npm - @etherisc/gif-next - Versions diffs - 0.0.2-ce87da3-250 → 0.0.2-ceb30b2-601 - Mend

@etherisc/gif-next 0.0.2-ce87da3-250 → 0.0.2-ceb30b2-601

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (278) hide show

package/contracts/instance/InstanceService.sol CHANGED Viewed

@@ -2,6 +2,7 @@
 pragma solidity ^0.8.20;
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
 import {Instance} from "./Instance.sol";
 import {IInstance} from "./IInstance.sol";
@@ -9,46 +10,48 @@ import {InstanceAccessManager} from "./InstanceAccessManager.sol";
 import {IInstanceService} from "./IInstanceService.sol";
 import {InstanceReader} from "./InstanceReader.sol";
 import {BundleManager} from "./BundleManager.sol";
+import {AccessManagerUpgradeableInitializeable} from "./AccessManagerUpgradeableInitializeable.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IRegistryService} from "../registry/IRegistryService.sol";
-import {ChainNft} from "../registry/ChainNft.sol";
 import {Service} from "../../contracts/shared/Service.sol";
-import {IService} from "../shared/IService.sol";
 import {NftId} from "../../contracts/types/NftId.sol";
 import {RoleId} from "../types/RoleId.sol";
-import {ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE} from "../types/RoleId.sol";
+import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE, INSTANCE_ROLE} from "../types/RoleId.sol";
 import {ObjectType, INSTANCE, BUNDLE, APPLICATION, POLICY, CLAIM, PRODUCT, DISTRIBUTION, REGISTRY, POOL} from "../types/ObjectType.sol";
-import {IDistributionComponent} from "../components/IDistributionComponent.sol";
-import {IPoolComponent} from "../components/IPoolComponent.sol";
-import {IProductComponent} from "../components/IProductComponent.sol";
 contract InstanceService is
     Service,
     IInstanceService
 {
+    // TODO update to real hash when instance is stable
+    bytes32 public constant INSTANCE_CREATION_CODE_HASH = bytes32(0);
+    IRegistryService internal _registryService;
+    address internal _masterOzAccessManager;
     address internal _masterInstanceAccessManager;
     address internal _masterInstance;
     address internal _masterInstanceReader;
     address internal _masterInstanceBundleManager;
-    // TODO update to real hash when instance is stable
-    bytes32 public constant INSTANCE_CREATION_CODE_HASH = bytes32(0);
-    modifier onlyInstanceOwner(NftId instanceNftId) {
-        IRegistry registry = getRegistry();
-        ChainNft chainNft = ChainNft(registry.getChainNftAddress());
-        if( msg.sender != chainNft.ownerOf(instanceNftId.toInt())) {
-            revert ErrorInstanceServiceNotInstanceOwner(msg.sender, instanceNftId);
+    modifier onlyInstanceOwner(NftId instanceNftId) {
+        if(msg.sender != getRegistry().ownerOf(instanceNftId)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
         }
         _;
     }
+    // TODO check service domain?
+    // TODO check release version?
     modifier onlyRegisteredService() {
-        address caller = msg.sender;
-        if (! getRegistry().isRegisteredService(caller)) {
-            revert ErrorInstanceServiceRequestUnauhorized(caller);
+        if (! getRegistry().isRegisteredService(msg.sender)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
+        }
+        _;
+    }
+    // TODO check release version?
+    modifier onlyComponent() {
+        if (! getRegistry().isRegisteredComponent(msg.sender)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
         }
         _;
     }
@@ -56,56 +59,66 @@ contract InstanceService is
     function createInstanceClone()
         external
         returns (
-            InstanceAccessManager clonedAccessManager,
             Instance clonedInstance,
-            NftId clonedInstanceNftId,
-            InstanceReader clonedInstanceReader,
-            BundleManager clonedBundleManager
+            NftId clonedInstanceNftId
         )
     {
         address instanceOwner = msg.sender;
-        IRegistry registry = getRegistry();
-        address registryAddress = address(registry);
-        NftId registryNftId = registry.getNftId(registryAddress);
-        address registryServiceAddress = registry.getServiceAddress(REGISTRY(), getMajorVersion());
-        IRegistryService registryService = IRegistryService(registryServiceAddress);
+        AccessManagerUpgradeableInitializeable clonedOzAccessManager = AccessManagerUpgradeableInitializeable(
+            Clones.clone(_masterOzAccessManager));
-        // initially set the authority of the access managar to this (being the instance service).
