@etherisc/gif-next 0.0.2-9e6b423-414 → 0.0.2-9f51324-299

package/contracts/instance/InstanceAdmin.sol

@@ -8,12 +8,13 @@ import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
 
 import {AccessAdmin} from "../authorization/AccessAdmin.sol";
-import {AccessAdminLib} from "../authorization/AccessAdminLib.sol";
 import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
-import {ObjectType, INSTANCE} from "../type/ObjectType.sol";
-import {RoleId, ADMIN_ROLE} from "../type/RoleId.sol";
-import {Str} from "../type/String.sol";
-import {VersionPart} from "../type/Version.sol";
+import {NftId} from "../type/NftId.sol";
+import {ObjectType, INSTANCE, ORACLE} from "../type/ObjectType.sol";
+import {RoleId, RoleIdLib} from "../type/RoleId.sol";
+import {Str, StrLib} from "../type/String.sol";
+import {TokenHandler} from "../shared/TokenHandler.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 
 
 contract InstanceAdmin is
@@ -25,22 +26,29 @@ contract InstanceAdmin is
     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
     string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
-    // onlyInstanceService
+    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
+
     error ErrorInstanceAdminNotInstanceService(address caller);
 
-    // authorizeFunctions
-    error ErrorInstanceAdminNotComponentOrCustomTarget(address target);
+    error ErrorInstanceAdminNotRegistered(address instance);
+    error ErrorInstanceAdminNotInstance(address instance);
+    error ErrorInstanceAdminAlreadyAuthorized(address instance);
+
+    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
+    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
+    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
+
+    error ErrorInstanceAdminReleaseMismatch();
+    error ErrorInstanceAdminExpectedTargetMissing(string targetName);
 
     IInstance internal _instance;
     IRegistry internal _registry;
     VersionPart internal _release;
-
-    uint64 internal _customRoleIdNext;
+    uint64 internal _customIdNext;
 
     mapping(address target => RoleId roleId) internal _targetRoleId;
     uint64 internal _components;
 
-
     modifier onlyInstanceService() {
         if (msg.sender != _registry.getServiceAddress(INSTANCE(), getRelease())) {
             revert ErrorInstanceAdminNotInstanceService(msg.sender);
@@ -61,23 +69,24 @@ contract InstanceAdmin is
     /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
     function completeSetup(
         address registry,
+        address instance,
         address authorization,
-        VersionPart release,
-        address instance
+        VersionPart release
     )
         external
         reinitializer(uint64(release.toInt()))
         onlyDeployer()
     {
         // checks
-        AccessAdminLib.checkIsRegistered(registry, instance, INSTANCE());
+        _checkRegistry(registry);
+        _checkIsRegistered(registry, instance, INSTANCE());
 
         AccessManagerCloneable(
             authority()).completeSetup(
                 registry, 
                 release); 
 
-        _checkAuthorization(authorization, INSTANCE(), release, false, true);
+        _checkAuthorization(authorization, INSTANCE(), release, true);
 
         // effects
         _registry = IRegistry(registry);
@@ -86,63 +95,29 @@ contract InstanceAdmin is
         _instance = IInstance(instance);
         _authorization = IAuthorization(authorization);
         _components = 0;
-        _customRoleIdNext = 0;
+        _customIdNext = CUSTOM_ROLE_ID_MIN;
 
         // link nft ownability to instance
         _linkToNftOwnable(instance);
 
-        // setup instance targets
-        _createInstanceTargets(_authorization.getMainTargetName());
+        // create instance role and target
+        _setupInstance(instance);
 
-        // setup non-contract roles
-        _setupServiceRoles(_authorization);
+        // add instance authorization
         _createRoles(_authorization);
-
-        // authorize functions of instance contracts
+        // _createTargets(_authorization);
+        _setupInstanceHelperTargetsWithRoles();
         _createTargetAuthorizations(_authorization);
     }
 
