeContext = this.privilegeHandler.getPrivilegeContext(certificate);
+		privilegeContext.validateAction(service);

 		try {
 			// then perform the service
--- a/src/test/java/li/strolch/agent/ComponentContainerTest.java
+++ b/src/test/java/li/strolch/agent/ComponentContainerTest.java
@ -37,11 +37,13 @@ import li.strolch.runtime.configuration.RuntimeConfiguration;
 import li.strolch.runtime.configuration.model.ResourceGeneratorHandlerTest;
 import li.strolch.runtime.configuration.model.ServiceHandlerTest;
 import li.strolch.runtime.configuration.model.ServiceResultTest;
+import li.strolch.runtime.privilege.PrivilegeHandler;

 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.utils.helper.FileHelper;

@SuppressWarnings("nls")
@ -52,6 +54,7 @@ public class ComponentContainerTest {
 	public static final String PATH_TRANSACTIONAL_CONTAINER = "src/test/resources/transactionaltest";
 	public static final String PATH_CACHED_CONTAINER = "src/test/resources/cachedtest";
 	public static final String PATH_EMPTY_CONTAINER = "src/test/resources/emptytest";
+	public static final String PATH_MINIMAL_CONTAINER = "src/test/resources/minimaltest";

 	public static final String PATH_REALM_RUNTIME = "target/realmtest/";
 	public static final String PATH_TRANSIENT_RUNTIME = "target/transienttest/";
@ -144,6 +147,25 @@ public class ComponentContainerTest {
 		}
 	}

+	@Test
+	public void shouldTestMinimal() {
+
+		try {
+			StrolchAgent agent = startContainer(PATH_REALM_RUNTIME, PATH_MINIMAL_CONTAINER);
+
+			ComponentContainer container = agent.getContainer();
+
+			ServiceHandlerTest serviceHandler = container.getComponent(ServiceHandlerTest.class);
+			ServiceResultTest result = serviceHandler.doService();
+			assertEquals(1, result.getResult());
+
+			destroyContainer(agent);
+		} catch (Exception e) {
+			logger.error(e.getMessage(), e);
+			throw e;
+		}
+	}
+
 	public static void testContainer(StrolchAgent agent) {

 		ComponentContainer container = agent.getContainer();
@ -159,6 +181,11 @@ public class ComponentContainerTest {
 		assertEquals("@testRes", resource.getId());
 	}

+	private static Certificate login(StrolchAgent agent) {
+		PrivilegeHandler privilegeHandler = agent.getContainer().getPrivilegeHandler();
+		return privilegeHandler.authenticate("test", "test".getBytes());
+	}
+
 	public static void testPersistenceContainer(StrolchAgent agent) {

 		ComponentContainer container = agent.getContainer();
@ -167,7 +194,8 @@ public class ComponentContainerTest {
 		ServiceResultTest result = serviceHandler.doService();
 		assertEquals(1, result.getResult());

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		Certificate certificate = login(agent);
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			ResourceDao resourceDao = tx.getPersistenceHandler().getResourceDao(tx);
 			resourceDao.save(ModelGenerator.createResource("@testRes0", "Test Res", "Test"));
 			Resource queriedRes = resourceDao.queryBy("Test", "@testRes0");
@ -175,7 +203,7 @@ public class ComponentContainerTest {
 			assertEquals("@testRes0", queriedRes.getId());
 		}

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			OrderDao orderDao = tx.getPersistenceHandler().getOrderDao(tx);
 			orderDao.save(ModelGenerator.createOrder("@testOrder0", "Test Order", "Test"));
 			Order queriedOrder = orderDao.queryBy("Test", "@testOrder0");
@ -188,7 +216,8 @@ public class ComponentContainerTest {

 		ComponentContainer container = agent.getContainer();

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		Certificate certificate = login(agent);
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			ResourceMap resourceMap = tx.getResourceMap();
 			resourceMap.add(tx, ModelGenerator.createResource("@testRes1", "Test Res", "Test"));
 			Resource queriedRes = resourceMap.getBy(tx, "Test", "@testRes1");
@ -196,7 +225,7 @@ public class ComponentContainerTest {
 			assertEquals("@testRes1", queriedRes.getId());
 		}

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			OrderMap orderMap = tx.getOrderMap();
 			orderMap.add(tx, ModelGenerator.createOrder("@testOrder1", "Test Order", "Test"));
 			Order queriedOrder = orderMap.getBy(tx, "Test", "@testOrder1");
@ -209,7 +238,8 @@ public class ComponentContainerTest {

 		ComponentContainer container = agent.getContainer();

