@ministryofjustice/hmpps-prison-permissions-lib 0.4.0 → 1.0.0

package/CHANGELOG.md

@@ -2,9 +2,45 @@
 
 Please use this to capture reasoning behind changes:
 
+## 1.0.0
+
+### Breaking changes:
+
+* Renamed `PrisonerIncentivesPermission.read` to `PrisonerIncentivesPermission.read_incentive_level` to distinguish
+  between reading just the incentive level vs the incentives history and comments. This only affected the Prisoner
+  Profile contract tests.
+
+### New features:
+
+* Introduction of `PrisonerIncentivesPermission.read_incentive_level_history`.
+
+  We reviewed the permissions around incentives and found that there were conflicting permissions between
+  displaying the incentive level in the Prisoner Profile banner, the incentives card in the Prisoner Profile overview
+  and the incentives service itself. Connect DPS and the Incentives team agreed that just reading the incentive level
+  should follow the base checks for the profile, whilst reading the incentives history and comments should not
+  be allowed for prisoners in a prison outside the user's caseload.
+
+  We have therefore introduced a new permission to capture the incentive level history permission.
+
+* Introduction of CSRA permissions for reading the CSRA rating of a prisoner and also the history and details of
+  CSRA assessments.
+
+  It was decided (see Slack #hmpps-data-domains on 17/11/25) that CSRA should sit in the 'Prisoner Specific Risks'
+  domain, `as it is solely an assessment of their suitability to share a cell and who with`
+
+  The permissions mirror the logic that was used in the Prisoner Profile.
+
+* Introduction of a `PersonPrisonCategoryPermission.read` permission that matches the base checks. This matched the
+  existing logic in the Prisoner Profile for reading a prisoner's category.
+
+## 0.5.0
+
+No functionality changes. Dependencies updated and support for node 24 has been added.
+
 ## 0.4.0
 
-Access period for users with both the `POM` and `GLOBAL_SEARCH` roles to access prisoner case notes after a transfer extended from 30 to 90 days.
+Access period for users with both the `POM` and `GLOBAL_SEARCH` roles to access prisoner case notes after a transfer
+extended from 30 to 90 days.
 
 ## 0.3.0
 
@@ -12,9 +48,15 @@ Official release for updates to the Case Notes and Religion permissions.
 
 **Case Notes Permissions:**
 
-Previously if a user had both the `POM` and `GLOBAL_SEARCH` roles they would be able read/write case notes any prisoner. The case notes permissions have now been updated so that users with both the `POM` and `GLOBAL_SEARCH` roles will only be able to read/write a prisoner's case notes if the prisoner has been in the users establishment within the last 30 days.
+Previously if a user had both the `POM` and `GLOBAL_SEARCH` roles they would be able read/write case notes any prisoner.
+The case notes permissions have now been updated so that users with both the `POM` and `GLOBAL_SEARCH` roles will only
+be able to read/write a prisoner's case notes if the prisoner has been in the users establishment within the last 30
+days.
 
-The permissions check requires additional data to be passed in via the `Prisoner` which now expects the `previousPrisonId` and `previousPrisonLeavingDate` fields to be present. This data has been added to the prisoner search API so clients using the permissions library will need to ensure the following fields are present in the `Prisoner` interface.
+The permissions check requires additional data to be passed in via the `Prisoner` which now expects the
+`previousPrisonId` and `previousPrisonLeavingDate` fields to be present. This data has been added to the prisoner search
+API so clients using the permissions library will need to ensure the following fields are present in the `Prisoner`
+interface.
 
 ```
 export default interface Prisoner {
@@ -29,8 +71,8 @@ export default interface Prisoner {
 
 **Religion and Belief Permissions:**
 
-The permissions check for `PersonProtectedCharacteristicsPermission.read_religion_and_belief` updated to only allow read access to a
-prisoner's religion data to users who are part of the prisoner's caseload.