 
-    /// @dev grants the service roles to the service addresses based on the authorization specification.
-    /// Service addresses used for the granting are determined by the registry and the release of this instance.
-    function _setupServiceRoles(IAuthorization authorization)
+    function _createTargets(IAuthorization authorization)
         internal
     {
-        ObjectType[] memory serviceDomains = authorization.getServiceDomains();
-
-        for(uint256 i = 0; i < serviceDomains.length; i++) {
-            ObjectType serviceDomain = serviceDomains[i];
-            RoleId serviceRoleId = authorization.getServiceRole(serviceDomain);
-            string memory serviceRoleName = authorization.getRoleName(serviceRoleId);
-
-            // create service role if missing
-            if (!roleExists(serviceRoleId)) {
-                _createRole(
-                    serviceRoleId, 
-                    AccessAdminLib.toRole(
-                        ADMIN_ROLE(), 
-                        IAccess.RoleType.Contract, 
-                        1, 
-                        serviceRoleName));
-            }
-
-            // grant service role to service
-            address service = _registry.getServiceAddress(serviceDomain, _release);
-            _grantRoleToAccount(
-                serviceRoleId,
-                service);
-        }
-    }
-
-
-    function _createInstanceTargets(string memory instanceTargetName)
-        internal
-    {
-        _createManagedTarget(address(_instance), instanceTargetName, TargetType.Instance); 
-        _createManagedTarget(address(this), INSTANCE_ADMIN_TARGET_NAME, TargetType.Instance); 
-        _createManagedTarget(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, TargetType.Instance); 
-        _createManagedTarget(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, TargetType.Instance); 
-        _createManagedTarget(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, TargetType.Instance); 
+        _createTargetWithRole(address(this), INSTANCE_ADMIN_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_ADMIN_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_STORE_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(BUNDLE_SET_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(RISK_SET_TARGET_NAME)));
     }
 
 
@@ -156,19 +131,19 @@ contract InstanceAdmin is
         restricted()
     {
         // checks
-        AccessAdminLib.checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
+        _checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
 
         IInstanceLinkedComponent component = IInstanceLinkedComponent(componentAddress);
         IAuthorization authorization = component.getAuthorization();
-        _checkAuthorization(address(authorization), expectedType, getRelease(), false, false);
+        _checkAuthorization(address(authorization), expectedType, getRelease(), false);
 
         // effects
+        // setup target and role for component (including token handler if applicable)
+        _setupComponentAndTokenHandler(component, expectedType);
+
+        // create other roles and function authorizations
         _createRoles(authorization);
-        _createManagedTarget(componentAddress, authorization.getMainTargetName(), TargetType.Component);
         _createTargetAuthorizations(authorization);
-
-        // increase component count
-        _components++;
     }
 
     function getRelease()
@@ -181,45 +156,38 @@ contract InstanceAdmin is
     }
 
 
-    /// @dev Creates a custom role.
-    function createRole(
-        string memory name,
-        RoleId adminRoleId,
-        uint32 maxMemberCount
-    )
-        external
-        restricted()
-        returns (RoleId roleId)
-    {
-        // check role does not yet exist
-        if (roleExists(name)) {
-            revert ErrorAccessAdminRoleAlreadyCreated(
-                getRoleForName(name),
-                name);
-        }
+    // create instance role and target
+    function _setupInstance(address instance) internal {
 
-        // create roleId
-        roleId = AccessAdminLib.getCustomRoleId(_customRoleIdNext++);
+        // create instance role
+        RoleId instanceRoleId = _authorization.getTargetRole(
+            _authorization.getMainTarget());
 
-        // create role
         _createRole(
-            roleId, 
-            AccessAdminLib.toRole(
-                adminRoleId, 
-                IAccess.RoleType.Custom, 
-                maxMemberCount, 
-                name));
+            instanceRoleId,
+            _authorization.getRoleInfo(instanceRoleId));
+
+        // create instance target
+        _createTarget(
+            instance, 
+            _authorization.getMainTargetName(), 
+            true, // checkAuthority
+            false); // custom
+
+        // assign instance role to instance
+        _grantRoleToAccount(
+            instanceRoleId, 
+            instance);
     }
 
+    /// @dev Creates a custom role
+    // TODO implement
+    // function createRole()
+    //     external
+    //     restricted()
+    // {
 
-    /// @dev Activtes/pauses the specified role.
-    function setRoleActive(RoleId roleId, bool active)
-        external
-        restricted()
-    {
-        _setRoleActive(roleId, active);
-    }
-
+    // }
 
     /// @dev Grants the provided role to the specified account
     function grantRole(
@@ -232,62 +200,6 @@ contract InstanceAdmin is
     }
 
