Merge branch 'main' into platform-pod/issues/1693

docs/api/openapi.yml

@@ -92,6 +92,15 @@ components:
         tokenType:
           type: string
       type: object
+    AuthtypesGettableTransaction:
+      properties:
+        authorized:
+          type: boolean
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      type: object
     AuthtypesGoogleConfig:
       properties:
         allowedGroups:
@@ -117,6 +126,8 @@ components:
         serviceAccountJson:
           type: string
       type: object
+    AuthtypesName:
+      type: object
     AuthtypesOIDCConfig:
       properties:
         claimMapping:
@@ -134,6 +145,16 @@ components:
         issuerAlias:
           type: string
       type: object
+    AuthtypesObject:
+      properties:
+        resource:
+          $ref: '#/components/schemas/AuthtypesResource'
+        selector:
+          $ref: '#/components/schemas/AuthtypesSelector'
+      required:
+      - resource
+      - selector
+      type: object
     AuthtypesOrgSessionContext:
       properties:
         authNSupport:
@@ -171,6 +192,16 @@ components:
         refreshToken:
           type: string
       type: object
+    AuthtypesResource:
+      properties:
+        name:
+          $ref: '#/components/schemas/AuthtypesName'
+        type:
+          type: string
+      required:
+      - name
+      - type
+      type: object
     AuthtypesRoleMapping:
       properties:
         defaultRole:
@@ -196,6 +227,8 @@ components:
         samlIdp:
           type: string
       type: object
+    AuthtypesSelector:
+      type: object
     AuthtypesSessionContext:
       properties:
         exists:
@@ -206,6 +239,18 @@ components:
           nullable: true
           type: array
       type: object
+    AuthtypesTransaction:
+      properties:
+        id:
+          type: string
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      required:
+      - relation
+      - object
+      type: object
     AuthtypesUpdateableAuthDomain:
       properties:
         config:
@@ -1613,6 +1658,52 @@ components:
         status:
           type: string
       type: object
+    RoletypesGettableResources:
+      properties:
+        relations:
+          additionalProperties:
+            items:
+              type: string
+            type: array
+          nullable: true
+          type: object
+        resources:
+          items:
+            $ref: '#/components/schemas/AuthtypesResource'
+          nullable: true
+          type: array
+      type: object
+    RoletypesPatchableObjects:
+      properties:
+        additions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+        deletions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+      required:
+      - additions
+      - deletions
+      type: object
+    RoletypesPatchableRole:
+      properties:
+        description:
+          nullable: true
+          type: string
+      type: object
+    RoletypesPostableRole:
+      properties:
+        description:
+          type: string
+        name:
+          type: string
+      required:
+      - name
+      type: object
     RoletypesRole:
       properties:
         createdAt:
@@ -2022,6 +2113,41 @@ info:
   version: ""
 openapi: 3.0.3
 paths:
+  /api/v1/authz/check:
+    post:
+      deprecated: false
+      description: Checks if the authenticated user has permissions for given transactions
+      operationId: AuthzCheck
+      requestBody:
+        content:
+          application/json:
+            schema:
+              items:
+                $ref: '#/components/schemas/AuthtypesTransaction'
+              type: array
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesGettableTransaction'
+                    type: array
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Check permissions
+      tags:
+      - authz
   /api/v1/changePassword/{id}:
     post:
       deprecated: false
@@ -3851,6 +3977,11 @@ paths:
       deprecated: false
       description: This endpoint creates a role
       operationId: CreateRole
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPostableRole'
       responses:
         "201":
           content:
@@ -3863,6 +3994,12 @@ paths:
                     type: string
                 type: object
           description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
         "401":
           content:
             application/json:
@@ -3875,12 +4012,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3919,12 +4074,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3991,6 +4164,11 @@ paths:
         required: true
         schema:
           type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableRole'
       responses:
         "204":
           content:
@@ -4010,6 +4188,220 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch role
+      tags:
+      - role
+  /api/v1/roles/{id}/relation/{relation}/objects:
+    get:
+      deprecated: false
+      description: Gets all objects connected to the specified role via a given relation
+        type
+      operationId: GetObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesObject'
+                    type: array
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get objects for a role by relation
+      tags:
+      - role
+    patch:
+      deprecated: false
+      description: Patches the objects connected to the specified role via a given
+        relation type
+      operationId: PatchObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableObjects'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch objects for a role by relation
+      tags:
+      - role
+  /api/v1/roles/resources:
+    get:
+      deprecated: false
+      description: Gets all the available resources for role assignment
+      operationId: GetResources
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/RoletypesGettableResources'
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
         "500":
           content:
             application/json:
@@ -4021,7 +4413,7 @@ paths:
         - ADMIN
       - tokenizer:
         - ADMIN
-      summary: Patch role
+      summary: Get resources
       tags:
       - role
   /api/v1/user:

ee/authz/openfgaauthz/provider.go

@@ -62,10 +62,6 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.openfgaServer.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return provider.openfgaServer.Check(ctx, tuple)
-}
-
 func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.openfgaServer.CheckWithTupleCreation(ctx, claims, orgID, relation, typeable, selectors, roleSelectors)
 }
@@ -74,8 +70,8 @@ func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Contex
 	return provider.openfgaServer.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, roleSelectors)
 }
 
-func (provider *provider) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
-	return provider.openfgaServer.BatchCheck(ctx, tuples)
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
+	return provider.openfgaServer.BatchCheck(ctx, tupleReq)
 }
 
 func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
@@ -187,6 +183,11 @@ func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource
 }
 
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
+	_, err := provider.licensing.GetActive(ctx, orgID)
+	if err != nil {
+		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
+	}
+
 	storableRole, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return nil, err
@@ -198,7 +199,7 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 			resourceObjects, err := provider.
 				ListObjects(
 					ctx,
-					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.ID.String(), orgID, &authtypes.RelationAssignee),
+					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
 					relation,
 					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
 				)

ee/authz/openfgaserver/server.go

@@ -2,8 +2,10 @@ package openfgaserver
 
 import (
 	"context"
+	"strconv"
 
 	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -28,27 +30,34 @@ func (server *Server) Stop(ctx context.Context) error {
 	return server.pkgAuthzService.Stop(ctx)
 }
 
-func (server *Server) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return server.pkgAuthzService.Check(ctx, tuple)
-}
-
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
@@ -57,21 +66,32 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
-func (server *Server) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
-	return server.pkgAuthzService.BatchCheck(ctx, tuples)
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
+	return server.pkgAuthzService.BatchCheck(ctx, tupleReq)
 }
 
 func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {

ee/modules/dashboard/impldashboard/module.go

@@ -220,6 +220,7 @@ func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.T
 	return map[string][]*authtypes.Transaction{
 		roletypes.SigNozAnonymousRoleName: {
 			{
+				ID:       valuer.GenerateUUID(),
 				Relation: authtypes.RelationRead,
 				Object: *authtypes.MustNewObject(
 					authtypes.Resource{

frontend/src/api/generated/services/authz/index.ts

@@ -0,0 +1,107 @@
+/**
+ * ! Do not edit manually
+ * * The file has been auto-generated using Orval for SigNoz
+ * * regenerate with 'yarn generate:api'
+ * SigNoz
+ */
+import type {
+	MutationFunction,
+	UseMutationOptions,
+	UseMutationResult,
+} from 'react-query';
+import { useMutation } from 'react-query';
+
+import { GeneratedAPIInstance } from '../../../index';
+import type {
+	AuthtypesTransactionDTO,
+	AuthzCheck200,
+	RenderErrorResponseDTO,
+} from '../sigNoz.schemas';
+
+type AwaitedInput<T> = PromiseLike<T> | T;
+
+type Awaited<O> = O extends AwaitedInput<infer T> ? T : never;
+
+/**
+ * Checks if the authenticated user has permissions for given transactions
+ * @summary Check permissions
+ */
+export const authzCheck = (
+	authtypesTransactionDTO: AuthtypesTransactionDTO[],
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<AuthzCheck200>({
+		url: `/api/v1/authz/check`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: authtypesTransactionDTO,
+		signal,
+	});
+};
+
+export const getAuthzCheckMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationKey = ['authzCheck'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof authzCheck>>,
+		{ data: AuthtypesTransactionDTO[] }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return authzCheck(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type AuthzCheckMutationResult = NonNullable<
+	Awaited<ReturnType<typeof authzCheck>>
+>;
+export type AuthzCheckMutationBody = AuthtypesTransactionDTO[];
+export type AuthzCheckMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Check permissions
+ */
+export const useAuthzCheck = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationOptions = getAuthzCheckMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};

