fix: use column for latest val based on table being used

* fix(openapi): make the error and status as mandatory

* fix(openapi): fix the frontend types

docs/api/openapi.yml

@@ -92,6 +92,19 @@ components:
         tokenType:
           type: string
       type: object
+    AuthtypesGettableTransaction:
+      properties:
+        authorized:
+          type: boolean
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      required:
+      - relation
+      - object
+      - authorized
+      type: object
     AuthtypesGoogleConfig:
       properties:
         allowedGroups:
@@ -117,6 +130,8 @@ components:
         serviceAccountJson:
           type: string
       type: object
+    AuthtypesName:
+      type: object
     AuthtypesOIDCConfig:
       properties:
         claimMapping:
@@ -134,6 +149,16 @@ components:
         issuerAlias:
           type: string
       type: object
+    AuthtypesObject:
+      properties:
+        resource:
+          $ref: '#/components/schemas/AuthtypesResource'
+        selector:
+          $ref: '#/components/schemas/AuthtypesSelector'
+      required:
+      - resource
+      - selector
+      type: object
     AuthtypesOrgSessionContext:
       properties:
         authNSupport:
@@ -171,6 +196,16 @@ components:
         refreshToken:
           type: string
       type: object
+    AuthtypesResource:
+      properties:
+        name:
+          $ref: '#/components/schemas/AuthtypesName'
+        type:
+          type: string
+      required:
+      - name
+      - type
+      type: object
     AuthtypesRoleMapping:
       properties:
         defaultRole:
@@ -196,6 +231,8 @@ components:
         samlIdp:
           type: string
       type: object
+    AuthtypesSelector:
+      type: object
     AuthtypesSessionContext:
       properties:
         exists:
@@ -206,6 +243,18 @@ components:
           nullable: true
           type: array
       type: object
+    AuthtypesTransaction:
+      properties:
+        id:
+          type: string
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      required:
+      - relation
+      - object
+      type: object
     AuthtypesUpdateableAuthDomain:
       properties:
         config:
@@ -277,6 +326,9 @@ components:
           type: string
         url:
           type: string
+      required:
+      - code
+      - message
       type: object
     ErrorsResponseerroradditional:
       properties:
@@ -1612,6 +1664,59 @@ components:
           $ref: '#/components/schemas/ErrorsJSON'
         status:
           type: string
+      required:
+      - status
+      - error
+      type: object
+    RoletypesGettableResources:
+      properties:
+        relations:
+          additionalProperties:
+            items:
+              type: string
+            type: array
+          nullable: true
+          type: object
+        resources:
+          items:
+            $ref: '#/components/schemas/AuthtypesResource'
+          nullable: true
+          type: array
+      required:
+      - resources
+      - relations
+      type: object
+    RoletypesPatchableObjects:
+      properties:
+        additions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+        deletions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+      required:
+      - additions
+      - deletions
+      type: object
+    RoletypesPatchableRole:
+      properties:
+        description:
+          type: string
+      required:
+      - description
+      type: object
+    RoletypesPostableRole:
+      properties:
+        description:
+          type: string
+        name:
+          type: string
+      required:
+      - name
       type: object
     RoletypesRole:
       properties:
@@ -1631,6 +1736,11 @@ components:
         updatedAt:
           format: date-time
           type: string
+      required:
+      - name
+      - description
+      - type
+      - orgId
       type: object
     TelemetrytypesFieldContext:
       enum:
@@ -2022,6 +2132,44 @@ info:
   version: ""
 openapi: 3.0.3
 paths:
+  /api/v1/authz/check:
+    post:
+      deprecated: false
+      description: Checks if the authenticated user has permissions for given transactions
+      operationId: AuthzCheck
+      requestBody:
+        content:
+          application/json:
+            schema:
+              items:
+                $ref: '#/components/schemas/AuthtypesTransaction'
+              type: array
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesGettableTransaction'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Check permissions
+      tags:
+      - authz
   /api/v1/changePassword/{id}:
     post:
       deprecated: false
@@ -2094,6 +2242,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: See Other
         "400":
@@ -2132,6 +2283,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: See Other
         "400":
@@ -2195,6 +2349,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: See Other
         "400":
@@ -2289,6 +2446,9 @@ paths:
                     $ref: '#/components/schemas/DashboardtypesGettablePublicDasbhboard'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2343,6 +2503,9 @@ paths:
                     $ref: '#/components/schemas/TypesIdentifiable'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
         "401":
@@ -2436,6 +2599,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2483,6 +2649,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableAuthDomain'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -2679,6 +2848,9 @@ paths:
                     $ref: '#/components/schemas/TelemetrytypesGettableFieldKeys'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2769,6 +2941,9 @@ paths:
                     $ref: '#/components/schemas/TelemetrytypesGettableFieldValues'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2818,6 +2993,9 @@ paths:
                     $ref: '#/components/schemas/TypesResetPasswordToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -2873,6 +3051,9 @@ paths:
                     $ref: '#/components/schemas/TypesGettableGlobalConfig'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2918,6 +3099,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -2965,6 +3149,9 @@ paths:
                     $ref: '#/components/schemas/TypesInvite'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
         "400":
@@ -3078,6 +3265,9 @@ paths:
                     $ref: '#/components/schemas/TypesInvite'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -3121,6 +3311,9 @@ paths:
                     $ref: '#/components/schemas/TypesUser'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
         "400":
@@ -3215,6 +3408,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -3313,6 +3509,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3362,6 +3561,9 @@ paths:
                     $ref: '#/components/schemas/PreferencetypesPreference'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -3475,6 +3677,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3522,6 +3727,9 @@ paths:
                     $ref: '#/components/schemas/TypesGettableAPIKey'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
         "400":
@@ -3689,6 +3897,9 @@ paths:
                     $ref: '#/components/schemas/DashboardtypesGettablePublicDashboardData'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3742,6 +3953,9 @@ paths:
                     $ref: '#/components/schemas/Querybuildertypesv5QueryRangeResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3819,6 +4033,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3851,6 +4068,11 @@ paths:
       deprecated: false
       description: This endpoint creates a role
       operationId: CreateRole
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPostableRole'
       responses:
         "201":
           content:
@@ -3861,8 +4083,17 @@ paths:
                     $ref: '#/components/schemas/TypesIdentifiable'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
         "401":
           content:
             application/json:
@@ -3875,12 +4106,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3919,12 +4168,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3953,6 +4220,9 @@ paths:
                     $ref: '#/components/schemas/RoletypesRole'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -3991,6 +4261,11 @@ paths:
         required: true
         schema:
           type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableRole'
       responses:
         "204":
           content:
@@ -4010,6 +4285,226 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch role
+      tags:
+      - role
+  /api/v1/roles/{id}/relation/{relation}/objects:
+    get:
+      deprecated: false
+      description: Gets all objects connected to the specified role via a given relation
+        type
+      operationId: GetObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesObject'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get objects for a role by relation
+      tags:
+      - role
+    patch:
+      deprecated: false
+      description: Patches the objects connected to the specified role via a given
+        relation type
+      operationId: PatchObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableObjects'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch objects for a role by relation
+      tags:
+      - role
+  /api/v1/roles/resources:
+    get:
+      deprecated: false
+      description: Gets all the available resources for role assignment
+      operationId: GetResources
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/RoletypesGettableResources'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
         "500":
           content:
             application/json:
@@ -4021,7 +4516,7 @@ paths:
         - ADMIN
       - tokenizer:
         - ADMIN
-      summary: Patch role
+      summary: Get resources
       tags:
       - role
   /api/v1/user:
@@ -4041,6 +4536,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4135,6 +4633,9 @@ paths:
                     $ref: '#/components/schemas/TypesUser'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4194,6 +4695,9 @@ paths:
                     $ref: '#/components/schemas/TypesUser'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -4249,6 +4753,9 @@ paths:
                     $ref: '#/components/schemas/TypesUser'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4291,6 +4798,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4340,6 +4850,9 @@ paths:
                     $ref: '#/components/schemas/PreferencetypesPreference'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4482,6 +4995,9 @@ paths:
                     type: array
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4534,6 +5050,9 @@ paths:
                     $ref: '#/components/schemas/GatewaytypesGettableIngestionKeys'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4581,6 +5100,9 @@ paths:
                     $ref: '#/components/schemas/GatewaytypesGettableCreatedIngestionKey'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4719,6 +5241,9 @@ paths:
                     $ref: '#/components/schemas/GatewaytypesGettableCreatedIngestionKeyLimit'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: Created
         "401":
@@ -4860,6 +5385,9 @@ paths:
                     $ref: '#/components/schemas/GatewaytypesGettableIngestionKeys'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -4923,6 +5451,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesListMetricsResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -4978,6 +5509,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesMetricAlertsResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5044,6 +5578,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesMetricAttributesResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5099,6 +5636,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesMetricDashboardsResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5155,6 +5695,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesMetricHighlightsResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5211,6 +5754,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesMetricMetadata'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5327,6 +5873,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesStatsResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5382,6 +5931,9 @@ paths:
                     $ref: '#/components/schemas/MetricsexplorertypesTreemapResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5431,6 +5983,9 @@ paths:
                     $ref: '#/components/schemas/TypesOrganization'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "401":
@@ -5561,6 +6116,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesSessionContext'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5598,6 +6156,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5641,6 +6202,9 @@ paths:
                     $ref: '#/components/schemas/AuthtypesGettableToken'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -5673,6 +6237,9 @@ paths:
                     $ref: '#/components/schemas/ZeustypesGettableHost'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -6187,6 +6754,9 @@ paths:
                     $ref: '#/components/schemas/Querybuildertypesv5QueryRangeResponse'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":
@@ -6241,6 +6811,9 @@ paths:
                     $ref: '#/components/schemas/Querybuildertypesv5QueryRangeRequest'
                   status:
                     type: string
+                required:
+                - status
+                - data
                 type: object
           description: OK
         "400":

ee/authz/openfgaauthz/provider.go

@@ -62,10 +62,6 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.openfgaServer.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return provider.openfgaServer.Check(ctx, tuple)
-}
-
 func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.openfgaServer.CheckWithTupleCreation(ctx, claims, orgID, relation, typeable, selectors, roleSelectors)
 }
@@ -74,8 +70,8 @@ func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Contex
 	return provider.openfgaServer.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, roleSelectors)
 }
 
-func (provider *provider) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
-	return provider.openfgaServer.BatchCheck(ctx, tuples)
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
+	return provider.openfgaServer.BatchCheck(ctx, tupleReq)
 }
 
 func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
@@ -187,6 +183,11 @@ func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource
 }
 
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
+	_, err := provider.licensing.GetActive(ctx, orgID)
+	if err != nil {
+		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
+	}
+
 	storableRole, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return nil, err
@@ -198,7 +199,7 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 			resourceObjects, err := provider.
 				ListObjects(
 					ctx,
-					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.ID.String(), orgID, &authtypes.RelationAssignee),
+					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
 					relation,
 					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
 				)

ee/authz/openfgaserver/server.go

@@ -2,8 +2,10 @@ package openfgaserver
 
 import (
 	"context"
+	"strconv"
 
 	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -28,27 +30,34 @@ func (server *Server) Stop(ctx context.Context) error {
 	return server.pkgAuthzService.Stop(ctx)
 }
 
