npm - @etherisc/gif-next - Versions diffs - 0.0.2-952752e-374 → 0.0.2-957bd35-589 - Mend

@etherisc/gif-next 0.0.2-952752e-374 → 0.0.2-957bd35-589

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (491) hide show

package/contracts/authorization/AccessAdmin.sol CHANGED Viewed

@@ -3,21 +3,25 @@ pragma solidity ^0.8.20;
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
-import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
-import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
-import {ContractLib} from "../shared/ContractLib.sol";
+import {IAccess} from "./IAccess.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {IAuthorization} from "./IAuthorization.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
+import {IServiceAuthorization} from "./IServiceAuthorization.sol";
+import {AccessAdminLib} from "./AccessAdminLib.sol";
+import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
+import {Blocknumber, BlocknumberLib} from "../type/Blocknumber.sol";
+import {ContractLib} from "../shared/ContractLib.sol";
+import {NftId, NftIdLib} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
-import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
+import {Selector, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
 import {VersionPart} from "../type/Version.sol";
-interface IAccessManagedChecker {
-    function authority() external view returns (address);
-}
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -26,20 +30,26 @@ interface IAccessManagedChecker {
  */
 contract AccessAdmin is
     AccessManagedUpgradeable,
-    ReentrancyGuardUpgradeable,
     IAccessAdmin
 {
     using EnumerableSet for EnumerableSet.AddressSet;
-    string public constant ADMIN_ROLE_NAME = "AdminRole";
-    string public constant PUBLIC_ROLE_NAME = "PublicRole";
+    /// @dev admin name used for logging only
+    string internal _adminName;
-    /// @dev the OpenZeppelin access manager driving the access admin contract
+    /// @dev the access manager driving the access admin contract
+    /// hold link to registry and release version
     AccessManagerCloneable internal _authority;
-    /// @dev stores the deployer address and allows to create initializers
-    /// that are restricted to the deployer address.
-    address internal _deployer;
+    /// @dev the authorization contract used for initial access control
+    IAuthorization internal _authorization;
+    // /// @dev stores the deployer address and allows to create initializers
+    // /// that are restricted to the deployer address.
+    // address internal _deployer;
+    /// @dev the linked NFT ID
+    NftId internal _linkedNftId;
     /// @dev store role info per role id
     mapping(RoleId roleId => RoleInfo info) internal _roleInfo;
@@ -50,6 +60,9 @@ contract AccessAdmin is
     /// @dev store array with all created roles
     RoleId [] internal _roleIds;
+    // @dev target type specific role id counters
+    mapping(TargetType => uint64) internal _nextRoleId;
     /// @dev store set of current role members for given role
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
@@ -71,135 +84,93 @@ contract AccessAdmin is
     /// @dev temporary dynamic functions array
     bytes4[] private _functions;
-    modifier onlyDeployer() {
-        // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
-        if (_deployer == address(0)) {
-            _deployer = msg.sender;
-        }
-        if (msg.sender != _deployer) {
-            revert ErrorNotDeployer();
-        }
-        _;
-    }
-    modifier onlyRoleAdmin(RoleId roleId) {
-        _checkRoleExists(roleId, false);
-        if (!hasAdminRole(msg.sender, roleId)) {
-            revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
-        }
-        _;
-    }
-    modifier onlyRoleMember(RoleId roleId) {
-        if (!hasRole(msg.sender, roleId)) {
-            revert ErrorNotRoleOwner(roleId);
-        }
-        _;
-    }
-    modifier onlyExistingRole(
-        RoleId roleId,
-        bool onlyActiveRole,
-        bool allowLockedRoles
-    )
-    {
-        if (!allowLockedRoles) {
-            _checkRoleExists(roleId, onlyActiveRole);
-        }
-        _;
-    }
-    modifier onlyExistingTarget(address target) {
-        _checkTarget(target);
-        _;
-    }
     //-------------- initialization functions ------------------------------//
-    // event LogAccessAdminDebug(string message);
     /// @dev Initializes this admin with the provided accessManager (and authorization specification).