-        // This will allow the instance service to bootstrap the authorizations of the instance
-        // and then transfer the ownership of the access manager to the instance owner once everything is setup
-        clonedAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
-        clonedAccessManager.initialize(address(this));
+        // initially grants ADMIN_ROLE to this (being the instance service).
+        // This will allow the instance service to bootstrap the authorizations of the instance.
+        // Instance service will not use oz access manager directlly but through instance access manager instead
+        // Instance service will renounce ADMIN_ROLE when bootstraping is finished
+        clonedOzAccessManager.initialize(address(this));
         clonedInstance = Instance(Clones.clone(_masterInstance));
-        clonedInstance.initialize(address(clonedAccessManager), registryAddress, registryNftId, msg.sender);
+        clonedInstance.initialize(
+            address(clonedOzAccessManager),
+            address(getRegistry()),
+            instanceOwner);
-        clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        clonedInstanceReader.initialize(registryAddress, address(clonedInstance));
+        InstanceReader clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
+        clonedInstanceReader.initialize(address(clonedInstance));
         clonedInstance.setInstanceReader(clonedInstanceReader);
-        clonedBundleManager = BundleManager(Clones.clone(_masterInstanceBundleManager));
-        clonedBundleManager.initialize(address(clonedAccessManager), registryAddress, address(clonedInstance));
+        BundleManager clonedBundleManager = BundleManager(Clones.clone(_masterInstanceBundleManager));
+        clonedBundleManager.initialize(address(clonedInstance));
         clonedInstance.setBundleManager(clonedBundleManager);
+        InstanceAccessManager clonedInstanceAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
+        clonedOzAccessManager.grantRole(ADMIN_ROLE().toInt(), address(clonedInstanceAccessManager), 0);
+        clonedInstanceAccessManager.initialize(address(clonedInstance));
+        clonedInstance.setInstanceAccessManager(clonedInstanceAccessManager);
         // TODO amend setters with instance specific , policy manager ...
-        _grantInitialAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
+        _grantInitialAuthorizations(clonedInstanceAccessManager, clonedInstance, clonedBundleManager, instanceOwner);
-        // to complete setup switch instance ownership to the instance owner
-        // TODO: use a role less powerful than admin, maybe INSTANCE_ADMIN (does not exist yet)
-        clonedAccessManager.grantRole(ADMIN_ROLE(), instanceOwner);
-        clonedAccessManager.revokeRole(ADMIN_ROLE(), address(this));
+        clonedOzAccessManager.renounceRole(ADMIN_ROLE().toInt(), address(this));
-        IRegistry.ObjectInfo memory info = registryService.registerInstance(clonedInstance, instanceOwner);
+        IRegistry.ObjectInfo memory info = _registryService.registerInstance(clonedInstance, instanceOwner);
         clonedInstanceNftId = info.nftId;
-        // clonedInstance.linkToRegisteredNftId();
-        emit LogInstanceCloned(address(clonedAccessManager), address(clonedInstance), address(clonedInstanceReader), clonedInstanceNftId);
+        emit LogInstanceCloned(
+            address(clonedOzAccessManager),
+            address(clonedInstanceAccessManager),
+            address(clonedInstance),
+            address(clonedBundleManager),
+            address(clonedInstanceReader),
+            clonedInstanceNftId);
     }
-    function _grantInitialAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
-        _createGifRoles(clonedAccessManager);
-        _createGifTargets(clonedAccessManager, clonedInstance, clonedBundleManager);
+    function _grantInitialAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        BundleManager clonedBundleManager,
+        address instanceOwner)
+            internal
+    {
+        _createCoreAndGifRoles(clonedAccessManager);
+        _createCoreTargets(clonedAccessManager, clonedInstance, clonedBundleManager);
         _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantProductServiceAuthorizations(clonedAccessManager, clonedInstance);
@@ -114,33 +127,35 @@ contract InstanceService is
         _grantClaimServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantBundleServiceAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
         _grantInstanceServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantInstanceOwnerAuthorizations(clonedAccessManager, instanceOwner);
     }
-    function _createGifRoles(InstanceAccessManager clonedAccessManager) internal {
