Merge branch 'main' into feat/service-map

chore: updated particle color + added service icon
2026-05-06 02:20:31 +01:00 · 2026-05-05 17:10:46 +05:30 · 2026-05-05 17:08:40 +05:30 · 2026-05-05 14:13:01 +05:30 · 2026-05-05 14:04:54 +05:30 · 2026-05-05 11:15:12 +05:30
149 changed files with 3332 additions and 3031 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -107,7 +107,6 @@ go.mod @therealpandey
 /pkg/modules/organization/ @therealpandey
 /pkg/modules/authdomain/ @therealpandey
 /pkg/modules/role/ @therealpandey
-/pkg/types/coretypes/ @therealpandey @vikrantgupta25

 # IdentN Owners

--- a/.github/workflows/goci.yaml
+++ b/.github/workflows/goci.yaml
@@ -102,20 +102,3 @@ jobs:
        run: |
          go run cmd/enterprise/*.go generate openapi
          git diff --compact-summary --exit-code || (echo; echo "Unexpected difference in openapi spec. Run go run cmd/enterprise/*.go generate openapi locally and commit."; exit 1)
-  authz:
-    if: |
-      github.event_name == 'merge_group' ||
-      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
-      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
-    runs-on: ubuntu-latest
-    steps:
-      - name: self-checkout
-        uses: actions/checkout@v4
-      - name: go-install
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-      - name: generate-authz
-        run: |
-          go run cmd/enterprise/*.go generate authz
-          git diff --compact-summary --exit-code || (echo; echo "Unexpected difference in authz permissions. Run go run cmd/enterprise/*.go generate authz locally and commit."; exit 1)
--- a/.github/workflows/jsci.yaml
+++ b/.github/workflows/jsci.yaml
@@ -63,6 +63,46 @@ jobs:
        uses: actions/checkout@v4
      - name: run
        run: bash frontend/scripts/validate-md-languages.sh
+  authz:
+    if: |
+      github.event_name == 'merge_group' ||
+      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
+      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: self-checkout
+        uses: actions/checkout@v5
+      - name: node-install
+        uses: actions/setup-node@v5
+        with:
+          node-version: "22"
+      - name: deps-install
+        working-directory: ./frontend
+        run: |
+          yarn install
+      - name: uv-install
+        uses: astral-sh/setup-uv@v5
+      - name: uv-deps
+        working-directory: ./tests/integration
+        run: |
+          uv sync
+      - name: setup-test
+        run: |
+          make py-test-setup
+      - name: generate
+        working-directory: ./frontend
+        run: |
+          yarn generate:permissions-type
+      - name: teardown-test
+        if: always()
+        run: |
+          make py-test-teardown
+      - name: validate
+        run: |
+          if ! git diff --exit-code frontend/src/hooks/useAuthZ/permissions.type.ts; then
+            echo "::error::frontend/src/hooks/useAuthZ/permissions.type.ts is out of date. Please run the generator locally and commit the changes: npm run generate:permissions-type (from the frontend directory)"
+            exit 1
+          fi
  openapi:
    if: |
      github.event_name == 'merge_group' ||
--- a/cmd/authz.go
+++ b/cmd/authz.go
@@ -1,117 +0,0 @@
-package cmd
-
-import (
-	"bytes"
-	"context"
-	"os"
-	"sort"
-	"text/template"
-
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
-	"github.com/spf13/cobra"
-)
-
-const permissionsTypePath = "frontend/src/hooks/useAuthZ/permissions.type.ts"
-
-var permissionsTypeTemplate = template.Must(template.New("permissions").Parse(
-	`// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY cmd/enterprise/*.go generate authz
-export default {
-	status: 'success',
-	data: {
-		resources: [
-{{- range .Resources }}
-			{
-				kind: '{{ .Kind }}',
-				type: '{{ .Type }}',
-			},
-{{- end }}
-		],
-		relations: {
-{{- range .Relations }}
-			{{ .Verb }}: [{{ range $i, $t := .Types }}{{ if $i }}, {{ end }}'{{ $t }}'{{ end }}],
-{{- end }}
-		},
-	},
-} as const;
-`))
-
-type permissionsTypeRelation struct {
-	Verb  string
-	Types []string
-}
-
-type permissionsTypeResource struct {
-	Kind string
-	Type string
-}
-
-type permissionsTypeData struct {
-	Resources []permissionsTypeResource
-	Relations []permissionsTypeRelation
-}
-
-func registerGenerateAuthz(parentCmd *cobra.Command) {
-	authzCmd := &cobra.Command{
-		Use:   "authz",
-		Short: "Generate authz permissions for the frontend",
-		RunE: func(currCmd *cobra.Command, args []string) error {
-			return runGenerateAuthz(currCmd.Context())
-		},
-	}
-
-	parentCmd.AddCommand(authzCmd)
-}
-
-func runGenerateAuthz(_ context.Context) error {
-	registry := coretypes.NewRegistry()
-
-	allowedResources := map[string]bool{
-		coretypes.NewResourceRef(coretypes.ResourceServiceAccount).String():    true,
-		coretypes.NewResourceRef(coretypes.ResourceRole).String():              true,
-		coretypes.NewResourceRef(coretypes.ResourceMetaResourcesRole).String(): true,
-	}
-
-	allowedTypes := map[string]bool{}
-
-	refs := registry.ResourceRefs()
-	resources := make([]permissionsTypeResource, 0, len(refs))
-	for _, ref := range refs {
-		if !allowedResources[ref.String()] {
-			continue
-		}
-		allowedTypes[ref.Type.StringValue()] = true
-		resources = append(resources, permissionsTypeResource{
-			Kind: ref.Kind.String(),
-			Type: ref.Type.StringValue(),
-		})
-	}
-
-	typesByVerb := registry.TypesByVerb()
-	verbs := make([]coretypes.Verb, 0, len(typesByVerb))
-	for verb := range typesByVerb {
-		verbs = append(verbs, verb)
-	}
-	sort.Slice(verbs, func(i, j int) bool { return verbs[i].StringValue() < verbs[j].StringValue() })
-
-	relations := make([]permissionsTypeRelation, 0, len(verbs))
-	for _, verb := range verbs {
-		types := make([]string, 0, len(typesByVerb[verb]))
-		for _, t := range typesByVerb[verb] {
-			if !allowedTypes[t.StringValue()] {
-				continue
-			}
-			types = append(types, t.StringValue())
-		}
-		relations = append(relations, permissionsTypeRelation{
-			Verb:  verb.StringValue(),
-			Types: types,
-		})
-	}
-
-	var buf bytes.Buffer
-	if err := permissionsTypeTemplate.Execute(&buf, permissionsTypeData{Resources: resources, Relations: relations}); err != nil {
-		return err
-	}
-
-	return os.WriteFile(permissionsTypePath, buf.Bytes(), 0o600)
-}
--- a/cmd/community/server.go
+++ b/cmd/community/server.go
@@ -92,13 +92,13 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error) {
 			return signoz.NewAuthNs(ctx, providerSettings, store, licensing)
 		},
-		func(ctx context.Context, sqlstore sqlstore.SQLStore, config authz.Config, _ licensing.Licensing, _ []authz.OnBeforeRoleDelete) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
-			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore, config)
+		func(ctx context.Context, sqlstore sqlstore.SQLStore, _ licensing.Licensing, _ []authz.OnBeforeRoleDelete, _ dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
+			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore)
 			if err != nil {
 				return nil, err
 			}

