@etherisc/gif-next 0.0.2-f78c672-338 → 0.0.2-f78f882-351

package/contracts/authorization/AccessAdmin.sol

@@ -3,21 +3,25 @@ pragma solidity ^0.8.20;
 
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
-import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
 
-import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
-import {ContractLib} from "../shared/ContractLib.sol";
+import {IAccess} from "./IAccess.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {IAuthorization} from "./IAuthorization.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
+import {IServiceAuthorization} from "./IServiceAuthorization.sol";
+
+import {AccessAdminLib} from "./AccessAdminLib.sol";
+import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
+import {Blocknumber, BlocknumberLib} from "../type/Blocknumber.sol";
+import {ContractLib} from "../shared/ContractLib.sol";
+import {NftId, NftIdLib} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
-import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
+import {Selector, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
 import {VersionPart} from "../type/Version.sol";
 
-interface IAccessManagedChecker {
-    function authority() external view returns (address);
-}
 
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -26,20 +30,26 @@ interface IAccessManagedChecker {
  */ 
 contract AccessAdmin is
     AccessManagedUpgradeable,
-    ReentrancyGuardUpgradeable,
     IAccessAdmin
 {
     using EnumerableSet for EnumerableSet.AddressSet;
 
-    string public constant ADMIN_ROLE_NAME = "AdminRole";
-    string public constant PUBLIC_ROLE_NAME = "PublicRole";
+    /// @dev admin name used for logging only
+    string internal _adminName;
 
-    /// @dev the OpenZeppelin access manager driving the access admin contract
+    /// @dev the access manager driving the access admin contract
+    /// hold link to registry and release version
     AccessManagerCloneable internal _authority;
 
-    /// @dev stores the deployer address and allows to create initializers
-    /// that are restricted to the deployer address.
-    address internal _deployer;
+    /// @dev the authorization contract used for initial access control
+    IAuthorization internal _authorization;
+
+    // /// @dev stores the deployer address and allows to create initializers
+    // /// that are restricted to the deployer address.
+    // address internal _deployer;
+
+    /// @dev the linked NFT ID
+    NftId internal _linkedNftId;
 
     /// @dev store role info per role id
     mapping(RoleId roleId => RoleInfo info) internal _roleInfo;
@@ -50,6 +60,9 @@ contract AccessAdmin is
     /// @dev store array with all created roles
     RoleId [] internal _roleIds;
 
+    // @dev target type specific role id counters
+    mapping(TargetType => uint64) internal _nextRoleId;
+
     /// @dev store set of current role members for given role
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
 
@@ -71,135 +84,93 @@ contract AccessAdmin is
     /// @dev temporary dynamic functions array
     bytes4[] private _functions;
 
-    modifier onlyDeployer() {
-        // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
-        if (_deployer == address(0)) {
-            _deployer = msg.sender;
-        }
-
-        if (msg.sender != _deployer) {
-            revert ErrorNotDeployer();
-        }
-        _;
-    }
-
-    modifier onlyRoleAdmin(RoleId roleId) {
-        _checkRoleExists(roleId, false);
-
-        if (!hasAdminRole(msg.sender, roleId)) {
-            revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
-        }
-        _;
-    }
-
-    modifier onlyRoleMember(RoleId roleId) {
-        if (!hasRole(msg.sender, roleId)) {
-            revert ErrorNotRoleOwner(roleId);
-        }
-        _;
-    }
-
-    modifier onlyExistingRole(
-        RoleId roleId, 
-        bool onlyActiveRole,
-        bool allowLockedRoles
-    )
-    {
-        if (!allowLockedRoles) {
-            _checkRoleExists(roleId, onlyActiveRole);
-        }
-        _;
-    }
-
-    modifier onlyExistingTarget(address target) {
-        _checkTarget(target);
-        _;
-    }
 
     //-------------- initialization functions ------------------------------//
 
-    // event LogAccessAdminDebug(string message);
-
     /// @dev Initializes this admin with the provided accessManager (and authorization specification).
     /// Internally initializes access manager with this admin and creates basic role setup.
     function initialize(
-        AccessManagerCloneable authority 
+        address authority,
+        string memory adminName 
     )
         public
         initializer()
     {
-        __AccessAdmin_init(authority);
+        __AccessAdmin_init(authority, adminName);
     }
 
