@etherisc/gif-next 0.0.2-b7d6ed2-016 → 0.0.2-b7e6198-021

package/contracts/instance/InstanceAdmin.sol

@@ -8,13 +8,12 @@ import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
 
 import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessAdminLib} from "../authorization/AccessAdminLib.sol";
 import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
-import {NftId} from "../type/NftId.sol";
-import {ObjectType, INSTANCE, ORACLE} from "../type/ObjectType.sol";
-import {RoleId, RoleIdLib} from "../type/RoleId.sol";
-import {Str, StrLib} from "../type/String.sol";
-import {TokenHandler} from "../shared/TokenHandler.sol";
-import {VersionPart, VersionPartLib} from "../type/Version.sol";
+import {ObjectType, INSTANCE} from "../type/ObjectType.sol";
+import {RoleId, ADMIN_ROLE} from "../type/RoleId.sol";
+import {Str} from "../type/String.sol";
+import {VersionPart} from "../type/Version.sol";
 
 
 contract InstanceAdmin is
@@ -26,29 +25,22 @@ contract InstanceAdmin is
     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
     string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
-    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
-
+    // onlyInstanceService
     error ErrorInstanceAdminNotInstanceService(address caller);
 
-    error ErrorInstanceAdminNotRegistered(address instance);
-    error ErrorInstanceAdminNotInstance(address instance);
-    error ErrorInstanceAdminAlreadyAuthorized(address instance);
-
-    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
-    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
-    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
-
-    error ErrorInstanceAdminReleaseMismatch();
-    error ErrorInstanceAdminExpectedTargetMissing(string targetName);
+    // authorizeFunctions
+    error ErrorInstanceAdminNotComponentOrCustomTarget(address target);
 
     IInstance internal _instance;
     IRegistry internal _registry;
     VersionPart internal _release;
-    uint64 internal _customIdNext;
+
+    uint64 internal _customRoleIdNext;
 
     mapping(address target => RoleId roleId) internal _targetRoleId;
     uint64 internal _components;
 
+
     modifier onlyInstanceService() {
         if (msg.sender != _registry.getServiceAddress(INSTANCE(), getRelease())) {
             revert ErrorInstanceAdminNotInstanceService(msg.sender);
@@ -69,24 +61,23 @@ contract InstanceAdmin is
     /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
     function completeSetup(
         address registry,
-        address instance,
         address authorization,
-        VersionPart release
+        VersionPart release,
+        address instance
     )
         external
         reinitializer(uint64(release.toInt()))
         onlyDeployer()
     {
         // checks
-        _checkRegistry(registry);
-        _checkIsRegistered(registry, instance, INSTANCE());
+        AccessAdminLib.checkIsRegistered(registry, instance, INSTANCE());
 
         AccessManagerCloneable(
             authority()).completeSetup(
                 registry, 
                 release); 
 
-        _checkAuthorization(authorization, INSTANCE(), release, true);
+        _checkAuthorization(authorization, INSTANCE(), release, false, true);
 
         // effects
         _registry = IRegistry(registry);
@@ -95,29 +86,63 @@ contract InstanceAdmin is
         _instance = IInstance(instance);
         _authorization = IAuthorization(authorization);
         _components = 0;
-        _customIdNext = CUSTOM_ROLE_ID_MIN;
+        _customRoleIdNext = 0;
 
         // link nft ownability to instance
         _linkToNftOwnable(instance);
 
-        // create instance role and target
-        _setupInstance(instance);
+        // setup instance targets
+        _createInstanceTargets(_authorization.getMainTargetName());
 
-        // add instance authorization
+        // setup non-contract roles
+        _setupServiceRoles(_authorization);
         _createRoles(_authorization);
-        // _createTargets(_authorization);
-        _setupInstanceHelperTargetsWithRoles();
+
+        // authorize functions of instance contracts
         _createTargetAuthorizations(_authorization);
     }
 
