npm - @etherisc/gif-next - Versions diffs - 0.0.2-79292f9-089 → 0.0.2-79a4d57-521 - Mend

@etherisc/gif-next 0.0.2-79292f9-089 → 0.0.2-79a4d57-521

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/contracts/instance/InstanceAdmin.sol CHANGED Viewed

@@ -1,22 +1,20 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
-import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
-import {AccessAdmin} from "../authorization/AccessAdmin.sol";
-import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
-import {IAccessAdmin} from "../authorization/IAccessAdmin.sol";
+import {IAccess} from "../authorization/IAccess.sol";
 import {IAuthorization} from "../authorization/IAuthorization.sol";
-import {IComponent} from "../shared/IComponent.sol";
-import {IModuleAuthorization} from "../authorization/IModuleAuthorization.sol";
+import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
-import {IService} from "../shared/IService.sol";
-import {ObjectType, ObjectTypeLib, ALL, POOL, RELEASE} from "../type/ObjectType.sol";
-import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE} from "../type/RoleId.sol";
+import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
+import {NftId} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
+import {RoleId, RoleIdLib} from "../type/RoleId.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TokenHandler} from "../shared/TokenHandler.sol";
-import {VersionPart} from "../type/Version.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 contract InstanceAdmin is
@@ -26,143 +24,156 @@ contract InstanceAdmin is
     string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+    string public constant RISK_SET_TAGET_NAME = "RiskSet";
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
+    error ErrorInstanceAdminCallerNotInstanceOwner(address caller);
+    error ErrorInstanceAdminInstanceAlreadyLocked();
     error ErrorInstanceAdminNotRegistered(address target);
     error ErrorInstanceAdminAlreadyAuthorized(address target);
+    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
+    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
+    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
     error ErrorInstanceAdminReleaseMismatch();
     error ErrorInstanceAdminExpectedTargetMissing(string targetName);
-    IInstance _instance;
+    IInstance internal _instance;
     IRegistry internal _registry;
-    uint64 _idNext;
+    uint64 internal _customIdNext;
+    mapping(address target => RoleId roleId) internal _targetRoleId;
+    uint64 internal _components;
-    IModuleAuthorization _instanceAuthorization;
+    IAuthorization internal _instanceAuthorization;
+    modifier onlyInstanceOwner() {
+        if(msg.sender != _registry.ownerOf(address(_instance))) {
+            revert ErrorInstanceAdminCallerNotInstanceOwner(msg.sender);
+        }
+        _;
+    }
     /// @dev Only used for master instance admin.
     /// Contracts created via constructor come with disabled initializers.
     constructor(
-        IModuleAuthorization instanceAuthorization
-    )
-        AccessAdmin()
-    {
-        _instanceAuthorization = instanceAuthorization;
+        address instanceAuthorization
+    ) {
+        initialize(new AccessManagerCloneable());
+        _instanceAuthorization = IAuthorization(instanceAuthorization);
+        _disableInitializers();
     }
-    /// @dev Initializes this instance admin with the provided instances authorization specification.
-    /// Internally the function creates an instance specific OpenZeppelin AccessManager that is used as the authority
-    /// for the inststance authorizatios.
-    /// Important: Initialization of this instance admin is only complete after calling function initializeInstance.
     function initialize(
-        AccessManagerCloneable accessManager,
-        IModuleAuthorization instanceAuthorization
+        AccessManagerCloneable clonedAccessManager,
+        IRegistry registry,
+        VersionPart release
     )
         external
-        initializer()
+        initializer()
     {
-        // create new access manager for this instance admin
-        _initializeAuthority(address(accessManager));
+        __AccessAdmin_init(clonedAccessManager);
-        // create basic instance independent setup
-        _createAdminAndPublicRoles();
+        clonedAccessManager.completeSetup(
+            address(registry),
+            release);
-        // store instance authorization specification
-        _instanceAuthorization = IModuleAuthorization(instanceAuthorization);
+        _registry = registry;
     }
-    function _checkTargetIsReadyForAuthorization(address target)
-        internal
-        view
-    {
-        if (address(_registry) != address(0) && !_registry.isRegistered(target)) {
-            revert ErrorInstanceAdminNotRegistered(target);
-        }
-        if (targetExists(target)) {
-            revert ErrorInstanceAdminAlreadyAuthorized(target);
-        }
-    }
-    /// @dev Completes the initialization of this instance admin using the provided instance.