 
+    /// @dev Initializes this admin with the provided accessManager and name.
+    /// IMPORTANT
+    /// - cloning of an access admin and initialization MUST be done in the same tx.
+    /// - this function as well as any completeSetup functions MUST be called in the same tx.
     function __AccessAdmin_init(
-        AccessManagerCloneable authority 
+        address authority, 
+        string memory adminName 
     )
         internal
         onlyInitializing()
-        onlyDeployer() // initializes deployer if not initialized yet
     {
-        authority.initialize(address(this));
+        AccessAdminLib.checkInitParameters(authority, adminName);
+        _authority = AccessManagerCloneable(authority);
+        _authority.initialize(address(this));
+
+        // delayed additional check for authority after its initialization
+        if (!ContractLib.isAuthority(authority)) {
+            revert ErrorAccessAdminAccessManagerNotAccessManager(authority);
+        }
 
+        // effects
         // set and initialize this access manager contract as
         // the admin (ADMIN_ROLE) of the provided authority
-        __AccessManaged_init(address(authority));
-        _authority = authority;
+        __AccessManaged_init(authority);
 
-        // create admin and public roles
-        _initializeAdminAndPublicRoles();
+        // set name for logging
+        _adminName = adminName;
 
-        // additional use case specific initialization
-        _initializeCustom();
-    }
+        // set initial linked NFT ID to zero
+        _linkedNftId = NftIdLib.zero();
 
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(), AccessAdminLib.adminRoleInfo());
 
-    function getRegistry() public view returns (IRegistry registry) {
-        return _authority.getRegistry();
+        // add this contract as admin role member, as contract roles cannot be revoked
+        // and max member count is 1 for admin role this access admin contract will
+        // always be the only admin of the access manager.
+        _roleMembers[
+            RoleIdLib.toRoleId(_authority.ADMIN_ROLE())].add(address(this));
+
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(), AccessAdminLib.publicRoleInfo());
     }
 
+    //--- view functions for access admin ---------------------------------------//
 
-    function getRelease() public view returns (VersionPart release) {
+    function getRelease() public view virtual returns (VersionPart release) {
         return _authority.getRelease();
     }
 
 
-    function _initializeAdminAndPublicRoles()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
+    }
 
-        // setup admin role
-        _createRoleUnchecked(
-            ADMIN_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Contract,
-                maxMemberCount: 1,
-                name: ADMIN_ROLE_NAME}));
 
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
+    function getLinkedNftId() external view returns (NftId linkedNftId) {
+        return _linkedNftId;
+    }
 
-        // setup public role
-        _createRoleUnchecked(
-            PUBLIC_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Gif,
-                maxMemberCount: type(uint32).max,
-                name: PUBLIC_ROLE_NAME}));
+
+    function getAuthorization() public view returns (IAuthorization authorization) {
+        return _authorization;
     }
 
 
-    function _initializeCustom()
-        internal
-        virtual
-        onlyInitializing()
-    { }
+    function isLocked() public view returns (bool locked) {
+        return _authority.isLocked();
+    }
 
     //--- view functions for roles ------------------------------------------//
 
@@ -220,15 +191,28 @@ contract AccessAdmin is
     }
 
     function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _roleInfo[roleId].createdAt.gtz();
+        return _roleInfo[roleId].targetType != TargetType.Undefined;
     }
 
-    function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory) {
+    function getRoleForName(string memory name) public view returns (RoleId roleId, bool exists) {
+        roleId = _roleForName[StrLib.toStr(name)].roleId;
+        exists = false;
+
+        if (roleId.gtz() || AccessAdminLib.isAdminRoleName(name)) {
+            exists = true;
+        }
+    }
+
+    function getRoleInfo(RoleId roleId) public view returns (RoleInfo memory) {
         return _roleInfo[roleId];
     }
 
-    function getRoleForName(Str name) external view returns (RoleNameInfo memory) {
-        return _roleForName[name];
+    function isRoleActive(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].pausedAt > TimestampLib.current();
+    }
+
+    function isRoleCustom(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].targetType == TargetType.Custom;
     }
 
     function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
@@ -239,21 +223,15 @@ contract AccessAdmin is
         return _roleMembers[roleId].at(idx);
     }
 
