npm - @etherisc/gif-next - Versions diffs - 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211 - Mend

@etherisc/gif-next 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211

Files changed (483) hide show

package/contracts/instance/InstanceAdmin.sol CHANGED Viewed

@@ -1,22 +1,20 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
-import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
-import {AccessAdmin} from "../authorization/AccessAdmin.sol";
-import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
-import {IAccessAdmin} from "../authorization/IAccessAdmin.sol";
+import {IAccess} from "../authorization/IAccess.sol";
 import {IAuthorization} from "../authorization/IAuthorization.sol";
-import {IComponent} from "../shared/IComponent.sol";
-import {IModuleAuthorization} from "../authorization/IModuleAuthorization.sol";
+import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
-import {IService} from "../shared/IService.sol";
-import {ObjectType, ObjectTypeLib, ALL, POOL, RELEASE} from "../type/ObjectType.sol";
-import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE} from "../type/RoleId.sol";
+import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
+import {NftId} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
+import {RoleId, RoleIdLib} from "../type/RoleId.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TokenHandler} from "../shared/TokenHandler.sol";
-import {VersionPart} from "../type/Version.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 contract InstanceAdmin is
@@ -26,143 +24,144 @@ contract InstanceAdmin is
     string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+    string public constant RISK_SET_TAGET_NAME = "RiskSet";
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
+    error ErrorInstanceAdminCallerNotInstanceOwner(address caller);
+    error ErrorInstanceAdminInstanceAlreadyLocked();
     error ErrorInstanceAdminNotRegistered(address target);
     error ErrorInstanceAdminAlreadyAuthorized(address target);
+    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
+    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
+    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
     error ErrorInstanceAdminReleaseMismatch();
     error ErrorInstanceAdminExpectedTargetMissing(string targetName);
-    IInstance _instance;
+    IInstance internal _instance;
     IRegistry internal _registry;
-    uint64 _idNext;
+    uint64 internal _customIdNext;
-    IModuleAuthorization _instanceAuthorization;
+    mapping(address target => RoleId roleId) internal _targetRoleId;
+    uint64 internal _components;
+    IAuthorization internal _instanceAuthorization;
+    modifier onlyInstanceOwner() {
+        if(msg.sender != _registry.ownerOf(address(_instance))) {
+            revert ErrorInstanceAdminCallerNotInstanceOwner(msg.sender);
+        }
+        _;
+    }
     /// @dev Only used for master instance admin.
     /// Contracts created via constructor come with disabled initializers.
     constructor(
-        IModuleAuthorization instanceAuthorization
-    )
-        AccessAdmin()
-    {
-        _instanceAuthorization = instanceAuthorization;
+        address instanceAuthorization
+    ) {
+        initialize(new AccessManagerCloneable());
+        _instanceAuthorization = IAuthorization(instanceAuthorization);
+        _disableInitializers();
     }
-    /// @dev Initializes this instance admin with the provided instances authorization specification.
-    /// Internally the function creates an instance specific OpenZeppelin AccessManager that is used as the authority
-    /// for the inststance authorizatios.
-    /// Important: Initialization of this instance admin is only complete after calling function initializeInstance.
     function initialize(
-        AccessManagerCloneable accessManager,
-        IModuleAuthorization instanceAuthorization
+        AccessManagerCloneable clonedAccessManager,
+        IRegistry registry,
+        VersionPart release
     )
         external
-        initializer()
+        initializer()
     {
-        // create new access manager for this instance admin
-        _initializeAuthority(address(accessManager));
-        // create basic instance independent setup
-        _createAdminAndPublicRoles();
-        // store instance authorization specification
-        _instanceAuthorization = IModuleAuthorization(instanceAuthorization);
-    }
+        __AccessAdmin_init(clonedAccessManager);
-    function _checkTargetIsReadyForAuthorization(address target)
-        internal
-        view
-    {
-        if (address(_registry) != address(0) && !_registry.isRegistered(target)) {
-            revert ErrorInstanceAdminNotRegistered(target);
-        }
+        clonedAccessManager.completeSetup(
+            address(registry),
+            release);
-        if (targetExists(target)) {
-            revert ErrorInstanceAdminAlreadyAuthorized(target);
-        }
+        _registry = registry;
     }
-    /// @dev Completes the initialization of this instance admin using the provided instance.