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		Certificate certificate = login(agent);
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			ResourceMap resourceMap = tx.getResourceMap();
 			resourceMap.add(tx, ModelGenerator.createResource("@testRes1", "Test Res", "Test"));
 			Resource queriedRes = resourceMap.getBy(tx, "Test", "@testRes1");
@ -223,7 +253,7 @@ public class ComponentContainerTest {
 			assertEquals("@testOrder1", queriedOrder.getId());
 		}

-		try (StrolchTransaction tx = container.getRealm("myRealm").openTx()) {
+		try (StrolchTransaction tx = container.getRealm("myRealm").openTx(certificate, "test")) {
 			ResourceMap resourceMap = tx.getResourceMap();
 			Resource myRealmRes = resourceMap.getBy(tx, "TestType", "MyRealmRes");
 			assertNotNull(myRealmRes);
@ -238,7 +268,7 @@ public class ComponentContainerTest {
 			Order otherRealmOrder = orderMap.getBy(tx, "TestType", "OtherRealmOrder");
 			assertNull(otherRealmOrder);
 		}
-		try (StrolchTransaction tx = container.getRealm("otherRealm").openTx()) {
+		try (StrolchTransaction tx = container.getRealm("otherRealm").openTx(certificate, "test")) {
 			ResourceMap resourceMap = tx.getResourceMap();
 			Resource otherRealmRes = resourceMap.getBy(tx, "TestType", "OtherRealmRes");
 			assertNotNull(otherRealmRes);
--- a/src/test/java/li/strolch/runtime/query/enums/EnumHandlerTest.java
+++ b/src/test/java/li/strolch/runtime/query/enums/EnumHandlerTest.java
@ -24,11 +24,11 @@ import java.util.Locale;
 import li.strolch.agent.ComponentContainerTest;
 import li.strolch.agent.api.ComponentContainer;
 import li.strolch.agent.api.StrolchAgent;
-import li.strolch.runtime.query.enums.EnumHandler;
-import li.strolch.runtime.query.enums.StrolchEnum;

 import org.junit.Test;

+import ch.eitchnet.privilege.model.Certificate;
+
 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
@ -44,8 +44,10 @@ public class EnumHandlerTest {
 				ComponentContainerTest.PATH_TRANSIENT_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+
 		EnumHandler enumHandler = container.getComponent(EnumHandler.class);
-		StrolchEnum sexEnum = enumHandler.getEnum("sex", Locale.ENGLISH);
+		StrolchEnum sexEnum = enumHandler.getEnum(certificate, "sex", Locale.ENGLISH);
 		assertEquals("sex", sexEnum.getName());
 		assertEquals("en", sexEnum.getLocale());
 		assertEquals(3, sexEnum.getValues().size());
@ -53,7 +55,7 @@ public class EnumHandlerTest {
 		Collections.sort(values);
 		assertEquals("both", values.get(0));

-		StrolchEnum salutationsEnum = enumHandler.getEnum("salutations", Locale.UK);
+		StrolchEnum salutationsEnum = enumHandler.getEnum(certificate, "salutations", Locale.UK);
 		assertEquals("salutations", salutationsEnum.getName());
 		assertEquals("en_GB", salutationsEnum.getLocale());
 		assertEquals(3, salutationsEnum.getValues().size());
@ -61,7 +63,7 @@ public class EnumHandlerTest {
 		Collections.sort(values);
 		assertEquals("Mr", values.get(0));

-		StrolchEnum religionsEnum = enumHandler.getEnum("religions", Locale.CANADA);
+		StrolchEnum religionsEnum = enumHandler.getEnum(certificate, "religions", Locale.CANADA);
 		assertEquals("religions", religionsEnum.getName());
 		assertEquals("en_CA", religionsEnum.getLocale());
 		assertEquals(9, religionsEnum.getValues().size());
--- a/src/test/java/li/strolch/runtime/query/inmemory/FindByLocatorTest.java
+++ b/src/test/java/li/strolch/runtime/query/inmemory/FindByLocatorTest.java
@ -30,6 +30,8 @@ import li.strolch.runtime.StrolchConstants;

 import org.junit.Test;

+import ch.eitchnet.privilege.model.Certificate;
+
 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
@ -45,7 +47,9 @@ public class FindByLocatorTest {
 				ComponentContainerTest.PATH_TRANSIENT_CONTAINER);
 		ComponentContainer container = agent.getContainer();