     /// Internally initializes access manager with this admin and creates basic role setup.
     function initialize(
-        AccessManagerCloneable authority
+        address authority,
+        string memory adminName
     )
         public
         initializer()
     {
-        __AccessAdmin_init(authority);
+        __AccessAdmin_init(authority, adminName);
     }
+    /// @dev Initializes this admin with the provided accessManager and name.
+    /// IMPORTANT
+    /// - cloning of an access admin and initialization MUST be done in the same tx.
+    /// - this function as well as any completeSetup functions MUST be called in the same tx.
     function __AccessAdmin_init(
-        AccessManagerCloneable authority
+        address authority,
+        string memory adminName
     )
         internal
         onlyInitializing()
-        onlyDeployer() // initializes deployer if not initialized yet
     {
-        authority.initialize(address(this));
+        AccessAdminLib.checkInitParameters(authority, adminName);
+        _authority = AccessManagerCloneable(authority);
+        _authority.initialize(address(this));
+        // delayed additional check for authority after its initialization
+        if (!ContractLib.isAuthority(authority)) {
+            revert ErrorAccessAdminAccessManagerNotAccessManager(authority);
+        }
+        // effects
         // set and initialize this access manager contract as
         // the admin (ADMIN_ROLE) of the provided authority
-        __AccessManaged_init(address(authority));
-        _authority = authority;
+        __AccessManaged_init(authority);
-        // create admin and public roles
-        _initializeAdminAndPublicRoles();
+        // set name for logging
+        _adminName = adminName;
-        // additional use case specific initialization
-        _initializeCustom();
-    }
+        // set initial linked NFT ID to zero
+        _linkedNftId = NftIdLib.zero();
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(), AccessAdminLib.adminRoleInfo());
-    function getRegistry() public view returns (IRegistry registry) {
-        return _authority.getRegistry();
+        // add this contract as admin role member, as contract roles cannot be revoked
+        // and max member count is 1 for admin role this access admin contract will
+        // always be the only admin of the access manager.
+        _roleMembers[
+            RoleIdLib.toRoleId(_authority.ADMIN_ROLE())].add(address(this));
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(), AccessAdminLib.publicRoleInfo());
     }
+    //--- view functions for access admin ---------------------------------------//
-    function getRelease() public view returns (VersionPart release) {
+    function getRelease() public view virtual returns (VersionPart release) {
         return _authority.getRelease();
     }
-    function _initializeAdminAndPublicRoles()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
+    }
-        // setup admin role
-        _createRoleUnchecked(
-            ADMIN_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Contract,
-                maxMemberCount: 1,
-                name: ADMIN_ROLE_NAME}));
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
+    function getLinkedNftId() external view returns (NftId linkedNftId) {
+        return _linkedNftId;
+    }
-        // setup public role
-        _createRoleUnchecked(
-            PUBLIC_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Gif,
-                maxMemberCount: type(uint32).max,
-                name: PUBLIC_ROLE_NAME}));
+    function getAuthorization() public view returns (IAuthorization authorization) {
+        return _authorization;
     }
-    function _initializeCustom()
-        internal
-        virtual
-        onlyInitializing()
-    { }
+    function isLocked() public view returns (bool locked) {
+        return _authority.isLocked();
+    }
     //--- view functions for roles ------------------------------------------//
@@ -220,15 +191,28 @@ contract AccessAdmin is
     }
     function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _roleInfo[roleId].createdAt.gtz();
+        return _roleInfo[roleId].targetType != TargetType.Undefined;
     }
-    function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory) {
+    function getRoleForName(string memory name) public view returns (RoleId roleId, bool exists) {
+        roleId = _roleForName[StrLib.toStr(name)].roleId;
+        exists = false;
+        if (roleId.gtz() || AccessAdminLib.isAdminRoleName(name)) {
+            exists = true;
+        }
+    }
+    function getRoleInfo(RoleId roleId) public view returns (RoleInfo memory) {
         return _roleInfo[roleId];
     }
-    function getRoleForName(Str name) external view returns (RoleNameInfo memory) {
-        return _roleForName[name];
+    function isRoleActive(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].pausedAt > TimestampLib.current();
+    }
+    function isRoleCustom(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].targetType == TargetType.Custom;
     }
     function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
@@ -239,21 +223,15 @@ contract AccessAdmin is
         return _roleMembers[roleId].at(idx);
     }
-    // TODO false because not role member or because role not exists?