-    // TODO false because not role member or because role not exists?
-    function hasRole(address account, RoleId roleId) public view returns (bool) {
+    function isRoleMember(RoleId roleId, address account) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId), 
             account);
         return isMember;
     }
 
-    function hasAdminRole(address account, RoleId roleId)
-        public 
-        virtual
-        view 
-        returns (bool)
-    {
-        return hasRole(account, _roleInfo[roleId].adminRoleId);
+    function isRoleAdmin(RoleId roleId, address account) public virtual view returns (bool) {
+        return isRoleMember(_roleInfo[roleId].adminRoleId, account);
     }
 
     //--- view functions for targets ----------------------------------------//
@@ -270,7 +248,7 @@ contract AccessAdmin is
         return _targets[idx];
     }
 
-    function getTargetInfo(address target) external view returns (TargetInfo memory targetInfo) {
+    function getTargetInfo(address target) public view returns (TargetInfo memory targetInfo) {
         return _targetInfo[target];
     }
 
@@ -279,9 +257,11 @@ contract AccessAdmin is
     }
 
     function isTargetLocked(address target) public view returns (bool locked) {
-        return _authority.isTargetClosed(target);
+        return _authority.isLocked() || _authority.isTargetClosed(target);
     }
 
+    //--- view functions for target functions -------------------------------//
+
     function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
         return SelectorSetLib.size(_targetFunctions[target]);
     }
@@ -305,385 +285,395 @@ contract AccessAdmin is
                 selector.toBytes4()));
     }
 
-    function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
-        (can, ) = _authority.canCall(caller, target, selector.toBytes4());
-    }
-
-    function toRole(RoleId adminRoleId, RoleType roleType, uint32 maxMemberCount, string memory name) public view returns (RoleInfo memory) {
-        return RoleInfo({
-            name: StrLib.toStr(name),
-            adminRoleId: adminRoleId,
-            roleType: roleType,
-            maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.blockTimestamp(),
-            pausedAt: TimestampLib.max()
-        });
-    }
-
-    function toFunction(bytes4 selector, string memory name) public view returns (FunctionInfo memory) {
-        return FunctionInfo({
-            name: StrLib.toStr(name),
-            selector: SelectorLib.toSelector(selector),
-            createdAt: TimestampLib.blockTimestamp()});
-    }
 
-    function deployer() public view returns (address) {
-        return _deployer;
+    function getFunctionInfo(address target, Selector selector)
+        external
+        view
+        returns (FunctionInfo memory functionInfo)
+    {
+        return _functionInfo[target][selector];
     }
 
     //--- internal/private functions -------------------------------------------------//
 
-    function _authorizeTargetFunctions(
-        address target, 
-        RoleId roleId, 
-        FunctionInfo[] memory functions
-    )
-        internal
-    {
-        if (roleId == getAdminRole()) {
-            revert ErrorAuthorizeForAdminRoleInvalid(target);
+    function _linkToNftOwnable(address registerable) internal {
+        if (!getRegistry().isRegistered(registerable)) {
+            revert ErrorAccessAdminNotRegistered(registerable);
         }
 
-        (
-            bytes4[] memory functionSelectors,
-            string[] memory functionNames
-        ) = _processFunctionSelectors(target, functions, true);
-
-        // apply authz via access manager
-        _grantRoleAccessToFunctions(
-            target, 
-            roleId, 
-            functionSelectors,
-            functionNames, 
-            false); // allow locked roles
+        _linkedNftId = getRegistry().getNftIdForAddress(registerable);
     }
 
-    function _unauthorizeTargetFunctions(
-        address target, 
-        FunctionInfo[] memory functions
+
+    function _createRoles(
+        IServiceAuthorization authorization
     )
         internal
     {
-        (
-            bytes4[] memory functionSelectors,
-            string[] memory functionNames
-        ) = _processFunctionSelectors(target, functions, false);
-
-        _grantRoleAccessToFunctions(
-            target, 
-            getAdminRole(), 
-            functionSelectors, 
-            functionNames, 
-            true);  // allowLockedRoles
+        RoleId[] memory roles = authorization.getRoles();
+
+        for(uint256 i = 0; i < roles.length; i++) {
+            RoleId authzRoleId = roles[i];
+            IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(authzRoleId);
+            (RoleId roleId, bool exists) = getRoleForName(roleInfo.name.toString());
+
+            if (!exists) {
+                if (!AccessAdminLib.isDynamicRoleId(authzRoleId)) {
+                    roleId = authzRoleId;
+                }
+
+                _createRole(
+                    roleId,
+                    roleInfo,
+                    true);
+            }
+        }
     }
 