-func (server *Server) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return server.pkgAuthzService.Check(ctx, tuple)
-}
-
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
@@ -57,21 +66,32 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
-func (server *Server) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
-	return server.pkgAuthzService.BatchCheck(ctx, tuples)
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
+	return server.pkgAuthzService.BatchCheck(ctx, tupleReq)
 }
 
 func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {

ee/modules/dashboard/impldashboard/module.go

@@ -220,6 +220,7 @@ func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.T
 	return map[string][]*authtypes.Transaction{
 		roletypes.SigNozAnonymousRoleName: {
 			{
+				ID:       valuer.GenerateUUID(),
 				Relation: authtypes.RelationRead,
 				Object: *authtypes.MustNewObject(
 					authtypes.Resource{

frontend/src/api/generated/services/authz/index.ts

@@ -0,0 +1,107 @@
+/**
+ * ! Do not edit manually
+ * * The file has been auto-generated using Orval for SigNoz
+ * * regenerate with 'yarn generate:api'
+ * SigNoz
+ */
+import type {
+	MutationFunction,
+	UseMutationOptions,
+	UseMutationResult,
+} from 'react-query';
+import { useMutation } from 'react-query';
+
+import { GeneratedAPIInstance } from '../../../index';
+import type {
+	AuthtypesTransactionDTO,
+	AuthzCheck200,
+	RenderErrorResponseDTO,
+} from '../sigNoz.schemas';
+
+type AwaitedInput<T> = PromiseLike<T> | T;
+
+type Awaited<O> = O extends AwaitedInput<infer T> ? T : never;
+
+/**
+ * Checks if the authenticated user has permissions for given transactions
+ * @summary Check permissions
+ */
+export const authzCheck = (
+	authtypesTransactionDTO: AuthtypesTransactionDTO[],
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<AuthzCheck200>({
+		url: `/api/v1/authz/check`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: authtypesTransactionDTO,
+		signal,
+	});
+};
+
+export const getAuthzCheckMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationKey = ['authzCheck'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof authzCheck>>,
+		{ data: AuthtypesTransactionDTO[] }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return authzCheck(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type AuthzCheckMutationResult = NonNullable<
+	Awaited<ReturnType<typeof authzCheck>>
+>;
+export type AuthzCheckMutationBody = AuthtypesTransactionDTO[];
+export type AuthzCheckMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Check permissions
+ */
+export const useAuthzCheck = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationOptions = getAuthzCheckMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};

frontend/src/api/generated/services/role/index.ts

@@ -21,11 +21,18 @@ import { GeneratedAPIInstance } from '../../../index';
 import type {
 	CreateRole201,
 	DeleteRolePathParameters,
+	GetObjects200,
+	GetObjectsPathParameters,
+	GetResources200,
 	GetRole200,
 	GetRolePathParameters,
 	ListRoles200,
+	PatchObjectsPathParameters,
 	PatchRolePathParameters,
 	RenderErrorResponseDTO,
+	RoletypesPatchableObjectsDTO,
+	RoletypesPatchableRoleDTO,
+	RoletypesPostableRoleDTO,
 } from '../sigNoz.schemas';
 
 type AwaitedInput<T> = PromiseLike<T> | T;
@@ -114,10 +121,15 @@ export const invalidateListRoles = async (
  * This endpoint creates a role
  * @summary Create role
  */
-export const createRole = (signal?: AbortSignal) => {
+export const createRole = (
+	roletypesPostableRoleDTO: RoletypesPostableRoleDTO,
+	signal?: AbortSignal,
+) => {
 	return GeneratedAPIInstance<CreateRole201>({
 		url: `/api/v1/roles`,
 		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPostableRoleDTO,
 		signal,
 	});
 };
@@ -129,13 +141,13 @@ export const getCreateRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['createRole'];
@@ -149,9 +161,11 @@ export const getCreateRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof createRole>>,
-		void
-	> = () => {
-		return createRole();
+		{ data: RoletypesPostableRoleDTO }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return createRole(data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -160,7 +174,7 @@ export const getCreateRoleMutationOptions = <
 export type CreateRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof createRole>>
 >;
-
+export type CreateRoleMutationBody = RoletypesPostableRoleDTO;
 export type CreateRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -173,13 +187,13 @@ export const useCreateRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getCreateRoleMutationOptions(options);
@@ -358,10 +372,15 @@ export const invalidateGetRole = async (
  * This endpoint patches a role
  * @summary Patch role
  */
-export const patchRole = ({ id }: PatchRolePathParameters) => {
+export const patchRole = (
+	{ id }: PatchRolePathParameters,
+	roletypesPatchableRoleDTO: RoletypesPatchableRoleDTO,
+) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/roles/${id}`,
 		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableRoleDTO,
 	});
 };
 
@@ -372,13 +391,13 @@ export const getPatchRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['patchRole'];
@@ -392,11 +411,11 @@ export const getPatchRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof patchRole>>,
-		{ pathParams: PatchRolePathParameters }
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO }
 	> = (props) => {
-		const { pathParams } = props ?? {};
+		const { pathParams, data } = props ?? {};
 
-		return patchRole(pathParams);
+		return patchRole(pathParams, data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -405,7 +424,7 @@ export const getPatchRoleMutationOptions = <
 export type PatchRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof patchRole>>
 >;
-
+export type PatchRoleMutationBody = RoletypesPatchableRoleDTO;
 export type PatchRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -418,16 +437,292 @@ export const usePatchRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getPatchRoleMutationOptions(options);
 
 	return useMutation(mutationOptions);
 };
+/**
+ * Gets all objects connected to the specified role via a given relation type
+ * @summary Get objects for a role by relation
+ */
+export const getObjects = (
+	{ id, relation }: GetObjectsPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetObjects200>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetObjectsQueryKey = ({
+	id,
+	relation,
+}: GetObjectsPathParameters) => {
+	return ['getObjects'] as const;
+};
+
+export const getGetObjectsQueryOptions = <
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getGetObjectsQueryKey({ id, relation });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getObjects>>> = ({
+		signal,
+	}) => getObjects({ id, relation }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!(id && relation),
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getObjects>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetObjectsQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getObjects>>
+>;
+export type GetObjectsQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get objects for a role by relation
+ */
+
+export function useGetObjects<
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetObjectsQueryOptions({ id, relation }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get objects for a role by relation
+ */
+export const invalidateGetObjects = async (
+	queryClient: QueryClient,
+	{ id, relation }: GetObjectsPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetObjectsQueryKey({ id, relation }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * Patches the objects connected to the specified role via a given relation type
+ * @summary Patch objects for a role by relation
+ */
+export const patchObjects = (
+	{ id, relation }: PatchObjectsPathParameters,
+	roletypesPatchableObjectsDTO: RoletypesPatchableObjectsDTO,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableObjectsDTO,
+	});
+};
+
+export const getPatchObjectsMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationKey = ['patchObjects'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof patchObjects>>,
+		{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO }
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return patchObjects(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type PatchObjectsMutationResult = NonNullable<
+	Awaited<ReturnType<typeof patchObjects>>
+>;
+export type PatchObjectsMutationBody = RoletypesPatchableObjectsDTO;
+export type PatchObjectsMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Patch objects for a role by relation
+ */
+export const usePatchObjects = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationOptions = getPatchObjectsMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * Gets all the available resources for role assignment
+ * @summary Get resources
+ */
+export const getResources = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<GetResources200>({
+		url: `/api/v1/roles/resources`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetResourcesQueryKey = () => {
+	return ['getResources'] as const;
+};
+
+export const getGetResourcesQueryOptions = <
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetResourcesQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getResources>>> = ({
+		signal,
+	}) => getResources(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetResourcesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getResources>>
+>;
+export type GetResourcesQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get resources
+ */
+
+export function useGetResources<
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetResourcesQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get resources
+ */
+export const invalidateGetResources = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetResourcesQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -127,6 +127,18 @@ export interface AuthtypesGettableTokenDTO {
 	tokenType?: string;
 }
 
+export interface AuthtypesGettableTransactionDTO {
+	/**
+	 * @type boolean
+	 */
+	authorized: boolean;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
+}
+
 export type AuthtypesGoogleConfigDTODomainToAdminEmail = {
 	[key: string]: string;
 };
@@ -170,6 +182,10 @@ export interface AuthtypesGoogleConfigDTO {
 	serviceAccountJson?: string;
 }
 
+export interface AuthtypesNameDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesOIDCConfigDTO {
 	claimMapping?: AuthtypesAttributeMappingDTO;
 	/**
@@ -198,6 +214,11 @@ export interface AuthtypesOIDCConfigDTO {
 	issuerAlias?: string;
 }
 
+export interface AuthtypesObjectDTO {
+	resource: AuthtypesResourceDTO;
+	selector: AuthtypesSelectorDTO;
+}
+
 export interface AuthtypesOrgSessionContextDTO {
 	authNSupport?: AuthtypesAuthNSupportDTO;
 	/**
@@ -248,6 +269,14 @@ export interface AuthtypesPostableRotateTokenDTO {
 	refreshToken?: string;
 }
 
+export interface AuthtypesResourceDTO {
+	name: AuthtypesNameDTO;
+	/**
+	 * @type string
+	 */
+	type: string;
+}
+
 /**
  * @nullable
  */
@@ -291,6 +320,10 @@ export interface AuthtypesSamlConfigDTO {
 	samlIdp?: string;
 }
 
+export interface AuthtypesSelectorDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesSessionContextDTO {
 	/**
 	 * @type boolean
@@ -303,6 +336,18 @@ export interface AuthtypesSessionContextDTO {
 	orgs?: AuthtypesOrgSessionContextDTO[] | null;
 }
 
+export interface AuthtypesTransactionDTO {
+	/**
+	 * @type string
+	 */
+	id?: string;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
+}
+
 export interface AuthtypesUpdateableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }
@@ -391,7 +436,7 @@ export interface ErrorsJSONDTO {
 	/**
 	 * @type string
 	 */
-	code?: string;
+	code: string;
 	/**
 	 * @type array
 	 */
@@ -399,7 +444,7 @@ export interface ErrorsJSONDTO {
 	/**
 	 * @type string
 	 */
-	message?: string;
+	message: string;
 	/**
 	 * @type string
 	 */
@@ -1940,11 +1985,62 @@ export enum Querybuildertypesv5VariableTypeDTO {
 	text = 'text',
 }
 export interface RenderErrorResponseDTO {
-	error?: ErrorsJSONDTO;
+	error: ErrorsJSONDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
+}
+
+/**
+ * @nullable
+ */
+export type RoletypesGettableResourcesDTORelations = {
+	[key: string]: string[];
+} | null;
+
+export interface RoletypesGettableResourcesDTO {
+	/**
+	 * @type object
+	 * @nullable true
+	 */
+	relations: RoletypesGettableResourcesDTORelations;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	resources: AuthtypesResourceDTO[] | null;
+}
+
+export interface RoletypesPatchableObjectsDTO {
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	additions: AuthtypesObjectDTO[] | null;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	deletions: AuthtypesObjectDTO[] | null;
+}
+
+export interface RoletypesPatchableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description: string;
+}
+
+export interface RoletypesPostableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description?: string;
+	/**
+	 * @type string
+	 */
+	name: string;
 }
 
 export interface RoletypesRoleDTO {
@@ -1956,7 +2052,7 @@ export interface RoletypesRoleDTO {
 	/**
 	 * @type string
 	 */
-	description?: string;
+	description: string;
 	/**
 	 * @type string
 	 */
@@ -1964,15 +2060,15 @@ export interface RoletypesRoleDTO {
 	/**
 	 * @type string
 	 */
-	name?: string;
+	name: string;
 	/**
 	 * @type string
 	 */
-	orgId?: string;
+	orgId: string;
 	/**
 	 * @type string
 	 */
-	type?: string;
+	type: string;
 	/**
 	 * @type string
 	 * @format date-time
@@ -2499,23 +2595,34 @@ export interface ZeustypesPostableProfileDTO {
 	where_did_you_discover_signoz: string;
 }
 
+export type AuthzCheck200 = {
+	/**
+	 * @type array
+	 */
+	data: AuthtypesGettableTransactionDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type ChangePasswordPathParameters = {
 	id: string;
 };
 export type CreateSessionByGoogleCallback303 = {
-	data?: AuthtypesGettableTokenDTO;
+	data: AuthtypesGettableTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateSessionByOIDCCallback303 = {
-	data?: AuthtypesGettableTokenDTO;
+	data: AuthtypesGettableTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateSessionBySAMLCallbackParams = {
@@ -2543,11 +2650,11 @@ export type CreateSessionBySAMLCallbackBody = {
 };
 
 export type CreateSessionBySAMLCallback303 = {
-	data?: AuthtypesGettableTokenDTO;
+	data: AuthtypesGettableTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeletePublicDashboardPathParameters = {
@@ -2557,22 +2664,22 @@ export type GetPublicDashboardPathParameters = {
 	id: string;
 };
 export type GetPublicDashboard200 = {
-	data?: DashboardtypesGettablePublicDasbhboardDTO;
+	data: DashboardtypesGettablePublicDasbhboardDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreatePublicDashboardPathParameters = {
 	id: string;
 };
 export type CreatePublicDashboard201 = {
-	data?: TypesIdentifiableDTO;
+	data: TypesIdentifiableDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type UpdatePublicDashboardPathParameters = {
@@ -2582,19 +2689,19 @@ export type ListAuthDomains200 = {
 	/**
 	 * @type array
 	 */
-	data?: AuthtypesGettableAuthDomainDTO[];
+	data: AuthtypesGettableAuthDomainDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateAuthDomain200 = {
-	data?: AuthtypesGettableAuthDomainDTO;
+	data: AuthtypesGettableAuthDomainDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteAuthDomainPathParameters = {
@@ -2650,11 +2757,11 @@ export type GetFieldsKeysParams = {
 };
 
 export type GetFieldsKeys200 = {
-	data?: TelemetrytypesGettableFieldKeysDTO;
+	data: TelemetrytypesGettableFieldKeysDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetFieldsValuesParams = {
@@ -2714,49 +2821,49 @@ export type GetFieldsValuesParams = {
 };
 