+The permissions check for `PersonProtectedCharacteristicsPermission.read_religion_and_belief` updated to only allow read
+access to a prisoner's religion data to users who are part of the prisoner's caseload.
 
 ## 0.3.0-alpha.1
 

package/README.md

@@ -1,6 +1,7 @@
 # hmpps-prison-permissions-lib
 
 [![repo standards badge](https://img.shields.io/badge/endpoint.svg?&style=flat&logo=github&url=https%3A%2F%2Foperations-engineering-reports.cloud-platform.service.justice.gov.uk%2Fapi%2Fv1%2Fcompliant_public_repositories%2Fhmpps-prison-permissions-lib)](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/hmpps-prison-permissions-lib "Link to report")
+[![Test, lint & publish](https://github.com/ministryofjustice/hmpps-prison-permissions-lib/actions/workflows/pipeline.yml/badge.svg?branch=main)](https://github.com/ministryofjustice/hmpps-prison-permissions-lib/actions/workflows/pipeline.yml)
 
 A Node.js client library to centralise the process of determining user permissions for prison services and data.
 
@@ -143,7 +144,7 @@ setupNunjucksPermissions(njkEnv)
 
 * Using the permissions check in the template, for example:
 
-```
+```nunjucks
 {% if isGranted(PrisonerMoneyPermission.read, res.locals.prisonerPermissions) %}
  ...
 {% endif %}

package/dist/contractTests/prisonerProfile/scenarios/domains/prisonerSpecific/prisonerIncentives/{PrisonerIncentivesReadScenarios.d.ts → IncentiveLevelHistoryReadScenarios.d.ts}

@@ -1,2 +1,2 @@
 import { TestScenarios } from '../../../../../../testUtils/TestScenario';
-export declare const prisonerIncentivesReadScenarios: TestScenarios;
+export declare const incentiveLevelHistoryReadScenarios: TestScenarios;

package/dist/contractTests/prisonerProfile/scenarios/domains/prisonerSpecific/prisonerSpecificRisks/CsraAssessmentHistoryReadScenarios.d.ts

@@ -0,0 +1,2 @@
+import { TestScenarios } from '../../../../../../testUtils/TestScenario';
+export declare const csraAssessmentHistoryReadScenarios: TestScenarios;

package/dist/index.cjs

@@ -113,8 +113,14 @@ const isActiveCaseLoad = (prisonId, user) => user.authSource === 'nomis' && user
 function isInUsersCaseLoad(prisonId, user) {
     return user.authSource === 'nomis' && user.caseLoads?.some(caseLoad => caseLoad.caseLoadId === prisonId);
 }
-function isReleasedOrTransferring(prisonId) {
-    return ['OUT', 'TRN'].includes(prisonId);
+const isReleased = (prisoner) => {
+    return !!prisoner?.prisonId && ['OUT'].includes(prisoner.prisonId);
+};
+const isTransferring = (prisoner) => {
+    return !!prisoner?.prisonId && ['TRN'].includes(prisoner.prisonId);
+};
+function isReleasedOrTransferring(prisoner) {
+    return isReleased(prisoner) || isTransferring(prisoner);
 }
 function userHasSomeRolesFrom(rolesToCheck, user) {
     return (rolesToCheck.length === 0 ||
@@ -221,9 +227,9 @@ function baseCheckStatus(user, prisoner) {
         return exports.PermissionCheckStatus.NOT_PRISON_USER;
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
-    if (prisoner.prisonId === 'TRN')
+    if (isTransferring(prisoner))
         return transferringPrisonerStatus(user);
     if (inUsersCaseLoad || globalSearchUser)
         return exports.PermissionCheckStatus.OK;
@@ -259,14 +265,14 @@ exports.PrisonerAdjudicationsPermission = void 0;
     PrisonerAdjudicationsPermission["read"] = "prisoner:prisoner-adjudications:read";
 })(exports.PrisonerAdjudicationsPermission || (exports.PrisonerAdjudicationsPermission = {}));
 
-const permission$f = exports.PrisonerAdjudicationsPermission.read;
+const permission$g = exports.PrisonerAdjudicationsPermission.read;
