@etherisc/gif-next 0.0.2-f1fe735-758 → 0.0.2-f2273b3-211

package/contracts/instance/InstanceAdmin.sol

@@ -1,331 +1,437 @@
-// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
 
-import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
-import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+import {IAccess} from "../authorization/IAccess.sol";
+import {IAuthorization} from "../authorization/IAuthorization.sol";
+import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {IInstance} from "./IInstance.sol";
 
-import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE, INSTANCE_ROLE} from "../type/RoleId.sol";
-import {TimestampLib} from "../type/Timestamp.sol";
+import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
 import {NftId} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
+import {RoleId, RoleIdLib} from "../type/RoleId.sol";
+import {Str, StrLib} from "../type/String.sol";
+import {TokenHandler} from "../shared/TokenHandler.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 
-import {AccessManagerExtendedInitializeable} from "../shared/AccessManagerExtendedInitializeable.sol";
-
-import {IRegistry} from "../registry/IRegistry.sol";
-
-import {IInstance} from "./IInstance.sol";
-import {IAccess} from "./module/IAccess.sol";
 
 contract InstanceAdmin is
-    AccessManagedUpgradeable
+    AccessAdmin
 {
-    using RoleIdLib for RoleId;
-
-    string public constant INSTANCE_ROLE_NAME = "InstanceRole";
-    string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
-
+    string public constant INSTANCE_TARGET_NAME = "Instance";
+    string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+    string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+    string public constant RISK_SET_TAGET_NAME = "RiskSet";
 
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
-    uint32 public constant EXECUTION_DELAY = 0;
 
-    mapping(address target => IAccess.Type) _targetType;
-    mapping(RoleId roleId => IAccess.Type) _roleType;
-    uint64 _idNext;
+    error ErrorInstanceAdminCallerNotInstanceOwner(address caller);
+    error ErrorInstanceAdminInstanceAlreadyLocked();
+    error ErrorInstanceAdminNotRegistered(address target);
+
+    error ErrorInstanceAdminAlreadyAuthorized(address target);
+    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
+    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
+    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
 
-    AccessManagerExtendedInitializeable internal _accessManager;
-    address _instance;
+    error ErrorInstanceAdminReleaseMismatch();
+    error ErrorInstanceAdminExpectedTargetMissing(string targetName);
+
+    IInstance internal _instance;
     IRegistry internal _registry;
+    uint64 internal _customIdNext;
 
-    // instance owner role is granted upon instance nft minting in callback function
-    // assume this contract is already a member of ADMIN_ROLE, the only member
-    function initialize(address instanceAddress) external initializer 
-    {
-        IInstance instance = IInstance(instanceAddress);
-        IRegistry registry = instance.getRegistry();
-        address authority = instance.authority();
+    mapping(address target => RoleId roleId) internal _targetRoleId;
+    uint64 internal _components;
 
-        __AccessManaged_init(authority);
+    IAuthorization internal _instanceAuthorization;
 
-        _accessManager = AccessManagerExtendedInitializeable(authority);
-        _instance = instanceAddress;
-        _registry = registry;
-        _idNext = CUSTOM_ROLE_ID_MIN;
 
-        // minimum configuration required for nft interception
-        _createRole(INSTANCE_ROLE(), INSTANCE_ROLE_NAME, IAccess.Type.Core);
-        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Core);
-        _grantRole(INSTANCE_ROLE(), address(instance));
+    modifier onlyInstanceOwner() {        
+        if(msg.sender != _registry.ownerOf(address(_instance))) {
+            revert ErrorInstanceAdminCallerNotInstanceOwner(msg.sender);
+        }
+        _;
+    }
+
+    /// @dev Only used for master instance admin.
+    /// Contracts created via constructor come with disabled initializers.
+    constructor(
+        address instanceAuthorization
+    ) {
+        initialize(new AccessManagerCloneable());
+
+        _instanceAuthorization = IAuthorization(instanceAuthorization);
 
-        _createTarget(address(this), INSTANCE_ADMIN_TARGET_NAME, IAccess.Type.Core);
-        bytes4[] memory instanceAdminInstanceSelectors = new bytes4[](1);
-        instanceAdminInstanceSelectors[0] = this.transferInstanceOwnerRole.selector;
-        _setTargetFunctionRole(address(this), instanceAdminInstanceSelectors, INSTANCE_ROLE());                
+        _disableInitializers();
     }
 