frontend/src/api/generated/services/role/index.ts

@@ -21,11 +21,18 @@ import { GeneratedAPIInstance } from '../../../index';
 import type {
 	CreateRole201,
 	DeleteRolePathParameters,
+	GetObjects200,
+	GetObjectsPathParameters,
+	GetResources200,
 	GetRole200,
 	GetRolePathParameters,
 	ListRoles200,
+	PatchObjectsPathParameters,
 	PatchRolePathParameters,
 	RenderErrorResponseDTO,
+	RoletypesPatchableObjectsDTO,
+	RoletypesPatchableRoleDTO,
+	RoletypesPostableRoleDTO,
 } from '../sigNoz.schemas';
 
 type AwaitedInput<T> = PromiseLike<T> | T;
@@ -114,10 +121,15 @@ export const invalidateListRoles = async (
  * This endpoint creates a role
  * @summary Create role
  */
-export const createRole = (signal?: AbortSignal) => {
+export const createRole = (
+	roletypesPostableRoleDTO: RoletypesPostableRoleDTO,
+	signal?: AbortSignal,
+) => {
 	return GeneratedAPIInstance<CreateRole201>({
 		url: `/api/v1/roles`,
 		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPostableRoleDTO,
 		signal,
 	});
 };
@@ -129,13 +141,13 @@ export const getCreateRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['createRole'];
@@ -149,9 +161,11 @@ export const getCreateRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof createRole>>,
-		void
-	> = () => {
-		return createRole();
+		{ data: RoletypesPostableRoleDTO }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return createRole(data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -160,7 +174,7 @@ export const getCreateRoleMutationOptions = <
 export type CreateRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof createRole>>
 >;
-
+export type CreateRoleMutationBody = RoletypesPostableRoleDTO;
 export type CreateRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -173,13 +187,13 @@ export const useCreateRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getCreateRoleMutationOptions(options);
@@ -358,10 +372,15 @@ export const invalidateGetRole = async (
  * This endpoint patches a role
  * @summary Patch role
  */
-export const patchRole = ({ id }: PatchRolePathParameters) => {
+export const patchRole = (
+	{ id }: PatchRolePathParameters,
+	roletypesPatchableRoleDTO: RoletypesPatchableRoleDTO,
+) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/roles/${id}`,
 		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableRoleDTO,
 	});
 };
 
@@ -372,13 +391,13 @@ export const getPatchRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['patchRole'];
@@ -392,11 +411,11 @@ export const getPatchRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof patchRole>>,
-		{ pathParams: PatchRolePathParameters }
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO }
 	> = (props) => {
-		const { pathParams } = props ?? {};
+		const { pathParams, data } = props ?? {};
 
-		return patchRole(pathParams);
+		return patchRole(pathParams, data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -405,7 +424,7 @@ export const getPatchRoleMutationOptions = <
 export type PatchRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof patchRole>>
 >;
-
+export type PatchRoleMutationBody = RoletypesPatchableRoleDTO;
 export type PatchRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -418,16 +437,292 @@ export const usePatchRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getPatchRoleMutationOptions(options);
 
 	return useMutation(mutationOptions);
 };
+/**
+ * Gets all objects connected to the specified role via a given relation type
+ * @summary Get objects for a role by relation
+ */
+export const getObjects = (
+	{ id, relation }: GetObjectsPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetObjects200>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetObjectsQueryKey = ({
+	id,
+	relation,
+}: GetObjectsPathParameters) => {
+	return ['getObjects'] as const;
+};
+
+export const getGetObjectsQueryOptions = <
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getGetObjectsQueryKey({ id, relation });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getObjects>>> = ({
+		signal,
+	}) => getObjects({ id, relation }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!(id && relation),
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getObjects>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetObjectsQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getObjects>>
+>;
+export type GetObjectsQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get objects for a role by relation
+ */
+
+export function useGetObjects<
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetObjectsQueryOptions({ id, relation }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get objects for a role by relation
+ */
+export const invalidateGetObjects = async (
+	queryClient: QueryClient,
+	{ id, relation }: GetObjectsPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetObjectsQueryKey({ id, relation }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * Patches the objects connected to the specified role via a given relation type
+ * @summary Patch objects for a role by relation
+ */
+export const patchObjects = (
+	{ id, relation }: PatchObjectsPathParameters,
+	roletypesPatchableObjectsDTO: RoletypesPatchableObjectsDTO,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableObjectsDTO,
+	});
+};
+
+export const getPatchObjectsMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationKey = ['patchObjects'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof patchObjects>>,
+		{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO }
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return patchObjects(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type PatchObjectsMutationResult = NonNullable<
+	Awaited<ReturnType<typeof patchObjects>>
+>;
+export type PatchObjectsMutationBody = RoletypesPatchableObjectsDTO;
+export type PatchObjectsMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Patch objects for a role by relation
+ */
+export const usePatchObjects = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationOptions = getPatchObjectsMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * Gets all the available resources for role assignment
+ * @summary Get resources
+ */
+export const getResources = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<GetResources200>({
+		url: `/api/v1/roles/resources`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetResourcesQueryKey = () => {
+	return ['getResources'] as const;
+};
+
+export const getGetResourcesQueryOptions = <
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetResourcesQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getResources>>> = ({
+		signal,
+	}) => getResources(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetResourcesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getResources>>
+>;
+export type GetResourcesQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get resources
+ */
+
+export function useGetResources<
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetResourcesQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get resources
+ */
+export const invalidateGetResources = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetResourcesQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -127,6 +127,18 @@ export interface AuthtypesGettableTokenDTO {
 	tokenType?: string;
 }
 
+export interface AuthtypesGettableTransactionDTO {
+	/**
+	 * @type boolean
+	 */
+	authorized?: boolean;
+	object?: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation?: string;
+}
+
 export type AuthtypesGoogleConfigDTODomainToAdminEmail = {
 	[key: string]: string;
 };
@@ -170,6 +182,10 @@ export interface AuthtypesGoogleConfigDTO {
 	serviceAccountJson?: string;
 }
 
+export interface AuthtypesNameDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesOIDCConfigDTO {
 	claimMapping?: AuthtypesAttributeMappingDTO;
 	/**
@@ -198,6 +214,11 @@ export interface AuthtypesOIDCConfigDTO {
 	issuerAlias?: string;
 }
 
+export interface AuthtypesObjectDTO {
+	resource: AuthtypesResourceDTO;
+	selector: AuthtypesSelectorDTO;
+}
+
 export interface AuthtypesOrgSessionContextDTO {
 	authNSupport?: AuthtypesAuthNSupportDTO;
 	/**
@@ -248,6 +269,14 @@ export interface AuthtypesPostableRotateTokenDTO {
 	refreshToken?: string;
 }
 
+export interface AuthtypesResourceDTO {
+	name: AuthtypesNameDTO;
+	/**
+	 * @type string
+	 */
+	type: string;
+}
+
 /**
  * @nullable
  */
@@ -291,6 +320,10 @@ export interface AuthtypesSamlConfigDTO {
 	samlIdp?: string;
 }
 
+export interface AuthtypesSelectorDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesSessionContextDTO {
 	/**
 	 * @type boolean
@@ -303,6 +336,18 @@ export interface AuthtypesSessionContextDTO {
 	orgs?: AuthtypesOrgSessionContextDTO[] | null;
 }
 