 function prisonerAdjudicationsReadCheck(request) {
     const { user, prisoner, baseCheckStatus } = request;
     const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
     const check = baseCheckPassed &&
         (isInUsersCaseLoad(prisoner.prisonId, user) || userHasSomeRolesFrom([exports.Role.PomUser, exports.Role.ReceptionUser], user));
     if (!check)
-        logDeniedPermissionCheck(permission$f, request, exports.PermissionCheckStatus.NOT_IN_CASELOAD);
+        logDeniedPermissionCheck(permission$g, request, exports.PermissionCheckStatus.NOT_IN_CASELOAD);
     return check;
 }
 
@@ -278,43 +284,64 @@ function prisonerAdjudicationsCheck(request) {
 
 exports.PrisonerIncentivesPermission = void 0;
 (function (PrisonerIncentivesPermission) {
-    PrisonerIncentivesPermission["read"] = "prisoner:prisoner-incentives:read";
+    PrisonerIncentivesPermission["read_incentive_level"] = "prisoner:prisoner-incentives:read_incentive_level";
+    PrisonerIncentivesPermission["read_incentive_level_history"] = "prisoner:prisoner-incentives:read_incentive_level_history";
 })(exports.PrisonerIncentivesPermission || (exports.PrisonerIncentivesPermission = {}));
 
-const permission$e = exports.PrisonerIncentivesPermission.read;
-function prisonerIncentivesReadCheck(request) {
-    const { user, prisoner, baseCheckStatus } = request;
-    const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
-    const check = baseCheckPassed && (isInUsersCaseLoad(prisoner.prisonId, user) || userHasRole(exports.Role.GlobalSearch, user));
+const permission$f = exports.PrisonerIncentivesPermission.read_incentive_level_history;
+function incentiveLevelHistoryReadCheck(request) {
+    const baseCheckPassed = request.baseCheckStatus === exports.PermissionCheckStatus.OK;
+    const incentiveLevelHistoryAccess = checkIncentiveLevelHistoryAccess(request);
+    const incentiveLevelHistoryCheckPassed = incentiveLevelHistoryAccess === exports.PermissionCheckStatus.OK;
+    const check = baseCheckPassed && incentiveLevelHistoryCheckPassed;
     if (!check)
-        logDeniedPermissionCheck(permission$e, request, exports.PermissionCheckStatus.NOT_IN_CASELOAD);
+        logDeniedPermissionCheck(permission$f, request, incentiveLevelHistoryAccess);
     return check;
 }
+function checkIncentiveLevelHistoryAccess(request) {
+    const { user, prisoner } = request;
+    // Restricted patients follows the base check rules:
+    if (prisoner.restrictedPatient)
+        return restrictedPatientStatus(user, prisoner);
+    // Released prisoners follows the base check rules:
+    if (isReleased(prisoner))
+        return releasedPrisonerStatus(user);
+    // Transferring prisoner incentive history can only be accessed by users with the Global Search role:
+    if (isTransferring(prisoner))
+        return userHasSomeRolesFrom([exports.Role.GlobalSearch], user)
+            ? exports.PermissionCheckStatus.OK
+            : exports.PermissionCheckStatus.PRISONER_IS_TRANSFERRING;
+    // Global search is not sufficient for incentive level history access:
+    return isInUsersCaseLoad(prisoner.prisonId, user) ? exports.PermissionCheckStatus.OK : exports.PermissionCheckStatus.NOT_IN_CASELOAD;
+}
 
 function prisonerIncentivesCheck(request) {
     return {
-        [exports.PrisonerIncentivesPermission.read]: prisonerIncentivesReadCheck(request),
+        [exports.PrisonerIncentivesPermission.read_incentive_level]: baseCheck(exports.PrisonerIncentivesPermission.read_incentive_level, request),
+        [exports.PrisonerIncentivesPermission.read_incentive_level_history]: incentiveLevelHistoryReadCheck(request),