+    /// @dev Completes the initialization of this instance admin using the provided instance, registry and version.
+    /// Important: Initialization of instance admin is only complete after calling this function.
     /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
-    function initializeInstanceAuthorization(address instanceAddress)
+    function completeSetup(
+        address instance,
+        address authorization
+    )
         external
+        reinitializer(uint64(getRelease().toInt()))
+        onlyDeployer()
     {
-        _checkTargetIsReadyForAuthorization(instanceAddress);
+        _components = 0;
+        _customIdNext = CUSTOM_ROLE_ID_MIN;
+        _instance = IInstance(instance);
+        _instanceAuthorization = IAuthorization(authorization);
-        _idNext = CUSTOM_ROLE_ID_MIN;
-        _instance = IInstance(instanceAddress);
-        _registry = _instance.getRegistry();
+        _checkTargetIsReadyForAuthorization(instance);
         // check matching releases
-        if (_instanceAuthorization.getRelease() != _instance.getMajorVersion()) {
+        if (_instanceAuthorization.getRelease() != getRelease()) {
             revert ErrorInstanceAdminReleaseMismatch();
         }
+        // create instance role and target
+        _setupInstance(instance);
         // add instance authorization
         _createRoles(_instanceAuthorization);
-        _createModuleTargetsWithRoles();
-        _createTargetAuthorizations(_instanceAuthorization);
-        // grant component owner roles to instance owner
-        _grantComponentOwnerRoles();
+        _setupInstanceHelperTargetsWithRoles();
+        _createTargetAuthorizations(_instanceAuthorization);
     }
     /// @dev Initializes the authorization for the specified component.
     /// Important: The component MUST be registered.
     function initializeComponentAuthorization(
-        IComponent component,
-        IAuthorization authorization
+        IInstanceLinkedComponent component
     )
         external
+        restricted()
     {
+        // checks
         _checkTargetIsReadyForAuthorization(address(component));
-        _createRoles(authorization);
+        // setup target and role for component (including token handler)
+        _setupComponentAndTokenHandler(component);
+        // create other roles
+        IAuthorization authorization = component.getAuthorization();
+        _createRoles(authorization);
+        _createTargetAuthorizations(authorization);
+    }
+    // create instance role and target
+    function _setupInstance(address instance) internal {
+        // create instance role
+        RoleId instanceRoleId = _instanceAuthorization.getTargetRole(
+            _instanceAuthorization.getMainTarget());
-        // create component target
+        _createRole(
+            instanceRoleId,
+            _instanceAuthorization.getRoleInfo(instanceRoleId));
+        // create instance target
         _createTarget(
-            address(component),
-            authorization.getTargetName(),
+            instance,
+            _instanceAuthorization.getMainTargetName(),
             true, // checkAuthority
             false); // custom
-        _createTarget(
-            address(component.getTokenHandler()),
-            string(abi.encodePacked(authorization.getTargetName(), "TH")),
-            true,
-            false);
-        // FIXME: make this a bit nicer and work with IAuthorization. Use a specific role, not public - access to TokenHandler must be restricted
-        FunctionInfo[] memory functions = new FunctionInfo[](3);
-        functions[0] = toFunction(TokenHandler.collectTokens.selector, "collectTokens");
-        functions[1] = toFunction(TokenHandler.collectTokensToThreeRecipients.selector, "collectTokensToThreeRecipients");
-        functions[2] = toFunction(TokenHandler.distributeTokens.selector, "distributeTokens");
-        _authorizeTargetFunctions(
-            address(component.getTokenHandler()),
-            getPublicRole(),
-            functions);
+        // assign instance role to instance
         _grantRoleToAccount(
-            authorization.getTargetRole(
-                authorization.getTarget()),
-            address(component));
-        _createTargetAuthorizations(authorization);
-    }
-    function _grantComponentOwnerRoles()
-        internal
-    {
-        address instanceOwner = _registry.ownerOf(_instance.getNftId());
-        _grantRoleToAccount(DISTRIBUTION_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(ORACLE_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(POOL_OWNER_ROLE(), instanceOwner);
-        _grantRoleToAccount(PRODUCT_OWNER_ROLE(), instanceOwner);
+            instanceRoleId,
+            instance);
     }
     /// @dev Creates a custom role
@@ -184,27 +183,165 @@ contract InstanceAdmin is
         _grantRoleToAccount(roleId, account);
     }
+    function setInstanceLocked(bool locked)
+        external
+        onlyInstanceOwner()
+    {
+        AccessManagerCloneable accessManager = AccessManagerCloneable(authority());
+        if(accessManager.isLocked() == locked) {
+            revert ErrorInstanceAdminInstanceAlreadyLocked();
+        }
+        accessManager.setLocked(locked);
+    }
+    function setTargetLocked(address target, bool locked)
+        external
+        restricted()
+    {
+        _setTargetClosed(target, locked);
+    }
+    /// @dev Returns the number of components that have been registered with this instance.