-        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole");
-        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole");
-        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole");
-        clonedAccessManager.createGifRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
-        clonedAccessManager.createGifRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
-        clonedAccessManager.createGifRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
-        clonedAccessManager.createGifRole(APPLICATION_SERVICE_ROLE(), "ApplicationServiceRole");
-        clonedAccessManager.createGifRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
-        clonedAccessManager.createGifRole(CLAIM_SERVICE_ROLE(), "ClaimServiceRole");
-        clonedAccessManager.createGifRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
-        clonedAccessManager.createGifRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+    function _createCoreAndGifRoles(InstanceAccessManager clonedAccessManager) internal {
+        // default roles controlled by ADMIN_ROLE -> core roles
+        // all set/granted only once during cloning (the only exception is INSTANCE_OWNER_ROLE, hooked to instance nft)
+        clonedAccessManager.createCoreRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+        clonedAccessManager.createCoreRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
+        clonedAccessManager.createCoreRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
+        clonedAccessManager.createCoreRole(APPLICATION_SERVICE_ROLE(), "ApplicationServiceRole");
+        clonedAccessManager.createCoreRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
+        clonedAccessManager.createCoreRole(CLAIM_SERVICE_ROLE(), "ClaimServiceRole");
+        clonedAccessManager.createCoreRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
+        clonedAccessManager.createCoreRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
+        // default roles controlled by INSTANCE_OWNER_ROLE -> gif roles
+        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole", INSTANCE_OWNER_ROLE());
     }
-    function _createGifTargets(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
-        clonedAccessManager.createGifTarget(address(clonedAccessManager), "InstanceAccessManager");
-        clonedAccessManager.createGifTarget(address(clonedInstance), "Instance");
-        clonedAccessManager.createGifTarget(address(clonedBundleManager), "BundleManager");
+    function _createCoreTargets(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        clonedAccessManager.createCoreTarget(address(clonedAccessManager), "InstanceAccessManager");
+        clonedAccessManager.createCoreTarget(address(clonedInstance), "Instance");
+        clonedAccessManager.createCoreTarget(address(clonedBundleManager), "BundleManager");
     }
     function _grantDistributionServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for distribution service on instance
-        IRegistry registry = getRegistry();
-        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), getMajorVersion());
+        address distributionServiceAddress = getRegistry().getServiceAddress(DISTRIBUTION(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE(), distributionServiceAddress);
         bytes4[] memory instanceDistributionServiceSelectors = new bytes4[](11);
         instanceDistributionServiceSelectors[0] = clonedInstance.createDistributionSetup.selector;
@@ -154,7 +169,7 @@ contract InstanceService is
         instanceDistributionServiceSelectors[8] = clonedInstance.createReferral.selector;
         instanceDistributionServiceSelectors[9] = clonedInstance.updateReferral.selector;
         instanceDistributionServiceSelectors[10] = clonedInstance.updateReferralState.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceDistributionServiceSelectors,
             DISTRIBUTION_SERVICE_ROLE());
@@ -162,12 +177,12 @@ contract InstanceService is
     function _grantPoolServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for pool service on instance
-        address poolServiceAddress = getRegistry().getServiceAddress(POOL(), getMajorVersion());
+        address poolServiceAddress = getRegistry().getServiceAddress(POOL(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(POOL_SERVICE_ROLE(), address(poolServiceAddress));
         bytes4[] memory instancePoolServiceSelectors = new bytes4[](4);
         instancePoolServiceSelectors[0] = clonedInstance.createPoolSetup.selector;
         instancePoolServiceSelectors[1] = clonedInstance.updatePoolSetup.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instancePoolServiceSelectors,
             POOL_SERVICE_ROLE());
@@ -175,7 +190,7 @@ contract InstanceService is