-    function _processFunctionSelectors(
-        address target,
-        FunctionInfo[] memory functions,
-        bool addFunctions
+
+    /// @dev Creates a role based on the provided parameters.
+    /// Checks that the provided role and role id and role name not already used.
+    function _createRole(
+        RoleId roleId, 
+        RoleInfo memory info,
+        bool revertOnExistingRole
     )
         internal
-        onlyExistingTarget(target)
-        returns (
-            bytes4[] memory functionSelectors,
-            string[] memory functionNames
-        )
     {
-        uint256 n = functions.length;
-        functionSelectors = new bytes4[](n);
-        functionNames = new string[](n);
-        FunctionInfo memory func;
-        Selector selector;
-
-        for (uint256 i = 0; i < n; i++) {
-            func = functions[i];
-            selector = func.selector;
-
-            // add function selector to target selector set if not in set
-            if (addFunctions) { SelectorSetLib.add(_targetFunctions[target], selector); } 
-            else { SelectorSetLib.remove(_targetFunctions[target], selector); }
-
-            // set function name
-            _functionInfo[target][selector] = func;
-
-            // add bytes4 selector to function selector array
-            functionSelectors[i] = selector.toBytes4();
-            functionNames[i] = func.name.toString();
+        bool isAdminOrPublicRole = AccessAdminLib.checkRoleCreation(this, roleId, info, revertOnExistingRole);
+        if (!isAdminOrPublicRole) {
+            _createRoleUnchecked(roleId, info);
         }
     }
 
-    /// @dev grant the specified role access to all functions in the provided selector list
-    function _grantRoleAccessToFunctions(
-        address target,
+
+    function _createRoleUnchecked(
         RoleId roleId, 
-        bytes4[] memory functionSelectors,
-        string[] memory functionNames,
-        bool allowLockedRoles // admin and public roles are locked
+        RoleInfo memory info
     )
-        internal
-        onlyExistingTarget(target)
-        onlyExistingRole(roleId, true, allowLockedRoles)
+        private
     {
+        // create role info
+        info.createdAt = TimestampLib.current();
+        info.pausedAt = TimestampLib.max();
+        _roleInfo[roleId] = info;
 
-        _authority.setTargetFunctionRole(
-            target,
-            functionSelectors,
-            RoleId.unwrap(roleId));
+        // create role name info
+        _roleForName[info.name] = RoleNameInfo({
+            roleId: roleId,
+            exists: true});
 
-        for (uint256 i = 0; i < functionSelectors.length; i++) {
-            emit LogAccessAdminFunctionGranted(
-                target, 
-                // _getAccountName(target), 
-                // string(abi.encodePacked("", functionSelectors[i])), 
-                functionNames[i], 
-                _getRoleName(roleId));
+        // add role to list of roles
+        _roleIds.push(roleId);
+
+        emit LogAccessAdminRoleCreated(_adminName, roleId, info.targetType, info.adminRoleId, info.name.toString());
+    }
+
+
+    /// @dev Activates or deactivates role.
+    /// The role activ property is indirectly controlled over the pausedAt timestamp.
+    function _setRoleActive(RoleId roleId, bool active)
+        internal
+    {
+        AccessAdminLib.checkRoleExists(this, roleId, false, false);
+
+        if (active) {
+            _roleInfo[roleId].pausedAt = TimestampLib.max();
+        } else {
+            _roleInfo[roleId].pausedAt = TimestampLib.current();
         }
+
+        Blocknumber lastUpdateIn = _roleInfo[roleId].lastUpdateIn;
+        _roleInfo[roleId].lastUpdateIn = BlocknumberLib.current();
+
+        emit LogAccessAdminRoleActivatedSet(_adminName, roleId, active, lastUpdateIn);
     }
 