+    function components()
+        external
+        view
+        returns (uint64)
+    {
+        return _components;
+    }
     /// @dev Returns the instance authorization specification used to set up this instance admin.
     function getInstanceAuthorization()
         external
         view
-        returns (IModuleAuthorization instanceAuthorizaion)
+        returns (IAuthorization instanceAuthorizaion)
     {
         return _instanceAuthorization;
     }
+    // ------------------- Internal functions ------------------- //
+    function _setupComponentAndTokenHandler(IInstanceLinkedComponent component)
+        internal
+    {
+        IAuthorization authorization = component.getAuthorization();
+        string memory targetName = authorization.getMainTargetName();
+        // create component role and target
+        RoleId componentRoleId = _createComponentRoleId(component, authorization);
+        // create component's target
+        _createTarget(
+            address(component),
+            targetName,
+            true, // checkAuthority
+            false); // custom
+        // create component's token handler target
+        NftId componentNftId = _registry.getNftIdForAddress(address(component));
+        address tokenHandler = address(
+            _instance.getInstanceReader().getComponentInfo(
+                componentNftId).tokenHandler);
+        _createTarget(
+            tokenHandler,
+            authorization.getTokenHandlerName(),
+            true,
+            false);
+        // assign component role to component
+        _grantRoleToAccount(
+            componentRoleId,
+            address(component));
+        // token handler does not require its own role
+        // token handler is not calling other components
+    }
+    function _createComponentRoleId(
+        IInstanceLinkedComponent component,
+        IAuthorization authorization
+    )
+        internal
+        returns (RoleId componentRoleId)
+    {
+        // checks
+        // check component is not yet authorized
+        if (_targetRoleId[address(component)].gtz()) {
+            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
+        }
+        // check generic component role
+        RoleId genericComponentRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+        if (!genericComponentRoleId.isComponentRole()) {
+            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
+        }
+        // check component role does not exist
+        componentRoleId = toComponentRole(
+            genericComponentRoleId,
+            _components);
+        if (roleExists(componentRoleId)) {
+            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
+        }
+        // check role info
+        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
+            genericComponentRoleId);
+        if (roleInfo.roleType != IAccess.RoleType.Contract) {
+            revert ErrorInstanceAdminRoleTypeNotContract(
+                componentRoleId,
+                roleInfo.roleType);
+        }
+        // effects
+        _targetRoleId[address(component)] = componentRoleId;
+        _components++;
+        _createRole(
+            componentRoleId,
+            roleInfo);
+    }
+    function _checkTargetIsReadyForAuthorization(address target)
+        internal
+        view
+    {
+        if (!_registry.isRegistered(target)) {
+            revert ErrorInstanceAdminNotRegistered(target);
+        }
+        if (targetExists(target)) {
+            revert ErrorInstanceAdminAlreadyAuthorized(target);
+        }
+    }
     function _createRoles(IAuthorization authorization)
         internal
     {
         RoleId[] memory roles = authorization.getRoles();
+        RoleId mainTargetRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
         RoleId roleId;
         RoleInfo memory roleInfo;
         for(uint256 i = 0; i < roles.length; i++) {
             roleId = roles[i];
-            if (!roleExists(roleId)) {
+            // skip main target role, create role if not exists
+            if (roleId != mainTargetRoleId && !roleExists(roleId)) {
                 _createRole(
                     roleId,
                     authorization.getRoleInfo(roleId));
@@ -213,6 +350,16 @@ contract InstanceAdmin is
     }
+    function toComponentRole(RoleId roleId, uint64 componentIdx)
+        internal
+        pure
+        returns (RoleId)
+    {
+        return RoleIdLib.toRoleId(
+            RoleIdLib.toInt(roleId) + componentIdx);
+    }
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
     {