-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {

 			// Resource
 			Locator locResource = Locator.valueOf("Resource/TestType/MyTestResource");
--- a/src/test/java/li/strolch/runtime/query/inmemory/QueryTest.java
+++ b/src/test/java/li/strolch/runtime/query/inmemory/QueryTest.java
@ -42,6 +42,8 @@ import li.strolch.runtime.StrolchConstants;

 import org.junit.Test;

+import ch.eitchnet.privilege.model.Certificate;
+
 /**
 * @author Robert von Burg <eitch@eitchnet.ch>
 * 
@ -51,6 +53,10 @@ public class QueryTest {

 	public static final String PATH_EMPTY_RUNTIME = "target/QueryTest/"; //$NON-NLS-1$

+	private Certificate login(ComponentContainer container) {
+		return container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+	}
+
 	@Test
 	public void shouldQueryResourceWithParamValue() {

@ -58,10 +64,12 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
 		IntegerParameter iP = new IntegerParameter("nbOfBooks", "Number of Books", 33);
 		res1.addParameter(BAG_ID, iP);
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 		}

@ -74,7 +82,7 @@ public class QueryTest {
 		InMemoryResourceQueryVisitor resourceQuery = new InMemoryResourceQueryVisitor();
 		InMemoryQuery<Resource, Resource> inMemoryQuery = resourceQuery.visit(query, new NoStrategyResourceVisitor());
 		List<Resource> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = inMemoryQuery.doQuery(tx.getPersistenceHandler().getResourceDao(tx));
 		}
 		assertEquals(1, result.size());
@ -88,10 +96,12 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Order o1 = createOrder("@1", "Test Order", "MyType");
 		IntegerParameter iP = new IntegerParameter("nbOfBooks", "Number of Books", 33);
 		o1.addParameter(BAG_ID, iP);
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getOrderMap().add(tx, o1);
 		}

@ -104,7 +114,7 @@ public class QueryTest {
 		InMemoryOrderQueryVisitor orderQuery = new InMemoryOrderQueryVisitor();
 		InMemoryQuery<Order, Order> inMemoryQuery = orderQuery.visit(query, new NoStrategyOrderVisitor());
 		List<Order> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = inMemoryQuery.doQuery(tx.getPersistenceHandler().getOrderDao(tx));
 		}
 		assertEquals(1, result.size());
@ -118,15 +128,17 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 		}

 		ResourceQuery query = ResourceQuery.query("MyType");
 		query.and().with(ParameterSelection.stringSelection(BAG_ID, PARAM_STRING_ID, "olch").contains(true));
 		List<Resource> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = tx.doQuery(query);
 		}
 		assertEquals(1, result.size());
@ -140,15 +152,17 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 		}

 		ResourceQuery query = ResourceQuery.query("MyType");
 		query.and().with(ParameterSelection.stringSelection(BAG_ID, PARAM_STRING_ID, "str").contains(true));
 		List<Resource> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = tx.doQuery(query);
 		}
 		assertEquals(0, result.size());
@ -161,15 +175,17 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 		}

 		ResourceQuery query = ResourceQuery.query("MyType");
 		query.and().with(ParameterSelection.stringSelection(BAG_ID, PARAM_STRING_ID, "strolch").caseInsensitive(true));
 		List<Resource> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = tx.doQuery(query);
 		}
 		assertEquals(1, result.size());
@ -183,15 +199,17 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 		}

 		ResourceQuery query = ResourceQuery.query("MyType");
 		query.and().with(ParameterSelection.stringSelection(BAG_ID, PARAM_STRING_ID, "strolch"));
 		List<Resource> result;
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			result = tx.doQuery(query);
 		}
 		assertEquals(0, result.size());
@ -204,9 +222,11 @@ public class QueryTest {
 				ComponentContainerTest.PATH_EMPTY_CONTAINER);
 		ComponentContainer container = agent.getContainer();