 
-    function _createTargets(IAuthorization authorization)
+    /// @dev grants the service roles to the service addresses based on the authorization specification.
+    /// Service addresses used for the granting are determined by the registry and the release of this instance.
+    function _setupServiceRoles(IAuthorization authorization)
         internal
     {
-        _createTargetWithRole(address(this), INSTANCE_ADMIN_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_ADMIN_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_STORE_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(BUNDLE_SET_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(RISK_SET_TARGET_NAME)));
+        ObjectType[] memory serviceDomains = authorization.getServiceDomains();
+
+        for(uint256 i = 0; i < serviceDomains.length; i++) {
+            ObjectType serviceDomain = serviceDomains[i];
+            RoleId serviceRoleId = authorization.getServiceRole(serviceDomain);
+            string memory serviceRoleName = authorization.getRoleName(serviceRoleId);
+
+            // create service role if missing
+            if (!roleExists(serviceRoleId)) {
+                _createRole(
+                    serviceRoleId, 
+                    AccessAdminLib.toRole(
+                        ADMIN_ROLE(), 
+                        IAccess.RoleType.Contract, 
+                        1, 
+                        serviceRoleName));
+            }
+
+            // grant service role to service
+            address service = _registry.getServiceAddress(serviceDomain, _release);
+            _grantRoleToAccount(
+                serviceRoleId,
+                service);
+        }
+    }
+
+
+    function _createInstanceTargets(string memory instanceTargetName)
+        internal
+    {
+        _createManagedTarget(address(_instance), instanceTargetName, TargetType.Instance); 
+        _createManagedTarget(address(this), INSTANCE_ADMIN_TARGET_NAME, TargetType.Instance); 
+        _createManagedTarget(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, TargetType.Instance); 
+        _createManagedTarget(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, TargetType.Instance); 
+        _createManagedTarget(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, TargetType.Instance); 
     }
 
 
@@ -131,19 +156,19 @@ contract InstanceAdmin is
         restricted()
     {
         // checks
-        _checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
+        AccessAdminLib.checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
 
         IInstanceLinkedComponent component = IInstanceLinkedComponent(componentAddress);
         IAuthorization authorization = component.getAuthorization();
-        _checkAuthorization(address(authorization), expectedType, getRelease(), false);
+        _checkAuthorization(address(authorization), expectedType, getRelease(), false, false);
 
         // effects
-        // setup target and role for component (including token handler if applicable)
-        _setupComponentAndTokenHandler(component, expectedType);
-
-        // create other roles and function authorizations
         _createRoles(authorization);
+        _createManagedTarget(componentAddress, authorization.getMainTargetName(), TargetType.Component);
         _createTargetAuthorizations(authorization);
+
+        // increase component count
+        _components++;
     }
 
     function getRelease()
@@ -156,38 +181,45 @@ contract InstanceAdmin is
     }
 
 
-    // create instance role and target
-    function _setupInstance(address instance) internal {
+    /// @dev Creates a custom role.
+    function createRole(
+        string memory name,
+        RoleId adminRoleId,
+        uint32 maxMemberCount
+    )
+        external
+        restricted()
+        returns (RoleId roleId)
+    {
+        // check role does not yet exist
+        if (roleExists(name)) {
+            revert ErrorAccessAdminRoleAlreadyCreated(
+                getRoleForName(name),
+                name);
+        }
 
-        // create instance role
-        RoleId instanceRoleId = _authorization.getTargetRole(
-            _authorization.getMainTarget());
+        // create roleId
+        roleId = AccessAdminLib.getCustomRoleId(_customRoleIdNext++);
 
+        // create role
         _createRole(
-            instanceRoleId,
-            _authorization.getRoleInfo(instanceRoleId));
-
-        // create instance target
-        _createTarget(
-            instance, 
-            _authorization.getMainTargetName(), 
-            true, // checkAuthority
-            false); // custom
-
-        // assign instance role to instance
-        _grantRoleToAccount(
-            instanceRoleId, 
-            instance);
+            roleId, 
+            AccessAdminLib.toRole(
+                adminRoleId, 
+                IAccess.RoleType.Custom, 
+                maxMemberCount, 
+                name));
     }
 