+export interface AuthtypesTransactionDTO {
+	/**
+	 * @type string
+	 */
+	id?: string;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
+}
+
 export interface AuthtypesUpdateableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }
@@ -1947,6 +1992,58 @@ export interface RenderErrorResponseDTO {
 	status?: string;
 }
 
+/**
+ * @nullable
+ */
+export type RoletypesGettableResourcesDTORelations = {
+	[key: string]: string[];
+} | null;
+
+export interface RoletypesGettableResourcesDTO {
+	/**
+	 * @type object
+	 * @nullable true
+	 */
+	relations?: RoletypesGettableResourcesDTORelations;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	resources?: AuthtypesResourceDTO[] | null;
+}
+
+export interface RoletypesPatchableObjectsDTO {
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	additions: AuthtypesObjectDTO[] | null;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	deletions: AuthtypesObjectDTO[] | null;
+}
+
+export interface RoletypesPatchableRoleDTO {
+	/**
+	 * @type string
+	 * @nullable true
+	 */
+	description?: string | null;
+}
+
+export interface RoletypesPostableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description?: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
 export interface RoletypesRoleDTO {
 	/**
 	 * @type string
@@ -2499,6 +2596,17 @@ export interface ZeustypesPostableProfileDTO {
 	where_did_you_discover_signoz: string;
 }
 
+export type AuthzCheck200 = {
+	/**
+	 * @type array
+	 */
+	data?: AuthtypesGettableTransactionDTO[];
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
 export type ChangePasswordPathParameters = {
 	id: string;
 };
@@ -2902,6 +3010,33 @@ export type GetRole200 = {
 export type PatchRolePathParameters = {
 	id: string;
 };
+export type GetObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetObjects200 = {
+	/**
+	 * @type array
+	 */
+	data?: AuthtypesObjectDTO[];
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
+export type PatchObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetResources200 = {
+	data?: RoletypesGettableResourcesDTO;
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
 export type ListUsers200 = {
 	/**
 	 * @type array

frontend/src/container/DashboardContainer/visualization/components/ChartManager/ChartManager.styles.scss

@@ -1,22 +1,3 @@
-.chart-manager-series-label {
-	width: 100%;
-	min-width: 0;
-	max-width: 100%;
-	cursor: pointer;
-	border: none;
-	background-color: transparent;
-	color: inherit;
-	text-align: left;
-	padding: 0;
-	overflow: hidden;
-	text-overflow: ellipsis;
-	white-space: nowrap;
-
-	&:disabled {
-		cursor: not-allowed;
-	}
-}
-
 .chart-manager-container {
 	width: 100%;
 	max-height: calc(40% - 40px);

frontend/src/container/DashboardContainer/visualization/components/ChartManager/ChartManager.tsx

@@ -1,28 +1,24 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { Button, Input } from 'antd';
-import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
 import { ResizeTable } from 'components/ResizeTable';
+import { getGraphManagerTableColumns } from 'container/GridCardLayout/GridCard/FullView/TableRender/GraphManagerColumns';
+import { ExtendedChartDataset } from 'container/GridCardLayout/GridCard/FullView/types';
+import { getDefaultTableDataSet } from 'container/GridCardLayout/GridCard/FullView/utils';
 import { useNotifications } from 'hooks/useNotifications';
 import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
 import { usePlotContext } from 'lib/uPlotV2/context/PlotContext';
 import useLegendsSync from 'lib/uPlotV2/hooks/useLegendsSync';
 import { useDashboard } from 'providers/Dashboard/Dashboard';
 
-import { getChartManagerColumns } from './columns';
-import { ExtendedChartDataset, getDefaultTableDataSet } from './utils';
-
 import './ChartManager.styles.scss';
 
 interface ChartManagerProps {
 	config: UPlotConfigBuilder;
 	alignedData: uPlot.AlignedData;
 	yAxisUnit?: string;
-	decimalPrecision?: PrecisionOption;
 	onCancel?: () => void;
 }
 
-const X_AXIS_INDEX = 0;
-
 /**
  * ChartManager provides a tabular view to manage the visibility of
  * individual series on a uPlot chart.
@@ -32,12 +28,16 @@ const X_AXIS_INDEX = 0;
  * - filter series by label
  * - toggle individual series on/off
  * - persist the visibility configuration to local storage.
+ *
+ * @param config - `UPlotConfigBuilder` instance used to derive chart options.
+ * @param alignedData - uPlot aligned data used to build the initial table dataset.
+ * @param yAxisUnit - Optional unit label for Y-axis values shown in the table.
+ * @param onCancel - Optional callback invoked when the user cancels the dialog.
  */
 export default function ChartManager({
 	config,
 	alignedData,
 	yAxisUnit,
-	decimalPrecision = PrecisionOptionsEnum.TWO,
 	onCancel,
 }: ChartManagerProps): JSX.Element {
 	const { notifications } = useNotifications();
@@ -53,13 +53,8 @@ export default function ChartManager({
 	const { isDashboardLocked } = useDashboard();
 
 	const [tableDataSet, setTableDataSet] = useState<ExtendedChartDataset[]>(() =>
-		getDefaultTableDataSet(
-			config.getConfig() as uPlot.Options,
-			alignedData,
-			decimalPrecision,
-		),
+		getDefaultTableDataSet(config.getConfig() as uPlot.Options, alignedData),
 	);
-	const [filterValue, setFilterValue] = useState('');
 
 	const graphVisibilityState = useMemo(
 		() =>
@@ -72,62 +67,46 @@ export default function ChartManager({
 
 	useEffect(() => {
 		setTableDataSet(
-			getDefaultTableDataSet(
-				config.getConfig() as uPlot.Options,
-				alignedData,
-				decimalPrecision,
-			),
+			getDefaultTableDataSet(config.getConfig() as uPlot.Options, alignedData),
 		);
-		setFilterValue('');
-	}, [alignedData, config, decimalPrecision]);
+	}, [alignedData, config]);
 
-	const handleFilterChange = useCallback(
-		(e: React.ChangeEvent<HTMLInputElement>): void => {
-			setFilterValue(e.target.value.toLowerCase());
+	const filterHandler = useCallback(
+		(event: React.ChangeEvent<HTMLInputElement>): void => {
+			const value = event.target.value.toString().toLowerCase();
+			const updatedDataSet = tableDataSet.map((item) => {
+				if (item.label?.toLocaleLowerCase().includes(value)) {
+					return { ...item, show: true };
+				}
+				return { ...item, show: false };
+			});
+			setTableDataSet(updatedDataSet);
 		},
-		[],
+		[tableDataSet],
 	);
 
-	const handleToggleSeriesOnOff = useCallback(
-		(index: number): void => {
-			onToggleSeriesOnOff(index);
-		},
-		[onToggleSeriesOnOff],
+	const dataSource = useMemo(
+		() =>
+			tableDataSet.filter(
+				(item, index) => index !== 0 && item.show, // skipping the first item as it is the x-axis
+			),
+		[tableDataSet],
 	);
 