+    /// @dev Completes the initialization of this instance admin using the provided instance, registry and version.
+    /// Important: Initialization of instance admin is only complete after calling this function.
     /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
-    function initializeInstanceAuthorization(address instanceAddress)
+    function completeSetup(
+        address instance,
+        address authorization
+    )
         external
+        reinitializer(uint64(getRelease().toInt()))
+        onlyDeployer()
     {
-        _checkTargetIsReadyForAuthorization(instanceAddress);
+        _components = 0;
+        _customIdNext = CUSTOM_ROLE_ID_MIN;
+        _instance = IInstance(instance);
+        _instanceAuthorization = IAuthorization(authorization);
-        _idNext = CUSTOM_ROLE_ID_MIN;
-        _instance = IInstance(instanceAddress);
-        _registry = _instance.getRegistry();
+        _checkTargetIsReadyForAuthorization(instance);
         // check matching releases
-        if (_instanceAuthorization.getRelease() != _instance.getMajorVersion()) {
+        if (_instanceAuthorization.getRelease() != getRelease()) {
             revert ErrorInstanceAdminReleaseMismatch();
         }
+        // create instance role and target
+        _setupInstance(instance);
         // add instance authorization
         _createRoles(_instanceAuthorization);
-        _createModuleTargetsWithRoles();
-        _createTargetAuthorizations(_instanceAuthorization);
-        // grant component owner roles to instance owner
-        _grantComponentOwnerRoles();
+        _setupInstanceHelperTargetsWithRoles();
+        _createTargetAuthorizations(_instanceAuthorization);
     }
     /// @dev Initializes the authorization for the specified component.
     /// Important: The component MUST be registered.
     function initializeComponentAuthorization(
-        IComponent component,
-        IAuthorization authorization
+        IInstanceLinkedComponent component
     )
         external
+        restricted()
     {
+        // checks
         _checkTargetIsReadyForAuthorization(address(component));
-        _createRoles(authorization);
+        // setup target and role for component (including token handler)
+        _setupComponentAndTokenHandler(component);
-        // create component target
-        _createTarget(
-            address(component),
-            authorization.getTargetName(),
-            true, // checkAuthority
-            false); // custom
-        _createTarget(
-            address(component.getTokenHandler()),
-            string(abi.encodePacked(authorization.getTargetName(), "TH")),
-            true,
-            false);
-        // FIXME: make this a bit nicer and work with IAuthorization. Use a specific role, not public - access to TokenHandler must be restricted
-        FunctionInfo[] memory functions = new FunctionInfo[](3);
-        functions[0] = toFunction(TokenHandler.collectTokens.selector, "collectTokens");
-        functions[1] = toFunction(TokenHandler.collectTokensToThreeRecipients.selector, "collectTokensToThreeRecipients");
-        functions[2] = toFunction(TokenHandler.distributeTokens.selector, "distributeTokens");
+        // create other roles
+        IAuthorization authorization = component.getAuthorization();
+        _createRoles(authorization);
-        _authorizeTargetFunctions(
-            address(component.getTokenHandler()),
-            getPublicRole(),
-            functions);
+        // TODO cleanup
+        // FunctionInfo[] memory functions = new FunctionInfo[](2);
+        // functions[0] = toFunction(TokenHandler.pullToken.selector, "pullToken");
+        // functions[1] = toFunction(TokenHandler.pushToken.selector, "pushToken");
-        _grantRoleToAccount(
-            authorization.getTargetRole(
-                authorization.getTarget()),
-            address(component));
+        // // FIXME: make this a bit nicer and work with IAuthorization. Use a specific role, not public - access to TokenHandler must be restricted
+        // _authorizeTargetFunctions(
+        //     address(component.getTokenHandler()),
+        //     getPublicRole(),
+        //     functions);
         _createTargetAuthorizations(authorization);
     }
+    // create instance role and target
+    function _setupInstance(address instance) internal {
+        // create instance role
+        RoleId instanceRoleId = _instanceAuthorization.getTargetRole(
+            _instanceAuthorization.getMainTarget());
-    function _grantComponentOwnerRoles()
-        internal
-    {
-        address instanceOwner = _registry.ownerOf(_instance.getNftId());
-        _grantRoleToAccount(DISTRIBUTION_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(ORACLE_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(POOL_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(PRODUCT_OWNER_ROLE(), instanceOwner);
+        _createRole(
+            instanceRoleId,
+            _instanceAuthorization.getRoleInfo(instanceRoleId));
+        // create instance target
+        _createTarget(
+            instance,
+            _instanceAuthorization.getMainTargetName(),
+            true, // checkAuthority
+            false); // custom
+        // assign instance role to instance
+        _grantRoleToAccount(
+            instanceRoleId,
+            instance);
     }
     /// @dev Creates a custom role
@@ -184,32 +195,176 @@ contract InstanceAdmin is
         _grantRoleToAccount(roleId, account);
     }
+    function setInstanceLocked(bool locked)
+        external
+        onlyInstanceOwner()
+    {
+        AccessManagerCloneable accessManager = AccessManagerCloneable(authority());
+        if(accessManager.isLocked() == locked) {
+            revert ErrorInstanceAdminInstanceAlreadyLocked();
+        }
+        accessManager.setLocked(locked);
+    }
+    function setTargetLocked(address target, bool locked)
+        external
+        restricted()
+    {
+        _setTargetClosed(target, locked);
+    }
     /// @dev Returns the instance authorization specification used to set up this instance admin.