 export type GetFieldsValues200 = {
-	data?: TelemetrytypesGettableFieldValuesDTO;
+	data: TelemetrytypesGettableFieldValuesDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetResetPasswordTokenPathParameters = {
 	id: string;
 };
 export type GetResetPasswordToken200 = {
-	data?: TypesResetPasswordTokenDTO;
+	data: TypesResetPasswordTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetGlobalConfig200 = {
-	data?: TypesGettableGlobalConfigDTO;
+	data: TypesGettableGlobalConfigDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListInvite200 = {
 	/**
 	 * @type array
 	 */
-	data?: TypesInviteDTO[];
+	data: TypesInviteDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateInvite201 = {
-	data?: TypesInviteDTO;
+	data: TypesInviteDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteInvitePathParameters = {
@@ -2766,19 +2873,19 @@ export type GetInvitePathParameters = {
 	token: string;
 };
 export type GetInvite200 = {
-	data?: TypesInviteDTO;
+	data: TypesInviteDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type AcceptInvite201 = {
-	data?: TypesUserDTO;
+	data: TypesUserDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListPromotedAndIndexedPaths200 = {
@@ -2786,33 +2893,33 @@ export type ListPromotedAndIndexedPaths200 = {
 	 * @type array
 	 * @nullable true
 	 */
-	data?: PromotetypesPromotePathDTO[] | null;
+	data: PromotetypesPromotePathDTO[] | null;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListOrgPreferences200 = {
 	/**
 	 * @type array
 	 */
-	data?: PreferencetypesPreferenceDTO[];
+	data: PreferencetypesPreferenceDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetOrgPreferencePathParameters = {
 	name: string;
 };
 export type GetOrgPreference200 = {
-	data?: PreferencetypesPreferenceDTO;
+	data: PreferencetypesPreferenceDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type UpdateOrgPreferencePathParameters = {
@@ -2822,19 +2929,19 @@ export type ListAPIKeys200 = {
 	/**
 	 * @type array
 	 */
-	data?: TypesGettableAPIKeyDTO[];
+	data: TypesGettableAPIKeyDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateAPIKey201 = {
-	data?: TypesGettableAPIKeyDTO;
+	data: TypesGettableAPIKeyDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type RevokeAPIKeyPathParameters = {
@@ -2847,11 +2954,11 @@ export type GetPublicDashboardDataPathParameters = {
 	id: string;
 };
 export type GetPublicDashboardData200 = {
-	data?: DashboardtypesGettablePublicDashboardDataDTO;
+	data: DashboardtypesGettablePublicDashboardDataDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetPublicDashboardWidgetQueryRangePathParameters = {
@@ -2859,30 +2966,30 @@ export type GetPublicDashboardWidgetQueryRangePathParameters = {
 	idx: string;
 };
 export type GetPublicDashboardWidgetQueryRange200 = {
-	data?: Querybuildertypesv5QueryRangeResponseDTO;
+	data: Querybuildertypesv5QueryRangeResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListRoles200 = {
 	/**
 	 * @type array
 	 */
-	data?: RoletypesRoleDTO[];
+	data: RoletypesRoleDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateRole201 = {
-	data?: TypesIdentifiableDTO;
+	data: TypesIdentifiableDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteRolePathParameters = {
@@ -2892,25 +2999,52 @@ export type GetRolePathParameters = {
 	id: string;
 };
 export type GetRole200 = {
-	data?: RoletypesRoleDTO;
+	data: RoletypesRoleDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type PatchRolePathParameters = {
 	id: string;
 };
+export type GetObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetObjects200 = {
+	/**
+	 * @type array
+	 */
+	data: AuthtypesObjectDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type PatchObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetResources200 = {
+	data: RoletypesGettableResourcesDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type ListUsers200 = {
 	/**
 	 * @type array
 	 */
-	data?: TypesUserDTO[];
+	data: TypesUserDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteUserPathParameters = {
@@ -2920,52 +3054,52 @@ export type GetUserPathParameters = {
 	id: string;
 };
 export type GetUser200 = {
-	data?: TypesUserDTO;
+	data: TypesUserDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type UpdateUserPathParameters = {
 	id: string;
 };
 export type UpdateUser200 = {
-	data?: TypesUserDTO;
+	data: TypesUserDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMyUser200 = {
-	data?: TypesUserDTO;
+	data: TypesUserDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListUserPreferences200 = {
 	/**
 	 * @type array
 	 */
-	data?: PreferencetypesPreferenceDTO[];
+	data: PreferencetypesPreferenceDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetUserPreferencePathParameters = {
 	name: string;
 };
 export type GetUserPreference200 = {
-	data?: PreferencetypesPreferenceDTO;
+	data: PreferencetypesPreferenceDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type UpdateUserPreferencePathParameters = {
@@ -2975,11 +3109,11 @@ export type GetFeatures200 = {
 	/**
 	 * @type array
 	 */
-	data?: FeaturetypesGettableFeatureDTO[];
+	data: FeaturetypesGettableFeatureDTO[];
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetIngestionKeysParams = {
@@ -2996,19 +3130,19 @@ export type GetIngestionKeysParams = {
 };
 
 export type GetIngestionKeys200 = {
-	data?: GatewaytypesGettableIngestionKeysDTO;
+	data: GatewaytypesGettableIngestionKeysDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateIngestionKey200 = {
-	data?: GatewaytypesGettableCreatedIngestionKeyDTO;
+	data: GatewaytypesGettableCreatedIngestionKeyDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteIngestionKeyPathParameters = {
@@ -3021,11 +3155,11 @@ export type CreateIngestionKeyLimitPathParameters = {
 	keyId: string;
 };
 export type CreateIngestionKeyLimit201 = {
-	data?: GatewaytypesGettableCreatedIngestionKeyLimitDTO;
+	data: GatewaytypesGettableCreatedIngestionKeyLimitDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type DeleteIngestionKeyLimitPathParameters = {
@@ -3053,11 +3187,11 @@ export type SearchIngestionKeysParams = {
 };
 
 export type SearchIngestionKeys200 = {
-	data?: GatewaytypesGettableIngestionKeysDTO;
+	data: GatewaytypesGettableIngestionKeysDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ListMetricsParams = {
@@ -3086,22 +3220,22 @@ export type ListMetricsParams = {
 };
 
 export type ListMetrics200 = {
-	data?: MetricsexplorertypesListMetricsResponseDTO;
+	data: MetricsexplorertypesListMetricsResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricAlertsPathParameters = {
 	metricName: string;
 };
 export type GetMetricAlerts200 = {
-	data?: MetricsexplorertypesMetricAlertsResponseDTO;
+	data: MetricsexplorertypesMetricAlertsResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricAttributesPathParameters = {
@@ -3123,117 +3257,117 @@ export type GetMetricAttributesParams = {
 };
 
 export type GetMetricAttributes200 = {
-	data?: MetricsexplorertypesMetricAttributesResponseDTO;
+	data: MetricsexplorertypesMetricAttributesResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricDashboardsPathParameters = {
 	metricName: string;
 };
 export type GetMetricDashboards200 = {
-	data?: MetricsexplorertypesMetricDashboardsResponseDTO;
+	data: MetricsexplorertypesMetricDashboardsResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricHighlightsPathParameters = {
 	metricName: string;
 };
 export type GetMetricHighlights200 = {
-	data?: MetricsexplorertypesMetricHighlightsResponseDTO;
+	data: MetricsexplorertypesMetricHighlightsResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricMetadataPathParameters = {
 	metricName: string;
 };
 export type GetMetricMetadata200 = {
-	data?: MetricsexplorertypesMetricMetadataDTO;
+	data: MetricsexplorertypesMetricMetadataDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type UpdateMetricMetadataPathParameters = {
 	metricName: string;
 };
 export type GetMetricsStats200 = {
-	data?: MetricsexplorertypesStatsResponseDTO;
+	data: MetricsexplorertypesStatsResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMetricsTreemap200 = {
-	data?: MetricsexplorertypesTreemapResponseDTO;
+	data: MetricsexplorertypesTreemapResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetMyOrganization200 = {
-	data?: TypesOrganizationDTO;
+	data: TypesOrganizationDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetSessionContext200 = {
-	data?: AuthtypesSessionContextDTO;
+	data: AuthtypesSessionContextDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type CreateSessionByEmailPassword200 = {
-	data?: AuthtypesGettableTokenDTO;
+	data: AuthtypesGettableTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type RotateSession200 = {
-	data?: AuthtypesGettableTokenDTO;
+	data: AuthtypesGettableTokenDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type GetHosts200 = {
-	data?: ZeustypesGettableHostDTO;
+	data: ZeustypesGettableHostDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type QueryRangeV5200 = {
-	data?: Querybuildertypesv5QueryRangeResponseDTO;
+	data: Querybuildertypesv5QueryRangeResponseDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };
 
 export type ReplaceVariables200 = {
-	data?: Querybuildertypesv5QueryRangeRequestDTO;
+	data: Querybuildertypesv5QueryRangeRequestDTO;
 	/**
 	 * @type string
 	 */
-	status?: string;
+	status: string;
 };

frontend/src/container/DashboardContainer/visualization/components/ChartManager/ChartManager.styles.scss

@@ -1,3 +1,22 @@
+.chart-manager-series-label {
+	width: 100%;
+	min-width: 0;
+	max-width: 100%;
+	cursor: pointer;
+	border: none;
+	background-color: transparent;
+	color: inherit;
+	text-align: left;
+	padding: 0;
+	overflow: hidden;
+	text-overflow: ellipsis;
+	white-space: nowrap;
+
+	&:disabled {
+		cursor: not-allowed;
+	}
+}
+
 .chart-manager-container {
 	width: 100%;
 	max-height: calc(40% - 40px);

frontend/src/container/DashboardContainer/visualization/components/ChartManager/ChartManager.tsx

@@ -1,24 +1,28 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { Button, Input } from 'antd';
+import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
 import { ResizeTable } from 'components/ResizeTable';
-import { getGraphManagerTableColumns } from 'container/GridCardLayout/GridCard/FullView/TableRender/GraphManagerColumns';
-import { ExtendedChartDataset } from 'container/GridCardLayout/GridCard/FullView/types';
-import { getDefaultTableDataSet } from 'container/GridCardLayout/GridCard/FullView/utils';
 import { useNotifications } from 'hooks/useNotifications';
 import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
 import { usePlotContext } from 'lib/uPlotV2/context/PlotContext';
 import useLegendsSync from 'lib/uPlotV2/hooks/useLegendsSync';
 import { useDashboard } from 'providers/Dashboard/Dashboard';
 
+import { getChartManagerColumns } from './getChartMangerColumns';
+import { ExtendedChartDataset, getDefaultTableDataSet } from './utils';
+
 import './ChartManager.styles.scss';
 
 interface ChartManagerProps {
 	config: UPlotConfigBuilder;
 	alignedData: uPlot.AlignedData;
 	yAxisUnit?: string;
+	decimalPrecision?: PrecisionOption;
 	onCancel?: () => void;
 }
 
+const X_AXIS_INDEX = 0;
+
 /**
  * ChartManager provides a tabular view to manage the visibility of
  * individual series on a uPlot chart.
@@ -28,16 +32,12 @@ interface ChartManagerProps {
  * - filter series by label
  * - toggle individual series on/off
  * - persist the visibility configuration to local storage.
- *
- * @param config - `UPlotConfigBuilder` instance used to derive chart options.
- * @param alignedData - uPlot aligned data used to build the initial table dataset.
- * @param yAxisUnit - Optional unit label for Y-axis values shown in the table.
- * @param onCancel - Optional callback invoked when the user cancels the dialog.
  */
 export default function ChartManager({
 	config,
 	alignedData,
 	yAxisUnit,
+	decimalPrecision = PrecisionOptionsEnum.TWO,
 	onCancel,
 }: ChartManagerProps): JSX.Element {
 	const { notifications } = useNotifications();
@@ -53,8 +53,13 @@ export default function ChartManager({
 	const { isDashboardLocked } = useDashboard();
 
 	const [tableDataSet, setTableDataSet] = useState<ExtendedChartDataset[]>(() =>
-		getDefaultTableDataSet(config.getConfig() as uPlot.Options, alignedData),
+		getDefaultTableDataSet(
+			config.getConfig() as uPlot.Options,
+			alignedData,
+			decimalPrecision,
+		),
 	);
+	const [filterValue, setFilterValue] = useState('');
 
 	const graphVisibilityState = useMemo(
 		() =>
@@ -67,46 +72,62 @@ export default function ChartManager({
 
 	useEffect(() => {
 		setTableDataSet(
-			getDefaultTableDataSet(config.getConfig() as uPlot.Options, alignedData),
-		);
-	}, [alignedData, config]);
-
-	const filterHandler = useCallback(
-		(event: React.ChangeEvent<HTMLInputElement>): void => {
-			const value = event.target.value.toString().toLowerCase();
-			const updatedDataSet = tableDataSet.map((item) => {
-				if (item.label?.toLocaleLowerCase().includes(value)) {
-					return { ...item, show: true };
-				}
-				return { ...item, show: false };
-			});
-			setTableDataSet(updatedDataSet);
-		},
-		[tableDataSet],
-	);
-
-	const dataSource = useMemo(
-		() =>
-			tableDataSet.filter(
-				(item, index) => index !== 0 && item.show, // skipping the first item as it is the x-axis
+			getDefaultTableDataSet(
+				config.getConfig() as uPlot.Options,
+				alignedData,
+				decimalPrecision,
 			),
-		[tableDataSet],
+		);
+		setFilterValue('');
+	}, [alignedData, config, decimalPrecision]);
+
+	const handleFilterChange = useCallback(
+		(e: React.ChangeEvent<HTMLInputElement>): void => {
+			setFilterValue(e.target.value.toLowerCase());
+		},
+		[],
 	);
 