-	const dataSource = useMemo(() => {
-		const filter = filterValue.trim();
-		return tableDataSet.filter((item, index) => {
-			if (index === X_AXIS_INDEX) {
-				return false;
-			}
-			if (!filter) {
-				return true;
-			}
-			return item.label?.toLowerCase().includes(filter) ?? false;
-		});
-	}, [tableDataSet, filterValue]);
-
 	const columns = useMemo(
 		() =>
-			getChartManagerColumns({
+			getGraphManagerTableColumns({
 				tableDataSet,
+				checkBoxOnChangeHandler: (_e, index) => {
+					onToggleSeriesOnOff(index);
+				},
 				graphVisibilityState,
-				onToggleSeriesOnOff: handleToggleSeriesOnOff,
-				onToggleSeriesVisibility,
+				labelClickedHandler: onToggleSeriesVisibility,
 				yAxisUnit,
 				isGraphDisabled: isDashboardLocked,
-				decimalPrecision,
 			}),
-		[
-			tableDataSet,
-			graphVisibilityState,
-			handleToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-			yAxisUnit,
-			isDashboardLocked,
-			decimalPrecision,
-		],
+		// eslint-disable-next-line react-hooks/exhaustive-deps
+		[tableDataSet, graphVisibilityState, yAxisUnit, isDashboardLocked],
 	);
 
 	const handleSave = useCallback((): void => {
@@ -135,23 +114,20 @@ export default function ChartManager({
 		notifications.success({
 			message: 'The updated graphs & legends are saved',
 		});
-		onCancel?.();
+		if (onCancel) {
+			onCancel();
+		}
 	}, [syncSeriesVisibilityToLocalStorage, notifications, onCancel]);
 
 	return (
 		<div className="chart-manager-container">
 			<div className="chart-manager-header">
-				<Input
-					placeholder="Filter Series"
-					value={filterValue}
-					onChange={handleFilterChange}
-					data-testid="filter-input"
-				/>
+				<Input onChange={filterHandler} placeholder="Filter Series" />
 				<div className="chart-manager-actions-container">
-					<Button type="default" onClick={onCancel} data-testid="cancel-button">
+					<Button type="default" onClick={onCancel}>
 						Cancel
 					</Button>
-					<Button type="primary" onClick={handleSave} data-testid="save-button">
+					<Button type="primary" onClick={handleSave}>
 						Save
 					</Button>
 				</div>
@@ -160,10 +136,10 @@ export default function ChartManager({
 				<ResizeTable
 					columns={columns}
 					dataSource={dataSource}
+					virtual
 					rowKey="index"
 					scroll={{ y: 200 }}
 					pagination={false}
-					virtual
 				/>
 			</div>
 		</div>

frontend/src/container/DashboardContainer/visualization/components/ChartManager/SeriesLabel.tsx

@@ -1,31 +0,0 @@
-import { Tooltip } from 'antd';
-
-import './ChartManager.styles.scss';
-
-interface SeriesLabelProps {
-	label: string;
-	labelIndex: number;
-	onClick: (idx: number) => void;
-	disabled?: boolean;
-}
-
-export function SeriesLabel({
-	label,
-	labelIndex,
-	onClick,
-	disabled,
-}: SeriesLabelProps): JSX.Element {
-	return (
-		<Tooltip placement="topLeft" title={label}>
-			<button
-				className="chart-manager-series-label"
-				disabled={disabled}
-				type="button"
-				data-testid={`series-label-button-${labelIndex}`}
-				onClick={(): void => onClick(labelIndex)}
-			>
-				{label}
-			</button>
-		</Tooltip>
-	);
-}

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/ChartManager.test.tsx

@@ -1,172 +0,0 @@
-import userEvent from '@testing-library/user-event';
-import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
-import { render, screen } from 'tests/test-utils';
-
-import ChartManager from '../ChartManager';
-
-const mockSyncSeriesVisibilityToLocalStorage = jest.fn();
-const mockNotificationsSuccess = jest.fn();
-
-jest.mock('lib/uPlotV2/context/PlotContext', () => ({
-	usePlotContext: (): {
-		onToggleSeriesOnOff: jest.Mock;
-		onToggleSeriesVisibility: jest.Mock;
-		syncSeriesVisibilityToLocalStorage: jest.Mock;
-	} => ({
-		onToggleSeriesOnOff: jest.fn(),
-		onToggleSeriesVisibility: jest.fn(),
-		syncSeriesVisibilityToLocalStorage: mockSyncSeriesVisibilityToLocalStorage,
-	}),
-}));
-
-jest.mock('lib/uPlotV2/hooks/useLegendsSync', () => ({
-	__esModule: true,
-	default: (): {
-		legendItemsMap: { [key: number]: { show: boolean; label: string } };
-	} => ({
-		legendItemsMap: {
-			0: { show: true, label: 'Time' },
-			1: { show: true, label: 'Series 1' },
-			2: { show: true, label: 'Series 2' },
-		},
-	}),
-}));
-
-jest.mock('providers/Dashboard/Dashboard', () => ({
-	useDashboard: (): { isDashboardLocked: boolean } => ({
-		isDashboardLocked: false,
-	}),
-}));
-
-jest.mock('hooks/useNotifications', () => ({
-	useNotifications: (): { notifications: { success: jest.Mock } } => ({
-		notifications: {
-			success: mockNotificationsSuccess,
-		},
-	}),
-}));
-
-jest.mock('components/ResizeTable', () => {
-	const MockTable = ({
-		dataSource,
-		columns,
-	}: {
-		dataSource: { index: number; label?: string }[];
-		columns: { key: string; title: string }[];
-	}): JSX.Element => (
-		<div data-testid="resize-table">
-			{columns.map((col) => (
-				<span key={col.key}>{col.title}</span>
-			))}
-			{dataSource.map((row) => (
-				<div key={row.index} data-testid={`row-${row.index}`}>
-					{row.label}
-				</div>
-			))}
-		</div>
-	);
-	return { ResizeTable: MockTable };
-});
-
-const createMockConfig = (): { getConfig: () => uPlot.Options } => ({
-	getConfig: (): uPlot.Options => ({
-		width: 100,
-		height: 100,
-		series: [
-			{ label: 'Time', value: 'time' },
-			{ label: 'Series 1', scale: 'y' },
-			{ label: 'Series 2', scale: 'y' },
-		],
-	}),
-});
-
-const createAlignedData = (): uPlot.AlignedData => [
-	[1000, 2000, 3000],
-	[10, 20, 30],
-	[1, 2, 3],
-];
-
-describe('ChartManager', () => {
-	const mockOnCancel = jest.fn();
-
-	beforeEach(() => {
-		jest.clearAllMocks();
-	});
-
-	it('renders filter input and action buttons', () => {
-		render(
-			<ChartManager
-				config={createMockConfig() as any}
-				alignedData={createAlignedData()}
-				onCancel={mockOnCancel}
-			/>,
-		);
-
-		expect(screen.getByPlaceholderText('Filter Series')).toBeInTheDocument();
-		expect(screen.getByRole('button', { name: /cancel/i })).toBeInTheDocument();
-		expect(screen.getByRole('button', { name: /save/i })).toBeInTheDocument();
-	});
-
-	it('renders ResizeTable with data', () => {
-		render(
-			<ChartManager
-				config={createMockConfig() as UPlotConfigBuilder}
-				alignedData={createAlignedData()}
-			/>,
-		);
-
-		expect(screen.getByTestId('resize-table')).toBeInTheDocument();
-	});
-
-	it('calls onCancel when Cancel button is clicked', async () => {
-		render(
-			<ChartManager
-				config={createMockConfig() as UPlotConfigBuilder}
-				alignedData={createAlignedData()}
-				onCancel={mockOnCancel}
-			/>,
-		);
-
-		await userEvent.click(screen.getByTestId('cancel-button'));
-
-		expect(mockOnCancel).toHaveBeenCalledTimes(1);
-	});
-
-	it('filters table data when typing in filter input', async () => {
-		render(
-			<ChartManager
-				config={createMockConfig() as UPlotConfigBuilder}
-				alignedData={createAlignedData()}
-			/>,
-		);
-
-		// Before filter: both Series 1 and Series 2 rows are visible
-		expect(screen.getByTestId('row-1')).toBeInTheDocument();
-		expect(screen.getByTestId('row-2')).toBeInTheDocument();
-
-		const filterInput = screen.getByTestId('filter-input');
-		await userEvent.type(filterInput, 'Series 1');
-
-		// After filter: only Series 1 row is visible, Series 2 row is filtered out
-		expect(screen.getByTestId('row-1')).toBeInTheDocument();
-		expect(screen.queryByTestId('row-2')).not.toBeInTheDocument();
-	});
-
-	it('calls syncSeriesVisibilityToLocalStorage, notifications.success, and onCancel when Save is clicked', async () => {
-		render(
-			<ChartManager
-				config={createMockConfig() as UPlotConfigBuilder}
-				alignedData={createAlignedData()}
-				onCancel={mockOnCancel}
-			/>,
-		);
-
-		await userEvent.click(screen.getByTestId('save-button'));
-
-		expect(mockSyncSeriesVisibilityToLocalStorage).toHaveBeenCalledTimes(1);
-		expect(mockNotificationsSuccess).toHaveBeenCalledWith({
-			message: 'The updated graphs & legends are saved',
-		});
-		expect(mockOnCancel).toHaveBeenCalledTimes(1);
-	});
-});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/SeriesLabel.test.tsx