@@ -253,7 +400,7 @@ contract InstanceAdmin is
         _createTarget(
             target,
             targetName,
-            false, // check authority TODO check normal targets, don't check service targets (they share authority with registry admin)
+            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
             false);
         // assign target role if defined
@@ -263,14 +410,16 @@ contract InstanceAdmin is
         }
     }
-    function _createModuleTargetsWithRoles()
+    function _setupInstanceHelperTargetsWithRoles()
         internal
     {
+        // _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
         // create module targets
-        _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TAGET_NAME);
         // create targets for services that need to access the module targets
         ObjectType[] memory serviceDomains = _instanceAuthorization.getServiceDomains();

package/contracts/instance/InstanceAuthorizationV3.sol CHANGED Viewed

@@ -2,73 +2,53 @@
 pragma solidity ^0.8.20;
 import {
-     PRODUCT, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE
+     ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK
 } from "../../contracts/type/ObjectType.sol";
-import {
-     DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE
-} from "../../contracts/type/RoleId.sol";
-import {BundleSet} from "../instance/BundleSet.sol";
+import {BundleSet} from "../instance/BundleSet.sol";
+import {RiskSet} from "../instance/RiskSet.sol";
 import {IAccess} from "../authorization/IAccess.sol";
 import {Instance} from "../instance/Instance.sol";
 import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
 import {InstanceStore} from "../instance/InstanceStore.sol";
-import {ModuleAuthorization} from "../authorization/ModuleAuthorization.sol";
+import {Authorization} from "../authorization/Authorization.sol";
 contract InstanceAuthorizationV3
-     is ModuleAuthorization
+     is Authorization
 {
+     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
      string public constant INSTANCE_TARGET_NAME = "Instance";
      string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
      string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
      string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+     string public constant RISK_SET_TARGET_NAME = "RiskSet";
-     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
-     string public constant DISTRIBUTION_OWNER_ROLE_NAME = "DistributionOwnerRole";
-     string public constant ORACLE_OWNER_ROLE_NAME = "OracleOwnerRole";
-     string public constant POOL_OWNER_ROLE_NAME = "PoolOwnerRole";
-     string public constant PRODUCT_OWNER_ROLE_NAME = "ProductOwnerRole";
-     constructor() ModuleAuthorization(INSTANCE_TARGET_NAME) {}
-     function _setupRoles()
-          internal
-          override
-     {
-          _addGifRole(DISTRIBUTION_OWNER_ROLE(), DISTRIBUTION_OWNER_ROLE_NAME);
-          _addGifRole(ORACLE_OWNER_ROLE(), ORACLE_OWNER_ROLE_NAME);
-          _addGifRole(POOL_OWNER_ROLE(), POOL_OWNER_ROLE_NAME);
-          _addGifRole(PRODUCT_OWNER_ROLE(), PRODUCT_OWNER_ROLE_NAME);
-     }
+     constructor()
+          Authorization(INSTANCE_TARGET_NAME, INSTANCE())
+     { }
      function _setupTargets()
           internal
           override
      {
-          // instance target
-          _addTargetWithRole(
-               INSTANCE_TARGET_NAME,
-               _getTargetRoleId(INSTANCE()),
-               INSTANCE_ROLE_NAME);
           // instance supporting targets
           _addTarget(INSTANCE_STORE_TARGET_NAME);
           _addTarget(INSTANCE_ADMIN_TARGET_NAME);
           _addTarget(BUNDLE_SET_TARGET_NAME);
+          _addTarget(RISK_SET_TARGET_NAME);
           // service targets relevant to instance
           _addServiceTargetWithRole(INSTANCE());
+          _addServiceTargetWithRole(ACCOUNTING());
           _addServiceTargetWithRole(COMPONENT());
           _addServiceTargetWithRole(DISTRIBUTION());
           _addServiceTargetWithRole(ORACLE());
           _addServiceTargetWithRole(POOL());
           _addServiceTargetWithRole(BUNDLE());
-          _addServiceTargetWithRole(PRODUCT());
+          _addServiceTargetWithRole(RISK());
           _addServiceTargetWithRole(APPLICATION());
           _addServiceTargetWithRole(POLICY());
           _addServiceTargetWithRole(CLAIM());
@@ -83,6 +63,7 @@ contract InstanceAuthorizationV3
           _setupInstanceAdminAuthorization();
           _setupInstanceStoreAuthorization();
           _setupBundleSetAuthorization();
+          _setUpRiskSetAuthorization();
      }