+	const handleToggleSeriesOnOff = useCallback(
+		(index: number): void => {
+			onToggleSeriesOnOff(index);
+		},
+		[onToggleSeriesOnOff],
+	);
+
+	const dataSource = useMemo(() => {
+		const filter = filterValue.trim();
+		return tableDataSet.filter((item, index) => {
+			if (index === X_AXIS_INDEX) {
+				return false;
+			}
+			if (!filter) {
+				return true;
+			}
+			return item.label?.toLowerCase().includes(filter) ?? false;
+		});
+	}, [tableDataSet, filterValue]);
+
 	const columns = useMemo(
 		() =>
-			getGraphManagerTableColumns({
+			getChartManagerColumns({
 				tableDataSet,
-				checkBoxOnChangeHandler: (_e, index) => {
-					onToggleSeriesOnOff(index);
-				},
 				graphVisibilityState,
-				labelClickedHandler: onToggleSeriesVisibility,
+				onToggleSeriesOnOff: handleToggleSeriesOnOff,
+				onToggleSeriesVisibility,
 				yAxisUnit,
 				isGraphDisabled: isDashboardLocked,
+				decimalPrecision,
 			}),
-		// eslint-disable-next-line react-hooks/exhaustive-deps
-		[tableDataSet, graphVisibilityState, yAxisUnit, isDashboardLocked],
+		[
+			tableDataSet,
+			graphVisibilityState,
+			handleToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+			yAxisUnit,
+			isDashboardLocked,
+			decimalPrecision,
+		],
 	);
 
 	const handleSave = useCallback((): void => {
@@ -114,15 +135,18 @@ export default function ChartManager({
 		notifications.success({
 			message: 'The updated graphs & legends are saved',
 		});
-		if (onCancel) {
-			onCancel();
-		}
+		onCancel?.();
 	}, [syncSeriesVisibilityToLocalStorage, notifications, onCancel]);
 
 	return (
 		<div className="chart-manager-container">
 			<div className="chart-manager-header">
-				<Input onChange={filterHandler} placeholder="Filter Series" />
+				<Input
+					placeholder="Filter Series"
+					value={filterValue}
+					onChange={handleFilterChange}
+					data-testid="filter-input"
+				/>
 				<div className="chart-manager-actions-container">
 					<Button type="default" onClick={onCancel}>
 						Cancel
@@ -136,10 +160,10 @@ export default function ChartManager({
 				<ResizeTable
 					columns={columns}
 					dataSource={dataSource}
-					virtual
 					rowKey="index"
 					scroll={{ y: 200 }}
 					pagination={false}
+					virtual
 				/>
 			</div>
 		</div>

frontend/src/container/DashboardContainer/visualization/components/ChartManager/SeriesLabel.tsx

@@ -0,0 +1,31 @@
+import { Tooltip } from 'antd';
+
+import './ChartManager.styles.scss';
+
+interface SeriesLabelProps {
+	label: string;
+	labelIndex: number;
+	onClick: (idx: number) => void;
+	disabled?: boolean;
+}
+
+export function SeriesLabel({
+	label,
+	labelIndex,
+	onClick,
+	disabled,
+}: SeriesLabelProps): JSX.Element {
+	return (
+		<Tooltip placement="topLeft" title={label}>
+			<button
+				className="chart-manager-series-label"
+				disabled={disabled}
+				type="button"
+				data-testid={`series-label-button-${labelIndex}`}
+				onClick={(): void => onClick(labelIndex)}
+			>
+				{label}
+			</button>
+		</Tooltip>
+	);
+}

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/ChartManager.test.tsx

@@ -0,0 +1,172 @@
+import userEvent from '@testing-library/user-event';
+import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
+import { render, screen } from 'tests/test-utils';
+
+import ChartManager from '../ChartManager';
+
+const mockSyncSeriesVisibilityToLocalStorage = jest.fn();
+const mockNotificationsSuccess = jest.fn();
+
+jest.mock('lib/uPlotV2/context/PlotContext', () => ({
+	usePlotContext: (): {
+		onToggleSeriesOnOff: jest.Mock;
+		onToggleSeriesVisibility: jest.Mock;
+		syncSeriesVisibilityToLocalStorage: jest.Mock;
+	} => ({
+		onToggleSeriesOnOff: jest.fn(),
+		onToggleSeriesVisibility: jest.fn(),
+		syncSeriesVisibilityToLocalStorage: mockSyncSeriesVisibilityToLocalStorage,
+	}),
+}));
+
+jest.mock('lib/uPlotV2/hooks/useLegendsSync', () => ({
+	__esModule: true,
+	default: (): {
+		legendItemsMap: { [key: number]: { show: boolean; label: string } };
+	} => ({
+		legendItemsMap: {
+			0: { show: true, label: 'Time' },
+			1: { show: true, label: 'Series 1' },
+			2: { show: true, label: 'Series 2' },
+		},
+	}),
+}));
+
+jest.mock('providers/Dashboard/Dashboard', () => ({
+	useDashboard: (): { isDashboardLocked: boolean } => ({
+		isDashboardLocked: false,
+	}),
+}));
+
+jest.mock('hooks/useNotifications', () => ({
+	useNotifications: (): { notifications: { success: jest.Mock } } => ({
+		notifications: {
+			success: mockNotificationsSuccess,
+		},
+	}),
+}));
+
+jest.mock('components/ResizeTable', () => {
+	const MockTable = ({
+		dataSource,
+		columns,
+	}: {
+		dataSource: { index: number; label?: string }[];
+		columns: { key: string; title: string }[];
+	}): JSX.Element => (
+		<div data-testid="resize-table">
+			{columns.map((col) => (
+				<span key={col.key}>{col.title}</span>
+			))}
+			{dataSource.map((row) => (
+				<div key={row.index} data-testid={`row-${row.index}`}>
+					{row.label}
+				</div>
+			))}
+		</div>
+	);
+	return { ResizeTable: MockTable };
+});
+
+const createMockConfig = (): { getConfig: () => uPlot.Options } => ({
+	getConfig: (): uPlot.Options => ({
+		width: 100,
+		height: 100,
+		series: [
+			{ label: 'Time', value: 'time' },
+			{ label: 'Series 1', scale: 'y' },
+			{ label: 'Series 2', scale: 'y' },
+		],
+	}),
+});
+
+const createAlignedData = (): uPlot.AlignedData => [
+	[1000, 2000, 3000],
+	[10, 20, 30],
+	[1, 2, 3],
+];
+
+describe('ChartManager', () => {
+	const mockOnCancel = jest.fn();
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('renders filter input and action buttons', () => {
+		render(
+			<ChartManager
+				config={createMockConfig() as any}
+				alignedData={createAlignedData()}
+				onCancel={mockOnCancel}
+			/>,
+		);
+
+		expect(screen.getByPlaceholderText('Filter Series')).toBeInTheDocument();
+		expect(screen.getByRole('button', { name: /Cancel/ })).toBeInTheDocument();
+		expect(screen.getByRole('button', { name: /Save/ })).toBeInTheDocument();
+	});
+
+	it('renders ResizeTable with data', () => {
+		render(
+			<ChartManager
+				config={createMockConfig() as UPlotConfigBuilder}
+				alignedData={createAlignedData()}
+			/>,
+		);
+
+		expect(screen.getByTestId('resize-table')).toBeInTheDocument();
+	});
+
+	it('calls onCancel when Cancel button is clicked', async () => {
+		render(
+			<ChartManager
+				config={createMockConfig() as UPlotConfigBuilder}
+				alignedData={createAlignedData()}
+				onCancel={mockOnCancel}
+			/>,
+		);
+
+		await userEvent.click(screen.getByRole('button', { name: /Cancel/ }));
+
+		expect(mockOnCancel).toHaveBeenCalledTimes(1);
+	});
+
+	it('filters table data when typing in filter input', async () => {
+		render(
+			<ChartManager
+				config={createMockConfig() as UPlotConfigBuilder}
+				alignedData={createAlignedData()}
+			/>,
+		);
+
+		// Before filter: both Series 1 and Series 2 rows are visible
+		expect(screen.getByTestId('row-1')).toBeInTheDocument();
+		expect(screen.getByTestId('row-2')).toBeInTheDocument();
+
+		const filterInput = screen.getByTestId('filter-input');
+		await userEvent.type(filterInput, 'Series 1');
+
+		// After filter: only Series 1 row is visible, Series 2 row is filtered out
+		expect(screen.getByTestId('row-1')).toBeInTheDocument();
+		expect(screen.queryByTestId('row-2')).not.toBeInTheDocument();
+	});
+
+	it('calls syncSeriesVisibilityToLocalStorage, notifications.success, and onCancel when Save is clicked', async () => {
+		render(
+			<ChartManager
+				config={createMockConfig() as UPlotConfigBuilder}
+				alignedData={createAlignedData()}
+				onCancel={mockOnCancel}
+			/>,
+		);
+
+		await userEvent.click(screen.getByRole('button', { name: /Save/ }));
+
+		expect(mockSyncSeriesVisibilityToLocalStorage).toHaveBeenCalledTimes(1);
+		expect(mockNotificationsSuccess).toHaveBeenCalledWith({
+			message: 'The updated graphs & legends are saved',
+		});
+		expect(mockOnCancel).toHaveBeenCalledTimes(1);
+	});
+});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/SeriesLabel.test.tsx

@@ -0,0 +1,39 @@
+import userEvent from '@testing-library/user-event';
+import { render, screen } from 'tests/test-utils';
+
+import { SeriesLabel } from '../SeriesLabel';
+
+describe('SeriesLabel', () => {
+	it('renders the label text', () => {
+		render(
+			<SeriesLabel label="Test Series Label" labelIndex={1} onClick={jest.fn()} />,
+		);
+		expect(screen.getByTestId('series-label-button-1')).toHaveTextContent(
+			'Test Series Label',
+		);
+	});
+
+	it('calls onClick with labelIndex when clicked', async () => {
+		const onClick = jest.fn();
+		render(<SeriesLabel label="Series A" labelIndex={2} onClick={onClick} />);
+
+		await userEvent.click(screen.getByTestId('series-label-button-2'));
+
+		expect(onClick).toHaveBeenCalledWith(2);
+		expect(onClick).toHaveBeenCalledTimes(1);
+	});
+
+	it('renders disabled button when disabled prop is true', () => {
+		render(
+			<SeriesLabel label="Disabled" labelIndex={0} onClick={jest.fn()} disabled />,
+		);
+		const button = screen.getByTestId('series-label-button-0');
+		expect(button).toBeDisabled();
+	});
+
+	it('has chart-manager-series-label class', () => {
+		render(<SeriesLabel label="Label" labelIndex={0} onClick={jest.fn()} />);
+		const button = screen.getByTestId('series-label-button-0');
+		expect(button).toHaveClass('chart-manager-series-label');
+	});
+});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/getChartManagerColumns.test.tsx