-    function hasRole(address account, RoleId roleId) public view returns (bool) {
+    function isRoleMember(RoleId roleId, address account) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId),
             account);
         return isMember;
     }
-    function hasAdminRole(address account, RoleId roleId)
-        public
-        virtual
-        view
-        returns (bool)
-    {
-        return hasRole(account, _roleInfo[roleId].adminRoleId);
+    function isRoleAdmin(RoleId roleId, address account) public virtual view returns (bool) {
+        return isRoleMember(_roleInfo[roleId].adminRoleId, account);
     }
     //--- view functions for targets ----------------------------------------//
@@ -270,7 +248,7 @@ contract AccessAdmin is
         return _targets[idx];
     }
-    function getTargetInfo(address target) external view returns (TargetInfo memory targetInfo) {
+    function getTargetInfo(address target) public view returns (TargetInfo memory targetInfo) {
         return _targetInfo[target];
     }
@@ -279,9 +257,11 @@ contract AccessAdmin is
     }
     function isTargetLocked(address target) public view returns (bool locked) {
-        return _authority.isTargetClosed(target);
+        return _authority.isLocked() || _authority.isTargetClosed(target);
     }
+    //--- view functions for target functions -------------------------------//
     function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
         return SelectorSetLib.size(_targetFunctions[target]);
     }
@@ -305,355 +285,395 @@ contract AccessAdmin is
                 selector.toBytes4()));
     }
-    function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
-        (can, ) = _authority.canCall(caller, target, selector.toBytes4());
-    }
-    function toRole(RoleId adminRoleId, RoleType roleType, uint32 maxMemberCount, string memory name) public view returns (RoleInfo memory) {
-        return RoleInfo({
-            name: StrLib.toStr(name),
-            adminRoleId: adminRoleId,
-            roleType: roleType,
-            maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.blockTimestamp(),
-            pausedAt: TimestampLib.max()
-        });
+    function getFunctionInfo(address target, Selector selector)
+        external
+        view
+        returns (FunctionInfo memory functionInfo)
+    {
+        return _functionInfo[target][selector];
     }
-    function toFunction(bytes4 selector, string memory name) public view returns (FunctionInfo memory) {
-        return FunctionInfo({
-            name: StrLib.toStr(name),
-            selector: SelectorLib.toSelector(selector),
-            createdAt: TimestampLib.blockTimestamp()});
-    }
+    //--- internal/private functions -------------------------------------------------//
-    function deployer() public view returns (address) {
-        return _deployer;
+    function _linkToNftOwnable(address registerable) internal {
+        if (!getRegistry().isRegistered(registerable)) {
+            revert ErrorAccessAdminNotRegistered(registerable);
+        }
+        _linkedNftId = getRegistry().getNftIdForAddress(registerable);
     }
-    //--- internal/private functions -------------------------------------------------//
-    function _authorizeTargetFunctions(
-        address target,
-        RoleId roleId,
-        FunctionInfo[] memory functions
+    function _createRoles(
+        IServiceAuthorization authorization
     )
         internal
     {
-        if (roleId == getAdminRole()) {
-            revert ErrorAuthorizeForAdminRoleInvalid(target);
+        RoleId[] memory roles = authorization.getRoles();
+        for(uint256 i = 0; i < roles.length; i++) {
+            RoleId authzRoleId = roles[i];
+            IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(authzRoleId);
+            (RoleId roleId, bool exists) = getRoleForName(roleInfo.name.toString());
+            if (!exists) {
+                if (!AccessAdminLib.isDynamicRoleId(authzRoleId)) {
+                    roleId = authzRoleId;
+                }
+                _createRole(
+                    roleId,
+                    roleInfo,
+                    true);
+            }
         }
-        bool addFunctions = true;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        // apply authz via access manager
-        _grantRoleAccessToFunctions(
-            target,
-            roleId,
-            functionSelectors,
-            false); // allowLockedRoles
     }
-    function _unauthorizeTargetFunctions(
-        address target,
-        FunctionInfo[] memory functions
+    /// @dev Creates a role based on the provided parameters.