@@ -1,39 +0,0 @@
-import userEvent from '@testing-library/user-event';
-import { render, screen } from 'tests/test-utils';
-
-import { SeriesLabel } from '../SeriesLabel';
-
-describe('SeriesLabel', () => {
-	it('renders the label text', () => {
-		render(
-			<SeriesLabel label="Test Series Label" labelIndex={1} onClick={jest.fn()} />,
-		);
-		expect(screen.getByTestId('series-label-button-1')).toHaveTextContent(
-			'Test Series Label',
-		);
-	});
-
-	it('calls onClick with labelIndex when clicked', async () => {
-		const onClick = jest.fn();
-		render(<SeriesLabel label="Series A" labelIndex={2} onClick={onClick} />);
-
-		await userEvent.click(screen.getByTestId('series-label-button-2'));
-
-		expect(onClick).toHaveBeenCalledWith(2);
-		expect(onClick).toHaveBeenCalledTimes(1);
-	});
-
-	it('renders disabled button when disabled prop is true', () => {
-		render(
-			<SeriesLabel label="Disabled" labelIndex={0} onClick={jest.fn()} disabled />,
-		);
-		const button = screen.getByTestId('series-label-button-0');
-		expect(button).toBeDisabled();
-	});
-
-	it('has chart-manager-series-label class', () => {
-		render(<SeriesLabel label="Label" labelIndex={0} onClick={jest.fn()} />);
-		const button = screen.getByTestId('series-label-button-0');
-		expect(button).toHaveClass('chart-manager-series-label');
-	});
-});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/columns.test.tsx

@@ -1,167 +0,0 @@
-import { render } from '@testing-library/react';
-import { Y_AXIS_UNIT_NAMES } from 'components/YAxisUnitSelector/constants';
-import { UniversalYAxisUnit } from 'components/YAxisUnitSelector/types';
-
-import { getChartManagerColumns } from '../columns';
-import { ExtendedChartDataset } from '../utils';
-
-const createMockDataset = (
-	index: number,
-	overrides: Partial<ExtendedChartDataset> = {},
-): ExtendedChartDataset =>
-	({
-		index,
-		label: `Series ${index}`,
-		show: true,
-		sum: 100,
-		avg: 50,
-		min: 10,
-		max: 90,
-		stroke: '#ff0000',
-		...overrides,
-	} as ExtendedChartDataset);
-
-describe('getChartManagerColumns', () => {
-	const tableDataSet: ExtendedChartDataset[] = [
-		createMockDataset(0, { label: 'Time' }),
-		createMockDataset(1),
-		createMockDataset(2),
-	];
-	const graphVisibilityState = [true, true, false];
-	const onToggleSeriesOnOff = jest.fn();
-	const onToggleSeriesVisibility = jest.fn();
-
-	beforeEach(() => {
-		jest.clearAllMocks();
-	});
-
-	it('returns columns with expected structure', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-		});
-
-		expect(columns).toHaveLength(6);
-		expect(columns[0].key).toBe('index');
-		expect(columns[1].key).toBe('label');
-		expect(columns[2].key).toBe('avg');
-		expect(columns[3].key).toBe('sum');
-		expect(columns[4].key).toBe('max');
-		expect(columns[5].key).toBe('min');
-	});
-
-	it('includes Label column with title', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-		});
-
-		const labelCol = columns.find((c) => c.key === 'label');
-		expect(labelCol?.title).toBe('Label');
-	});
-
-	it('formats column titles with yAxisUnit', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-			yAxisUnit: 'ms',
-		});
-
-		const avgCol = columns.find((c) => c.key === 'avg');
-		expect(avgCol?.title).toBe(
-			`Avg (in ${Y_AXIS_UNIT_NAMES[UniversalYAxisUnit.MILLISECONDS]})`,
-		);
-	});
-
-	it('numeric column render returns formatted string with yAxisUnit', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-			yAxisUnit: 'ms',
-		});
-
-		const avgCol = columns.find((c) => c.key === 'avg');
-		const renderFn = avgCol?.render as
-			| ((val: number, record: ExtendedChartDataset, index: number) => string)
-			| undefined;
-		expect(renderFn).toBeDefined();
-		const output = renderFn?.(123.45, tableDataSet[1], 1);
-		expect(output).toBe('123.45 ms');
-	});
-
-	it('numeric column render formats zero when value is undefined', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-			yAxisUnit: 'none',
-		});
-
-		const sumCol = columns.find((c) => c.key === 'sum');
-		const renderFn = sumCol?.render as
-			| ((
-					val: number | undefined,
-					record: ExtendedChartDataset,
-					index: number,
-			  ) => string)
-			| undefined;
-		const output = renderFn?.(undefined, tableDataSet[1], 1);
-		expect(output).toBe('0');
-	});
-
-	it('label column render displays label text and is clickable', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-		});
-
-		const labelCol = columns.find((c) => c.key === 'label');
-		const renderFn = labelCol?.render as
-			| ((
-					label: string,
-					record: ExtendedChartDataset,
-					index: number,
-			  ) => JSX.Element)
-			| undefined;
-		expect(renderFn).toBeDefined();
-		const renderResult = renderFn!('Series 1', tableDataSet[1], 1);
-
-		const { getByRole } = render(renderResult);
-		expect(getByRole('button', { name: 'Series 1' })).toBeInTheDocument();
-	});
-
-	it('index column render renders checkbox with correct checked state', () => {
-		const columns = getChartManagerColumns({
-			tableDataSet,
-			graphVisibilityState,
-			onToggleSeriesOnOff,
-			onToggleSeriesVisibility,
-		});
-
-		const indexCol = columns.find((c) => c.key === 'index');
-		const renderFn = indexCol?.render as
-			| ((
-					_val: unknown,
-					record: ExtendedChartDataset,
-					index: number,
-			  ) => JSX.Element)
-			| undefined;
-		expect(renderFn).toBeDefined();
-		const { container } = render(renderFn!(null, tableDataSet[1], 1));
-
-		const checkbox = container.querySelector('input[type="checkbox"]');
-		expect(checkbox).toBeInTheDocument();
-		expect(checkbox).toBeChecked(); // graphVisibilityState[1] is true
-	});
-});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/__tests__/utils.test.ts