     function getInstanceAuthorization()
         external
         view
-        returns (IModuleAuthorization instanceAuthorizaion)
+        returns (IAuthorization instanceAuthorizaion)
     {
         return _instanceAuthorization;
     }
+    // ------------------- Internal functions ------------------- //
+    function _setupComponentAndTokenHandler(IInstanceLinkedComponent component)
+        internal
+    {
+        IAuthorization authorization = component.getAuthorization();
+        string memory targetName = authorization.getMainTargetName();
+        // create component role and target
+        RoleId componentRoleId = _createComponentRoleId(component, authorization);
+        // create component's target
+        _createTarget(
+            address(component),
+            targetName,
+            true, // checkAuthority
+            false); // custom
+        // create component's token handler target
+        NftId componentNftId = _registry.getNftIdForAddress(address(component));
+        address tokenHandler = address(
+            _instance.getInstanceReader().getComponentInfo(
+                componentNftId).tokenHandler);
+        _createTarget(
+            tokenHandler,
+            authorization.getTokenHandlerName(),
+            true,
+            false);
+        // assign component role to component
+        _grantRoleToAccount(
+            componentRoleId,
+            address(component));
+        // token handler does not require its own role
+        // token handler is not calling other components
+    }
+    function _createComponentRoleId(
+        IInstanceLinkedComponent component,
+        IAuthorization authorization
+    )
+        internal
+        returns (RoleId componentRoleId)
+    {
+        // checks
+        // check component is not yet authorized
+        if (_targetRoleId[address(component)].gtz()) {
+            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
+        }
+        // check generic component role
+        RoleId genericComponentRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+        if (!genericComponentRoleId.isComponentRole()) {
+            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
+        }
+        // check component role does not exist
+        componentRoleId = toComponentRole(
+            genericComponentRoleId,
+            _components);
+        if (roleExists(componentRoleId)) {
+            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
+        }
+        // check role info
+        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
+            genericComponentRoleId);
+        if (roleInfo.roleType != IAccess.RoleType.Contract) {
+            revert ErrorInstanceAdminRoleTypeNotContract(
+                componentRoleId,
+                roleInfo.roleType);
+        }
+        // effects
+        _targetRoleId[address(component)] = componentRoleId;
+        _components++;
+        _createRole(
+            componentRoleId,
+            roleInfo);
+    }
+    function _checkTargetIsReadyForAuthorization(address target)
+        internal
+        view
+    {
+        if (!_registry.isRegistered(target)) {
+            revert ErrorInstanceAdminNotRegistered(target);
+        }
+        if (targetExists(target)) {
+            revert ErrorInstanceAdminAlreadyAuthorized(target);
+        }
+    }
     function _createRoles(IAuthorization authorization)
         internal
     {
         RoleId[] memory roles = authorization.getRoles();
+        RoleId mainTargetRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
         RoleId roleId;
         RoleInfo memory roleInfo;
         for(uint256 i = 0; i < roles.length; i++) {
             roleId = roles[i];
-            _createRole(
-                roleId,
-                authorization.getRoleInfo(roleId));
+            // skip main target role, create role if not exists
+            if (roleId != mainTargetRoleId && !roleExists(roleId)) {
+                _createRole(
+                    roleId,
+                    authorization.getRoleInfo(roleId));
+            }
         }
     }
+    function toComponentRole(RoleId roleId, uint64 componentIdx)
+        internal
+        pure
+        returns (RoleId)
+    {
+        return RoleIdLib.toRoleId(
+            RoleIdLib.toInt(roleId) + componentIdx);
+    }
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
     {
@@ -250,7 +405,7 @@ contract InstanceAdmin is
         _createTarget(
             target,
             targetName,
-            false, // check authority TODO check normal targets, don't check service targets (they share authority with registry admin)
+            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
             false);
         // assign target role if defined