+		Certificate certificate = login(container);
+
 		Resource res1 = createResource("@1", "Test Resource", "MyType");
 		Resource res2 = createResource("@2", "Test Resource", "MyType");
-		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+		try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 			tx.getResourceMap().add(tx, res1);
 			tx.getResourceMap().add(tx, res2);
 		}
@ -215,7 +235,7 @@ public class QueryTest {
 			ResourceQuery query = ResourceQuery.query("MyType");
 			query.not(new IdSelection("@1"));
 			List<Resource> result;
-			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 				result = tx.doQuery(query);
 			}
 			assertEquals(1, result.size());
@ -226,7 +246,7 @@ public class QueryTest {
 			ResourceQuery query = ResourceQuery.query("MyType");
 			query.not(new IdSelection("@2"));
 			List<Resource> result;
-			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 				result = tx.doQuery(query);
 			}
 			assertEquals(1, result.size());
@ -237,7 +257,7 @@ public class QueryTest {
 			ResourceQuery query = ResourceQuery.query("MyType");
 			query.not(new IdSelection("@1", "@2"));
 			List<Resource> result;
-			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx()) {
+			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate, "test")) {
 				result = tx.doQuery(query);
 			}
 			assertEquals(0, result.size());
--- a/src/test/resources/cachedtest/config/PrivilegeConfig.xml
+++ b/src/test/resources/cachedtest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/cachedtest/config/PrivilegeModel.xml
+++ b/src/test/resources/cachedtest/config/PrivilegeModel.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/cachedtest/config/StrolchConfiguration.xml
+++ b/src/test/resources/cachedtest/config/StrolchConfiguration.xml
@ -7,11 +7,19 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
-			<depends>PersistenceHandler</depends>
+			<depends>PrivilegeHandler</depends>
 			<Properties>
 				<dataStoreMode>CACHED</dataStoreMode>
 				<dataStoreFile>StrolchModel.xml</dataStoreFile>
--- a/src/test/resources/configtest/config/StrolchConfiguration.xml
+++ b/src/test/resources/configtest/config/StrolchConfiguration.xml
@ -7,10 +7,20 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<depends>PersistenceHandler</depends>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
+			<depends>PrivilegeHandler</depends>
 			<Properties>
 				<dataStoreMode>EMPTY</dataStoreMode>
 			</Properties>
@ -23,15 +33,6 @@
 			<Properties>
 			</Properties>
 		</Component>
-		<Component>
-			<name>PrivilegeHandler</name>
-			<api>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</api>
-			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
-			<depends>PersistenceHandler</depends>
-			<Properties>
-				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
-			</Properties>
-		</Component>
 		<Component>
 			<name>ResourceGeneratorHandler</name>
 			<api>li.strolch.runtime.configuration.model.ResourceGeneratorHandlerTest</api>
--- a/src/test/resources/emptytest/config/PrivilegeConfig.xml
+++ b/src/test/resources/emptytest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/emptytest/config/PrivilegeModel.xml
+++ b/src/test/resources/emptytest/config/PrivilegeModel.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/emptytest/config/StrolchConfiguration.xml
+++ b/src/test/resources/emptytest/config/StrolchConfiguration.xml
@ -7,10 +7,19 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
+			<depends>PrivilegeHandler</depends>
 			<Properties>
 				<dataStoreMode>EMPTY</dataStoreMode>
 			</Properties>
--- a/src/test/resources/minimaltest/config/PrivilegeConfig.xml
+++ b/src/test/resources/minimaltest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/minimaltest/config/PrivilegeModel.xml
+++ b/src/test/resources/minimaltest/config/PrivilegeModel.xml
@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/minimaltest/config/StrolchConfiguration.xml
+++ b/src/test/resources/minimaltest/config/StrolchConfiguration.xml
@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<StrolchConfiguration>
+	<env id="dev">
+		<Runtime>
+			<applicationName>StrolchRuntimeTest</applicationName>
+			<Properties>
+				<verbose>true</verbose>
+			</Properties>
+		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
+		<Component>
+			<name>RealmHandler</name>
+			<api>li.strolch.agent.api.RealmHandler</api>
+			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
+			<depends>PrivilegeHandler</depends>
+			<Properties>
+				<dataStoreMode>EMPTY</dataStoreMode>
+			</Properties>
+		</Component>
+		<Component>
+			<name>ServiceHandler</name>
+			<api>li.strolch.runtime.configuration.model.ServiceHandlerTest</api>
+			<impl>li.strolch.runtime.configuration.model.ServiceHandlerTestImpl</impl>
+			<depends>RealmHandler</depends>
+			<Properties>
+			</Properties>