+    /// Checks that the provided role and role id and role name not already used.
+    function _createRole(
+        RoleId roleId,
+        RoleInfo memory info,
+        bool revertOnExistingRole
     )
         internal
     {
-        bool addFunctions = false;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(
-            target,
-            getAdminRole(),
-            functionSelectors,
-            true); // allowLockedRoles
+        bool isAdminOrPublicRole = AccessAdminLib.checkRoleCreation(this, roleId, info, revertOnExistingRole);
+        if (!isAdminOrPublicRole) {
+            _createRoleUnchecked(roleId, info);
+        }
     }
-    function _processFunctionSelectors(
-        address target,
-        FunctionInfo[] memory functions,
-        bool addFunctions
+    function _createRoleUnchecked(
+        RoleId roleId,
+        RoleInfo memory info
     )
-        internal
-        onlyExistingTarget(target)
-        returns (
-            bytes4[] memory functionSelectors
-        )
+        private
     {
-        uint256 n = functions.length;
-        functionSelectors = new bytes4[](n);
-        FunctionInfo memory func;
-        Selector selector;
-        for (uint256 i = 0; i < n; i++) {
-            func = functions[i];
-            selector = func.selector;
+        // create role info
+        info.createdAt = TimestampLib.current();
+        info.pausedAt = TimestampLib.max();
+        _roleInfo[roleId] = info;
-            // add function selector to target selector set if not in set
-            if (addFunctions) { SelectorSetLib.add(_targetFunctions[target], selector); }
-            else { SelectorSetLib.remove(_targetFunctions[target], selector); }
+        // create role name info
+        _roleForName[info.name] = RoleNameInfo({
+            roleId: roleId,
+            exists: true});
-            // set function name
-            _functionInfo[target][selector] = func;
+        // add role to list of roles
+        _roleIds.push(roleId);
-            // add bytes4 selector to function selector array
-            functionSelectors[i] = selector.toBytes4();
-        }
+        emit LogAccessAdminRoleCreated(_adminName, roleId, info.targetType, info.adminRoleId, info.name.toString());
     }
-    /// @dev grant the specified role access to all functions in the provided selector list
-    function _grantRoleAccessToFunctions(
-        address target,
-        RoleId roleId,
-        bytes4[] memory functionSelectors,
-        bool allowLockedRoles // admin and public roles are locked
-    )
+    /// @dev Activates or deactivates role.
+    /// The role activ property is indirectly controlled over the pausedAt timestamp.