@@ -0,0 +1,167 @@
+import { render } from '@testing-library/react';
+import { Y_AXIS_UNIT_NAMES } from 'components/YAxisUnitSelector/constants';
+import { UniversalYAxisUnit } from 'components/YAxisUnitSelector/types';
+
+import { getChartManagerColumns } from '../getChartMangerColumns';
+import { ExtendedChartDataset } from '../utils';
+
+const createMockDataset = (
+	index: number,
+	overrides: Partial<ExtendedChartDataset> = {},
+): ExtendedChartDataset =>
+	({
+		index,
+		label: `Series ${index}`,
+		show: true,
+		sum: 100,
+		avg: 50,
+		min: 10,
+		max: 90,
+		stroke: '#ff0000',
+		...overrides,
+	} as ExtendedChartDataset);
+
+describe('getChartManagerColumns', () => {
+	const tableDataSet: ExtendedChartDataset[] = [
+		createMockDataset(0, { label: 'Time' }),
+		createMockDataset(1),
+		createMockDataset(2),
+	];
+	const graphVisibilityState = [true, true, false];
+	const onToggleSeriesOnOff = jest.fn();
+	const onToggleSeriesVisibility = jest.fn();
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('returns columns with expected structure', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+		});
+
+		expect(columns).toHaveLength(6);
+		expect(columns[0].key).toBe('index');
+		expect(columns[1].key).toBe('label');
+		expect(columns[2].key).toBe('avg');
+		expect(columns[3].key).toBe('sum');
+		expect(columns[4].key).toBe('max');
+		expect(columns[5].key).toBe('min');
+	});
+
+	it('includes Label column with title', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+		});
+
+		const labelCol = columns.find((c) => c.key === 'label');
+		expect(labelCol!.title).toBe('Label');
+	});
+
+	it('formats column titles with yAxisUnit', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+			yAxisUnit: 'ms',
+		});
+
+		const avgCol = columns.find((c) => c.key === 'avg');
+		expect(avgCol!.title).toBe(
+			`Avg (in ${Y_AXIS_UNIT_NAMES[UniversalYAxisUnit.MILLISECONDS]})`,
+		);
+	});
+
+	it('numeric column render returns formatted string with yAxisUnit', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+			yAxisUnit: 'ms',
+		});
+
+		const avgCol = columns.find((c) => c.key === 'avg');
+		const renderFn = avgCol?.render as
+			| ((val: number, record: ExtendedChartDataset, index: number) => string)
+			| undefined;
+		expect(renderFn).toBeDefined();
+		const output = renderFn!(123.45, tableDataSet[1], 1);
+		expect(output).toBe('123.45 ms');
+	});
+
+	it('numeric column render formats zero when value is undefined', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+			yAxisUnit: 'none',
+		});
+
+		const sumCol = columns.find((c) => c.key === 'sum');
+		const renderFn = sumCol?.render as
+			| ((
+					val: number | undefined,
+					record: ExtendedChartDataset,
+					index: number,
+			  ) => string)
+			| undefined;
+		const output = renderFn!(undefined, tableDataSet[1], 1);
+		expect(output).toBe('0');
+	});
+
+	it('label column render displays label text and is clickable', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+		});
+
+		const labelCol = columns.find((c) => c.key === 'label');
+		const renderFn = labelCol!.render as
+			| ((
+					label: string,
+					record: ExtendedChartDataset,
+					index: number,
+			  ) => JSX.Element)
+			| undefined;
+		expect(renderFn).toBeDefined();
+		const renderResult = renderFn!('Series 1', tableDataSet[1], 1);
+
+		const { getByRole } = render(renderResult);
+		expect(getByRole('button', { name: 'Series 1' })).toBeInTheDocument();
+	});
+
+	it('index column render renders checkbox with correct checked state', () => {
+		const columns = getChartManagerColumns({
+			tableDataSet,
+			graphVisibilityState,
+			onToggleSeriesOnOff,
+			onToggleSeriesVisibility,
+		});
+
+		const indexCol = columns.find((c) => c.key === 'index');
+		const renderFn = indexCol!.render as
+			| ((
+					_val: unknown,
+					record: ExtendedChartDataset,
+					index: number,
+			  ) => JSX.Element)
+			| undefined;
+		expect(renderFn).toBeDefined();
+		const { container } = render(renderFn!(null, tableDataSet[1], 1));
+
+		const checkbox = container.querySelector('input[type="checkbox"]');
+		expect(checkbox).toBeInTheDocument();
+		expect(checkbox).toBeChecked(); // graphVisibilityState[1] is true
+	});
+});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/utils.test.ts

@@ -0,0 +1,113 @@
+import { PrecisionOptionsEnum } from 'components/Graph/types';
+
+import {
+	formatTableValueWithUnit,
+	getDefaultTableDataSet,
+	getTableColumnTitle,
+} from '../utils';
+
+describe('ChartManager utils', () => {
+	describe('getDefaultTableDataSet', () => {
+		const createOptions = (seriesCount: number): uPlot.Options => ({
+			series: Array.from({ length: seriesCount }, (_, i) =>
+				i === 0
+					? { label: 'Time', value: 'time' }
+					: { label: `Series ${i}`, scale: 'y' },
+			),
+			width: 100,
+			height: 100,
+		});
+
+		it('returns one row per series with computed stats', () => {
+			const options = createOptions(3);
+			const data: uPlot.AlignedData = [
+				[1000, 2000, 3000],
+				[10, 20, 30],
+				[1, 2, 3],
+			];
+
+			const result = getDefaultTableDataSet(options, data);
+
+			expect(result).toHaveLength(3);
+			expect(result[0]).toMatchObject({
+				index: 0,
+				label: 'Time',
+				show: true,
+			});
+			expect(result[1]).toMatchObject({
+				index: 1,
+				label: 'Series 1',
+				show: true,
+				sum: 60,
+				avg: 20,
+				max: 30,
+				min: 10,
+			});
+			expect(result[2]).toMatchObject({
+				index: 2,
+				label: 'Series 2',
+				show: true,
+				sum: 6,
+				avg: 2,
+				max: 3,
+				min: 1,
+			});
+		});
+
+		it('handles empty data arrays', () => {
+			const options = createOptions(2);
+			const data: uPlot.AlignedData = [[], []];
+
+			const result = getDefaultTableDataSet(options, data);
+
+			expect(result[0]).toMatchObject({
+				sum: 0,
+				avg: 0,
+				max: 0,
+				min: 0,
+			});
+		});
+
+		it('respects decimalPrecision parameter', () => {
+			const options = createOptions(2);
+			const data: uPlot.AlignedData = [[1000], [123.454]];
+
+			const resultTwo = getDefaultTableDataSet(
+				options,
+				data,
+				PrecisionOptionsEnum.TWO,
+			);
+			expect(resultTwo[1].avg).toBe(123.45);
+
+			const resultZero = getDefaultTableDataSet(
+				options,
+				data,
+				PrecisionOptionsEnum.ZERO,
+			);
+			expect(resultZero[1].avg).toBe(123);
+		});
+	});
+
+	describe('formatTableValueWithUnit', () => {
+		it('formats value with unit', () => {
+			const result = formatTableValueWithUnit(1234.56, 'ms');
+			expect(result).toBe('1.23 s');
+		});
+
+		it('falls back to none format when yAxisUnit is undefined', () => {
+			const result = formatTableValueWithUnit(123.45);
+			expect(result).toBe('123.45');
+		});
+	});
+
+	describe('getTableColumnTitle', () => {
+		it('returns title only when yAxisUnit is undefined', () => {
+			expect(getTableColumnTitle('Avg')).toBe('Avg');
+		});
+
+		it('returns title with unit when yAxisUnit is provided', () => {
+			const result = getTableColumnTitle('Avg', 'ms');
+			expect(result).toBe('Avg (in Milliseconds (ms))');
+		});
+	});
+});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/getChartMangerColumns.tsx

@@ -0,0 +1,94 @@
+import { ColumnType } from 'antd/es/table';
+import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
+import CustomCheckBox from 'container/GridCardLayout/GridCard/FullView/TableRender/CustomCheckBox';
+
+import { SeriesLabel } from './SeriesLabel';
+import {
+	ExtendedChartDataset,
+	formatTableValueWithUnit,
+	getTableColumnTitle,
+} from './utils';
+
+export interface GetChartManagerColumnsParams {
+	tableDataSet: ExtendedChartDataset[];
+	graphVisibilityState: boolean[];
+	onToggleSeriesOnOff: (index: number) => void;
+	onToggleSeriesVisibility: (index: number) => void;
+	yAxisUnit?: string;
+	decimalPrecision?: PrecisionOption;
+	isGraphDisabled?: boolean;
+}
+
+export function getChartManagerColumns({
+	tableDataSet,
+	graphVisibilityState,
+	onToggleSeriesOnOff,
+	onToggleSeriesVisibility,
+	yAxisUnit,
+	decimalPrecision = PrecisionOptionsEnum.TWO,
+	isGraphDisabled,
+}: GetChartManagerColumnsParams): ColumnType<ExtendedChartDataset>[] {
+	return [
+		{
+			title: '',
+			width: 50,
+			dataIndex: 'index',
+			key: 'index',
+			render: (_: unknown, record: ExtendedChartDataset): JSX.Element => (
+				<CustomCheckBox
+					data={tableDataSet}
+					graphVisibilityState={graphVisibilityState}
+					index={record.index}
+					disabled={isGraphDisabled}
+					checkBoxOnChangeHandler={(_e, idx): void => onToggleSeriesOnOff(idx)}
+				/>
+			),
+		},
+		{
+			title: 'Label',
+			width: 300,
+			dataIndex: 'label',
+			key: 'label',
+			render: (label: string, record: ExtendedChartDataset): JSX.Element => (
+				<SeriesLabel
+					label={label ?? ''}
+					labelIndex={record.index}
+					disabled={isGraphDisabled}
+					onClick={onToggleSeriesVisibility}
+				/>
+			),
+		},
+		{
+			title: getTableColumnTitle('Avg', yAxisUnit),
+			width: 90,
+			dataIndex: 'avg',
+			key: 'avg',
+			render: (val: number | undefined): string =>
+				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
+		},
+		{
+			title: getTableColumnTitle('Sum', yAxisUnit),
+			width: 90,
+			dataIndex: 'sum',
+			key: 'sum',
+			render: (val: number | undefined): string =>
+				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
+		},
+		{
+			title: getTableColumnTitle('Max', yAxisUnit),
+			width: 90,
+			dataIndex: 'max',
+			key: 'max',
+			render: (val: number | undefined): string =>
+				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
+		},
+		{
+			title: getTableColumnTitle('Min', yAxisUnit),
+			width: 90,
+			dataIndex: 'min',
+			key: 'min',
+			render: (val: number | undefined): string =>
+				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
+		},
+	];
+}

frontend/src/container/DashboardContainer/visualization/components/ChartManager/utils.ts

@@ -0,0 +1,93 @@
+import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
+import { getYAxisFormattedValue } from 'components/Graph/yAxisConfig';
+import { Y_AXIS_UNIT_NAMES } from 'components/YAxisUnitSelector/constants';
+import uPlot from 'uplot';
+
+/** Extended series with computed stats for table display */
+export type ExtendedChartDataset = uPlot.Series & {
+	show: boolean;
+	sum: number;
+	avg: number;
+	min: number;
+	max: number;
+	index: number;
+};
+
+function roundToDecimalPrecision(
+	value: number,
+	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
+): number {
+	if (
+		typeof value !== 'number' ||
+		Number.isNaN(value) ||
+		value === Infinity ||
+		value === -Infinity
+	) {
+		return 0;
+	}
+
+	if (decimalPrecision === PrecisionOptionsEnum.FULL) {
+		return value;
+	}
+
+	// regex to match the decimal precision for the given decimal precision
+	const regex = new RegExp(`^-?\\d*\\.?0*\\d{0,${decimalPrecision}}`);
+	const matched = value ? value.toFixed(decimalPrecision).match(regex) : null;
+	return matched ? parseFloat(matched[0]) : 0;
+}
+
+/** Build table dataset from uPlot options and aligned data */
+export function getDefaultTableDataSet(
+	options: uPlot.Options,
+	data: uPlot.AlignedData,
+	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
+): ExtendedChartDataset[] {
+	return options.series.map(
+		(series: uPlot.Series, index: number): ExtendedChartDataset => {
+			const arr = (data[index] as number[]) ?? [];
+			const sum = arr.reduce((a, b) => a + b, 0) || 0;
+			const count = arr.length || 1;
+
+			const hasValues = arr.length > 0;
+			return {
+				...series,
+				index,
+				show: true,
+				sum: roundToDecimalPrecision(sum, decimalPrecision),
+				avg: roundToDecimalPrecision(sum / count, decimalPrecision),
+				max: hasValues
+					? roundToDecimalPrecision(Math.max(...arr), decimalPrecision)
+					: 0,
+				min: hasValues
+					? roundToDecimalPrecision(Math.min(...arr), decimalPrecision)
+					: 0,
+			};
+		},
+	);
+}
+
+/** Format numeric value for table display using yAxisUnit */
+export function formatTableValueWithUnit(
+	value: number,
+	yAxisUnit?: string,
+	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
+): string {
+	return `${getYAxisFormattedValue(
+		String(value),
+		yAxisUnit ?? 'none',
+		decimalPrecision,
+	)}`;
+}
+
+/** Format column header with optional unit */
+export function getTableColumnTitle(title: string, yAxisUnit?: string): string {
+	if (!yAxisUnit) {
+		return title;
+	}
+	const universalName =
+		Y_AXIS_UNIT_NAMES[yAxisUnit as keyof typeof Y_AXIS_UNIT_NAMES];
+	if (!universalName) {
+		return `${title} (in ${yAxisUnit})`;
+	}
+	return `${title} (in ${universalName})`;
+}

frontend/src/container/DashboardContainer/visualization/panels/BarPanel/BarPanel.tsx

@@ -96,6 +96,7 @@ function BarPanel(props: PanelWrapperProps): JSX.Element {
 				config={config}
 				alignedData={chartData}
 				yAxisUnit={widget.yAxisUnit}
+				decimalPrecision={widget.decimalPrecision}
 				onCancel={onToggleModelHandler}
 			/>
 		);
@@ -105,6 +106,7 @@ function BarPanel(props: PanelWrapperProps): JSX.Element {
 		chartData,
 		widget.yAxisUnit,
 		onToggleModelHandler,
+		widget.decimalPrecision,
 	]);
 
 	const onPlotDestroy = useCallback(() => {

frontend/src/container/DashboardContainer/visualization/panels/TimeSeriesPanel/TimeSeriesPanel.tsx