-    //--- Role ------------------------------------------------------//
-    // ADMIN_ROLE
-    // assume all core roles are known at deployment time
-    // assume core roles are set and granted only during instance cloning
-    // assume core roles are never revoked -> core roles admin is never active after intialization
-    function createCoreRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, IAccess.Type.Core);
+
+    function initialize(
+        AccessManagerCloneable clonedAccessManager,
+        IRegistry registry,
+        VersionPart release
+    )
+        external
+        initializer()
+    {
+        __AccessAdmin_init(clonedAccessManager);
+
+        clonedAccessManager.completeSetup(
+            address(registry), 
+            release); 
+
+        _registry = registry;
     }
 
-    // ADMIN_ROLE
-    // assume gif roles can be revoked
-    // assume admin is INSTANCE_OWNER_ROLE or INSTANCE_ROLE
-    function createGifRole(RoleId roleId, string memory name, RoleId admin) external restricted() {
-        _createRole(roleId, name, IAccess.Type.Gif);
-        _setRoleAdmin(roleId, admin);
+    /// @dev Completes the initialization of this instance admin using the provided instance, registry and version.
+    /// Important: Initialization of instance admin is only complete after calling this function. 
+    /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
+    function completeSetup(
+        address instance,
+        address authorization
+    )
+        external
+        reinitializer(uint64(getRelease().toInt()))
+        onlyDeployer()
+    {
+        _components = 0;
+        _customIdNext = CUSTOM_ROLE_ID_MIN;
+        _instance = IInstance(instance);
+        _instanceAuthorization = IAuthorization(authorization);
+
+        _checkTargetIsReadyForAuthorization(instance);
+
+        // check matching releases
+        if (_instanceAuthorization.getRelease() != getRelease()) {
+            revert ErrorInstanceAdminReleaseMismatch();
+        }
+
+        // create instance role and target
+        _setupInstance(instance);
+
+        // add instance authorization
+        _createRoles(_instanceAuthorization);
+
+        _setupInstanceHelperTargetsWithRoles();
+        _createTargetAuthorizations(_instanceAuthorization);
     }
 
-    // INSTANCE_ROLE
-    // TODO specify how many owners role can have -> many roles MUST have exactly 1 member?
-    function createRole(string memory roleName, string memory adminName)
+
+    /// @dev Initializes the authorization for the specified component.
+    /// Important: The component MUST be registered.
+    function initializeComponentAuthorization(
+        IInstanceLinkedComponent component
+    )
         external
         restricted()
-        returns(RoleId roleId, RoleId admin)
     {
-        (roleId, admin) = _getNextCustomRoleId();
+        // checks
+        _checkTargetIsReadyForAuthorization(address(component));
 
-        _createRole(roleId, roleName, IAccess.Type.Custom);
-        _createRole(admin, adminName, IAccess.Type.Custom);
+        // setup target and role for component (including token handler)
+        _setupComponentAndTokenHandler(component);
 
-        _setRoleAdmin(roleId, admin);
-        _setRoleAdmin(admin, INSTANCE_OWNER_ROLE());
+        // create other roles
+        IAuthorization authorization = component.getAuthorization();
+        _createRoles(authorization);        
+        _createTargetAuthorizations(authorization);
     }
 
-    // ADMIN_ROLE
-    // assume used by instance service only during instance cloning
-    // assume used only by this.createRole(), this.createGifRole() afterwards
-    function setRoleAdmin(RoleId roleId, RoleId admin) public restricted() {
-        _setRoleAdmin(roleId, admin);
+    // create instance role and target
+    function _setupInstance(address instance) internal {
+        // create instance role
+        RoleId instanceRoleId = _instanceAuthorization.getTargetRole(
+            _instanceAuthorization.getMainTarget());
+
+        _createRole(
+            instanceRoleId,
+            _instanceAuthorization.getRoleInfo(instanceRoleId));
+
+        // create instance target
+        _createTarget(
+            instance, 
+            _instanceAuthorization.getMainTargetName(), 
+            true, // checkAuthority
+            false); // custom
+
+        // assign instance role to instance
+        _grantRoleToAccount(
+            instanceRoleId, 
+            instance);
     }
 
-    // INSTANCE_ROLE
-    function transferInstanceOwnerRole(address from, address to) external restricted() {
-        // temp pre transfer checks
-        assert(_getRoleMembers(INSTANCE_ROLE()) == 1);
-        assert(_hasRole(INSTANCE_ROLE(), _instance));
-        assert(_getRoleAdmin(INSTANCE_OWNER_ROLE()).toInt() == ADMIN_ROLE().toInt());
-        if(from != address(0)) { // nft transfer
-            assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 1);
-        } else { // nft minting 
-            assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 0);            
-        }
+    /// @dev Creates a custom role
+    // TODO implement
+    // function createRole()
+    //     external
+    //     restricted()
+    // {
 