 
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
-        onlyExistingRole(roleId, true, false)
     {
+        AccessAdminLib.checkRoleExists(this, roleId, true, false);
+
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
-            revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
+            revert ErrorAccessAdminRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
         }
 
         // check account is contract for contract role
         if (
-            _roleInfo[roleId].roleType == RoleType.Contract &&
+            _roleInfo[roleId].targetType != TargetType.Custom &&
             !ContractLib.isContract(account) // will fail in account's constructor
         ) {
-            revert ErrorRoleMemberNotContract(roleId, account);
+            revert ErrorAccessAdminRoleMemberNotContract(roleId, account);
         }
 
-        // TODO check account already have roleId
+        // effects
         _roleMembers[roleId].add(account);
         _authority.grantRole(
             RoleId.unwrap(roleId), 
             account, 
             0);
         
-        emit LogAccessAdminRoleGranted(account, _getRoleName(roleId));
+        emit LogAccessAdminRoleGranted(
+            _adminName, 
+            account, 
+            AccessAdminLib.getRoleName(this, roleId));
     }
 
+
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
-        onlyExistingRole(roleId, false, false)
     {
+        AccessAdminLib.checkRoleExists(this, roleId, false, false);
 
-        // check role removal is permitted
-        if (_roleInfo[roleId].roleType == RoleType.Contract) {
-            revert ErrorRoleMemberRemovalDisabled(roleId, account);
+        // check for attempt to revoke contract role
+        if (_roleInfo[roleId].targetType != TargetType.Custom) {
+            revert ErrorAccessAdminRoleMemberRemovalDisabled(roleId, account);
         }
 
-        // TODO check account have roleId?
+        // effects
         _roleMembers[roleId].remove(account);
         _authority.revokeRole(
             RoleId.unwrap(roleId), 
             account);
 
-        emit LogAccessAdminRoleRevoked(account, _roleInfo[roleId].name.toString());
+        emit LogAccessAdminRoleRevoked(_adminName, account, _roleInfo[roleId].name.toString());
     }
 
 
-    /// @dev Creates a role based on the provided parameters.
-    /// Checks that the provided role and role id and role name not already used.
-    function _createRole(
-        RoleId roleId, 
-        RoleInfo memory info
+    function _getOrCreateTargetRoleIdAndName(
+        address target,
+        string memory targetName,
+        TargetType targetType
     )
         internal
+        returns (
+            RoleId roleId,
+            string memory roleName,
+            bool exists
+        )
     {
-        // check role does not yet exist
-        if(roleExists(roleId)) {
-            revert ErrorRoleAlreadyCreated(
-                roleId, 
-                _roleInfo[roleId].name.toString());
-        }
-
-        // check admin role exists
-        if(!roleExists(info.adminRoleId)) {
-            revert ErrorRoleAdminNotExisting(info.adminRoleId);
-        }
-
-        // check role name is not empty
-        if(info.name.length() == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+        roleName = AccessAdminLib.toRoleName(targetName);
+        (roleId, exists) = getRoleForName(roleName);
+
+        if (exists) {
+            return (roleId, roleName, true);
+        } 
+
+        // get roleId
+        if (targetType == TargetType.Service || targetType == TargetType.GenericService) {
+            roleId = AccessAdminLib.getServiceRoleId(target, targetType); 
+        } else {
+            uint64 nextRoleId = _nextRoleId[targetType];
+            roleId = AccessAdminLib.getTargetRoleId(target, targetType, nextRoleId);
+
+            // increment target type specific role id counter
+            _nextRoleId[targetType]++;
         }
-
-        // check role name is not used for another role
-        if(_roleForName[info.name].exists) {
-            revert ErrorRoleNameAlreadyExists(
-                roleId, 
-                info.name.toString(),
-                _roleForName[info.name].roleId);
-        }
-
-        _createRoleUnchecked(roleId, info);
     }
 
 
-    function _createRoleUnchecked(
-        RoleId roleId, 
-        RoleInfo memory info
+    function _createTarget(
+        address target, 
+        string memory targetName, 
+        TargetType targetType,
+        bool checkAuthority
     )
-        private
+        internal
+        returns (RoleId contractRoleId)
     {
-        // create role info
-        info.createdAt = TimestampLib.blockTimestamp();
-        _roleInfo[roleId] = info;
+        // checks
+        AccessAdminLib.checkTargetCreation(this, target, targetName, checkAuthority);
 