@@ -95,6 +95,7 @@ function TimeSeriesPanel(props: PanelWrapperProps): JSX.Element {
 				config={config}
 				alignedData={chartData}
 				yAxisUnit={widget.yAxisUnit}
+				decimalPrecision={widget.decimalPrecision}
 				onCancel={onToggleModelHandler}
 			/>
 		);
@@ -104,6 +105,7 @@ function TimeSeriesPanel(props: PanelWrapperProps): JSX.Element {
 		chartData,
 		widget.yAxisUnit,
 		onToggleModelHandler,
+		widget.decimalPrecision,
 	]);
 
 	return (

frontend/src/container/ForgotPassword/index.tsx

@@ -48,7 +48,9 @@ function ForgotPassword({
 		}
 
 		try {
-			ErrorResponseHandlerV2(mutationError as AxiosError<ErrorV2Resp>);
+			ErrorResponseHandlerV2(
+				(mutationError as unknown) as AxiosError<ErrorV2Resp>,
+			);
 		} catch (apiError) {
 			return apiError as APIError;
 		}

frontend/src/container/InfraMonitoringHosts/HostsListTable.tsx

@@ -178,7 +178,9 @@ export default function HostsListTable({
 				indicator: <Spin indicator={<LoadingOutlined size={14} spin />} />,
 			}}
 			tableLayout="fixed"
-			rowKey={(record): string => record.hostName}
+			rowKey={(record): string =>
+				(record as HostRowData & { key: string }).key ?? record.hostName
+			}
 			onChange={handleTableChange}
 			onRow={(record): { onClick: () => void; className: string } => ({
 				onClick: (): void => handleRowClick(record),

frontend/src/container/InfraMonitoringHosts/InfraMonitoring.styles.scss

@@ -126,7 +126,8 @@
 				background: var(--bg-ink-500);
 			}
 
-			.ant-table-cell:has(.hostname-column-value) {
+			.ant-table-cell:has(.hostname-column-value),
+			.ant-table-cell:has(.hostname-cell-missing) {
 				background: var(--bg-ink-400);
 			}
 
@@ -139,6 +140,23 @@
 				letter-spacing: -0.07px;
 			}
 
+			.hostname-cell-missing {
+				display: flex;
+				align-items: center;
+				gap: 4px;
+			}
+
+			.hostname-cell-placeholder {
+				color: var(--Vanilla-400, #c0c1c3);
+			}
+
+			.hostname-cell-warning-icon {
+				display: inline-flex;
+				align-items: center;
+				margin-left: 4px;
+				cursor: help;
+			}
+
 			.status-cell {
 				.active-tag {
 					color: var(--bg-forest-500);
@@ -357,7 +375,8 @@
 				color: var(--bg-ink-500);
 			}
 
-			.ant-table-cell:has(.hostname-column-value) {
+			.ant-table-cell:has(.hostname-column-value),
+			.ant-table-cell:has(.hostname-cell-missing) {
 				background: var(--bg-vanilla-100);
 			}
 
@@ -365,6 +384,10 @@
 				color: var(--bg-ink-300);
 			}
 
+			.hostname-cell-placeholder {
+				color: var(--text-ink-300);
+			}
+
 			.ant-table-tbody > tr:hover > td {
 				background: rgba(0, 0, 0, 0.04);
 			}

frontend/src/container/InfraMonitoringHosts/__tests__/utilts.test.tsx

@@ -1,13 +1,24 @@
-import { render } from '@testing-library/react';
+import { render, screen } from '@testing-library/react';
+import { HostData, TimeSeries } from 'api/infraMonitoring/getHostLists';
 
-import { formatDataForTable, GetHostsQuickFiltersConfig } from '../utils';
+import {
+	formatDataForTable,
+	GetHostsQuickFiltersConfig,
+	HostnameCell,
+} from '../utils';
 
 const PROGRESS_BAR_CLASS = '.progress-bar';
 
+const emptyTimeSeries: TimeSeries = {
+	labels: {},
+	labelsArray: [],
+	values: [],
+};
+
 describe('InfraMonitoringHosts utils', () => {
 	describe('formatDataForTable', () => {
 		it('should format host data correctly', () => {
-			const mockData = [
+			const mockData: HostData[] = [
 				{
 					hostName: 'test-host',
 					active: true,
@@ -16,8 +27,12 @@ describe('InfraMonitoringHosts utils', () => {
 					wait: 0.05,
 					load15: 2.5,
 					os: 'linux',
+					cpuTimeSeries: emptyTimeSeries,
+					memoryTimeSeries: emptyTimeSeries,
+					waitTimeSeries: emptyTimeSeries,
+					load15TimeSeries: emptyTimeSeries,
 				},
-			] as any;
+			];
 
 			const result = formatDataForTable(mockData);
 
@@ -46,7 +61,7 @@ describe('InfraMonitoringHosts utils', () => {
 		});
 
 		it('should handle inactive hosts', () => {
-			const mockData = [
+			const mockData: HostData[] = [
 				{
 					hostName: 'test-host',
 					active: false,
@@ -55,12 +70,12 @@ describe('InfraMonitoringHosts utils', () => {
 					wait: 0.02,
 					load15: 1.2,
 					os: 'linux',
-					cpuTimeSeries: [],
-					memoryTimeSeries: [],
-					waitTimeSeries: [],
-					load15TimeSeries: [],
+					cpuTimeSeries: emptyTimeSeries,
+					memoryTimeSeries: emptyTimeSeries,
+					waitTimeSeries: emptyTimeSeries,
+					load15TimeSeries: emptyTimeSeries,
 				},
-			] as any;
+			];
 
 			const result = formatDataForTable(mockData);
 
@@ -68,6 +83,65 @@ describe('InfraMonitoringHosts utils', () => {
 			expect(inactiveTag.container.textContent).toBe('INACTIVE');
 			expect(inactiveTag.container.querySelector('.inactive')).toBeTruthy();
 		});
+
+		it('should set hostName to empty string when host has no hostname', () => {
+			const mockData: HostData[] = [
+				{
+					hostName: '',
+					active: true,
+					cpu: 0.5,
+					memory: 0.4,
+					wait: 0.01,
+					load15: 1.0,
+					os: 'linux',
+					cpuTimeSeries: emptyTimeSeries,
+					memoryTimeSeries: emptyTimeSeries,
+					waitTimeSeries: emptyTimeSeries,
+					load15TimeSeries: emptyTimeSeries,
+				},
+			];
+
+			const result = formatDataForTable(mockData);
+			expect(result[0].hostName).toBe('');
+			expect(result[0].key).toBe('-0');
+		});
+	});
+
+	describe('HostnameCell', () => {
+		it('should render hostname when present (case A: no icon)', () => {
+			const { container } = render(<HostnameCell hostName="gke-prod-1" />);
+			expect(container.querySelector('.hostname-column-value')).toBeTruthy();
+			expect(container.textContent).toBe('gke-prod-1');
+			expect(container.querySelector('.hostname-cell-missing')).toBeFalsy();
+			expect(container.querySelector('.hostname-cell-warning-icon')).toBeFalsy();
+		});
+
+		it('should render placeholder and icon when hostName is empty (case B)', () => {
+			const { container } = render(<HostnameCell hostName="" />);
+			expect(screen.getByText('-')).toBeTruthy();
+			expect(container.querySelector('.hostname-cell-missing')).toBeTruthy();
+			const iconWrapper = container.querySelector('.hostname-cell-warning-icon');
+			expect(iconWrapper).toBeTruthy();
+			expect(iconWrapper?.getAttribute('aria-label')).toBe(
+				'Missing host.name metadata',
+			);
+			expect(iconWrapper?.getAttribute('tabindex')).toBe('0');
+			// Tooltip with "Learn how to configure →" link is shown on hover/focus
+		});
+
+		it('should render placeholder and icon when hostName is whitespace only (case C)', () => {
+			const { container } = render(<HostnameCell hostName="   " />);
+			expect(screen.getByText('-')).toBeTruthy();
+			expect(container.querySelector('.hostname-cell-missing')).toBeTruthy();
+			expect(container.querySelector('.hostname-cell-warning-icon')).toBeTruthy();
+		});
+
+		it('should render placeholder and icon when hostName is undefined (case D)', () => {
+			const { container } = render(<HostnameCell hostName={undefined} />);
+			expect(screen.getByText('-')).toBeTruthy();
+			expect(container.querySelector('.hostname-cell-missing')).toBeTruthy();
+			expect(container.querySelector('.hostname-cell-warning-icon')).toBeTruthy();
+		});
 	});
 
 	describe('GetHostsQuickFiltersConfig', () => {

frontend/src/container/InfraMonitoringHosts/utils.tsx

@@ -1,7 +1,7 @@
 import { Dispatch, SetStateAction } from 'react';
 import { InfoCircleOutlined } from '@ant-design/icons';
 import { Color } from '@signozhq/design-tokens';
-import { Progress, TabsProps, Tag, Tooltip } from 'antd';
+import { Progress, TabsProps, Tag, Tooltip, Typography } from 'antd';
 import { ColumnType } from 'antd/es/table';
 import {
 	HostData,
@@ -14,6 +14,7 @@ import {
 } from 'components/QuickFilters/types';
 import TabLabel from 'components/TabLabel';
 import { PANEL_TYPES } from 'constants/queryBuilder';
+import { TriangleAlert } from 'lucide-react';
 import { ErrorResponse, SuccessResponse } from 'types/api';
 import { DataTypes } from 'types/api/queryBuilder/queryAutocompleteResponse';
 import { TagFilter } from 'types/api/queryBuilder/queryBuilderData';
@@ -24,6 +25,7 @@ import HostsList from './HostsList';
 import './InfraMonitoring.styles.scss';
 
 export interface HostRowData {
+	key?: string;
 	hostName: string;
 	cpu: React.ReactNode;
 	memory: React.ReactNode;
@@ -32,6 +34,59 @@ export interface HostRowData {
 	active: React.ReactNode;
 }
 
+const HOSTNAME_DOCS_URL =
+	'https://signoz.io/docs/infrastructure-monitoring/hostmetrics/#host-name-is-blankempty';
+
+export function HostnameCell({
+	hostName,
+}: {
+	hostName?: string | null;
+}): React.ReactElement {
+	const isEmpty = !hostName || !hostName.trim();
+	if (!isEmpty) {
+		return <div className="hostname-column-value">{hostName}</div>;
+	}
+	return (
+		<div className="hostname-cell-missing">
+			<Typography.Text type="secondary" className="hostname-cell-placeholder">
+				-
+			</Typography.Text>
+			<Tooltip
+				title={
+					<div>
+						Missing host.name metadata.
+						<br />
+						<a
+							href={HOSTNAME_DOCS_URL}
+							target="_blank"
+							rel="noopener noreferrer"
+							onClick={(e): void => e.stopPropagation()}
+						>
+							Learn how to configure →
+						</a>
+					</div>
+				}
+				trigger={['hover', 'focus']}
+			>
+				<span
+					className="hostname-cell-warning-icon"
+					tabIndex={0}
+					role="img"
+					aria-label="Missing host.name metadata"
+					onClick={(e): void => e.stopPropagation()}
+					onKeyDown={(e): void => {
+						if (e.key === 'Enter' || e.key === ' ') {
+							e.stopPropagation();
+						}
+					}}
+				>
+					<TriangleAlert size={14} color={Color.BG_CHERRY_500} />
+				</span>
+			</Tooltip>
+		</div>
+	);
+}
+
 export interface HostsListTableProps {
 	isLoading: boolean;
 	isError: boolean;
@@ -75,8 +130,8 @@ export const getHostsListColumns = (): ColumnType<HostRowData>[] => [
 		dataIndex: 'hostName',
 		key: 'hostName',
 		width: 250,
-		render: (value: string): React.ReactNode => (
-			<div className="hostname-column-value">{value}</div>
+		render: (value: string | undefined): React.ReactNode => (
+			<HostnameCell hostName={value ?? ''} />
 		),
 	},
 	{

frontend/src/container/IngestionSettings/MultiIngestionSettings.tsx

@@ -342,7 +342,7 @@ function MultiIngestionSettings(): JSX.Element {
 
 	useEffect(() => {
 		if (isError) {
-			showErrorNotification(notifications, error as AxiosError);
+			showErrorNotification(notifications, (error as unknown) as AxiosError);
 		}
 	}, [error, isError, notifications]);
 

frontend/src/container/OnboardingV2Container/IngestionDetails/IngestionDetails.tsx

@@ -86,9 +86,9 @@ export default function OnboardingIngestionDetails(): JSX.Element {
 				<div className="ingestion-endpoint-section-error-container">
 					<Typography.Text className="ingestion-endpoint-section-error-text error">
 						<TriangleAlert size={14} />{' '}
-						{(error as AxiosError<RenderErrorResponseDTO>)?.response?.data?.error
-							?.message ||
-							(error as AxiosError)?.message ||
+						{((error as unknown) as AxiosError<RenderErrorResponseDTO>)?.response
+							?.data?.error.message ||
+							((error as unknown) as AxiosError)?.message ||
 							'Something went wrong'}
 					</Typography.Text>
 

frontend/src/container/OrganizationSettings/AuthDomain/index.tsx

@@ -110,7 +110,7 @@ function AuthDomain(): JSX.Element {
 		let errorResult: APIError | null = null;
 		try {
 			ErrorResponseHandlerV2(
-				errorFetchingAuthDomainListResponse as AxiosError<ErrorV2Resp>,
+				(errorFetchingAuthDomainListResponse as unknown) as AxiosError<ErrorV2Resp>,
 			);
 		} catch (error) {
 			errorResult = error as APIError;

pkg/apiserver/signozapiserver/authz.go

@@ -0,0 +1,30 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addAuthzRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/authz/check", handler.New(provider.authzHandler.Check, handler.OpenAPIDef{
+		ID:                  "AuthzCheck",
+		Tags:                []string{"authz"},
+		Summary:             "Check permissions",
+		Description:         "Checks if the authenticated user has permissions for given transactions",
+		Request:             make([]*authtypes.Transaction, 0),
+		RequestContentType:  "",
+		Response:            make([]*authtypes.GettableTransaction, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     nil,
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/apiserver/signozapiserver/provider.go