     };
 }
 
 exports.PersonPrisonCategoryPermission = void 0;
 (function (PersonPrisonCategoryPermission) {
+    PersonPrisonCategoryPermission["read"] = "prisoner:person-prison-category:read";
     PersonPrisonCategoryPermission["edit"] = "prisoner:person-prison-category:edit";
 })(exports.PersonPrisonCategoryPermission || (exports.PersonPrisonCategoryPermission = {}));
 
-const permission$d = exports.PersonPrisonCategoryPermission.edit;
+const permission$e = exports.PersonPrisonCategoryPermission.edit;
 function personPrisonCategoryEditCheck(request) {
     const { user, baseCheckStatus } = request;
     const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
     const check = baseCheckPassed &&
         userHasSomeRolesFrom([exports.Role.CreateCategorisation, exports.Role.CreateRecategorisation, exports.Role.ApproveCategorisation, exports.Role.CategorisationSecurity], user);
     if (!check)
-        logDeniedPermissionCheck(permission$d, request, exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
+        logDeniedPermissionCheck(permission$e, request, exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
     return check;
 }
 
 function personPrisonCategoryCheck(request) {
     return {
+        [exports.PersonPrisonCategoryPermission.read]: baseCheck(exports.PersonPrisonCategoryPermission.read, request),
         [exports.PersonPrisonCategoryPermission.edit]: personPrisonCategoryEditCheck(request),
     };
 }
@@ -325,17 +352,17 @@ exports.PrisonerSchedulePermission = void 0;
     PrisonerSchedulePermission["edit_activity"] = "prisoner:activity:edit";
 })(exports.PrisonerSchedulePermission || (exports.PrisonerSchedulePermission = {}));
 
-const permission$c = exports.PrisonerSchedulePermission.edit_appointment;
+const permission$d = exports.PrisonerSchedulePermission.edit_appointment;
 function prisonerAppointmentEditCheck(request) {
     const { user, prisoner, baseCheckStatus } = request;
     const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
     const check = baseCheckPassed && isActiveCaseLoad(prisoner.prisonId, user) && !prisoner.restrictedPatient;
     if (!check)
-        logDeniedPermissionCheck(permission$c, request, exports.PermissionCheckStatus.NOT_ACTIVE_CASELOAD);
+        logDeniedPermissionCheck(permission$d, request, exports.PermissionCheckStatus.NOT_ACTIVE_CASELOAD);
     return check;
 }
 
-const permission$b = exports.PrisonerSchedulePermission.edit_activity;
+const permission$c = exports.PrisonerSchedulePermission.edit_activity;
 function prisonerActivityEditCheck(request) {
     const { user, prisoner, baseCheckStatus } = request;
     const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
@@ -345,7 +372,7 @@ function prisonerActivityEditCheck(request) {
         isActiveCaseLoad(prisoner.prisonId, user) &&
         !prisoner.restrictedPatient;
     if (!check)
-        logDeniedPermissionCheck(permission$b, request, userHasActivityHubRole ? exports.PermissionCheckStatus.NOT_ACTIVE_CASELOAD : exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
+        logDeniedPermissionCheck(permission$c, request, userHasActivityHubRole ? exports.PermissionCheckStatus.NOT_ACTIVE_CASELOAD : exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
     return check;
 }
 
@@ -361,16 +388,16 @@ exports.UseOfForcePermission = void 0;
     UseOfForcePermission["edit"] = "prisoner:use-of-force:edit";
 })(exports.UseOfForcePermission || (exports.UseOfForcePermission = {}));
 
-const permission$a = exports.UseOfForcePermission.edit;