-    /// @dev Creates a custom role
-    // TODO implement
-    // function createRole()
-    //     external
-    //     restricted()
-    // {
 
-    // }
+    /// @dev Activtes/pauses the specified role.
+    function setRoleActive(RoleId roleId, bool active)
+        external
+        restricted()
+    {
+        _setRoleActive(roleId, active);
+    }
+
 
     /// @dev Grants the provided role to the specified account
     function grantRole(
@@ -200,6 +232,62 @@ contract InstanceAdmin is
     }
 
 
+    /// @dev Revokes the provided role from the specified account
+    function revokeRole(
+        RoleId roleId, 
+        address account)
+        external
+        restricted()
+    {
+        _revokeRoleFromAccount(roleId, account);
+    }
+
+
+    /// @dev Create a new custom target.
+    /// The target needs to be an access managed contract.
+    function createTarget(
+        address target, 
+        string memory name
+    )
+        external
+        restricted()
+        returns (RoleId contractRoleId)
+    {
+        return _createManagedTarget(
+            target, 
+            name, 
+            TargetType.Custom);
+    }
+
+
+    /// @dev Add function authorizations for the specified component or custom target.
+    function authorizeFunctions(
+        address target,
+        RoleId roleId,
+        IAccess.FunctionInfo[] memory functions
+    )
+        external
+        restricted()
+    {
+        _checkComponentOrCustomTarget(target);
+        _authorizeTargetFunctions(target, roleId, functions, true);
+    }
+
+
+    /// @dev Removes function authorizations for the specified component or custom target.
+    function unauthorizeFunctions(
+        address target,
+        IAccess.FunctionInfo[] memory functions
+    )
+        external
+        restricted()
+    {
+        _checkComponentOrCustomTarget(target);
+        _authorizeTargetFunctions(target, ADMIN_ROLE(), functions, false);
+    }
+
+
+    /// @dev locks the instance and all its releated targets including component and custom targets.
     function setInstanceLocked(bool locked)
         external
         // not restricted(): need to operate on locked instances to unlock instance
@@ -246,100 +334,6 @@ contract InstanceAdmin is
 
     // ------------------- Internal functions ------------------- //
 
-    function _setupComponentAndTokenHandler(
-        IInstanceLinkedComponent component,
-        ObjectType componentType
-    )
-        internal
-    {
-
-        IAuthorization authorization = component.getAuthorization();
-        string memory targetName = authorization.getMainTargetName();
-
-        // create component role and target
-        RoleId componentRoleId = _createComponentRoleId(component, authorization);
-
-        // create component's target
-        _createTarget(
-            address(component), 
-            targetName, 
-            true, // checkAuthority
-            false); // custom
-
-        // create component's token handler target if app
-        if (componentType != ORACLE()) {
-            NftId componentNftId = _registry.getNftIdForAddress(address(component));
-            address tokenHandler = address(
-                _instance.getInstanceReader().getComponentInfo(
-                    componentNftId).tokenHandler);
-
-            _createTarget(
-                tokenHandler, 
-                authorization.getTokenHandlerName(), 
-                true, 
-                false);
-
-            // token handler does not require its own role
-            // token handler is not calling other components
-        }
-
-        // assign component role to component
-        _grantRoleToAccount(
-            componentRoleId, 
-            address(component));
-    }
-
-
-    function _createComponentRoleId(
-        IInstanceLinkedComponent component,
-        IAuthorization authorization
-    )
-        internal 
-        returns (RoleId componentRoleId)
-    {
-        // checks
-        // check component is not yet authorized
-        if (_targetRoleId[address(component)].gtz()) {
-            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
-        }
-
-        // check generic component role
-        RoleId genericComponentRoleId = authorization.getTargetRole(
-            authorization.getMainTarget());
-
-        if (!genericComponentRoleId.isComponentRole()) {
-            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
-        }
-
-        // check component role does not exist
-        componentRoleId = toComponentRole(
-            genericComponentRoleId, 
-            _components);
-
-        if (roleExists(componentRoleId)) {
-            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
-        }
-
-        // check role info
-        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
-            genericComponentRoleId);
-
-        if (roleInfo.roleType != IAccess.RoleType.Contract) {
-            revert ErrorInstanceAdminRoleTypeNotContract(
-                componentRoleId,
-                roleInfo.roleType);
-        }
-
-        // effects
-        _targetRoleId[address(component)] = componentRoleId;
-        _components++;
-
-        _createRole(
-            componentRoleId,
-            roleInfo);
-    }
-
-
     function _createRoles(IAuthorization authorization)
         internal
     {
@@ -347,12 +341,8 @@ contract InstanceAdmin is
         RoleId mainTargetRoleId = authorization.getTargetRole(
             authorization.getMainTarget());
 