+    function _setRoleActive(RoleId roleId, bool active)
         internal
-        onlyExistingTarget(target)
-        onlyExistingRole(roleId, true, allowLockedRoles)
     {
-        _authority.setTargetFunctionRole(
-            target,
-            functionSelectors,
-            RoleId.unwrap(roleId));
+        AccessAdminLib.checkRoleExists(this, roleId, false, false);
+        if (active) {
+            _roleInfo[roleId].pausedAt = TimestampLib.max();
+        } else {
+            _roleInfo[roleId].pausedAt = TimestampLib.current();
+        }
+        Blocknumber lastUpdateIn = _roleInfo[roleId].lastUpdateIn;
+        _roleInfo[roleId].lastUpdateIn = BlocknumberLib.current();
-        // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
+        emit LogAccessAdminRoleActivatedSet(_adminName, roleId, active, lastUpdateIn);
     }
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
-        onlyExistingRole(roleId, true, false)
     {
+        AccessAdminLib.checkRoleExists(this, roleId, true, false);
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
-            revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
+            revert ErrorAccessAdminRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
         }
         // check account is contract for contract role
         if (
-            _roleInfo[roleId].roleType == RoleType.Contract &&
+            _roleInfo[roleId].targetType != TargetType.Custom &&
             !ContractLib.isContract(account) // will fail in account's constructor
         ) {
-            revert ErrorRoleMemberNotContract(roleId, account);
+            revert ErrorAccessAdminRoleMemberNotContract(roleId, account);
         }
-        // TODO check account already have roleId
+        // effects
         _roleMembers[roleId].add(account);
         _authority.grantRole(
             RoleId.unwrap(roleId),
             account,
             0);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleGranted(
+            _adminName,
+            account,
+            AccessAdminLib.getRoleName(this, roleId));
     }
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
-        onlyExistingRole(roleId, false, false)
     {
+        AccessAdminLib.checkRoleExists(this, roleId, false, false);
-        // check role removal is permitted
-        if (_roleInfo[roleId].roleType == RoleType.Contract) {
-            revert ErrorRoleMemberRemovalDisabled(roleId, account);
+        // check for attempt to revoke contract role
+        if (_roleInfo[roleId].targetType != TargetType.Custom) {
+            revert ErrorAccessAdminRoleMemberRemovalDisabled(roleId, account);
         }
-        // TODO check account have roleId?
+        // effects
         _roleMembers[roleId].remove(account);
         _authority.revokeRole(
             RoleId.unwrap(roleId),
             account);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleRevoked(_adminName, account, _roleInfo[roleId].name.toString());
     }
-    /// @dev Creates a role based on the provided parameters.
-    /// Checks that the provided role and role id and role name not already used.
-    function _createRole(
-        RoleId roleId,
-        RoleInfo memory info
+    function _getOrCreateTargetRoleIdAndName(
+        address target,
+        string memory targetName,
+        TargetType targetType
     )
         internal
+        returns (
+            RoleId roleId,
+            string memory roleName,
+            bool exists
+        )
     {
-        // check role does not yet exist
-        if(roleExists(roleId)) {
-            revert ErrorRoleAlreadyCreated(
-                roleId,
-                _roleInfo[roleId].name.toString());
+        roleName = AccessAdminLib.toRoleName(targetName);
+        (roleId, exists) = getRoleForName(roleName);
+        if (exists) {
+            return (roleId, roleName, true);
+        }
+        // get roleId
+        if (targetType == TargetType.Service || targetType == TargetType.GenericService) {
+            roleId = AccessAdminLib.getServiceRoleId(target, targetType);
+        } else {
+            uint64 nextRoleId = _nextRoleId[targetType];
+            roleId = AccessAdminLib.getTargetRoleId(target, targetType, nextRoleId);
+            // increment target type specific role id counter
+            _nextRoleId[targetType]++;
         }
-        // check admin role exists
-        if(!roleExists(info.adminRoleId)) {
-            revert ErrorRoleAdminNotExisting(info.adminRoleId);
-        }
-        // check role name is not empty
-        if(info.name.length() == 0) {
-            revert ErrorRoleNameEmpty(roleId);
-        }
-        // check role name is not used for another role
-        if(_roleForName[info.name].exists) {
-            revert ErrorRoleNameAlreadyExists(
-                roleId,
-                info.name.toString(),
-                _roleForName[info.name].roleId);
-        }
-        _createRoleUnchecked(roleId, info);
     }
-    function _createRoleUnchecked(
-        RoleId roleId,
-        RoleInfo memory info
+    function _createTarget(
+        address target,
+        string memory targetName,
+        TargetType targetType,
+        bool checkAuthority
     )
-        private
+        internal
+        returns (RoleId contractRoleId)
     {
-        // create role info
-        info.createdAt = TimestampLib.blockTimestamp();
-        _roleInfo[roleId] = info;
-        // create role name info
-        _roleForName[info.name] = RoleNameInfo({
-            roleId: roleId,
-            exists: true});
-        // add role to list of roles
-        _roleIds.push(roleId);
+        // checks
+        AccessAdminLib.checkTargetCreation(this, target, targetName, checkAuthority);
-        emit LogRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
+        // effects
+        contractRoleId = _createTargetUnchecked(
+            target,
+            targetName,
+            targetType,
+            checkAuthority);
+        // deal with token handler, if applicable
+        (
+            address tokenHandler,
+            string memory tokenHandlerName
+        ) = AccessAdminLib.getTokenHandler(target, targetName, targetType);
+        if (tokenHandler != address(0)) {
+            _createTargetUnchecked(
+                tokenHandler,
+                tokenHandlerName,
+                targetType,
+                checkAuthority);
+        }
     }
-    function _createTarget(
+    /// @dev Creates a new target and a corresponding contract role.