     function _grantProductServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for product service on instance
-        address productServiceAddress = getRegistry().getServiceAddress(PRODUCT(), getMajorVersion());
+        address productServiceAddress = getRegistry().getServiceAddress(PRODUCT(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE(), address(productServiceAddress));
         bytes4[] memory instanceProductServiceSelectors = new bytes4[](5);
         instanceProductServiceSelectors[0] = clonedInstance.createProductSetup.selector;
@@ -183,7 +198,7 @@ contract InstanceService is
         instanceProductServiceSelectors[2] = clonedInstance.createRisk.selector;
         instanceProductServiceSelectors[3] = clonedInstance.updateRisk.selector;
         instanceProductServiceSelectors[4] = clonedInstance.updateRiskState.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceProductServiceSelectors,
             PRODUCT_SERVICE_ROLE());
@@ -191,13 +206,13 @@ contract InstanceService is
     function _grantApplicationServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for application services on instance
-        address applicationServiceAddress = getRegistry().getServiceAddress(APPLICATION(), getMajorVersion());
+        address applicationServiceAddress = getRegistry().getServiceAddress(APPLICATION(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(APPLICATION_SERVICE_ROLE(), applicationServiceAddress);
         bytes4[] memory instanceApplicationServiceSelectors = new bytes4[](3);
         instanceApplicationServiceSelectors[0] = clonedInstance.createApplication.selector;
         instanceApplicationServiceSelectors[1] = clonedInstance.updateApplication.selector;
         instanceApplicationServiceSelectors[2] = clonedInstance.updateApplicationState.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceApplicationServiceSelectors,
             APPLICATION_SERVICE_ROLE());
@@ -205,12 +220,12 @@ contract InstanceService is
     function _grantPolicyServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for policy services on instance
-        address policyServiceAddress = getRegistry().getServiceAddress(POLICY(), getMajorVersion());
+        address policyServiceAddress = getRegistry().getServiceAddress(POLICY(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), policyServiceAddress);
         bytes4[] memory instancePolicyServiceSelectors = new bytes4[](2);
         instancePolicyServiceSelectors[0] = clonedInstance.updatePolicy.selector;
         instancePolicyServiceSelectors[1] = clonedInstance.updatePolicyState.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instancePolicyServiceSelectors,
             POLICY_SERVICE_ROLE());
@@ -218,13 +233,22 @@ contract InstanceService is
     function _grantClaimServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for claim/payout services on instance
-        address claimServiceAddress = getRegistry().getServiceAddress(CLAIM(), getMajorVersion());
-        clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), claimServiceAddress);
-        // TODO add claims function authz
-        bytes4[] memory instanceClaimServiceSelectors = new bytes4[](0);
-        // instanceClaimServiceSelectors[0] = clonedInstance.updatePolicy.selector;
-        // instanceClaimServiceSelectors[1] = clonedInstance.updatePolicyState.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        address claimServiceAddress = getRegistry().getServiceAddress(CLAIM(), getVersion().toMajorPart());
+        clonedAccessManager.grantRole(CLAIM_SERVICE_ROLE(), claimServiceAddress);
+        bytes4[] memory instancePolicyServiceSelectors = new bytes4[](1);
+        instancePolicyServiceSelectors[0] = clonedInstance.updatePolicyClaims.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "Instance",
+            instancePolicyServiceSelectors,
+            CLAIM_SERVICE_ROLE());
+        bytes4[] memory instanceClaimServiceSelectors = new bytes4[](4);
+        instanceClaimServiceSelectors[0] = clonedInstance.createClaim.selector;
+        instanceClaimServiceSelectors[1] = clonedInstance.updateClaim.selector;
+        instanceClaimServiceSelectors[2] = clonedInstance.createPayout.selector;
+        instanceClaimServiceSelectors[3] = clonedInstance.updatePayout.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceClaimServiceSelectors,
             CLAIM_SERVICE_ROLE());
@@ -232,12 +256,13 @@ contract InstanceService is
     function _grantBundleServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
         // configure authorization for bundle service on instance
-        address bundleServiceAddress = getRegistry().getServiceAddress(BUNDLE(), getMajorVersion());
+        address bundleServiceAddress = getRegistry().getServiceAddress(BUNDLE(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE(), address(bundleServiceAddress));