-        // create role name info
-        _roleForName[info.name] = RoleNameInfo({
-            roleId: roleId,
-            exists: true});
-
-        // add role to list of roles
-        _roleIds.push(roleId);
+        // effects
+        contractRoleId = _createTargetUnchecked(
+            target, 
+            targetName, 
+            targetType,
+            checkAuthority);
 
-        emit LogAccessAdminRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
+        // deal with token handler, if applicable
+        (
+            address tokenHandler,
+            string memory tokenHandlerName
+        ) = AccessAdminLib.getTokenHandler(target, targetName, targetType);
+
+        if (tokenHandler != address(0)) {
+            _createTargetUnchecked(
+                tokenHandler, 
+                tokenHandlerName, 
+                targetType,
+                checkAuthority);
+        }
     }
 
 
-    function _createTarget(
+    /// @dev Creates a new target and a corresponding contract role.
+    /// The function assigns the role to the target and logs the creation.
+    function _createTargetUnchecked(
         address target, 
         string memory targetName, 
-        bool checkAuthority,
-        bool custom
+        TargetType targetType,
+        bool managed
     )
         internal
+        returns (RoleId targetRoleId)
     {
-        // check target does not yet exist
-        if(targetExists(target)) {
-            revert ErrorTargetAlreadyCreated(
-                target, 
-                _targetInfo[target].name.toString());
-        }
-
-        // check target name is not empty
-        Str name = StrLib.toStr(targetName);
-        if(name.length() == 0) {
-            revert ErrorTargetNameEmpty(target);
-        }
-
-        // check target name is not used for another target
-        if( _targetForName[name] != address(0)) {
-            revert ErrorTargetNameAlreadyExists(
-                target, 
-                targetName,
-                _targetForName[name]);
-        }
-
-        // check target is an access managed contract
-        if (!_isAccessManaged(target)) {
-            revert ErrorTargetNotAccessManaged(target);
-        }
-
-        // check target shares authority with this contract
-        if (checkAuthority) {
-            address targetAuthority = AccessManagedUpgradeable(target).authority();
-            if (targetAuthority != authority()) {
-                revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
-            }
+        // create target role (if not existing)
+        string memory roleName;
+        bool roleExists;
+        (targetRoleId, roleName, roleExists) = _getOrCreateTargetRoleIdAndName(target, targetName, targetType);
+
+        if (!roleExists) {
+            _createRole(
+                targetRoleId, 
+                AccessAdminLib.roleInfo(
+                    ADMIN_ROLE(), 
+                    targetType, 
+                    1, 
+                    roleName),
+                true); // revert on existing role
         }
 
         // create target info
+        Str name = StrLib.toStr(targetName);
         _targetInfo[target] = TargetInfo({
             name: name,
-            isCustom: custom,
-            createdAt: TimestampLib.blockTimestamp()
-        });
+            targetType: targetType,
+            roleId: targetRoleId,
+            createdAt: TimestampLib.current(),
+            lastUpdateIn: BlocknumberLib.current()});
 
         // create name to target mapping
         _targetForName[name] = target;
 
-        // add role to list of roles
+        // add target to list of targets
         _targets.push(target);
 
-        emit LogAccessAdminTargetCreated(target, targetName);
+        // grant contract role to target
+        _grantRoleToAccount(targetRoleId, target);
+
+        emit LogAccessAdminTargetCreated(_adminName, targetName, managed, target, targetRoleId);
     }
 
 
-    function _isAccessManaged(address target)
+    function _setTargetLocked(address target, bool locked)
         internal
-        view
-        returns (bool)
     {
-        if (!ContractLib.isContract(target)) {
-            return false;
-        }
+        AccessAdminLib.checkTargetExists(this, target);
+        _authority.setTargetClosed(target, locked);
 
-        (bool success, ) = target.staticcall(
-            abi.encodeWithSelector(
-                IAccessManagedChecker.authority.selector));
+        // logging
+        Blocknumber lastUpdateIn = _targetInfo[target].lastUpdateIn;
+        _targetInfo[target].lastUpdateIn = BlocknumberLib.current();
 