+    /// The function assigns the role to the target and logs the creation.
+    function _createTargetUnchecked(
         address target,
         string memory targetName,
-        bool checkAuthority,
-        bool custom
+        TargetType targetType,
+        bool managed
     )
         internal
+        returns (RoleId targetRoleId)
     {
-        // check target does not yet exist
-        if(targetExists(target)) {
-            revert ErrorTargetAlreadyCreated(
-                target,
-                _targetInfo[target].name.toString());
-        }
-        // check target name is not empty
-        Str name = StrLib.toStr(targetName);
-        if(name.length() == 0) {
-            revert ErrorTargetNameEmpty(target);
-        }
-        // check target name is not used for another target
-        if( _targetForName[name] != address(0)) {
-            revert ErrorTargetNameAlreadyExists(
-                target,
-                targetName,
-                _targetForName[name]);
-        }
-        // check target is an access managed contract
-        if (!_isAccessManaged(target)) {
-            revert ErrorTargetNotAccessManaged(target);
-        }
-        // check target shares authority with this contract
-        if (checkAuthority) {
-            address targetAuthority = AccessManagedUpgradeable(target).authority();
-            if (targetAuthority != authority()) {
-                revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
-            }
+        // create target role (if not existing)
+        string memory roleName;
+        bool roleExists;
+        (targetRoleId, roleName, roleExists) = _getOrCreateTargetRoleIdAndName(target, targetName, targetType);
+        if (!roleExists) {
+            _createRole(
+                targetRoleId,
+                AccessAdminLib.roleInfo(
+                    ADMIN_ROLE(),
+                    targetType,
+                    1,
+                    roleName),
+                true); // revert on existing role
         }
         // create target info
+        Str name = StrLib.toStr(targetName);
         _targetInfo[target] = TargetInfo({
             name: name,
-            isCustom: custom,
-            createdAt: TimestampLib.blockTimestamp()
-        });
+            targetType: targetType,
+            roleId: targetRoleId,
+            createdAt: TimestampLib.current(),
+            lastUpdateIn: BlocknumberLib.current()});
         // create name to target mapping
         _targetForName[name] = target;
-        // add role to list of roles
+        // add target to list of targets
         _targets.push(target);
-        emit LogTargetCreated(target, targetName);
+        // grant contract role to target
+        _grantRoleToAccount(targetRoleId, target);
+        emit LogAccessAdminTargetCreated(_adminName, targetName, managed, target, targetRoleId);
     }
-    function _isAccessManaged(address target)
+    function _setTargetLocked(address target, bool locked)
         internal
-        view
-        returns (bool)
     {
-        if (!ContractLib.isContract(target)) {
-            return false;
-        }
+        AccessAdminLib.checkTargetExists(this, target);
+        _authority.setTargetClosed(target, locked);
-        (bool success, ) = target.staticcall(
-            abi.encodeWithSelector(
-                IAccessManagedChecker.authority.selector));
+        // logging
+        Blocknumber lastUpdateIn = _targetInfo[target].lastUpdateIn;
+        _targetInfo[target].lastUpdateIn = BlocknumberLib.current();
-        return success;
+        emit LogAccessAdminTargetLockedSet(_adminName, target, locked, lastUpdateIn);
     }
-    function _setTargetClosed(address target, bool locked)
+    /// @dev Authorize the functions of the target for the specified role.