-        // transfer
-        assert(from != to);
-        _grantRole(INSTANCE_OWNER_ROLE(), to);
-        if(from != address(0)) { // nft transfer
-            _revokeRole(INSTANCE_OWNER_ROLE(), from);
-        }
+    // }
 
-        // temp post transfer checks
-        assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 1);// temp
-        assert(_hasRole(INSTANCE_OWNER_ROLE(), to));
+    /// @dev Grants the provided role to the specified account
+    function grantRole(
+        RoleId roleId, 
+        address account)
+        external
+        restricted()
+    {
+        _grantRoleToAccount(roleId, account);
     }
 
-    //--- Target ------------------------------------------------------//
-    // ADMIN_ROLE
-    // assume some core targets are registred (instance) while others are not (instance accesss manager, instance reader, bundle manager)
-    function createCoreTarget(address target, string memory name) external restricted() {
-        _createTarget(target, name, IAccess.Type.Core);
-    }
 
-    // INSTANCE_SERVICE_ROLE
-    function createGifTarget(address target, string memory name) external restricted() 
+    function setInstanceLocked(bool locked)
+        external
+        onlyInstanceOwner()
     {
-        if(!_registry.isRegistered(target)) {
-            revert IAccess.ErrorIAccessTargetNotRegistered(target);
-        }
+        AccessManagerCloneable accessManager = AccessManagerCloneable(authority());
 
-        NftId targetParentNftId = _registry.getObjectInfo(target).parentNftId;
-        NftId instanceNftId = _registry.getObjectInfo(_instance).nftId;
-        if(targetParentNftId != instanceNftId) {
-            revert IAccess.ErrorIAccessTargetInstanceMismatch(target, targetParentNftId, instanceNftId);
+        if(accessManager.isLocked() == locked) {
+            revert ErrorInstanceAdminInstanceAlreadyLocked();
         }
-
-        _createTarget(target, name, IAccess.Type.Gif);
+        accessManager.setLocked(locked);
     }
 
-    // INSTANCE_ROLE
-    // assume custom target.authority() is constant -> target MUST not be used with different instance access manager
-    // assume custom target can not be registered as component -> each service which is doing component registration MUST register a gif target
-    // assume custom target can not be registered as instance or service -> why?
-    // TODO check target associated with instance owner or instance or instance components or components helpers
-    function createTarget(address target, string memory name) external restricted() {
-        _createTarget(target, name, IAccess.Type.Custom);
+    function setTargetLocked(address target, bool locked) 
+        external 
+        restricted()
+    {
+        _setTargetClosed(target, locked);
     }
 
-    // TODO instance owner locks component instead of revoking it access to the instance...
-    // INSTANCE_SERVICE_ROLE
-    function setTargetLockedByService(address target, bool locked) external restricted {
-        _setTargetLocked(target, locked);
+    /// @dev Returns the number of components that have been registered with this instance.   
+    function components() 
+        external 
+        view 
+        returns (uint64)
+    {
+        return _components;
     }
 
-    // INSTANCE_ROLE
-    function setTargetLockedByInstance(address target, bool locked) external restricted {
-        _setTargetLocked(target, locked);
+    /// @dev Returns the instance authorization specification used to set up this instance admin.
+    function getInstanceAuthorization()
+        external
+        view
+        returns (IAuthorization instanceAuthorizaion)
+    {
+        return _instanceAuthorization;
     }
 
+    // ------------------- Internal functions ------------------- //
 
-    // allowed combinations of roles and targets:
-    //1) set core role for core target 
-    //2) set gif role for gif target  
-    //3) set custom role for gif target
-    //4) set custom role for custom target
-
-    // ADMIN_ROLE if used only during initialization, works with:
-    //      any roles for any targets
-    // INSTANCE_SERVICE_ROLE if used not only during initilization, works with:
-    //      core roles for core targets
-    //      gif roles for gif targets
-    function setTargetFunctionRoleByService(
-        string memory targetName,
-        bytes4[] calldata selectors,
-        RoleId roleId
-    ) 
-        public 
-        virtual 
-        restricted
+    function _setupComponentAndTokenHandler(IInstanceLinkedComponent component)
+        internal
     {
-        address target = _accessManager.getTargetAddress(targetName);
-        // not custom target
-        if(_targetType[target] == IAccess.Type.Custom) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Custom);
-        }
-
-        // not custom role
-        if(_roleType[roleId] == IAccess.Type.Custom) {
-            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Custom);
-        }
 