-        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](2);
+        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](3);
         instanceBundleServiceSelectors[0] = clonedInstance.createBundle.selector;
         instanceBundleServiceSelectors[1] = clonedInstance.updateBundle.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        instanceBundleServiceSelectors[2] = clonedInstance.updateBundleState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceBundleServiceSelectors,
             BUNDLE_SERVICE_ROLE());
@@ -249,69 +274,86 @@ contract InstanceService is
         bundleManagerBundleServiceSelectors[2] = clonedBundleManager.add.selector;
         bundleManagerBundleServiceSelectors[3] = clonedBundleManager.lock.selector;
         bundleManagerBundleServiceSelectors[4] = clonedBundleManager.unlock.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "BundleManager",
             bundleManagerBundleServiceSelectors,
             BUNDLE_SERVICE_ROLE());
     }
     function _grantInstanceServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
-// configure authorization for instance service on instance
-        address instanceServiceAddress = getRegistry().getServiceAddress(INSTANCE(), getMajorVersion());
+        // configure authorization for instance service on instance
+        address instanceServiceAddress = getRegistry().getServiceAddress(INSTANCE(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE(), instanceServiceAddress);
         bytes4[] memory instanceInstanceServiceSelectors = new bytes4[](1);
         instanceInstanceServiceSelectors[0] = clonedInstance.setInstanceReader.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceInstanceServiceSelectors,
             INSTANCE_SERVICE_ROLE());
-        bytes4[] memory instanceAccessManagerInstanceServiceSelectors = new bytes4[](1);
-        instanceAccessManagerInstanceServiceSelectors[0] = clonedAccessManager.createGifTarget.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        // configure authorizations for instance service on instance access manager
+        bytes4[] memory accessManagerInstanceServiceSelectors = new bytes4[](3);
+        accessManagerInstanceServiceSelectors[0] = clonedAccessManager.createGifTarget.selector;
+        accessManagerInstanceServiceSelectors[1] = clonedAccessManager.setTargetLocked.selector;
+        accessManagerInstanceServiceSelectors[2] = clonedAccessManager.setCoreTargetFunctionRole.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
             "InstanceAccessManager",
-            instanceAccessManagerInstanceServiceSelectors,
+            accessManagerInstanceServiceSelectors,
             INSTANCE_SERVICE_ROLE());
     }
+    function _grantInstanceOwnerAuthorizations(InstanceAccessManager clonedAccessManager, address instanceOwner) internal {
+        // configure authorization for instance owner on instance access manager
+        // instance owner role is granted/revoked ONLY by INSTANCE_ROLE
+        bytes4[] memory accessManagerInstanceOwnerSelectors = new bytes4[](3);
+        accessManagerInstanceOwnerSelectors[0] = clonedAccessManager.createRole.selector;
+        accessManagerInstanceOwnerSelectors[1] = clonedAccessManager.createTarget.selector;
+        accessManagerInstanceOwnerSelectors[2] = clonedAccessManager.setTargetFunctionRole.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceAccessManager",
+            accessManagerInstanceOwnerSelectors,
+            INSTANCE_OWNER_ROLE());
+    }
     function setAndRegisterMasterInstance(address instanceAddress)
             external
             onlyOwner
             returns(NftId masterInstanceNftId)
     {
         if(_masterInstance != address(0)) { revert ErrorInstanceServiceMasterInstanceAlreadySet(); }
+        if(_masterOzAccessManager != address(0)) { revert ErrorInstanceServiceMasterOzAccessManagerAlreadySet(); }
         if(_masterInstanceAccessManager != address(0)) { revert ErrorInstanceServiceMasterInstanceAccessManagerAlreadySet(); }
         if(_masterInstanceBundleManager != address(0)) { revert ErrorInstanceServiceMasterBundleManagerAlreadySet(); }
         if(instanceAddress == address(0)) { revert ErrorInstanceServiceInstanceAddressZero(); }
         IInstance instance = IInstance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        address accessManagerAddress = address(accessManager);
+        InstanceAccessManager instanceAccessManager = instance.getInstanceAccessManager();
+        address instanceAccessManagerAddress = address(instanceAccessManager);
         InstanceReader instanceReader = instance.getInstanceReader();
         address instanceReaderAddress = address(instanceReader);