+    function _authorizeFunctions(IAuthorization authorization, Str target, RoleId roleId)
         internal
     {
-        _checkTarget(target);
-        // target locked/unlocked already
-        if(_authority.isTargetClosed(target) == locked) {
-            revert ErrorTargetAlreadyLocked(target, locked);
-        }
-        _authority.setTargetClosed(target, locked);
+        _authorizeTargetFunctions(
+            getTargetForName(target),
+            AccessAdminLib.getAuthorizedRole(
+                this,
+                authorization,
+                roleId),
+            authorization.getAuthorizedFunctions(
+                target,
+                roleId),
+            false,
+            true);
     }
-    function _checkRoleExists(
+    /// @dev Authorize the functions of the target for the specified role.
+    /// Flag addFunctions determines if functions are added or removed.
+    function _authorizeTargetFunctions(
+        address target,
         RoleId roleId,
-        bool onlyActiveRole
+        FunctionInfo[] memory functions,
+        bool onlyComponentOrContractTargets,
+        bool addFunctions
     )
         internal
-        view
     {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        // checks
+        AccessAdminLib.checkTargetAndRoleForFunctions(
+            this,
+            target,
+            roleId,
+            onlyComponentOrContractTargets);
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE())
-        // TODO cleanup
-            //|| roleIdInt == _authority.PUBLIC_ROLE()) prevents granting of public role
-        {
-            revert ErrorRoleIsLocked(roleId);
+        if (addFunctions && roleId == getAdminRole()) {
+            revert ErrorAccessAdminAuthorizeForAdminRoleInvalid(target);
         }
-        // check if role is disabled
-        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
-            revert ErrorRoleIsPaused(roleId);
+        _authority.setTargetFunctionRole(
+            target,
+            AccessAdminLib.getSelectors(functions),
+            RoleId.unwrap(roleId));
+        // update function set and log function grantings
+        for (uint256 i = 0; i < functions.length; i++) {
+            _updateFunctionAccess(
+                target,
+                roleId,
+                functions[i],
+                addFunctions);
         }
     }
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
+    function _updateFunctionAccess(
+        address target,
+        RoleId roleId,
+        FunctionInfo memory func,
+        bool addFunction
+    )
+        internal
+    {
+        // update functions info
+        Selector selector = func.selector;
+        Blocknumber lastUpdateIn = _functionInfo[target][selector].lastUpdateIn;
+        // update function sets
+        if (addFunction) { SelectorSetLib.add(_targetFunctions[target], selector); }
+        else { SelectorSetLib.remove(_targetFunctions[target], selector); }
+        _functionInfo[target][selector] = func;
+        _functionInfo[target][selector].lastUpdateIn = BlocknumberLib.current();
+        // logging
+        emit LogAccessAdminFunctionGranted(
+            _adminName,
+            target,
+            AccessAdminLib.toFunctionGrantingString(this, func.name, roleId),
+            lastUpdateIn);
+    }
+    function _checkAuthorization(
+        address authorization,
+        ObjectType expectedDomain,
+        VersionPart expectedRelease,
+        bool expectServiceAuthorization,
+        bool checkAlreadyInitialized
+    )
         internal
         view
     {
-        if (!targetExists(target)) {
-            revert ErrorTargetUnknown(target);
-        }
+        AccessAdminLib.checkAuthorization(
+            address(_authorization),
+            authorization,
+            expectedDomain,
+            expectedRelease,
+            expectServiceAuthorization,
+            checkAlreadyInitialized);
     }
 }