+		</Component>
+	</env>
+</StrolchConfiguration>
--- a/src/test/resources/realmtest/config/PrivilegeConfig.xml
+++ b/src/test/resources/realmtest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/realmtest/config/PrivilegeModel.xml
+++ b/src/test/resources/realmtest/config/PrivilegeModel.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/realmtest/config/StrolchConfiguration.xml
+++ b/src/test/resources/realmtest/config/StrolchConfiguration.xml
@ -8,10 +8,25 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
+		<Component>
+			<name>PersistenceHandler</name>
+			<api>li.strolch.persistence.api.PersistenceHandler</api>
+			<impl>li.strolch.persistence.inmemory.InMemoryPersistenceHandler</impl>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
+			<depends>PrivilegeHandler</depends>
+			<depends>PersistenceHandler</depends>
 			<Properties>
 				<realms>defaultRealm, myRealm, otherRealm, cachedRealm, transactionalRealm, emptyRealm</realms>
 				<dataStoreMode>TRANSIENT</dataStoreMode>
@ -49,10 +64,5 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Component>
-		<Component>
-			<name>PersistenceHandler</name>
-			<api>li.strolch.persistence.api.PersistenceHandler</api>
-			<impl>li.strolch.persistence.inmemory.InMemoryPersistenceHandler</impl>
-		</Component>
 	</env>
 </StrolchConfiguration>
--- a/src/test/resources/transactionaltest/config/PrivilegeConfig.xml
+++ b/src/test/resources/transactionaltest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/transactionaltest/config/PrivilegeModel.xml
+++ b/src/test/resources/transactionaltest/config/PrivilegeModel.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/transactionaltest/config/StrolchConfiguration.xml
+++ b/src/test/resources/transactionaltest/config/StrolchConfiguration.xml
@ -7,10 +7,19 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
+			<depends>PrivilegeHandler</depends>
 			<depends>PersistenceHandler</depends>
 			<Properties>
 				<dataStoreMode>TRANSACTIONAL</dataStoreMode>
--- a/src/test/resources/transienttest/config/PrivilegeConfig.xml
+++ b/src/test/resources/transienttest/config/PrivilegeConfig.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Privilege>
+
+	<Container>
+
+		<Parameters>
+			<!-- parameters for the container itself -->
+			<Parameter name="autoPersistOnPasswordChange" value="true" />
+		</Parameters>
+
+		<EncryptionHandler class="ch.eitchnet.privilege.handler.DefaultEncryptionHandler">
+			<Parameters>
+				<Parameter name="hashAlgorithm" value="SHA-256" />
+			</Parameters>
+		</EncryptionHandler>
+
+		<PersistenceHandler class="ch.eitchnet.privilege.handler.XmlPersistenceHandler">
+			<Parameters>
+				<Parameter name="basePath" value="target/strolchRuntime/config" />
+				<Parameter name="modelXmlFile" value="PrivilegeModel.xml" />
+			</Parameters>
+		</PersistenceHandler>
+
+	</Container>
+
+	<Policies>
+		<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+	</Policies>
+
+</Privilege>
--- a/src/test/resources/transienttest/config/PrivilegeModel.xml
+++ b/src/test/resources/transienttest/config/PrivilegeModel.xml
@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<UsersAndRoles>
+
+	<Users>
+		<User userId="1" username="agent">
+			<State>SYSTEM</State>
+			<Firstname>Application</Firstname>
+			<Lastname>Agent</Lastname>
+			<Roles>
+				<Role>agent</Role>
+			</Roles>
+		</User>
+		<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+			<Firstname>Application</Firstname>
+			<Lastname>Administrator</Lastname>
+			<State>ENABLED</State>
+			<Locale>en_GB</Locale>
+			<Roles>
+				<Role>PrivilegeAdmin</Role>
+				<Role>AppUser</Role>
+			</Roles>
+		</User>
+	</Users>
+
+	<Roles>
+		<Role name="PrivilegeAdmin" />
+		<Role name="agent">
+			<Privilege name="li.strolch.agent.impl.StartRealms" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+		<Role name="AppUser">
+			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
+		</Role>
+
+	</Roles>
+</UsersAndRoles>
--- a/src/test/resources/transienttest/config/StrolchConfiguration.xml
+++ b/src/test/resources/transienttest/config/StrolchConfiguration.xml
@ -7,11 +7,19 @@
 				<verbose>true</verbose>
 			</Properties>
 		</Runtime>
+		<Component>
+			<name>PrivilegeHandler</name>
+			<api>li.strolch.runtime.privilege.PrivilegeHandler</api>
+			<impl>li.strolch.runtime.privilege.DefaultStrolchPrivilegeHandler</impl>
+			<Properties>
+				<privilegeConfigFile>PrivilegeConfig.xml</privilegeConfigFile>
+			</Properties>
+		</Component>
 		<Component>
 			<name>RealmHandler</name>
 			<api>li.strolch.agent.api.RealmHandler</api>
 			<impl>li.strolch.agent.impl.DefaultRealmHandler</impl>
-			<!-- depends>PersistenceHandler</depends -->
+			<depends>PrivilegeHandler</depends>
 			<Properties>
 				<dataStoreMode>TRANSIENT</dataStoreMode>
 				<dataStoreFile>StrolchModel.xml</dataStoreFile>