@@ -260,14 +415,16 @@ contract InstanceAdmin is
         }
     }
-    function _createModuleTargetsWithRoles()
+    function _setupInstanceHelperTargetsWithRoles()
         internal
     {
+        // _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
         // create module targets
-        _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TAGET_NAME);
         // create targets for services that need to access the module targets
         ObjectType[] memory serviceDomains = _instanceAuthorization.getServiceDomains();

package/contracts/instance/InstanceAuthorizationV3.sol CHANGED Viewed

@@ -2,75 +2,53 @@
 pragma solidity ^0.8.20;
 import {
-     PRODUCT, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE
+     ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK
 } from "../../contracts/type/ObjectType.sol";
-import {
-     ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE
-} from "../../contracts/type/RoleId.sol";
-import {BundleSet} from "../instance/BundleSet.sol";
+import {BundleSet} from "../instance/BundleSet.sol";
+import {RiskSet} from "../instance/RiskSet.sol";
 import {IAccess} from "../authorization/IAccess.sol";
 import {Instance} from "../instance/Instance.sol";
 import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
 import {InstanceStore} from "../instance/InstanceStore.sol";
-import {ModuleAuthorization} from "../authorization/ModuleAuthorization.sol";
-import {RoleId} from "../type/RoleId.sol";
-import {VersionPart, VersionPartLib} from "../type/Version.sol";
+import {Authorization} from "../authorization/Authorization.sol";
 contract InstanceAuthorizationV3
-     is ModuleAuthorization
+     is Authorization
 {
+     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
      string public constant INSTANCE_TARGET_NAME = "Instance";
      string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
      string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
      string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+     string public constant RISK_SET_TARGET_NAME = "RiskSet";
-     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
-     string public constant DISTRIBUTION_OWNER_ROLE_NAME = "DistributionOwnerRole";
-     string public constant ORACLE_OWNER_ROLE_NAME = "OracleOwnerRole";
-     string public constant POOL_OWNER_ROLE_NAME = "PoolOwnerRole";
-     string public constant PRODUCT_OWNER_ROLE_NAME = "ProductOwnerRole";
-     constructor() ModuleAuthorization(INSTANCE_TARGET_NAME) {}
-     function _setupRoles()
-          internal
-          override
-     {
-          _addGifRole(DISTRIBUTION_OWNER_ROLE(), DISTRIBUTION_OWNER_ROLE_NAME);
-          _addGifRole(ORACLE_OWNER_ROLE(), ORACLE_OWNER_ROLE_NAME);
-          _addGifRole(POOL_OWNER_ROLE(), POOL_OWNER_ROLE_NAME);
-          _addGifRole(PRODUCT_OWNER_ROLE(), PRODUCT_OWNER_ROLE_NAME);
-     }
+     constructor()
+          Authorization(INSTANCE_TARGET_NAME, INSTANCE())
+     { }
      function _setupTargets()
           internal
           override
      {
-          // instance target
-          _addTargetWithRole(
-               INSTANCE_TARGET_NAME,
-               _getTargetRoleId(INSTANCE()),
-               INSTANCE_ROLE_NAME);
           // instance supporting targets
           _addTarget(INSTANCE_STORE_TARGET_NAME);
           _addTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(BUNDLE_SET_TARGET_NAME);
+          _addTarget(RISK_SET_TARGET_NAME);
           // service targets relevant to instance
           _addServiceTargetWithRole(INSTANCE());
+          _addServiceTargetWithRole(ACCOUNTING());
           _addServiceTargetWithRole(COMPONENT());
           _addServiceTargetWithRole(DISTRIBUTION());
           _addServiceTargetWithRole(ORACLE());
           _addServiceTargetWithRole(POOL());
           _addServiceTargetWithRole(BUNDLE());
-          _addServiceTargetWithRole(PRODUCT());
+          _addServiceTargetWithRole(RISK());
           _addServiceTargetWithRole(APPLICATION());
           _addServiceTargetWithRole(POLICY());
           _addServiceTargetWithRole(CLAIM());
@@ -85,6 +63,7 @@ contract InstanceAuthorizationV3
           _setupInstanceAdminAuthorization();
           _setupInstanceStoreAuthorization();
           _setupBundleSetAuthorization();
+          _setUpRiskSetAuthorization();
      }
@@ -95,11 +74,31 @@ contract InstanceAuthorizationV3
           // authorize bundle service role
           functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(BUNDLE()));
-          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
-          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
           _authorize(functions, BundleSet.add.selector, "add");
           _authorize(functions, BundleSet.lock.selector, "lock");