@@ -1,113 +0,0 @@
-import { PrecisionOptionsEnum } from 'components/Graph/types';
-
-import {
-	formatTableValueWithUnit,
-	getDefaultTableDataSet,
-	getTableColumnTitle,
-} from '../utils';
-
-describe('ChartManager utils', () => {
-	describe('getDefaultTableDataSet', () => {
-		const createOptions = (seriesCount: number): uPlot.Options => ({
-			series: Array.from({ length: seriesCount }, (_, i) =>
-				i === 0
-					? { label: 'Time', value: 'time' }
-					: { label: `Series ${i}`, scale: 'y' },
-			),
-			width: 100,
-			height: 100,
-		});
-
-		it('returns one row per series with computed stats', () => {
-			const options = createOptions(3);
-			const data: uPlot.AlignedData = [
-				[1000, 2000, 3000],
-				[10, 20, 30],
-				[1, 2, 3],
-			];
-
-			const result = getDefaultTableDataSet(options, data);
-
-			expect(result).toHaveLength(3);
-			expect(result[0]).toMatchObject({
-				index: 0,
-				label: 'Time',
-				show: true,
-			});
-			expect(result[1]).toMatchObject({
-				index: 1,
-				label: 'Series 1',
-				show: true,
-				sum: 60,
-				avg: 20,
-				max: 30,
-				min: 10,
-			});
-			expect(result[2]).toMatchObject({
-				index: 2,
-				label: 'Series 2',
-				show: true,
-				sum: 6,
-				avg: 2,
-				max: 3,
-				min: 1,
-			});
-		});
-
-		it('handles empty data arrays', () => {
-			const options = createOptions(2);
-			const data: uPlot.AlignedData = [[], []];
-
-			const result = getDefaultTableDataSet(options, data);
-
-			expect(result[0]).toMatchObject({
-				sum: 0,
-				avg: 0,
-				max: 0,
-				min: 0,
-			});
-		});
-
-		it('respects decimalPrecision parameter', () => {
-			const options = createOptions(2);
-			const data: uPlot.AlignedData = [[1000], [123.454]];
-
-			const resultTwo = getDefaultTableDataSet(
-				options,
-				data,
-				PrecisionOptionsEnum.TWO,
-			);
-			expect(resultTwo[1].avg).toBe(123.45);
-
-			const resultZero = getDefaultTableDataSet(
-				options,
-				data,
-				PrecisionOptionsEnum.ZERO,
-			);
-			expect(resultZero[1].avg).toBe(123);
-		});
-	});
-
-	describe('formatTableValueWithUnit', () => {
-		it('formats value with unit', () => {
-			const result = formatTableValueWithUnit(1234.56, 'ms');
-			expect(result).toBe('1.23 s');
-		});
-
-		it('falls back to none format when yAxisUnit is undefined', () => {
-			const result = formatTableValueWithUnit(123.45);
-			expect(result).toBe('123.45');
-		});
-	});
-
-	describe('getTableColumnTitle', () => {
-		it('returns title only when yAxisUnit is undefined', () => {
-			expect(getTableColumnTitle('Avg')).toBe('Avg');
-		});
-
-		it('returns title with unit when yAxisUnit is provided', () => {
-			const result = getTableColumnTitle('Avg', 'ms');
-			expect(result).toBe('Avg (in Milliseconds (ms))');
-		});
-	});
-});

frontend/src/container/DashboardContainer/visualization/components/ChartManager/columns.tsx

@@ -1,94 +0,0 @@
-import { ColumnType } from 'antd/es/table';
-import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
-import CustomCheckBox from 'container/GridCardLayout/GridCard/FullView/TableRender/CustomCheckBox';
-
-import { SeriesLabel } from './SeriesLabel';
-import {
-	ExtendedChartDataset,
-	formatTableValueWithUnit,
-	getTableColumnTitle,
-} from './utils';
-
-export interface GetChartManagerColumnsParams {
-	tableDataSet: ExtendedChartDataset[];
-	graphVisibilityState: boolean[];
-	onToggleSeriesOnOff: (index: number) => void;
-	onToggleSeriesVisibility: (index: number) => void;
-	yAxisUnit?: string;
-	decimalPrecision?: PrecisionOption;
-	isGraphDisabled?: boolean;
-}
-
-export function getChartManagerColumns({
-	tableDataSet,
-	graphVisibilityState,
-	onToggleSeriesOnOff,
-	onToggleSeriesVisibility,
-	yAxisUnit,
-	decimalPrecision = PrecisionOptionsEnum.TWO,
-	isGraphDisabled,
-}: GetChartManagerColumnsParams): ColumnType<ExtendedChartDataset>[] {
-	return [
-		{
-			title: '',
-			width: 50,
-			dataIndex: 'index',
-			key: 'index',
-			render: (_: unknown, record: ExtendedChartDataset): JSX.Element => (
-				<CustomCheckBox
-					data={tableDataSet}
-					graphVisibilityState={graphVisibilityState}
-					index={record.index}
-					disabled={isGraphDisabled}
-					checkBoxOnChangeHandler={(_e, idx): void => onToggleSeriesOnOff(idx)}
-				/>
-			),
-		},
-		{
-			title: 'Label',
-			width: 300,
-			dataIndex: 'label',
-			key: 'label',
-			render: (label: string, record: ExtendedChartDataset): JSX.Element => (
-				<SeriesLabel
-					label={label ?? ''}
-					labelIndex={record.index}
-					disabled={isGraphDisabled}
-					onClick={onToggleSeriesVisibility}
-				/>
-			),
-		},
-		{
-			title: getTableColumnTitle('Avg', yAxisUnit),
-			width: 90,
-			dataIndex: 'avg',
-			key: 'avg',
-			render: (val: number | undefined): string =>
-				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
-		},
-		{
-			title: getTableColumnTitle('Sum', yAxisUnit),
-			width: 90,
-			dataIndex: 'sum',
-			key: 'sum',
-			render: (val: number | undefined): string =>
-				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
-		},
-		{
-			title: getTableColumnTitle('Max', yAxisUnit),
-			width: 90,
-			dataIndex: 'max',
-			key: 'max',
-			render: (val: number | undefined): string =>
-				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
-		},
-		{
-			title: getTableColumnTitle('Min', yAxisUnit),
-			width: 90,
-			dataIndex: 'min',
-			key: 'min',
-			render: (val: number | undefined): string =>
-				formatTableValueWithUnit(val ?? 0, yAxisUnit, decimalPrecision),
-		},
-	];
-}

frontend/src/container/DashboardContainer/visualization/components/ChartManager/utils.ts

@@ -1,93 +0,0 @@
-import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
-import { getYAxisFormattedValue } from 'components/Graph/yAxisConfig';
-import { Y_AXIS_UNIT_NAMES } from 'components/YAxisUnitSelector/constants';
-import uPlot from 'uplot';
-
-/** Extended series with computed stats for table display */
-export type ExtendedChartDataset = uPlot.Series & {
-	show: boolean;
-	sum: number;
-	avg: number;
-	min: number;
-	max: number;
-	index: number;
-};
-
-function roundToDecimalPrecision(
-	value: number,
-	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
-): number {
-	if (
-		typeof value !== 'number' ||
-		Number.isNaN(value) ||
-		value === Infinity ||
-		value === -Infinity
-	) {
-		return 0;
-	}
-
-	if (decimalPrecision === PrecisionOptionsEnum.FULL) {
-		return value;
-	}
-
-	// regex to match the decimal precision for the given decimal precision
-	const regex = new RegExp(`^-?\\d*\\.?0*\\d{0,${decimalPrecision}}`);
-	const matched = value ? value.toFixed(decimalPrecision).match(regex) : null;
-	return matched ? parseFloat(matched[0]) : 0;
-}
-
-/** Build table dataset from uPlot options and aligned data */
-export function getDefaultTableDataSet(
-	options: uPlot.Options,
-	data: uPlot.AlignedData,
-	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
-): ExtendedChartDataset[] {
-	return options.series.map(
-		(series: uPlot.Series, index: number): ExtendedChartDataset => {
-			const arr = (data[index] as number[]) ?? [];
-			const sum = arr.reduce((a, b) => a + b, 0) || 0;
-			const count = arr.length || 1;
-
-			const hasValues = arr.length > 0;
-			return {
-				...series,
-				index,
-				show: true,
-				sum: roundToDecimalPrecision(sum, decimalPrecision),
-				avg: roundToDecimalPrecision(sum / count, decimalPrecision),
-				max: hasValues
-					? roundToDecimalPrecision(Math.max(...arr), decimalPrecision)
-					: 0,
-				min: hasValues
-					? roundToDecimalPrecision(Math.min(...arr), decimalPrecision)
-					: 0,
-			};
-		},
-	);
-}
-
-/** Format numeric value for table display using yAxisUnit */
-export function formatTableValueWithUnit(
-	value: number,
-	yAxisUnit?: string,
-	decimalPrecision: PrecisionOption = PrecisionOptionsEnum.TWO,
-): string {
-	return `${getYAxisFormattedValue(
-		String(value),
-		yAxisUnit ?? 'none',
-		decimalPrecision,
-	)}`;
-}
-
-/** Format column header with optional unit */
-export function getTableColumnTitle(title: string, yAxisUnit?: string): string {
-	if (!yAxisUnit) {
-		return title;
-	}
-	const universalName =
-		Y_AXIS_UNIT_NAMES[yAxisUnit as keyof typeof Y_AXIS_UNIT_NAMES];
-	if (!universalName) {
-		return `${title} (in ${yAxisUnit})`;
-	}
-	return `${title} (in ${universalName})`;
-}

frontend/src/container/DashboardContainer/visualization/panels/BarPanel/BarPanel.tsx