-        RoleId roleId;
-        RoleInfo memory roleInfo;
-
         for(uint256 i = 0; i < roles.length; i++) {
-
-            roleId = roles[i];
+            RoleId roleId = roles[i];
 
             // skip main target role, create role if not exists
             if (roleId != mainTargetRoleId && !roleExists(roleId)) {
@@ -364,16 +354,6 @@ contract InstanceAdmin is
     }
 
 
-    function toComponentRole(RoleId roleId, uint64 componentIdx)
-        internal
-        pure
-        returns (RoleId)
-    {
-        return RoleIdLib.toRoleId(
-            RoleIdLib.toInt(roleId) + componentIdx);
-    }
-
-
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
     {
@@ -383,68 +363,21 @@ contract InstanceAdmin is
         for(uint256 i = 0; i < targets.length; i++) {
             target = targets[i];
             RoleId[] memory authorizedRoles = authorization.getAuthorizedRoles(target);
-            RoleId authorizedRole;
 
             for(uint256 j = 0; j < authorizedRoles.length; j++) {
-                authorizedRole = authorizedRoles[j];
-
-                _authorizeTargetFunctions(
-                    getTargetForName(target),
-                    authorizedRole,
-                    authorization.getAuthorizedFunctions(
-                        target, 
-                        authorizedRole));
+                _authorizeFunctions(authorization, target, authorizedRoles[j]);
             }
         }
     }
 
-    function _checkAndCreateTargetWithRole(
-        address target,
-        string memory targetName
-    )
-        internal
-    {
-        // check that target name is defined in authorization specification
-        Str name = StrLib.toStr(targetName);
-        if (!_authorization.targetExists(name)) {
-            revert ErrorInstanceAdminExpectedTargetMissing(targetName);
-        }
-
-        // create named target
-        _createTarget(
-            target, 
-            targetName, 
-            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
-            false);
-
-        // assign target role if defined
-        RoleId targetRoleId = _authorization.getTargetRole(name);
-        if (targetRoleId != RoleIdLib.zero()) {
-            _grantRoleToAccount(targetRoleId, target);
-        }
-    }
 
-    function _setupInstanceHelperTargetsWithRoles()
+    function _checkComponentOrCustomTarget(address target) 
         internal
+        view
     {
-
-        // create module targets
-        _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME);
-
-        // create targets for services that need to access the instance targets
-        ObjectType[] memory serviceDomains = _authorization.getServiceDomains();
-        VersionPart release = _authorization.getRelease();
-        ObjectType serviceDomain;
-
-        for (uint256 i = 0; i < serviceDomains.length; i++) {
-            serviceDomain = serviceDomains[i];
-
-            _checkAndCreateTargetWithRole(
-                _registry.getServiceAddress(serviceDomain, release),
-                _authorization.getServiceTarget(serviceDomain).toString());
+        IAccess.TargetType targetType = getTargetInfo(target).targetType;
+        if (targetType != TargetType.Component && targetType != TargetType.Custom) {
+            revert ErrorInstanceAdminNotComponentOrCustomTarget(target);
         }
     }
 }

package/contracts/instance/InstanceAuthorizationV3.sol

@@ -2,14 +2,15 @@
 pragma solidity ^0.8.20;
 
 import {IAccess} from "../authorization/IAccess.sol";
+import {IInstance} from "../instance/Instance.sol";
 