 
-    /// @dev Revokes the provided role from the specified account
-    function revokeRole(
-        RoleId roleId, 
-        address account)
-        external
-        restricted()
-    {
-        _revokeRoleFromAccount(roleId, account);
-    }
-
-
-    /// @dev Create a new custom target.
-    /// The target needs to be an access managed contract.
-    function createTarget(
-        address target, 
-        string memory name
-    )
-        external
-        restricted()
-        returns (RoleId contractRoleId)
-    {
-        return _createManagedTarget(
-            target, 
-            name, 
-            TargetType.Custom);
-    }
-
-
-    /// @dev Add function authorizations for the specified component or custom target.
-    function authorizeFunctions(
-        address target,
-        RoleId roleId,
-        IAccess.FunctionInfo[] memory functions
-    )
-        external
-        restricted()
-    {
-        _checkComponentOrCustomTarget(target);
-        _authorizeTargetFunctions(target, roleId, functions, true);
-    }
-
-
-    /// @dev Removes function authorizations for the specified component or custom target.
-    function unauthorizeFunctions(
-        address target,
-        IAccess.FunctionInfo[] memory functions
-    )
-        external
-        restricted()
-    {
-        _checkComponentOrCustomTarget(target);
-        _authorizeTargetFunctions(target, ADMIN_ROLE(), functions, false);
-    }
-
-
-    /// @dev locks the instance and all its releated targets including component and custom targets.
     function setInstanceLocked(bool locked)
         external
         // not restricted(): need to operate on locked instances to unlock instance
@@ -334,6 +246,100 @@ contract InstanceAdmin is
 
     // ------------------- Internal functions ------------------- //
 
+    function _setupComponentAndTokenHandler(
+        IInstanceLinkedComponent component,
+        ObjectType componentType
+    )
+        internal
+    {
+
+        IAuthorization authorization = component.getAuthorization();
+        string memory targetName = authorization.getMainTargetName();
+
+        // create component role and target
+        RoleId componentRoleId = _createComponentRoleId(component, authorization);
+
+        // create component's target
+        _createTarget(
+            address(component), 
+            targetName, 
+            true, // checkAuthority
+            false); // custom
+
+        // create component's token handler target if app
+        if (componentType != ORACLE()) {
+            NftId componentNftId = _registry.getNftIdForAddress(address(component));
+            address tokenHandler = address(
+                _instance.getInstanceReader().getComponentInfo(
+                    componentNftId).tokenHandler);
+
+            _createTarget(
+                tokenHandler, 
+                authorization.getTokenHandlerName(), 
+                true, 
+                false);
+
+            // token handler does not require its own role
+            // token handler is not calling other components
+        }
+
+        // assign component role to component
+        _grantRoleToAccount(
+            componentRoleId, 
+            address(component));
+    }
+
+
+    function _createComponentRoleId(
+        IInstanceLinkedComponent component,
+        IAuthorization authorization
+    )
+        internal 
+        returns (RoleId componentRoleId)
+    {
+        // checks
+        // check component is not yet authorized
+        if (_targetRoleId[address(component)].gtz()) {
+            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
+        }
+
+        // check generic component role
+        RoleId genericComponentRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+
+        if (!genericComponentRoleId.isComponentRole()) {
+            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
+        }
+
+        // check component role does not exist
+        componentRoleId = toComponentRole(
+            genericComponentRoleId, 
+            _components);
+
+        if (roleExists(componentRoleId)) {
+            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
+        }
+
+        // check role info
+        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
+            genericComponentRoleId);
+
+        if (roleInfo.roleType != IAccess.RoleType.Contract) {
+            revert ErrorInstanceAdminRoleTypeNotContract(
+                componentRoleId,
+                roleInfo.roleType);
+        }
+
+        // effects
+        _targetRoleId[address(component)] = componentRoleId;
+        _components++;
+
+        _createRole(
+            componentRoleId,
+            roleInfo);
+    }
+
+
     function _createRoles(IAuthorization authorization)
         internal
     {
@@ -341,8 +347,12 @@ contract InstanceAdmin is
         RoleId mainTargetRoleId = authorization.getTargetRole(
             authorization.getMainTarget());
 
+        RoleId roleId;
+        RoleInfo memory roleInfo;
+
         for(uint256 i = 0; i < roles.length; i++) {
-            RoleId roleId = roles[i];
+
+            roleId = roles[i];
 
             // skip main target role, create role if not exists
             if (roleId != mainTargetRoleId && !roleExists(roleId)) {
@@ -354,6 +364,16 @@ contract InstanceAdmin is
     }
 
 
+    function toComponentRole(RoleId roleId, uint64 componentIdx)
+        internal
+        pure
+        returns (RoleId)
+    {
+        return RoleIdLib.toRoleId(
+            RoleIdLib.toInt(roleId) + componentIdx);
+    }
+
+
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
     {
@@ -363,21 +383,68 @@ contract InstanceAdmin is
         for(uint256 i = 0; i < targets.length; i++) {
             target = targets[i];
             RoleId[] memory authorizedRoles = authorization.getAuthorizedRoles(target);
+            RoleId authorizedRole;
 
             for(uint256 j = 0; j < authorizedRoles.length; j++) {
-                _authorizeFunctions(authorization, target, authorizedRoles[j]);
+                authorizedRole = authorizedRoles[j];
+
+                _authorizeTargetFunctions(
+                    getTargetForName(target),
+                    authorizedRole,
+                    authorization.getAuthorizedFunctions(
+                        target, 
+                        authorizedRole));
             }
         }
     }
 