@@ -96,7 +96,6 @@ function BarPanel(props: PanelWrapperProps): JSX.Element {
 				config={config}
 				alignedData={chartData}
 				yAxisUnit={widget.yAxisUnit}
-				decimalPrecision={widget.decimalPrecision}
 				onCancel={onToggleModelHandler}
 			/>
 		);
@@ -106,7 +105,6 @@ function BarPanel(props: PanelWrapperProps): JSX.Element {
 		chartData,
 		widget.yAxisUnit,
 		onToggleModelHandler,
-		widget.decimalPrecision,
 	]);
 
 	const onPlotDestroy = useCallback(() => {

frontend/src/container/DashboardContainer/visualization/panels/TimeSeriesPanel/TimeSeriesPanel.tsx

@@ -95,7 +95,6 @@ function TimeSeriesPanel(props: PanelWrapperProps): JSX.Element {
 				config={config}
 				alignedData={chartData}
 				yAxisUnit={widget.yAxisUnit}
-				decimalPrecision={widget.decimalPrecision}
 				onCancel={onToggleModelHandler}
 			/>
 		);
@@ -105,7 +104,6 @@ function TimeSeriesPanel(props: PanelWrapperProps): JSX.Element {
 		chartData,
 		widget.yAxisUnit,
 		onToggleModelHandler,
-		widget.decimalPrecision,
 	]);
 
 	return (

pkg/apiserver/signozapiserver/authz.go

@@ -0,0 +1,30 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addAuthzRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/authz/check", handler.New(provider.authzHandler.Check, handler.OpenAPIDef{
+		ID:                  "AuthzCheck",
+		Tags:                []string{"authz"},
+		Summary:             "Check permissions",
+		Description:         "Checks if the authenticated user has permissions for given transactions",
+		Request:             make([]*authtypes.Transaction, 0),
+		RequestContentType:  "",
+		Response:            make([]*authtypes.GettableTransaction, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     nil,
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/apiserver/signozapiserver/provider.go

@@ -207,6 +207,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addAuthzRoutes(router); err != nil {
+		return err
+	}
+
 	if err := provider.addFieldsRoutes(router); err != nil {
 		return err
 	}

pkg/apiserver/signozapiserver/role.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/gorilla/mux"
 )
@@ -15,12 +16,12 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Create role",
 		Description:         "This endpoint creates a role",
-		Request:             nil,
+		Request:             new(roletypes.PostableRole),
 		RequestContentType:  "",
 		Response:            new(types.Identifiable),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPost).GetError(); err != nil {
@@ -44,6 +45,23 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/resources", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetResources), handler.OpenAPIDef{
+		ID:                  "GetResources",
+		Tags:                []string{"role"},
+		Summary:             "Get resources",
+		Description:         "Gets all the available resources for role assignment",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(roletypes.GettableResources),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Get), handler.OpenAPIDef{
 		ID:                  "GetRole",
 		Tags:                []string{"role"},
@@ -61,17 +79,51 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetObjects), handler.OpenAPIDef{
+		ID:                  "GetObjects",
+		Tags:                []string{"role"},
+		Summary:             "Get objects for a role by relation",
+		Description:         "Gets all objects connected to the specified role via a given relation type",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*authtypes.Object, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Patch), handler.OpenAPIDef{
 		ID:                  "PatchRole",
 		Tags:                []string{"role"},
 		Summary:             "Patch role",
 		Description:         "This endpoint patches a role",
-		Request:             nil,
+		Request:             new(roletypes.PatchableRole),
 		RequestContentType:  "",
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPatch).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.PatchObjects), handler.OpenAPIDef{
+		ID:                  "PatchObjects",
+		Tags:                []string{"role"},
+		Summary:             "Patch objects for a role by relation",
+		Description:         "Patches the objects connected to the specified role via a given relation type",
+		Request:             new(roletypes.PatchableObjects),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPatch).GetError(); err != nil {
@@ -88,7 +140,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodDelete).GetError(); err != nil {

pkg/authz/authz.go

@@ -14,17 +14,14 @@ import (
 type AuthZ interface {
 	factory.Service
 
-	// Check returns error when the upstream authorization server is unavailable or the subject (s) doesn't have relation (r) on object (o).
-	Check(context.Context, *openfgav1.TupleKey) error
-
 	// CheckWithTupleCreation takes upon the responsibility for generating the tuples alongside everything Check does.
 	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
 	// CheckWithTupleCreationWithoutClaims checks permissions for anonymous users.
 	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
-	// Batch Check returns error when the upstream authorization server is unavailable or for all the tuples of subject (s) doesn't have relation (r) on object (o).
-	BatchCheck(context.Context, []*openfgav1.TupleKey) error
+	// BatchCheck accepts a map of ID → tuple and returns a map of ID → authorization result.
+	BatchCheck(context.Context, map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error)
 
 	// Write accepts the insertion tuples and the deletion tuples.
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error
@@ -102,5 +99,7 @@ type Handler interface {
 
 	PatchObjects(http.ResponseWriter, *http.Request)
 
+	Check(http.ResponseWriter, *http.Request)
+
 	Delete(http.ResponseWriter, *http.Request)
 }

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -26,7 +26,7 @@ func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) er
 		Model(role).
 		Exec(ctx)
 	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with id: %s already exists", role.ID)
+		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with name: %s already exists", role.Name)
 	}
 
 	return nil

pkg/authz/openfgaauthz/provider.go

@@ -48,11 +48,7 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.server.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
-	return provider.server.Check(ctx, tupleReq)
-}
-
-func (provider *provider) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
 	return provider.server.BatchCheck(ctx, tupleReq)
 }
 
@@ -181,10 +177,6 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 	return nil
 }
 
-func (provider *provider) SetManagedRoleTransactions(context.Context, valuer.UUID) error {
-	return nil
-}
-
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
 	return provider.Grant(ctx, orgID, roletypes.SigNozAdminRoleName, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }

pkg/authz/openfgaserver/server.go

@@ -90,42 +90,18 @@ func (server *Server) Stop(ctx context.Context) error {
 	return nil
 }
 
-func (server *Server) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
 	storeID, modelID := server.getStoreIDandModelID()
-	checkResponse, err := server.openfgaServer.Check(
-		ctx,
-		&openfgav1.CheckRequest{
-			StoreId:              storeID,
-			AuthorizationModelId: modelID,
-			TupleKey: &openfgav1.CheckRequestTupleKey{
-				User:     tupleReq.User,
-				Relation: tupleReq.Relation,
-				Object:   tupleReq.Object,
-			},
-		})
-	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
-	}
-
-	if !checkResponse.Allowed {
-		return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subject %s cannot %s object %s", tupleReq.User, tupleReq.Relation, tupleReq.Object)
-	}
-
-	return nil
-}
-
-func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
-	storeID, modelID := server.getStoreIDandModelID()
-	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0)
-	for idx, tuple := range tupleReq {
+	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0, len(tupleReq))
+	for id, tuple := range tupleReq {
 		batchCheckItems = append(batchCheckItems, &openfgav1.BatchCheckItem{
 			TupleKey: &openfgav1.CheckRequestTupleKey{
 				User:     tuple.User,
 				Relation: tuple.Relation,
 				Object:   tuple.Object,
 			},
-			// the batch check response is map[string] keyed by correlationID.
-			CorrelationId: strconv.Itoa(idx),
+			// Use transaction ID as correlation ID for deterministic mapping
+			CorrelationId: id,
 		})
 	}
 