-        _setTargetFunctionRole(target, selectors, roleId);
+        IAuthorization authorization = component.getAuthorization();
+        string memory targetName = authorization.getMainTargetName();
+
+        // create component role and target
+        RoleId componentRoleId = _createComponentRoleId(component, authorization);
+
+        // create component's target
+        _createTarget(
+            address(component), 
+            targetName, 
+            true, // checkAuthority
+            false); // custom
+
+        // create component's token handler target
+        NftId componentNftId = _registry.getNftIdForAddress(address(component));
+        address tokenHandler = address(
+            _instance.getInstanceReader().getComponentInfo(
+                componentNftId).tokenHandler);
+
+        _createTarget(
+            tokenHandler, 
+            authorization.getTokenHandlerName(), 
+            true, 
+            false);
+
+        // assign component role to component
+        _grantRoleToAccount(
+            componentRoleId, 
+            address(component));
+
+        // token handler does not require its own role
+        // token handler is not calling other components
     }
 
-    // INSTANCE_ROLE
-    // gif role for gif target
-    // gif role for custom target
-    // custom role for gif target -> need to prohibit
-    // custom role for custom target
-    // TODO instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
-    function setTargetFunctionRoleByInstance(
-        string memory targetName,
-        bytes4[] calldata selectors,
-        RoleId roleId// string memory roleName
-    ) 
-        public 
-        virtual 
-        restricted() 
-    {
-        address target = _accessManager.getTargetAddress(targetName);
 
-        // not core target
-        if(_targetType[target] == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Core);
+    function _createComponentRoleId(
+        IInstanceLinkedComponent component,
+        IAuthorization authorization
+    )
+        internal 
+        returns (RoleId componentRoleId)
+    {
+        // checks
+        // check component is not yet authorized
+        if (_targetRoleId[address(component)].gtz()) {
+            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
         }
 
-        // not core role
-        if(_roleType[roleId] == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
+        // check generic component role
+        RoleId genericComponentRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+
+        if (!genericComponentRoleId.isComponentRole()) {
+            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
         }
 
-        _setTargetFunctionRole(target, selectors, roleId);
-    }
+        // check component role does not exist
+        componentRoleId = toComponentRole(
+            genericComponentRoleId, 
+            _components);
 
-    //--- Role internal view/pure functions --------------------------------------//
-    function _createRole(RoleId roleId, string memory name, IAccess.Type rtype) internal {
-        _validateRole(roleId, rtype);
+        if (roleExists(componentRoleId)) {
+            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
+        }
 
-        _roleType[roleId] = rtype;
-        _accessManager.createRole(roleId.toInt(), name);
-    }
+        // check role info
+        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
+            genericComponentRoleId);
 
-    function _validateRole(RoleId roleId, IAccess.Type rtype) internal pure
-    {
-        uint roleIdInt = roleId.toInt();
-        if(rtype == IAccess.Type.Custom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
+        if (roleInfo.roleType != IAccess.RoleType.Contract) {
+            revert ErrorInstanceAdminRoleTypeNotContract(
+                componentRoleId,
+                roleInfo.roleType);
         }
 
-        if(
-            rtype != IAccess.Type.Custom && 
-            roleIdInt >= CUSTOM_ROLE_ID_MIN && 
-            roleIdInt != PUBLIC_ROLE().toInt()) 
-        {
-            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
-        }
-    }
+        // effects
+        _targetRoleId[address(component)] = componentRoleId;
+        _components++;
 
-    function _grantRole(RoleId roleId, address account) internal {
-        _accessManager.grantRole(roleId.toInt(), account, EXECUTION_DELAY);
+        _createRole(
+            componentRoleId,
+            roleInfo);
     }
 
-    function _revokeRole(RoleId roleId, address member) internal {
-        _accessManager.revokeRole(roleId.toInt(), member);
-    }
 
-    function _setRoleAdmin(RoleId roleId, RoleId admin) internal {
-        if(_roleType[roleId] == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
+    function _checkTargetIsReadyForAuthorization(address target)
+        internal
+        view
+    {
+        if (!_registry.isRegistered(target)) {
+            revert ErrorInstanceAdminNotRegistered(target);
         }
 
-        _accessManager.setRoleAdmin(roleId.toInt(), admin.toInt());
+        if (targetExists(target)) {
+            revert ErrorInstanceAdminAlreadyAuthorized(target);
+        }
     }
 
-    function _getRoleAdmin(RoleId roleId) internal view returns (RoleId admin) {
-        return RoleIdLib.toRoleId(_accessManager.getRoleAdmin(roleId.toInt()));
-    }
 