+    function _checkAndCreateTargetWithRole(
+        address target,
+        string memory targetName
+    )
+        internal
+    {
+        // check that target name is defined in authorization specification
+        Str name = StrLib.toStr(targetName);
+        if (!_authorization.targetExists(name)) {
+            revert ErrorInstanceAdminExpectedTargetMissing(targetName);
+        }
+
+        // create named target
+        _createTarget(
+            target, 
+            targetName, 
+            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
+            false);
+
+        // assign target role if defined
+        RoleId targetRoleId = _authorization.getTargetRole(name);
+        if (targetRoleId != RoleIdLib.zero()) {
+            _grantRoleToAccount(targetRoleId, target);
+        }
+    }
 
-    function _checkComponentOrCustomTarget(address target) 
+    function _setupInstanceHelperTargetsWithRoles()
         internal
-        view
     {
-        IAccess.TargetType targetType = getTargetInfo(target).targetType;
-        if (targetType != TargetType.Component && targetType != TargetType.Custom) {
-            revert ErrorInstanceAdminNotComponentOrCustomTarget(target);
+
+        // create module targets
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME);
+
+        // create targets for services that need to access the instance targets
+        ObjectType[] memory serviceDomains = _authorization.getServiceDomains();
+        VersionPart release = _authorization.getRelease();
+        ObjectType serviceDomain;
+
+        for (uint256 i = 0; i < serviceDomains.length; i++) {
+            serviceDomain = serviceDomains[i];
+
+            _checkAndCreateTargetWithRole(
+                _registry.getServiceAddress(serviceDomain, release),
+                _authorization.getServiceTarget(serviceDomain).toString());
         }
     }
 }

package/contracts/instance/InstanceAuthorizationV3.sol

@@ -2,15 +2,14 @@
 pragma solidity ^0.8.20;
 
 import {IAccess} from "../authorization/IAccess.sol";
-import {IInstance} from "../instance/Instance.sol";
 
-import {AccessAdminLib} from "../authorization/AccessAdminLib.sol";
 import {Authorization} from "../authorization/Authorization.sol";
 import {ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK} from "../../contracts/type/ObjectType.sol";
 import {BundleSet} from "../instance/BundleSet.sol";
+import {Instance} from "../instance/Instance.sol";
 import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
 import {InstanceStore} from "../instance/InstanceStore.sol";
-import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
+import {PUBLIC_ROLE} from "../type/RoleId.sol";
 import {RiskSet} from "../instance/RiskSet.sol"; 
 
 
@@ -19,7 +18,6 @@ contract InstanceAuthorizationV3
 {
 
      string public constant INSTANCE_ROLE_NAME = "InstanceRole";
-     string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
 
      string public constant INSTANCE_TARGET_NAME = "Instance";
      string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
@@ -28,41 +26,22 @@ contract InstanceAuthorizationV3
      string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
      constructor()
-          Authorization(
-               INSTANCE_TARGET_NAME, 
-               INSTANCE(), 
-               3, 
-               COMMIT_HASH,
-               false, 
-               false)
+          Authorization(INSTANCE_TARGET_NAME, INSTANCE(), false, false)
      { }
 
      function _setupServiceTargets() internal virtual override {
           // service targets relevant to instance
-          _authorizeServiceDomain(INSTANCE(), address(10));
-          _authorizeServiceDomain(ACCOUNTING(), address(11));
-          _authorizeServiceDomain(COMPONENT(), address(12));
-          _authorizeServiceDomain(DISTRIBUTION(), address(13));
-          _authorizeServiceDomain(ORACLE(), address(14));
-          _authorizeServiceDomain(POOL(), address(15));
-          _authorizeServiceDomain(BUNDLE(), address(16));
-          _authorizeServiceDomain(RISK(), address(17));
-          _authorizeServiceDomain(APPLICATION(), address(18));
-          _authorizeServiceDomain(POLICY(), address(19));
-          _authorizeServiceDomain(CLAIM(), address(20));
-     }
-
-     function _setupRoles()
-          internal
-          override
-     {
-          _addRole(
-               INSTANCE_OWNER_ROLE(),
-               AccessAdminLib.toRole(
-                    ADMIN_ROLE(),
-                    RoleType.Custom,
-                    0, // max member count special case: instance nft owner is sole role owner
-                    INSTANCE_OWNER_ROLE_NAME));
+          _addServiceTargetWithRole(INSTANCE());
+          _addServiceTargetWithRole(ACCOUNTING());
+          _addServiceTargetWithRole(COMPONENT());
+          _addServiceTargetWithRole(DISTRIBUTION());
+          _addServiceTargetWithRole(ORACLE());
+          _addServiceTargetWithRole(POOL());
+          _addServiceTargetWithRole(BUNDLE());
+          _addServiceTargetWithRole(RISK());
+          _addServiceTargetWithRole(APPLICATION());
+          _addServiceTargetWithRole(POLICY());
+          _addServiceTargetWithRole(CLAIM());
      }
 