+const permission$b = exports.UseOfForcePermission.edit;
 function useOfForceEditCheck(request) {
     const { user, prisoner, baseCheckStatus } = request;
     const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
     const check = baseCheckPassed &&
         !prisoner.restrictedPatient &&
         (isInUsersCaseLoad(prisoner.prisonId, user) ||
-            (isReleasedOrTransferring(prisoner.prisonId) && userHasRole(exports.Role.InactiveBookings, user)));
+            (isReleasedOrTransferring(prisoner) && userHasRole(exports.Role.InactiveBookings, user)));
     if (!check)
-        logDeniedPermissionCheck(permission$a, request, exports.PermissionCheckStatus.NOT_IN_CASELOAD);
+        logDeniedPermissionCheck(permission$b, request, exports.PermissionCheckStatus.NOT_IN_CASELOAD);
     return check;
 }
 
@@ -385,14 +412,14 @@ exports.PrisonerAlertsPermission = void 0;
     PrisonerAlertsPermission["edit"] = "prisoner:prisoner-alerts:edit";
 })(exports.PrisonerAlertsPermission || (exports.PrisonerAlertsPermission = {}));
 
-const permission$9 = exports.PrisonerAlertsPermission.edit;
+const permission$a = exports.PrisonerAlertsPermission.edit;
 function prisonerAlertsEditCheck(request) {
     const baseCheckPassed = request.baseCheckStatus === exports.PermissionCheckStatus.OK;
     const alertsEditCheck = checkAlertsEditAccess(request);
     const alertsEditCheckPassed = alertsEditCheck === exports.PermissionCheckStatus.OK;
     const check = baseCheckPassed && alertsEditCheckPassed;
     if (!check)
-        logDeniedPermissionCheck(permission$9, request, alertsEditCheck);
+        logDeniedPermissionCheck(permission$a, request, alertsEditCheck);
     return check;
 }
 function checkAlertsEditAccess(request) {
@@ -405,11 +432,11 @@ function checkAlertsEditAccess(request) {
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
     // Released prisoners follow base check:
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
     // For transferring prisoners, only the Inactive Bookings role is acceptable,
     // Global Search role is not sufficient:
-    if (prisoner.prisonId === 'TRN') {
+    if (isTransferring(prisoner)) {
         return userHasRole(exports.Role.InactiveBookings, user)
             ? exports.PermissionCheckStatus.OK
             : exports.PermissionCheckStatus.PRISONER_IS_TRANSFERRING;
@@ -426,6 +453,30 @@ function prisonerAlertsCheck(request) {
     };
 }
 
+exports.PrisonerSpecificRisksPermission = void 0;
+(function (PrisonerSpecificRisksPermission) {
+    PrisonerSpecificRisksPermission["read_csra_rating"] = "prisoner:csra-rating:read";
+    PrisonerSpecificRisksPermission["read_csra_assessment_history"] = "prisoner:csra-assessment-history:read";
+})(exports.PrisonerSpecificRisksPermission || (exports.PrisonerSpecificRisksPermission = {}));
+
+const permission$9 = exports.PrisonerSpecificRisksPermission.read_csra_assessment_history;
+function csraAssessmentHistoryReadCheck(request) {
+    const { user, prisoner } = request;
+    const baseCheckPassed = request.baseCheckStatus === exports.PermissionCheckStatus.OK;
+    const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user);
+    const check = baseCheckPassed && (inUsersCaseLoad || (isTransferring(prisoner) && userHasRole(exports.Role.GlobalSearch, user)));
+    if (!check)
+        logDeniedPermissionCheck(permission$9, request, isTransferring(prisoner) ? exports.PermissionCheckStatus.PRISONER_IS_TRANSFERRING : exports.PermissionCheckStatus.NOT_IN_CASELOAD);
+    return check;
+}
+
+function prisonerSpecificRisksCheck(request) {
