diff --git a/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java b/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
index 1d9757d..8f02fe2 100644
--- a/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
+++ b/util/src/main/java/org/killbill/billing/util/security/shiro/dao/DefaultUserDao.java
@@ -123,11 +123,10 @@ public class DefaultUserDao implements UserDao {
public Void inTransaction(final Handle handle, final TransactionStatus status) throws Exception {
final RolesPermissionsSqlDao rolesPermissionsSqlDao = handle.attach(RolesPermissionsSqlDao.class);
final List<RolesPermissionsModelDao> existingPermissions = rolesPermissionsSqlDao.getByRoleName(role);
- if (existingPermissions.isEmpty()) {
- throw new SecurityApiException(ErrorCode.SECURITY_INVALID_ROLE, role);
- }
-
- final Iterable<RolesPermissionsModelDao> toBeDeleted = Iterables.filter(existingPermissions, new Predicate<RolesPermissionsModelDao>() {
+ // A empty list of permissions means we should remove all current permissions
+ final Iterable<RolesPermissionsModelDao> toBeDeleted = existingPermissions.isEmpty() ?
+ existingPermissions :
+ Iterables.filter(existingPermissions, new Predicate<RolesPermissionsModelDao>() {
@Override
public boolean apply(final RolesPermissionsModelDao input) {
return !permissions.contains(input.getPermission());
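Review bot: The added comment describes an empty `permissions` argument, but the ternary tests `existingPermissions.isEmpty()`, and that branch is redundant: `Iterables.filter` over an empty list already yields nothing, and the predicate `!permissions.contains(...)` already selects every row when `permissions` is empty. The behaviour that actually changes is the removal of the `SECURITY_INVALID_ROLE` check, so a role name with no permission rows is now accepted; depending on the insert logic below the hunk (not visible here), a mistyped or never-created role name may be silently populated with permissions instead of rejected. If that is intended, drop the ternary and state it in the comment, e.g. `// A role with no rows is no longer an error: a role emptied by an earlier update must stay updatable`. If it is not intended, role existence needs a check that does not depend on permission rows. The body of `inTransaction` continues past the end of the hunk.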
diff --git a/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java b/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
index 5e89611..ea70d42 100644
--- a/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
+++ b/util/src/test/java/org/killbill/billing/util/security/shiro/realm/TestKillBillJdbcRealm.java
@@ -40,6 +40,7 @@ import org.testng.annotations.Test;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
public class TestKillBillJdbcRealm extends UtilTestSuiteWithEmbeddedDB {
@@ -206,6 +207,8 @@ public class TestKillBillJdbcRealm extends UtilTestSuiteWithEmbeddedDB {
Assert.assertTrue(updatedRoleDefinition.contains("tag:create_tag_definition"));
Assert.assertTrue(updatedRoleDefinition.contains("entitlement:create"));
+ securityApi.updateRoleDefinition("original", ImmutableList.<String>of(), callContext);
+ Assert.assertEquals(securityApi.getRoleDefinition("original", callContext).size(), 0);
}
private void testInvalidPermissionScenario(final List<String> permissions) {
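Review bot: The two added lines only cover emptying the existing role `"original"`; nothing pins what `updateRoleDefinition` now does for a role name that has no rows at all, a case the removed check in `DefaultUserDao` used to reject with `SECURITY_INVALID_ROLE`. Since this is an authorization path, I would add a case that calls `updateRoleDefinition` with a role name that was never created and asserts the intended outcome, whether that is a `SecurityApiException` or an explicitly accepted creation. It is also worth asserting that `"original"` can be given a permission again after being emptied, which is the scenario the DAO change appears to enable. The test method starts above the hunk.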