-        return success;
+        emit LogAccessAdminTargetLockedSet(_adminName, target, locked, lastUpdateIn);
     }
 
 
-    function _setTargetClosed(address target, bool locked)
+    /// @dev Authorize the functions of the target for the specified role.
+    function _authorizeFunctions(IAuthorization authorization, Str target, RoleId roleId)
         internal
     {
-        _checkTarget(target);
+        _authorizeTargetFunctions(
+            getTargetForName(target),
+            AccessAdminLib.getAuthorizedRole(
+                this, 
+                authorization, 
+                roleId),
+            authorization.getAuthorizedFunctions(
+                target, 
+                roleId),
+            false,
+            true);
+    }
 
-        // target locked/unlocked already
-        if(_authority.isTargetClosed(target) == locked) {
-            revert ErrorTargetAlreadyLocked(target, locked);
-        }
 
-        _authority.setTargetClosed(target, locked);
-    }
+    /// @dev Authorize the functions of the target for the specified role.
+    /// Flag addFunctions determines if functions are added or removed.
+    function _authorizeTargetFunctions(
+        address target, 
+        RoleId roleId, 
+        FunctionInfo[] memory functions,
+        bool onlyComponentOrContractTargets,
+        bool addFunctions
+    )
+        internal
+    {
+        // checks
+        AccessAdminLib.checkTargetAndRoleForFunctions(
+            this, 
+            target, 
+            roleId,
+            onlyComponentOrContractTargets);
 
-    function _getAccountName(address account) internal view returns (string memory) {
-        if (targetExists(account)) {
-            return _targetInfo[account].name.toString();
+        if (addFunctions && roleId == getAdminRole()) {
+            revert ErrorAccessAdminAuthorizeForAdminRoleInvalid(target);
         }
-        return "<unknown-account>";
-    }
 
+        _authority.setTargetFunctionRole(
+            target,
+            AccessAdminLib.getSelectors(functions),
+            RoleId.unwrap(roleId));
 
-    function _getRoleName(RoleId roleId) internal view returns (string memory) {
-        if (roleExists(roleId)) {
-            return _roleInfo[roleId].name.toString();
+        // update function set and log function grantings
+        for (uint256 i = 0; i < functions.length; i++) {
+            _updateFunctionAccess(
+                target, 
+                roleId,
+                functions[i], 
+                addFunctions);
         }
-        return "<unknown-role>";
     }
 
 
-    function _checkRoleExists(
-        RoleId roleId, 
-        bool onlyActiveRole
+    function _updateFunctionAccess(
+        address target, 
+        RoleId roleId,
+        FunctionInfo memory func, 
+        bool addFunction
     )
         internal
-        view
     {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        // update functions info
+        Selector selector = func.selector;
+        Blocknumber lastUpdateIn = _functionInfo[target][selector].lastUpdateIn;
 
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()) {
-            revert ErrorRoleIsLocked(roleId);
-        }
+        // update function sets
+        if (addFunction) { SelectorSetLib.add(_targetFunctions[target], selector); } 
+        else { SelectorSetLib.remove(_targetFunctions[target], selector); }
 
-        // check if role is disabled
-        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
-            revert ErrorRoleIsPaused(roleId);
-        }
+        _functionInfo[target][selector] = func;
+        _functionInfo[target][selector].lastUpdateIn = BlocknumberLib.current();
+
+        // logging
+        emit LogAccessAdminFunctionGranted(
+            _adminName, 
+            target, 
+            AccessAdminLib.toFunctionGrantingString(this, func.name, roleId),
+            lastUpdateIn);
     }
 
 
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
+    function _checkAuthorization( 
+        address authorization,
+        ObjectType expectedDomain, 
+        VersionPart expectedRelease,
+        bool expectServiceAuthorization,
+        bool checkAlreadyInitialized
+    )
         internal
         view
     {
-        if (!targetExists(target)) {
-            revert ErrorTargetUnknown(target);
-        }
+        AccessAdminLib.checkAuthorization(
+            address(_authorization), 
+            authorization, 
+            expectedDomain, 
+            expectedRelease, 
+            expectServiceAuthorization,
+            checkAlreadyInitialized);
     }
 }