           _authorize(functions, BundleSet.unlock.selector, "unlock");
+          // authorize bundle service role
+          functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
+     }
+     function _setUpRiskSetAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+          // authorize risk service role
+          functions = _authorizeForTarget(RISK_SET_TARGET_NAME, getServiceRole(RISK()));
+          _authorize(functions, RiskSet.add.selector, "add");
+          _authorize(functions, RiskSet.pause.selector, "pause");
+          _authorize(functions, RiskSet.activate.selector, "activate");
+          // authorize policy service role
+          functions = _authorizeForTarget(RISK_SET_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, RiskSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, RiskSet.unlinkPolicy.selector, "unlinkPolicy");
      }
@@ -120,11 +119,13 @@ contract InstanceAuthorizationV3
           IAccess.FunctionInfo[] storage functions;
           // authorize instance role
-          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, _getTargetRoleId(INSTANCE()));
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getComponentRole(INSTANCE()));
           _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
-          // authorize instance service role
-          // functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
+          // authorize component service role
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(COMPONENT()));
+          _authorize(functions, InstanceAdmin.initializeComponentAuthorization.selector, "initializeComponentAuthoriz");
+          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
      }
@@ -133,6 +134,13 @@ contract InstanceAuthorizationV3
      {
           IAccess.FunctionInfo[] storage functions;
+          // authorize accounting service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(ACCOUNTING()));
+          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
+          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
+          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
+          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(COMPONENT()));
           _authorize(functions, InstanceStore.createComponent.selector, "createComponent");
@@ -140,11 +148,9 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.createPool.selector, "createPool");
           _authorize(functions, InstanceStore.createProduct.selector, "createProduct");
           _authorize(functions, InstanceStore.updateProduct.selector, "updateProduct");
-          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
-          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
-          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
-          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
+          _authorize(functions, InstanceStore.createFee.selector, "createFee");
+          _authorize(functions, InstanceStore.updateFee.selector, "updateFee");
           // authorize distribution service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(DISTRIBUTION()));
           _authorize(functions, InstanceStore.createDistributorType.selector, "createDistributorType");
@@ -176,7 +182,7 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.decreaseLocked.selector, "decreaseLocked");
           // authorize product service role
-          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(PRODUCT()));
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(RISK()));
           _authorize(functions, InstanceStore.createRisk.selector, "createRisk");
           _authorize(functions, InstanceStore.updateRisk.selector, "updateRisk");
           _authorize(functions, InstanceStore.updateRiskState.selector, "updateRiskState");
@@ -191,6 +197,8 @@ contract InstanceAuthorizationV3
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(POLICY()));
           _authorize(functions, InstanceStore.updatePolicy.selector, "updatePolicy");
           _authorize(functions, InstanceStore.updatePolicyState.selector, "updatePolicyState");
+          _authorize(functions, InstanceStore.createPremium.selector, "createPremium");
+          _authorize(functions, InstanceStore.updatePremiumState.selector, "updatePremiumState");
           // authorize claim service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(CLAIM()));
@@ -199,6 +207,7 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.updateClaim.selector, "updateClaim");
           _authorize(functions, InstanceStore.createPayout.selector, "createPayout");
           _authorize(functions, InstanceStore.updatePayout.selector, "updatePayout");
+          _authorize(functions, InstanceStore.updatePayoutState.selector, "updatePayoutState");
      }
 }