         BundleManager bundleManager = instance.getBundleManager();
         address bundleManagerAddress = address(bundleManager);
-        if(accessManagerAddress == address(0)) { revert ErrorInstanceServiceAccessManagerZero(); }
+        if(instanceAccessManagerAddress == address(0)) { revert ErrorInstanceServiceInstanceAccessManagerZero(); }
         if(instanceReaderAddress == address(0)) { revert ErrorInstanceServiceInstanceReaderZero(); }
         if(bundleManagerAddress == address(0)) { revert ErrorInstanceServiceBundleManagerZero(); }
-        if(instance.authority() != accessManagerAddress) { revert ErrorInstanceServiceInstanceAuthorityMismatch(); }
-        if(instanceReader.getInstance() != instance) { revert ErrorInstanceServiceInstanceReaderInstanceMismatch2(); }
+        if(instance.authority() != instanceAccessManager.authority()) { revert ErrorInstanceServiceInstanceAuthorityMismatch(); }
+        if(bundleManager.authority() != instance.authority()) { revert ErrorInstanceServiceBundleManagerAuthorityMismatch(); }
         if(bundleManager.getInstance() != instance) { revert ErrorInstanceServiceBundleMangerInstanceMismatch(); }
+        if(instanceReader.getInstance() != instance) { revert ErrorInstanceServiceInstanceReaderInstanceMismatch2(); }
-        _masterInstanceAccessManager = accessManagerAddress;
+        _masterOzAccessManager = instance.authority();
+        _masterInstanceAccessManager = instanceAccessManagerAddress;
         _masterInstance = instanceAddress;
         _masterInstanceReader = instanceReaderAddress;
         _masterInstanceBundleManager = bundleManagerAddress;
-        IRegistryService registryService = IRegistryService(getRegistry().getServiceAddress(REGISTRY(), getMajorVersion()));
         IInstance masterInstance = IInstance(_masterInstance);
-        IRegistry.ObjectInfo memory info = registryService.registerInstance(masterInstance, getOwner());
+        IRegistry.ObjectInfo memory info = _registryService.registerInstance(masterInstance, getOwner());
         masterInstanceNftId = info.nftId;
-        // masterInstance.linkToRegisteredNftId();
     }
     function setMasterInstanceReader(address instanceReaderAddress) external onlyOwner {
@@ -325,40 +367,72 @@ contract InstanceService is
         _masterInstanceReader = instanceReaderAddress;
     }
-    // TODO access restriction
-    function upgradeInstanceReader(NftId instanceNftId) external {
+    function upgradeInstanceReader(NftId instanceNftId)
+        external
+        onlyInstanceOwner(instanceNftId)
+    {
         IRegistry registry = getRegistry();
         IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
         Instance instance = Instance(instanceInfo.objectAddress);
-        address owner = instance.getOwner();
-        if (msg.sender != owner) {
-            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
-        }
         InstanceReader upgradedInstanceReaderClone = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        upgradedInstanceReaderClone.initialize(address(registry), address(instance));
+        upgradedInstanceReaderClone.initialize(address(instance));
         instance.setInstanceReader(upgradedInstanceReaderClone);
     }
-    function getMasterInstanceReader() external view returns (address) {
-        return _masterInstanceReader;
-    }
-    function getMasterInstance() external view returns (address) {
-        return _masterInstance;
+    // all gif targets MUST be childs of instanceNftId
+    function createGifTarget(
+        NftId instanceNftId,
+        address targetAddress,
+        string memory targetName,
+        bytes4[][] memory selectors,
+        RoleId[] memory roles
+    )
+        external
+        onlyRegisteredService
+    {
+        (
+            IInstance instance, // or instanceInfo
+            // or targetInfo
+        ) = _validateInstanceAndComponent(instanceNftId, targetAddress);
+        InstanceAccessManager accessManager = instance.getInstanceAccessManager();
+        accessManager.createGifTarget(targetAddress, targetName);
+        // set proposed target config
+        // TODO restriction: for gif targets can set only once and only here?
+        //      assume config is a mix of gif and custom roles and no further configuration by INSTANCE_OWNER_ROLE is ever needed?
+        for(uint roleIdx = 0; roleIdx < roles.length; roleIdx++)
+        {
+            accessManager.setCoreTargetFunctionRole(targetName, selectors[roleIdx], roles[roleIdx]);
+        }
     }
-    function getMasterInstanceAccessManager() external view returns (address) {
-        return _masterInstanceAccessManager;
+    // TODO called by component, but target can be component helper...so needs target name
+    // TODO check that targetName associated with component...how???