+    return {
+        [exports.PrisonerSpecificRisksPermission.read_csra_rating]: baseCheck(exports.PrisonerSpecificRisksPermission.read_csra_rating, request),
+        [exports.PrisonerSpecificRisksPermission.read_csra_assessment_history]: csraAssessmentHistoryReadCheck(request),
+    };
+}
+
 function prisonerSpecificCheck(request) {
     return {
         prisonerMoney: prisonerMoneyCheck(request),
@@ -435,6 +486,7 @@ function prisonerSpecificCheck(request) {
         prisonerSchedule: prisonerScheduleCheck(request),
         useOfForce: useOfForceCheck(request),
         prisonerAlerts: prisonerAlertsCheck(request),
+        prisonerSpecificRisks: prisonerSpecificRisksCheck(request),
     };
 }
 
@@ -468,9 +520,9 @@ function checkLocationDetailsAndHistoryAccess(request) {
     // Follows the base check:
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
-    if (prisoner.prisonId === 'TRN')
+    if (isTransferring(prisoner))
         return transferringPrisonerStatus(user);
     if (inUsersCaseLoad)
         return exports.PermissionCheckStatus.OK;
@@ -551,10 +603,10 @@ function checkCaseNotesAccess(request) {
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
     // Released prisoners follows the base check rules:
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
     // Case notes are only accessible for transferring prisoners if the user has the Inactive Bookings role:
-    if (prisoner.prisonId === 'TRN') {
+    if (isTransferring(prisoner)) {
         return userHasRole(exports.Role.InactiveBookings, user)
             ? exports.PermissionCheckStatus.OK
             : exports.PermissionCheckStatus.PRISONER_IS_TRANSFERRING;
@@ -688,11 +740,11 @@ function checkPhotoAccess(request) {
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
     // Released prisoners follows the base check rules:
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
     // Photos are only accessible for transferring prisoners if the user has the Inactive Bookings role
     // (Global Search is NOT sufficient):
-    if (prisoner.prisonId === 'TRN') {
+    if (isTransferring(prisoner)) {
         return userHasRole(exports.Role.InactiveBookings, user)
             ? exports.PermissionCheckStatus.OK
             : exports.PermissionCheckStatus.PRISONER_IS_TRANSFERRING;
@@ -967,10 +1019,10 @@ function checkProbationDocumentsReadAccess(request) {
     if (prisoner.restrictedPatient)
         return restrictedPatientStatus(user, prisoner);
     // Released prisoners follow the base check rules:
-    if (prisoner.prisonId === 'OUT')
+    if (isReleased(prisoner))
         return releasedPrisonerStatus(user);
     // Transferring prisoners follow the base check rules:
-    if (prisoner.prisonId === 'TRN')
+    if (isTransferring(prisoner))
         return transferringPrisonerStatus(user);
     if (isInUsersCaseLoad(prisoner.prisonId, user))
         return exports.PermissionCheckStatus.OK;
@@ -995,13 +1047,9 @@ exports.PersonInterventionsPermission = void 0;
     PersonInterventionsPermission["read_csip"] = "prisoner:csip:read";
 })(exports.PersonInterventionsPermission || (exports.PersonInterventionsPermission = {}));
 
-function csipReadCheck(request) {
-    return inUsersCaseLoad(exports.PersonInterventionsPermission.read_csip, request);
-}
-
 function personInterventionsCheck(request) {
     return {
-        [exports.PersonInterventionsPermission.read_csip]: csipReadCheck(request),
+        [exports.PersonInterventionsPermission.read_csip]: inUsersCaseLoad(exports.PersonInterventionsPermission.read_csip, request),