@@ -93,11 +74,31 @@ contract InstanceAuthorizationV3
           // authorize bundle service role
           functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(BUNDLE()));
-          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
-          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
           _authorize(functions, BundleSet.add.selector, "add");
           _authorize(functions, BundleSet.lock.selector, "lock");
           _authorize(functions, BundleSet.unlock.selector, "unlock");
+          // authorize bundle service role
+          functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
+     }
+     function _setUpRiskSetAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+          // authorize risk service role
+          functions = _authorizeForTarget(RISK_SET_TARGET_NAME, getServiceRole(RISK()));
+          _authorize(functions, RiskSet.add.selector, "add");
+          _authorize(functions, RiskSet.pause.selector, "pause");
+          _authorize(functions, RiskSet.activate.selector, "activate");
+          // authorize policy service role
+          functions = _authorizeForTarget(RISK_SET_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, RiskSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, RiskSet.unlinkPolicy.selector, "unlinkPolicy");
      }
@@ -118,11 +119,13 @@ contract InstanceAuthorizationV3
           IAccess.FunctionInfo[] storage functions;
           // authorize instance role
-          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, _getTargetRoleId(INSTANCE()));
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getComponentRole(INSTANCE()));
           _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
-          // authorize instance service role
-          // functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
+          // authorize component service role
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(COMPONENT()));
+          _authorize(functions, InstanceAdmin.initializeComponentAuthorization.selector, "initializeComponentAuthoriz");
+          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
      }
@@ -131,6 +134,13 @@ contract InstanceAuthorizationV3
      {
           IAccess.FunctionInfo[] storage functions;
+          // authorize accounting service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(ACCOUNTING()));
+          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
+          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
+          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
+          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(COMPONENT()));
           _authorize(functions, InstanceStore.createComponent.selector, "createComponent");
@@ -138,11 +148,9 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.createPool.selector, "createPool");
           _authorize(functions, InstanceStore.createProduct.selector, "createProduct");
           _authorize(functions, InstanceStore.updateProduct.selector, "updateProduct");
-          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
-          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
-          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
-          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
+          _authorize(functions, InstanceStore.createFee.selector, "createFee");
+          _authorize(functions, InstanceStore.updateFee.selector, "updateFee");
           // authorize distribution service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(DISTRIBUTION()));
           _authorize(functions, InstanceStore.createDistributorType.selector, "createDistributorType");
@@ -174,7 +182,7 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.decreaseLocked.selector, "decreaseLocked");
           // authorize product service role
-          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(PRODUCT()));
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(RISK()));
           _authorize(functions, InstanceStore.createRisk.selector, "createRisk");
           _authorize(functions, InstanceStore.updateRisk.selector, "updateRisk");
           _authorize(functions, InstanceStore.updateRiskState.selector, "updateRiskState");
@@ -199,6 +207,7 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.updateClaim.selector, "updateClaim");
           _authorize(functions, InstanceStore.createPayout.selector, "createPayout");
           _authorize(functions, InstanceStore.updatePayout.selector, "updatePayout");
+          _authorize(functions, InstanceStore.updatePayoutState.selector, "updatePayoutState");
      }
 }