@@ -207,6 +207,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addAuthzRoutes(router); err != nil {
+		return err
+	}
+
 	if err := provider.addFieldsRoutes(router); err != nil {
 		return err
 	}

pkg/apiserver/signozapiserver/role.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/gorilla/mux"
 )
@@ -15,12 +16,12 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Create role",
 		Description:         "This endpoint creates a role",
-		Request:             nil,
+		Request:             new(roletypes.PostableRole),
 		RequestContentType:  "",
 		Response:            new(types.Identifiable),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPost).GetError(); err != nil {
@@ -44,6 +45,23 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/resources", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetResources), handler.OpenAPIDef{
+		ID:                  "GetResources",
+		Tags:                []string{"role"},
+		Summary:             "Get resources",
+		Description:         "Gets all the available resources for role assignment",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(roletypes.GettableResources),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Get), handler.OpenAPIDef{
 		ID:                  "GetRole",
 		Tags:                []string{"role"},
@@ -61,17 +79,51 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetObjects), handler.OpenAPIDef{
+		ID:                  "GetObjects",
+		Tags:                []string{"role"},
+		Summary:             "Get objects for a role by relation",
+		Description:         "Gets all objects connected to the specified role via a given relation type",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*authtypes.Object, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Patch), handler.OpenAPIDef{
 		ID:                  "PatchRole",
 		Tags:                []string{"role"},
 		Summary:             "Patch role",
 		Description:         "This endpoint patches a role",
-		Request:             nil,
+		Request:             new(roletypes.PatchableRole),
 		RequestContentType:  "",
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPatch).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.PatchObjects), handler.OpenAPIDef{
+		ID:                  "PatchObjects",
+		Tags:                []string{"role"},
+		Summary:             "Patch objects for a role by relation",
+		Description:         "Patches the objects connected to the specified role via a given relation type",
+		Request:             new(roletypes.PatchableObjects),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPatch).GetError(); err != nil {
@@ -88,7 +140,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodDelete).GetError(); err != nil {

pkg/authz/authz.go

@@ -14,17 +14,14 @@ import (
 type AuthZ interface {
 	factory.Service
 
-	// Check returns error when the upstream authorization server is unavailable or the subject (s) doesn't have relation (r) on object (o).
-	Check(context.Context, *openfgav1.TupleKey) error
-
 	// CheckWithTupleCreation takes upon the responsibility for generating the tuples alongside everything Check does.
 	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
 	// CheckWithTupleCreationWithoutClaims checks permissions for anonymous users.
 	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
-	// Batch Check returns error when the upstream authorization server is unavailable or for all the tuples of subject (s) doesn't have relation (r) on object (o).
-	BatchCheck(context.Context, []*openfgav1.TupleKey) error
+	// BatchCheck accepts a map of ID → tuple and returns a map of ID → authorization result.
+	BatchCheck(context.Context, map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error)
 
 	// Write accepts the insertion tuples and the deletion tuples.
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error
@@ -102,5 +99,7 @@ type Handler interface {
 
 	PatchObjects(http.ResponseWriter, *http.Request)
 
+	Check(http.ResponseWriter, *http.Request)
+
 	Delete(http.ResponseWriter, *http.Request)
 }

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -26,7 +26,7 @@ func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) er
 		Model(role).
 		Exec(ctx)
 	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with id: %s already exists", role.ID)
+		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with name: %s already exists", role.Name)
 	}
 
 	return nil

pkg/authz/openfgaauthz/provider.go

@@ -48,11 +48,7 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.server.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
-	return provider.server.Check(ctx, tupleReq)
-}
-
-func (provider *provider) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
 	return provider.server.BatchCheck(ctx, tupleReq)
 }
 
@@ -181,10 +177,6 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 	return nil
 }
 
-func (provider *provider) SetManagedRoleTransactions(context.Context, valuer.UUID) error {
-	return nil
-}
-
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
 	return provider.Grant(ctx, orgID, roletypes.SigNozAdminRoleName, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }

pkg/authz/openfgaserver/server.go

@@ -90,42 +90,18 @@ func (server *Server) Stop(ctx context.Context) error {
 	return nil
 }
 
-func (server *Server) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
 	storeID, modelID := server.getStoreIDandModelID()
-	checkResponse, err := server.openfgaServer.Check(
-		ctx,
-		&openfgav1.CheckRequest{
-			StoreId:              storeID,
-			AuthorizationModelId: modelID,
-			TupleKey: &openfgav1.CheckRequestTupleKey{
-				User:     tupleReq.User,
-				Relation: tupleReq.Relation,
-				Object:   tupleReq.Object,
-			},
-		})
-	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
-	}
-
-	if !checkResponse.Allowed {
-		return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subject %s cannot %s object %s", tupleReq.User, tupleReq.Relation, tupleReq.Object)
-	}
-
-	return nil
-}
-
-func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
-	storeID, modelID := server.getStoreIDandModelID()
-	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0)
-	for idx, tuple := range tupleReq {
+	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0, len(tupleReq))
+	for id, tuple := range tupleReq {
 		batchCheckItems = append(batchCheckItems, &openfgav1.BatchCheckItem{
 			TupleKey: &openfgav1.CheckRequestTupleKey{
 				User:     tuple.User,
 				Relation: tuple.Relation,
 				Object:   tuple.Object,
 			},
-			// the batch check response is map[string] keyed by correlationID.
-			CorrelationId: strconv.Itoa(idx),
+			// Use transaction ID as correlation ID for deterministic mapping
+			CorrelationId: id,
 		})
 	}
 
@@ -137,17 +113,18 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.Tupl
 			Checks:               batchCheckItems,
 		})
 	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
+		return nil, errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
 	}
 
-	for _, checkResponse := range checkResponse.Result {
-		if checkResponse.GetAllowed() {
-			return nil
+	response := make(map[string]*authtypes.TupleKeyAuthorization, len(tupleReq))
+	for id, tuple := range tupleReq {
+		response[id] = &authtypes.TupleKeyAuthorization{
+			Tuple:      tuple,
+			Authorized: checkResponse.Result[id].GetAllowed(),
 		}
 	}
 
-	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
-
+	return response, nil
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -156,17 +133,29 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -175,17 +164,29 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {

pkg/authz/signozauthzapi/handler.go

@@ -7,6 +7,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/binding"
 	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -35,13 +36,14 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID)))
+	role := roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
+	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	render.Success(rw, http.StatusCreated, nil)
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: role.ID})
 }
 
 func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
@@ -112,17 +114,9 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (handler *handler) GetResources(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	resources := handler.authz.GetResources(ctx)
+	resources := handler.authz.GetResources(r.Context())
 
-	var resourceRelations = struct {
-		Resources []*authtypes.Resource                   `json:"resources"`
-		Relations map[authtypes.Type][]authtypes.Relation `json:"relations"`
-	}{
-		Resources: resources,
-		Relations: authtypes.TypeableRelations,
-	}
-	render.Success(rw, http.StatusOK, resourceRelations)
+	render.Success(rw, http.StatusOK, roletypes.NewGettableResources(resources))
 }
 
 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -227,7 +221,7 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	render.Success(rw, http.StatusAccepted, nil)
+	render.Success(rw, http.StatusNoContent, nil)
 }
 
 func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
@@ -252,3 +246,39 @@ func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
 
 	render.Success(rw, http.StatusNoContent, nil)
 }
+
+func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	transactions := make([]*authtypes.Transaction, 0)
+	if err := binding.JSON.BindBody(r.Body, &transactions); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	tuples, err := authtypes.NewTuplesFromTransactions(transactions, subject, orgID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	results, err := handler.authz.BatchCheck(ctx, tuples)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(transactions, results))
+}

pkg/errors/http.go

@@ -6,8 +6,8 @@ import (
 )
 
 type JSON struct {
-	Code    string                    `json:"code"`
-	Message string                    `json:"message"`
+	Code    string                    `json:"code" required:"true"`
+	Message string                    `json:"message" required:"true"`
 	Url     string                    `json:"url,omitempty"`
 	Errors  []responseerroradditional `json:"errors,omitempty"`
 }

pkg/http/render/render.go

@@ -16,13 +16,13 @@ const (
 var json = jsoniter.ConfigCompatibleWithStandardLibrary
 
 type SuccessResponse struct {
-	Status string      `json:"status"`
-	Data   interface{} `json:"data,omitempty"`
+	Status string      `json:"status" required:"true"`
+	Data   interface{} `json:"data,omitempty" required:"true"`
 }
 
 type ErrorResponse struct {
-	Status string       `json:"status"`
-	Error  *errors.JSON `json:"error"`
+	Status string       `json:"status" required:"true"`
+	Error  *errors.JSON `json:"error" required:"true"`
 }
 
 func Success(rw http.ResponseWriter, httpCode int, data interface{}) {

pkg/query-service/app/clickhouseReader/reader.go

@@ -1913,7 +1913,7 @@ func (r *ClickHouseReader) GetCustomRetentionTTL(ctx context.Context, orgID stri
 			// No V2 configuration found, return defaults
 			response.DefaultTTLDays = 15
 			response.TTLConditions = []model.CustomRetentionRule{}
-			response.Status = constants.StatusFailed
+			response.Status = constants.StatusSuccess
 			response.ColdStorageTTLDays = -1
 			return response, nil
 		}

pkg/telemetrymetrics/statement_builder.go

@@ -26,6 +26,9 @@ const (
 	IncreaseMultiTemporality = `IF(LOWER(temporality) LIKE LOWER('delta'), %s, multiIf(row_number() OVER rate_window = 1, nan, (%s - lagInFrame(%s, 1) OVER rate_window) < 0, %s, (%s - lagInFrame(%s, 1) OVER rate_window))) AS per_series_value`
 
 	OthersMultiTemporality = `IF(LOWER(temporality) LIKE LOWER('delta'), %s, %s) AS per_series_value`
+
+	RateWithStartTs     = "multiIf(row_number() OVER rate_window = 1 AND earliest_start_ts < %d, NAN, row_number() OVER rate_window = 1, sum_all_values / (ts - earliest_start_ts), earliest_start_ts = lagInFrame(latest_start_ts, 1) OVER rate_window, (sum_all_values - lagInFrame(latest_value, 1) OVER rate_window) / (ts - lagInFrame(ts, 1)), sum_all_values / (ts - lagInFrame(ts, 1))) AS per_series_value"
+	IncreaseWithStartTs = "multiIf(row_number() OVER rate_window = 1 AND earliest_start_ts < %d, NAN, row_number() OVER rate_window = 1, sum_all_values, earliest_start_ts = lagInFrame(latest_start_ts, 1) OVER rate_window, sum_all_values - lagInFrame(latest_value, 1) OVER rate_window, sum_all_values) AS per_series_value"
 )
 
 type MetricQueryStatementBuilder struct {
@@ -330,6 +333,9 @@ func (b *MetricQueryStatementBuilder) buildTemporalAggregationCTE(
 	if query.Aggregations[0].Temporality == metrictypes.Delta {
 		return b.buildTemporalAggDelta(ctx, start, end, query, timeSeriesCTE, timeSeriesCTEArgs)
 	} else if query.Aggregations[0].Temporality != metrictypes.Multiple {
+		if query.Aggregations[0].TimeAggregation == metrictypes.TimeAggregationIncrease || query.Aggregations[0].TimeAggregation == metrictypes.TimeAggregationRate {
+			return b.buildTemporalAggCumulativeOrUnspecifiedWithStartTs(ctx, start, end, query, timeSeriesCTE, timeSeriesCTEArgs)
+		}
 		return b.buildTemporalAggCumulativeOrUnspecified(ctx, start, end, query, timeSeriesCTE, timeSeriesCTEArgs)
 	}
 	return b.buildTemporalAggForMultipleTemporalities(ctx, start, end, query, timeSeriesCTE, timeSeriesCTEArgs)
@@ -382,6 +388,101 @@ func (b *MetricQueryStatementBuilder) buildTemporalAggDelta(
 	return fmt.Sprintf("__temporal_aggregation_cte AS (%s)", q), args, nil
 }
 