@@ -137,17 +113,18 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.Tupl
 			Checks:               batchCheckItems,
 		})
 	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
+		return nil, errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
 	}
 
-	for _, checkResponse := range checkResponse.Result {
-		if checkResponse.GetAllowed() {
-			return nil
+	response := make(map[string]*authtypes.TupleKeyAuthorization, len(tupleReq))
+	for id, tuple := range tupleReq {
+		response[id] = &authtypes.TupleKeyAuthorization{
+			Tuple:      tuple,
+			Authorized: checkResponse.Result[id].GetAllowed(),
 		}
 	}
 
-	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
-
+	return response, nil
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -156,17 +133,29 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -175,17 +164,29 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {

pkg/authz/signozauthzapi/handler.go

@@ -7,6 +7,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/binding"
 	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -35,13 +36,14 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID)))
+	role := roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
+	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	render.Success(rw, http.StatusCreated, nil)
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: role.ID})
 }
 
 func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
@@ -112,17 +114,9 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (handler *handler) GetResources(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	resources := handler.authz.GetResources(ctx)
+	resources := handler.authz.GetResources(r.Context())
 
-	var resourceRelations = struct {
-		Resources []*authtypes.Resource                   `json:"resources"`
-		Relations map[authtypes.Type][]authtypes.Relation `json:"relations"`
-	}{
-		Resources: resources,
-		Relations: authtypes.TypeableRelations,
-	}
-	render.Success(rw, http.StatusOK, resourceRelations)
+	render.Success(rw, http.StatusOK, roletypes.NewGettableResources(resources))
 }
 
 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -227,7 +221,7 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	render.Success(rw, http.StatusAccepted, nil)
+	render.Success(rw, http.StatusNoContent, nil)
 }
 
 func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
@@ -252,3 +246,39 @@ func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
 
 	render.Success(rw, http.StatusNoContent, nil)
 }
+
+func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	transactions := make([]*authtypes.Transaction, 0)
+	if err := binding.JSON.BindBody(r.Body, &transactions); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	tuples, err := authtypes.NewTuplesFromTransactions(transactions, subject, orgID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	results, err := handler.authz.BatchCheck(ctx, tuples)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(transactions, results))
+}

pkg/query-service/app/clickhouseReader/reader.go

@@ -1913,7 +1913,7 @@ func (r *ClickHouseReader) GetCustomRetentionTTL(ctx context.Context, orgID stri
 			// No V2 configuration found, return defaults
 			response.DefaultTTLDays = 15
 			response.TTLConditions = []model.CustomRetentionRule{}
-			response.Status = constants.StatusFailed
+			response.Status = constants.StatusSuccess
 			response.ColdStorageTTLDays = -1
 			return response, nil
 		}

pkg/types/authtypes/relation.go

@@ -15,15 +15,14 @@ var (
 	RelationUpdate   = Relation{valuer.NewString("update")}
 	RelationDelete   = Relation{valuer.NewString("delete")}
 	RelationList     = Relation{valuer.NewString("list")}
-	RelationBlock    = Relation{valuer.NewString("block")}
 	RelationAssignee = Relation{valuer.NewString("assignee")}
 )
 
 var TypeableRelations = map[Type][]Relation{
 	TypeUser:          {RelationRead, RelationUpdate, RelationDelete},
 	TypeRole:          {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
-	TypeOrganization:  {RelationCreate, RelationRead, RelationUpdate, RelationDelete, RelationList},
-	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete, RelationBlock},
+	TypeOrganization:  {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete},
 	TypeMetaResources: {RelationCreate, RelationList},
 }
 
@@ -41,8 +40,6 @@ func NewRelation(relation string) (Relation, error) {
 		return RelationDelete, nil
 	case "list":
 		return RelationList, nil
-	case "block":
-		return RelationBlock, nil
 	case "assignee":
 		return RelationAssignee, nil
 	default:

pkg/types/authtypes/transaction.go

@@ -6,21 +6,29 @@ import (
 	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type Resource struct {
-	Name Name `json:"name"`
-	Type Type `json:"type"`
+	Name Name `json:"name" required:"true"`
+	Type Type `json:"type" required:"true"`
 }
 
 type Object struct {
-	Resource Resource `json:"resource"`
-	Selector Selector `json:"selector"`
+	Resource Resource `json:"resource" required:"true"`
+	Selector Selector `json:"selector" required:"true"`
 }
 
 type Transaction struct {
-	Relation Relation `json:"relation"`
-	Object   Object   `json:"object"`
+	ID       valuer.UUID `json:"id"`
+	Relation Relation    `json:"relation" required:"true"`
+	Object   Object      `json:"object" required:"true"`
+}
+
+type GettableTransaction struct {
+	Relation   Relation `json:"relation"`
+	Object     Object   `json:"object"`
+	Authorized bool     `json:"authorized"`
 }
 
 func NewObject(resource Resource, selector Selector) (*Object, error) {
@@ -75,7 +83,21 @@ func NewTransaction(relation Relation, object Object) (*Transaction, error) {
 		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidRelation, "invalid relation %s for type %s", relation.StringValue(), object.Resource.Type.StringValue())
 	}
 
-	return &Transaction{Relation: relation, Object: object}, nil
+	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
+}
+
+func NewGettableTransaction(transactions []*Transaction, results map[string]*TupleKeyAuthorization) []*GettableTransaction {
+	gettableTransactions := make([]*GettableTransaction, len(transactions))
+	for i, txn := range transactions {
+		result := results[txn.ID.StringValue()]
+		gettableTransactions[i] = &GettableTransaction{
+			Relation:   txn.Relation,
+			Object:     txn.Object,
+			Authorized: result.Authorized,
+		}
+	}
+
+	return gettableTransactions
 }
 
 func (object *Object) UnmarshalJSON(data []byte) error {

pkg/types/authtypes/tuple.go

@@ -0,0 +1,31 @@
+package authtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/valuer"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+)
+
+type TupleKeyAuthorization struct {
+	Tuple      *openfgav1.TupleKey
+	Authorized bool
+}
+
+func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgID valuer.UUID) (map[string]*openfgav1.TupleKey, error) {
+	tuples := make(map[string]*openfgav1.TupleKey, len(transactions))
+	for _, txn := range transactions {
+		typeable, err := NewTypeableFromType(txn.Object.Resource.Type, txn.Object.Resource.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		txnTuples, err := typeable.Tuples(subject, txn.Relation, []Selector{txn.Object.Selector}, orgID)
+		if err != nil {
+			return nil, err
+		}
+
+		// Each transaction produces one tuple, keyed by transaction ID
+		tuples[txn.ID.StringValue()] = txnTuples[0]
+	}
+
+	return tuples, nil
+}

pkg/types/roletypes/role.go

@@ -76,7 +76,7 @@ type Role struct {
 }
 
 type PostableRole struct {
-	Name        string `json:"name"`
+	Name        string `json:"name" required:"true"`
 	Description string `json:"description"`
 }
 
@@ -85,8 +85,13 @@ type PatchableRole struct {
 }
 
 type PatchableObjects struct {
-	Additions []*authtypes.Object `json:"additions"`
-	Deletions []*authtypes.Object `json:"deletions"`
+	Additions []*authtypes.Object `json:"additions" required:"true"`
+	Deletions []*authtypes.Object `json:"deletions" required:"true"`
+}
+
+type GettableResources struct {
+	Resources []*authtypes.Resource                   `json:"resources"`
+	Relations map[authtypes.Type][]authtypes.Relation `json:"relations"`
 }
 
 func NewStorableRoleFromRole(role *Role) *StorableRole {
@@ -137,6 +142,13 @@ func NewManagedRoles(orgID valuer.UUID) []*Role {
 
 }
 
+func NewGettableResources(resources []*authtypes.Resource) *GettableResources {
+	return &GettableResources{
+		Resources: resources,
+		Relations: authtypes.TypeableRelations,
+	}
+}
+
 func (role *Role) PatchMetadata(description *string) error {
 	err := role.CanEditDelete()
 	if err != nil {