      function _setupTargets()
@@ -70,6 +49,7 @@ contract InstanceAuthorizationV3
           override
      {
           // instance supporting targets
+          // _addGifContractTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(INSTANCE_STORE_TARGET_NAME);
           _addTarget(BUNDLE_SET_TARGET_NAME);
@@ -132,27 +112,25 @@ contract InstanceAuthorizationV3
 
           // authorize instance service role
           functions = _authorizeForTarget(INSTANCE_TARGET_NAME, PUBLIC_ROLE());
-          _authorize(functions, IInstance.registerProduct.selector, "registerProduct");
-          _authorize(functions, IInstance.upgradeInstanceReader.selector, "upgradeInstanceReader");
+          _authorize(functions, Instance.registerProduct.selector, "registerProduct");
+          _authorize(functions, Instance.upgradeInstanceReader.selector, "upgradeInstanceReader");
 
           // staking
-          _authorize(functions, IInstance.setStakingLockingPeriod.selector, "setStakingLockingPeriod");
-          _authorize(functions, IInstance.setStakingRewardRate.selector, "setStakingRewardRate");
-          _authorize(functions, IInstance.refillStakingRewardReserves.selector, "refillStakingRewardReserves");
-          _authorize(functions, IInstance.withdrawStakingRewardReserves.selector, "withdrawStakingRewardReserves");
+          _authorize(functions, Instance.setStakingLockingPeriod.selector, "setStakingLockingPeriod");
+          _authorize(functions, Instance.setStakingRewardRate.selector, "setStakingRewardRate");
+          _authorize(functions, Instance.refillStakingRewardReserves.selector, "refillStakingRewardReserves");
+          _authorize(functions, Instance.withdrawStakingRewardReserves.selector, "withdrawStakingRewardReserves");
 
           // custom authz
-          _authorize(functions, IInstance.createRole.selector, "createRole");
-          _authorize(functions, IInstance.setRoleActive.selector, "setRoleActive");
-          _authorize(functions, IInstance.grantRole.selector, "grantRole");
-          _authorize(functions, IInstance.revokeRole.selector, "revokeRole");
-          _authorize(functions, IInstance.createTarget.selector, "createTarget");
-          _authorize(functions, IInstance.authorizeFunctions.selector, "authorizeFunctions");
-          _authorize(functions, IInstance.unauthorizeFunctions.selector, "unauthorizeFunctions");
+          _authorize(functions, Instance.createRole.selector, "createRole");
+          _authorize(functions, Instance.grantRole.selector, "grantRole");
+          _authorize(functions, Instance.revokeRole.selector, "revokeRole");
+          _authorize(functions, Instance.createTarget.selector, "createTarget");
+          _authorize(functions, Instance.setTargetFunctionRole.selector, "setTargetFunctionRole");
 
           // authorize instance service role
           functions = _authorizeForTarget(INSTANCE_TARGET_NAME, getServiceRole(INSTANCE()));
-          _authorize(functions, IInstance.setInstanceReader.selector, "setInstanceReader");
+          _authorize(functions, Instance.setInstanceReader.selector, "setInstanceReader");
      }
 
 
@@ -163,16 +141,8 @@ contract InstanceAuthorizationV3
 
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
-          _authorize(functions, InstanceAdmin.createRole.selector, "createRole");
-          _authorize(functions, InstanceAdmin.setRoleActive.selector, "setRoleActive");
-          _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
-          _authorize(functions, InstanceAdmin.revokeRole.selector, "revokeRole");
-
-          _authorize(functions, InstanceAdmin.createTarget.selector, "createTarget");
-          _authorize(functions, InstanceAdmin.authorizeFunctions.selector, "authorizeFunctions");
-          _authorize(functions, InstanceAdmin.unauthorizeFunctions.selector, "unauthorizeFunctions");
-          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
           _authorize(functions, InstanceAdmin.setInstanceLocked.selector, "setInstanceLocked");
+          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
 
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(COMPONENT()));