     };
 }
 
@@ -1100,11 +1148,13 @@ const prisonerMoneyPermissionPaths = {
 
 // eslint-disable-next-line import/prefer-default-export
 const prisonerIncentivesPermissionPaths = {
-    [exports.PrisonerIncentivesPermission.read]: `domainGroups.prisonerSpecific.prisonerIncentives.${exports.PrisonerIncentivesPermission.read}`,
+    [exports.PrisonerIncentivesPermission.read_incentive_level]: `domainGroups.prisonerSpecific.prisonerIncentives.${exports.PrisonerIncentivesPermission.read_incentive_level}`,
+    [exports.PrisonerIncentivesPermission.read_incentive_level_history]: `domainGroups.prisonerSpecific.prisonerIncentives.${exports.PrisonerIncentivesPermission.read_incentive_level_history}`,
 };
 
 // eslint-disable-next-line import/prefer-default-export
 const personPrisonCategoryPermissionPaths = {
+    [exports.PersonPrisonCategoryPermission.read]: `domainGroups.prisonerSpecific.personPrisonCategory.${exports.PersonPrisonCategoryPermission.read}`,
     [exports.PersonPrisonCategoryPermission.edit]: `domainGroups.prisonerSpecific.personPrisonCategory.${exports.PersonPrisonCategoryPermission.edit}`,
 };
 
@@ -1124,6 +1174,12 @@ const prisonerAlertsPermissionPaths = {
     [exports.PrisonerAlertsPermission.edit]: `domainGroups.prisonerSpecific.prisonerAlerts.${exports.PrisonerAlertsPermission.edit}`,
 };
 
+// eslint-disable-next-line import/prefer-default-export
+const prisonerSpecificRisksPermissionPaths = {
+    [exports.PrisonerSpecificRisksPermission.read_csra_rating]: `domainGroups.prisonerSpecific.prisonerSpecificRisks.${exports.PrisonerSpecificRisksPermission.read_csra_rating}`,
+    [exports.PrisonerSpecificRisksPermission.read_csra_assessment_history]: `domainGroups.prisonerSpecific.prisonerSpecificRisks.${exports.PrisonerSpecificRisksPermission.read_csra_assessment_history}`,
+};
+
 // eslint-disable-next-line import/prefer-default-export
 const prisonerSpecificDomainPermissionPaths = {
     ...prisonerMoneyPermissionPaths,
@@ -1133,6 +1189,7 @@ const prisonerSpecificDomainPermissionPaths = {
     ...prisonerSchedulePermissionPaths,
     ...useOfForcePermissionPaths,
     ...prisonerAlertsPermissionPaths,
+    ...prisonerSpecificRisksPermissionPaths,
 };
 
 // eslint-disable-next-line import/prefer-default-export
@@ -1374,6 +1431,7 @@ const nunjucksEnums = {
     ...nunjucksEnum({ PrisonerIncentivesPermission: exports.PrisonerIncentivesPermission }),
     ...nunjucksEnum({ PrisonerMoneyPermission: exports.PrisonerMoneyPermission }),
     ...nunjucksEnum({ PrisonerSchedulePermission: exports.PrisonerSchedulePermission }),
+    ...nunjucksEnum({ PrisonerSpecificRisksPermission: exports.PrisonerSpecificRisksPermission }),
     ...nunjucksEnum({ PrisonerVisitsAndVisitorsPermission: exports.PrisonerVisitsAndVisitorsPermission }),
     ...nunjucksEnum({ ProbationDocumentsPermission: exports.ProbationDocumentsPermission }),
     ...nunjucksEnum({ SOCPermission: exports.SOCPermission }),
@@ -1411,6 +1469,7 @@ exports.prisonerPermissionPaths = prisonerPermissionPaths;
 exports.prisonerPermissionsGuard = prisonerPermissionsGuard;
 exports.prisonerSchedulePermissionPaths = prisonerSchedulePermissionPaths;
 exports.prisonerSpecificDomainPermissionPaths = prisonerSpecificDomainPermissionPaths;
+exports.prisonerSpecificRisksPermissionPaths = prisonerSpecificRisksPermissionPaths;
 exports.prisonerVisitsAndVisitorsPermissionPaths = prisonerVisitsAndVisitorsPermissionPaths;
 exports.probationDocumentsPermissionPaths = probationDocumentsPermissionPaths;
 exports.probationDomainPermissionPaths = probationDomainPermissionPaths;