+func (b *MetricQueryStatementBuilder) buildTemporalAggCumulativeOrUnspecifiedWithStartTs(
+	ctx context.Context,
+	start, end uint64,
+	query qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation],
+	timeSeriesCTE string,
+	timeSeriesCTEArgs []any,
+) (string, []any, error) {
+	stepSec := int64(query.StepInterval.Seconds())
+
+	moreInfoQueryBuilder := sqlbuilder.NewSelectBuilder()
+	moreInfoQueryBuilder.Select("fingerprint")
+	moreInfoQueryBuilder.SelectMore(fmt.Sprintf(
+		"toStartOfInterval(toDateTime(intDiv(unix_milli, 1000)), toIntervalSecond(%d)) AS ts",
+		stepSec,
+	))
+	moreInfoQueryBuilder.SelectMore("toDateTime(intDiv(start_timestamp_unix_milli, 1000)) AS start_ts")
+	for _, g := range query.GroupBy {
+		moreInfoQueryBuilder.SelectMore(fmt.Sprintf("`%s`", g.TelemetryFieldKey.Name))
+	}
+
+	aggCol, err := AggregationColumnForSamplesTable(start, end, query.Aggregations[0].Type, query.Aggregations[0].Temporality, query.Aggregations[0].TimeAggregation, query.Aggregations[0].TableHints)
+	if err != nil {
+		return "", nil, err
+	}
+	moreInfoQueryBuilder.SelectMore(fmt.Sprintf("%s AS max_value", aggCol))
+
+	colWithLatestValue, err := AggregationColumnForSamplesTable(start, end, query.Aggregations[0].Type, query.Aggregations[0].Temporality, metrictypes.TimeAggregationLatest, query.Aggregations[0].TableHints)
+	if err != nil {
+		return "", nil, err
+	}
+	moreInfoQueryBuilder.SelectMore(fmt.Sprintf("%s AS latest_value", colWithLatestValue))
+	moreInfoQueryBuilder.SelectMore("max(unix_milli) AS latest_timestamp")
+
+	tbl := WhichSamplesTableToUse(start, end, query.Aggregations[0].Type, query.Aggregations[0].TimeAggregation, query.Aggregations[0].TableHints)
+	moreInfoQueryBuilder.From(fmt.Sprintf("%s.%s AS points", DBName, tbl))
+	moreInfoQueryBuilder.JoinWithOption(sqlbuilder.InnerJoin, timeSeriesCTE, "points.fingerprint = filtered_time_series.fingerprint")
+	moreInfoQueryBuilder.Where(
+		moreInfoQueryBuilder.In("metric_name", query.Aggregations[0].MetricName),
+		moreInfoQueryBuilder.GTE("unix_milli", start),
+		moreInfoQueryBuilder.LT("unix_milli", end),
+	)
+	moreInfoQueryBuilder.GroupBy("fingerprint", "ts", "start_ts")
+	moreInfoQueryBuilder.GroupBy(querybuilder.GroupByKeys(query.GroupBy)...)
+
+	moreInfoPerRowQuery, moreInfoPerRowArgs := moreInfoQueryBuilder.BuildWithFlavor(sqlbuilder.ClickHouse, timeSeriesCTEArgs...)
+
+	innerQueryBuilder := sqlbuilder.NewSelectBuilder()
+	innerQueryBuilder.Select("fingerprint")
+	innerQueryBuilder.SelectMore("ts")
+	for _, g := range query.GroupBy {
+		innerQueryBuilder.SelectMore(fmt.Sprintf("`%s`", g.TelemetryFieldKey.Name))
+	}
+	innerQueryBuilder.SelectMore("max(start_ts) AS latest_start_ts")
+	innerQueryBuilder.SelectMore("min(start_ts) AS earliest_start_ts")
+	innerQueryBuilder.SelectMore("sum(max_value) AS sum_all_values")
+	innerQueryBuilder.SelectMore("argMax(latest_value, latest_timestamp) AS latest_value")
+
+	innerQueryBuilder.From(fmt.Sprintf("(%s)", moreInfoPerRowQuery))
+
+	innerQueryBuilder.GroupBy("fingerprint", "ts")
+	innerQueryBuilder.GroupBy(querybuilder.GroupByKeys(query.GroupBy)...)
+
+	innerQuery, innerQueryArgs := innerQueryBuilder.BuildWithFlavor(sqlbuilder.ClickHouse, moreInfoPerRowArgs...)
+
+	switch query.Aggregations[0].TimeAggregation {
+	case metrictypes.TimeAggregationRate:
+		rateExpr := fmt.Sprintf(RateWithStartTs, start)
+		wrapped := sqlbuilder.NewSelectBuilder()
+		wrapped.Select("ts")
+		wrapped.SelectMore("latest_value")
+		for _, g := range query.GroupBy {
+			wrapped.SelectMore(fmt.Sprintf("`%s`", g.TelemetryFieldKey.Name))
+		}
+		wrapped.SelectMore(rateExpr)
+		wrapped.From(fmt.Sprintf("(%s) WINDOW rate_window AS (PARTITION BY fingerprint ORDER BY fingerprint, ts)", innerQuery))
+		q, args := wrapped.BuildWithFlavor(sqlbuilder.ClickHouse, moreInfoPerRowArgs...)
+		return fmt.Sprintf("__temporal_aggregation_cte AS (%s)", q), args, nil
+
+	case metrictypes.TimeAggregationIncrease:
+		incExpr := fmt.Sprintf(IncreaseWithStartTs, start)
+		wrapped := sqlbuilder.NewSelectBuilder()
+		wrapped.Select("ts")
+		wrapped.SelectMore("latest_value")
+		for _, g := range query.GroupBy {
+			wrapped.SelectMore(fmt.Sprintf("`%s`", g.TelemetryFieldKey.Name))
+		}
+		wrapped.SelectMore(incExpr)
+		wrapped.From(fmt.Sprintf("(%s) WINDOW rate_window AS (PARTITION BY fingerprint ORDER BY fingerprint, ts)", innerQuery))
+		q, args := wrapped.BuildWithFlavor(sqlbuilder.ClickHouse, moreInfoPerRowArgs...)
+		return fmt.Sprintf("__temporal_aggregation_cte AS (%s)", q), args, nil
+	default:
+		return fmt.Sprintf("__temporal_aggregation_cte AS (%s)", innerQuery), innerQueryArgs, nil
+	}
+}
+
 func (b *MetricQueryStatementBuilder) buildTemporalAggCumulativeOrUnspecified(
 	_ context.Context,
 	start, end uint64,

pkg/types/authtypes/relation.go

@@ -15,15 +15,14 @@ var (
 	RelationUpdate   = Relation{valuer.NewString("update")}
 	RelationDelete   = Relation{valuer.NewString("delete")}
 	RelationList     = Relation{valuer.NewString("list")}
-	RelationBlock    = Relation{valuer.NewString("block")}
 	RelationAssignee = Relation{valuer.NewString("assignee")}
 )
 
 var TypeableRelations = map[Type][]Relation{
 	TypeUser:          {RelationRead, RelationUpdate, RelationDelete},
 	TypeRole:          {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
-	TypeOrganization:  {RelationCreate, RelationRead, RelationUpdate, RelationDelete, RelationList},
-	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete, RelationBlock},
+	TypeOrganization:  {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete},
 	TypeMetaResources: {RelationCreate, RelationList},
 }
 
@@ -41,8 +40,6 @@ func NewRelation(relation string) (Relation, error) {
 		return RelationDelete, nil
 	case "list":
 		return RelationList, nil
-	case "block":
-		return RelationBlock, nil
 	case "assignee":
 		return RelationAssignee, nil
 	default:

pkg/types/authtypes/transaction.go

@@ -6,21 +6,29 @@ import (
 	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type Resource struct {
-	Name Name `json:"name"`
-	Type Type `json:"type"`
+	Name Name `json:"name" required:"true"`
+	Type Type `json:"type" required:"true"`
 }
 
 type Object struct {
-	Resource Resource `json:"resource"`
-	Selector Selector `json:"selector"`
+	Resource Resource `json:"resource" required:"true"`
+	Selector Selector `json:"selector" required:"true"`
 }
 
 type Transaction struct {
-	Relation Relation `json:"relation"`
-	Object   Object   `json:"object"`
+	ID       valuer.UUID `json:"id"`
+	Relation Relation    `json:"relation" required:"true"`
+	Object   Object      `json:"object" required:"true"`
+}
+
+type GettableTransaction struct {
+	Relation   Relation `json:"relation" required:"true"`
+	Object     Object   `json:"object" required:"true"`
+	Authorized bool     `json:"authorized" required:"true"`
 }
 
 func NewObject(resource Resource, selector Selector) (*Object, error) {
@@ -75,7 +83,21 @@ func NewTransaction(relation Relation, object Object) (*Transaction, error) {
 		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidRelation, "invalid relation %s for type %s", relation.StringValue(), object.Resource.Type.StringValue())
 	}
 
-	return &Transaction{Relation: relation, Object: object}, nil
+	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
+}
+
+func NewGettableTransaction(transactions []*Transaction, results map[string]*TupleKeyAuthorization) []*GettableTransaction {
+	gettableTransactions := make([]*GettableTransaction, len(transactions))
+	for i, txn := range transactions {
+		result := results[txn.ID.StringValue()]
+		gettableTransactions[i] = &GettableTransaction{
+			Relation:   txn.Relation,
+			Object:     txn.Object,
+			Authorized: result.Authorized,
+		}
+	}
+
+	return gettableTransactions
 }
 
 func (object *Object) UnmarshalJSON(data []byte) error {

pkg/types/authtypes/tuple.go

@@ -0,0 +1,31 @@
+package authtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/valuer"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+)
+
+type TupleKeyAuthorization struct {
+	Tuple      *openfgav1.TupleKey
+	Authorized bool
+}
+
+func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgID valuer.UUID) (map[string]*openfgav1.TupleKey, error) {
+	tuples := make(map[string]*openfgav1.TupleKey, len(transactions))
+	for _, txn := range transactions {
+		typeable, err := NewTypeableFromType(txn.Object.Resource.Type, txn.Object.Resource.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		txnTuples, err := typeable.Tuples(subject, txn.Relation, []Selector{txn.Object.Selector}, orgID)
+		if err != nil {
+			return nil, err
+		}
+
+		// Each transaction produces one tuple, keyed by transaction ID
+		tuples[txn.ID.StringValue()] = txnTuples[0]
+	}
+
+	return tuples, nil
+}

pkg/types/roletypes/role.go

@@ -69,24 +69,29 @@ type StorableRole struct {
 type Role struct {
 	types.Identifiable
 	types.TimeAuditable
-	Name        string        `json:"name"`
-	Description string        `json:"description"`
-	Type        valuer.String `json:"type"`
-	OrgID       valuer.UUID   `json:"orgId"`
+	Name        string        `json:"name" required:"true"`
+	Description string        `json:"description" required:"true"`
+	Type        valuer.String `json:"type" required:"true"`
+	OrgID       valuer.UUID   `json:"orgId" required:"true"`
 }
 
 type PostableRole struct {
-	Name        string `json:"name"`
+	Name        string `json:"name" required:"true"`
 	Description string `json:"description"`
 }
 
 type PatchableRole struct {
-	Description *string `json:"description"`
+	Description string `json:"description" required:"true"`
 }
 
 type PatchableObjects struct {
-	Additions []*authtypes.Object `json:"additions"`
-	Deletions []*authtypes.Object `json:"deletions"`
+	Additions []*authtypes.Object `json:"additions" required:"true"`
+	Deletions []*authtypes.Object `json:"deletions" required:"true"`
+}
+
+type GettableResources struct {
+	Resources []*authtypes.Resource                   `json:"resources" required:"true"`
+	Relations map[authtypes.Type][]authtypes.Relation `json:"relations" required:"true"`
 }
 
 func NewStorableRoleFromRole(role *Role) *StorableRole {
@@ -137,15 +142,20 @@ func NewManagedRoles(orgID valuer.UUID) []*Role {
 
 }
 
-func (role *Role) PatchMetadata(description *string) error {
+func NewGettableResources(resources []*authtypes.Resource) *GettableResources {
+	return &GettableResources{
+		Resources: resources,
+		Relations: authtypes.TypeableRelations,
+	}
+}
+
+func (role *Role) PatchMetadata(description string) error {
 	err := role.CanEditDelete()
 	if err != nil {
 		return err
 	}
 
-	if description != nil {
-		role.Description = *description
-	}
+	role.Description = description
 	role.UpdatedAt = time.Now()
 	return nil
 }
@@ -210,7 +220,7 @@ func (role *PostableRole) UnmarshalJSON(data []byte) error {
 
 func (role *PatchableRole) UnmarshalJSON(data []byte) error {
 	type shadowPatchableRole struct {
-		Description *string `json:"description"`
+		Description string `json:"description"`
 	}
 
 	var shadowRole shadowPatchableRole
@@ -218,7 +228,7 @@ func (role *PatchableRole) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	if shadowRole.Description == nil {
+	if shadowRole.Description == "" {
 		return errors.New(errors.TypeInvalidInput, ErrCodeRoleEmptyPatch, "empty role patch request received, description must be present")
 	}