+import {AccessAdminLib} from "../authorization/AccessAdminLib.sol";
 import {Authorization} from "../authorization/Authorization.sol";
 import {ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK} from "../../contracts/type/ObjectType.sol";
 import {BundleSet} from "../instance/BundleSet.sol";
-import {Instance} from "../instance/Instance.sol";
 import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
 import {InstanceStore} from "../instance/InstanceStore.sol";
-import {PUBLIC_ROLE} from "../type/RoleId.sol";
+import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {RiskSet} from "../instance/RiskSet.sol"; 
 
 
@@ -18,6 +19,7 @@ contract InstanceAuthorizationV3
 {
 
      string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+     string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
 
      string public constant INSTANCE_TARGET_NAME = "Instance";
      string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
@@ -26,22 +28,41 @@ contract InstanceAuthorizationV3
      string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
      constructor()
-          Authorization(INSTANCE_TARGET_NAME, INSTANCE(), false, false)
+          Authorization(
+               INSTANCE_TARGET_NAME, 
+               INSTANCE(), 
+               3, 
+               COMMIT_HASH,
+               false, 
+               false)
      { }
 
      function _setupServiceTargets() internal virtual override {
           // service targets relevant to instance
-          _addServiceTargetWithRole(INSTANCE());
-          _addServiceTargetWithRole(ACCOUNTING());
-          _addServiceTargetWithRole(COMPONENT());
-          _addServiceTargetWithRole(DISTRIBUTION());
-          _addServiceTargetWithRole(ORACLE());
-          _addServiceTargetWithRole(POOL());
-          _addServiceTargetWithRole(BUNDLE());
-          _addServiceTargetWithRole(RISK());
-          _addServiceTargetWithRole(APPLICATION());
-          _addServiceTargetWithRole(POLICY());
-          _addServiceTargetWithRole(CLAIM());
+          _authorizeServiceDomain(INSTANCE(), address(10));
+          _authorizeServiceDomain(ACCOUNTING(), address(11));
+          _authorizeServiceDomain(COMPONENT(), address(12));
+          _authorizeServiceDomain(DISTRIBUTION(), address(13));
+          _authorizeServiceDomain(ORACLE(), address(14));
+          _authorizeServiceDomain(POOL(), address(15));
+          _authorizeServiceDomain(BUNDLE(), address(16));
+          _authorizeServiceDomain(RISK(), address(17));
+          _authorizeServiceDomain(APPLICATION(), address(18));
+          _authorizeServiceDomain(POLICY(), address(19));
+          _authorizeServiceDomain(CLAIM(), address(20));
+     }
+
+     function _setupRoles()
+          internal
+          override
+     {
+          _addRole(
+               INSTANCE_OWNER_ROLE(),
+               AccessAdminLib.toRole(
+                    ADMIN_ROLE(),
+                    RoleType.Custom,
+                    0, // max member count special case: instance nft owner is sole role owner
+                    INSTANCE_OWNER_ROLE_NAME));
      }
 
      function _setupTargets()
@@ -49,7 +70,6 @@ contract InstanceAuthorizationV3
           override
      {
           // instance supporting targets
-          // _addGifContractTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(INSTANCE_STORE_TARGET_NAME);
           _addTarget(BUNDLE_SET_TARGET_NAME);
@@ -95,7 +115,7 @@ contract InstanceAuthorizationV3
           // authorize risk service role
           functions = _authorizeForTarget(RISK_SET_TARGET_NAME, getServiceRole(RISK()));
           _authorize(functions, RiskSet.add.selector, "add");
-          _authorize(functions, RiskSet.pause.selector, "pause");
+          _authorize(functions, RiskSet.deactivate.selector, "deactivate");
           _authorize(functions, RiskSet.activate.selector, "activate");
 