-    function _hasRole(RoleId roleId, address account) internal view returns (bool accountHasRole) {
-        uint32 executionDelay;
-        (accountHasRole, executionDelay) = _accessManager.hasRole(roleId.toInt(), account);
-        assert(executionDelay == 0);
-    }
+    function _createRoles(IAuthorization authorization)
+        internal
+    {
+        RoleId[] memory roles = authorization.getRoles();
+        RoleId mainTargetRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
 
-    function _getRoleMembers(RoleId roleId) internal view returns (uint) {
-        return _accessManager.getRoleMembers(roleId.toInt());
-    }
+        RoleId roleId;
+        RoleInfo memory roleInfo;
 
-    function _getNextCustomRoleId() internal returns(RoleId roleId, RoleId admin) {
-        uint64 roleIdInt = _idNext;
-        uint64 adminInt = roleIdInt + 1;
+        for(uint256 i = 0; i < roles.length; i++) {
 
-        _idNext = roleIdInt + 2;
+            roleId = roles[i];
 
-        roleId = RoleIdLib.toRoleId(roleIdInt);
-        admin = RoleIdLib.toRoleId(adminInt);
+            // skip main target role, create role if not exists
+            if (roleId != mainTargetRoleId && !roleExists(roleId)) {
+                _createRole(
+                    roleId,
+                    authorization.getRoleInfo(roleId));
+            }
+        }
     }
 
-    //--- Target internal view/pure functions --------------------------------------//
-    function _createTarget(address target, string memory name, IAccess.Type ttype) 
-        internal 
+
+    function toComponentRole(RoleId roleId, uint64 componentIdx)
+        internal
+        pure
+        returns (RoleId)
     {
-        _validateTarget(target, ttype);
-        _targetType[target] = ttype;
-        _accessManager.createTarget(target, name);
+        return RoleIdLib.toRoleId(
+            RoleIdLib.toInt(roleId) + componentIdx);
     }
 
-    function _validateTarget(address target, IAccess.Type ttype) 
-        internal 
-        view 
-    {}
 
-    // IMPORTANT: instance admin MUST be of Core type -> otherwise can be locked forever
-    // TODO: consider locking gif targets in a separate function?
-    function _setTargetLocked(address target, bool locked) internal
+    function _createTargetAuthorizations(IAuthorization authorization)
+        internal
     {
-        IAccess.Type targetType = _targetType[target];
+        Str[] memory targets = authorization.getTargets();
+        Str target;
+
+        for(uint256 i = 0; i < targets.length; i++) {
+            target = targets[i];
+            RoleId[] memory authorizedRoles = authorization.getAuthorizedRoles(target);
+            RoleId authorizedRole;
+
+            for(uint256 j = 0; j < authorizedRoles.length; j++) {
+                authorizedRole = authorizedRoles[j];
+
+                _authorizeTargetFunctions(
+                    getTargetForName(target),
+                    authorizedRole,
+                    authorization.getAuthorizedFunctions(
+                        target, 
+                        authorizedRole));
+            }
+        }
+    }
 
-        if(targetType == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(target, targetType);
+    function _checkAndCreateTargetWithRole(
+        address target,
+        string memory targetName
+    )
+        internal
+    {
+        // check that target name is defined in authorization specification
+        Str name = StrLib.toStr(targetName);
+        if (!_instanceAuthorization.targetExists(name)) {
+            revert ErrorInstanceAdminExpectedTargetMissing(targetName);
         }
 
-        _accessManager.setTargetClosed(target, locked);
+        // create named target
+        _createTarget(
+            target, 
+            targetName, 
+            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
+            false);
+
+        // assign target role if defined
+        RoleId targetRoleId = _instanceAuthorization.getTargetRole(name);
+        if (targetRoleId != RoleIdLib.zero()) {
+            _grantRoleToAccount(targetRoleId, target);
+        }
     }
 
-    function _setTargetFunctionRole(address target, bytes4[] memory selectors, RoleId roleId) internal {
-        _accessManager.setTargetFunctionRole(target, selectors, roleId.toInt());
+    function _setupInstanceHelperTargetsWithRoles()
+        internal
+    {
+        // _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
+
+        // create module targets
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TAGET_NAME);
+
+        // create targets for services that need to access the module targets
+        ObjectType[] memory serviceDomains = _instanceAuthorization.getServiceDomains();
+        VersionPart release = _instanceAuthorization.getRelease();
+        ObjectType serviceDomain;
+
+        for (uint256 i = 0; i < serviceDomains.length; i++) {
+            serviceDomain = serviceDomains[i];
+
+            _checkAndCreateTargetWithRole(
+                _registry.getServiceAddress(serviceDomain, release),
+                _instanceAuthorization.getServiceTarget(serviceDomain).toString());
+        }
     }
-}
+}