+    function setComponentLocked(bool locked) onlyComponent external {
+        address componentAddress = msg.sender;
+        IRegistry registry = getRegistry();
+        NftId instanceNftId = registry.getObjectInfo(componentAddress).parentNftId;
+        IInstance instance = IInstance(
+            registry.getObjectInfo(
+                instanceNftId).objectAddress);
+        instance.getInstanceAccessManager().setTargetLocked(
+            componentAddress,
+            locked);
     }
-    function getMasterInstanceBundleManager() external view returns (address) {
-        return _masterInstanceBundleManager;
+    function getMasterInstanceReader() external view returns (address) {
+        return _masterInstanceReader;
     }
     // From IService
-    function getDomain() public pure override(Service, IService) returns(ObjectType) {
+    function getDomain() public pure override returns(ObjectType) {
         return INSTANCE();
     }
@@ -371,106 +445,40 @@ contract InstanceService is
         initializer
         virtual override
     {
-        address initialOwner;
-        address registryAddress;
-        (registryAddress, initialOwner) = abi.decode(data, (address, address));
+        (
+            address registryAddress,
+            address initialOwner
+        ) = abi.decode(data, (address, address));
+        _registryService = IRegistryService(
+            IRegistry(registryAddress).getServiceAddress(
+                REGISTRY(),
+                getVersion().toMajorPart()));
         // TODO while InstanceService is not deployed in InstanceServiceManager constructor
         //      owner is InstanceServiceManager deployer
-        initializeService(registryAddress, owner);
+        initializeService(registryAddress, address(0), owner);
         registerInterface(type(IInstanceService).interfaceId);
     }
-    function hasRole(address account, RoleId role, address instanceAddress) public view returns (bool) {
-        Instance instance = Instance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        return accessManager.hasRole(role, account);
-    }
-    function createGifTarget(NftId instanceNftId, address targetAddress, string memory targetName) external onlyRegisteredService {
-        IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        accessManager.createGifTarget(targetAddress, targetName);
-    }
-    function grantDistributionDefaultPermissions(NftId instanceNftId, address distributionAddress, string memory distributionName) external onlyRegisteredService {
-        IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory distributionInfo = registry.getObjectInfo(distributionAddress);
-        if (distributionInfo.objectType != DISTRIBUTION()) {
-            revert ErrorInstanceServiceInvalidComponentType(distributionAddress, DISTRIBUTION(), distributionInfo.objectType);
-        }
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IDistributionComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(distributionName, fctSelectors, DISTRIBUTION_OWNER_ROLE());
-        bytes4[] memory fctSelectors2 = new bytes4[](2);
-        fctSelectors2[0] = IDistributionComponent.processSale.selector;
-        fctSelectors2[1] = IDistributionComponent.processRenewal.selector;
-        instanceAccessManager.setTargetFunctionRole(distributionName, fctSelectors2, PRODUCT_SERVICE_ROLE());
-    }
-    function grantPoolDefaultPermissions(NftId instanceNftId, address poolAddress, string memory poolName) external onlyRegisteredService {
+    function _validateInstanceAndComponent(NftId instanceNftId, address componentAddress)
+        internal
+        view
+        returns (IInstance instance, NftId componentNftId)
+    {
         IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory poolInfo = registry.getObjectInfo(poolAddress);
-        if (poolInfo.objectType != POOL()) {
-            revert ErrorInstanceServiceInvalidComponentType(poolAddress, POOL(), poolInfo.objectType);
-        }
         IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IPoolComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(poolName, fctSelectors, POOL_OWNER_ROLE());
-        bytes4[] memory fctSelectors2 = new bytes4[](1);
-        fctSelectors2[0] = IPoolComponent.verifyApplication.selector;
-        instanceAccessManager.setTargetFunctionRole(poolName, fctSelectors2, POLICY_SERVICE_ROLE());
-    }
-    function grantProductDefaultPermissions(NftId instanceNftId, address productAddress, string memory productName) external onlyRegisteredService {
-        IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory productInfo = registry.getObjectInfo(productAddress);
-        if (productInfo.objectType != PRODUCT()) {
-            revert ErrorInstanceServiceInvalidComponentType(productAddress, PRODUCT(), productInfo.objectType);
+        if(instanceInfo.objectType != INSTANCE()) {
+            revert ErrorInstanceServiceNotInstance(instanceNftId);
         }
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IProductComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(productName, fctSelectors, PRODUCT_OWNER_ROLE());
-    }
-    function setTargetLocked(string memory targetName, bool locked) external {
-        address componentAddress = msg.sender;
-        IRegistry registry = getRegistry();
         IRegistry.ObjectInfo memory componentInfo = registry.getObjectInfo(componentAddress);
-        if (componentInfo.nftId.eqz()) {
-            revert ErrorInstanceServiceComponentNotRegistered(componentAddress);
+        if(componentInfo.parentNftId != instanceNftId) {
+            revert ErrorInstanceServiceInstanceComponentMismatch(instanceNftId, componentInfo.nftId);
         }
-        // TODO validate component type
-        address instanceAddress = registry.getObjectInfo(componentInfo.parentNftId).objectAddress;
-        IInstance instance = IInstance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        accessManager.setTargetClosed(targetName, locked);
+        instance = Instance(instanceInfo.objectAddress);
+        componentNftId = componentInfo.nftId;
     }
-}
+}