           // authorize policy service role
@@ -112,25 +132,28 @@ contract InstanceAuthorizationV3
 
           // authorize instance service role
           functions = _authorizeForTarget(INSTANCE_TARGET_NAME, PUBLIC_ROLE());
-          _authorize(functions, Instance.registerProduct.selector, "registerProduct");
-          _authorize(functions, Instance.upgradeInstanceReader.selector, "upgradeInstanceReader");
+          _authorize(functions, IInstance.registerProduct.selector, "registerProduct");
+          _authorize(functions, IInstance.upgradeInstanceReader.selector, "upgradeInstanceReader");
 
           // staking
-          _authorize(functions, Instance.setStakingLockingPeriod.selector, "setStakingLockingPeriod");
-          _authorize(functions, Instance.setStakingRewardRate.selector, "setStakingRewardRate");
-          _authorize(functions, Instance.refillStakingRewardReserves.selector, "refillStakingRewardReserves");
-          _authorize(functions, Instance.withdrawStakingRewardReserves.selector, "withdrawStakingRewardReserves");
+          _authorize(functions, IInstance.setStakingLockingPeriod.selector, "setStakingLockingPeriod");
+          _authorize(functions, IInstance.setStakingRewardRate.selector, "setStakingRewardRate");
+          _authorize(functions, IInstance.setStakingMaxAmount.selector, "setStakingMaxAmount");
+          _authorize(functions, IInstance.refillStakingRewardReserves.selector, "refillStakingRewardReserves");
+          _authorize(functions, IInstance.withdrawStakingRewardReserves.selector, "withdrawStakingRewardReserves");
 
           // custom authz
-          _authorize(functions, Instance.createRole.selector, "createRole");
-          _authorize(functions, Instance.grantRole.selector, "grantRole");
-          _authorize(functions, Instance.revokeRole.selector, "revokeRole");
-          _authorize(functions, Instance.createTarget.selector, "createTarget");
-          _authorize(functions, Instance.setTargetFunctionRole.selector, "setTargetFunctionRole");
+          _authorize(functions, IInstance.createRole.selector, "createRole");
+          _authorize(functions, IInstance.setRoleActive.selector, "setRoleActive");
+          _authorize(functions, IInstance.grantRole.selector, "grantRole");
+          _authorize(functions, IInstance.revokeRole.selector, "revokeRole");
+          _authorize(functions, IInstance.createTarget.selector, "createTarget");
+          _authorize(functions, IInstance.authorizeFunctions.selector, "authorizeFunctions");
+          _authorize(functions, IInstance.unauthorizeFunctions.selector, "unauthorizeFunctions");
 
           // authorize instance service role
           functions = _authorizeForTarget(INSTANCE_TARGET_NAME, getServiceRole(INSTANCE()));
-          _authorize(functions, Instance.setInstanceReader.selector, "setInstanceReader");
+          _authorize(functions, IInstance.setInstanceReader.selector, "setInstanceReader");
      }
 
 
@@ -141,8 +164,16 @@ contract InstanceAuthorizationV3
 
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
-          _authorize(functions, InstanceAdmin.setInstanceLocked.selector, "setInstanceLocked");
+          _authorize(functions, InstanceAdmin.createRole.selector, "createRole");
+          _authorize(functions, InstanceAdmin.setRoleActive.selector, "setRoleActive");
+          _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
+          _authorize(functions, InstanceAdmin.revokeRole.selector, "revokeRole");
+
+          _authorize(functions, InstanceAdmin.createTarget.selector, "createTarget");
+          _authorize(functions, InstanceAdmin.authorizeFunctions.selector, "authorizeFunctions");
+          _authorize(functions, InstanceAdmin.unauthorizeFunctions.selector, "unauthorizeFunctions");
           _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
+          _authorize(functions, InstanceAdmin.setInstanceLocked.selector, "setInstanceLocked");
 
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(COMPONENT()));