-			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore, authtypes.NewRegistry()), nil
+			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore), nil
 		},
 		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, _ querier.Querier, _ licensing.Licensing) dashboard.Module {
 			return impldashboard.NewModule(impldashboard.NewStore(store), settings, analytics, orgGetter, queryParser)
--- a/cmd/enterprise/server.go
+++ b/cmd/enterprise/server.go
@@ -137,12 +137,12 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e

 			return authNs, nil
 		},
-		func(ctx context.Context, sqlstore sqlstore.SQLStore, config authz.Config, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
-			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore, config)
+		func(ctx context.Context, sqlstore sqlstore.SQLStore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, dashboardModule dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {
+			openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore)
 			if err != nil {
 				return nil, err
 			}
-			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore, licensing, onBeforeRoleDelete, authtypes.NewRegistry()), nil
+			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), openfgaDataStore, licensing, onBeforeRoleDelete, dashboardModule), nil
 		},
 		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
 			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, queryParser, querier, licensing)
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -16,7 +16,6 @@ func RegisterGenerate(parentCmd *cobra.Command, logger *slog.Logger) {
 	}

 	registerGenerateOpenAPI(generateCmd)
-	registerGenerateAuthz(generateCmd)

 	parentCmd.AddCommand(generateCmd)
 }
--- a/conf/example.yaml
+++ b/conf/example.yaml
@@ -428,4 +428,4 @@ authz:
  provider: openfga
  openfga:
    # maximum tuples allowed per openfga write operation.
-    max_tuples_per_write: 300
+    max_tuples_per_write: 100
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
@@ -321,6 +321,35 @@ components:
      required:
      - id
      type: object
+    AuthtypesGettableObjects:
+      properties:
+        resource:
+          $ref: '#/components/schemas/AuthtypesResource'
+        selectors:
+          items:
+            type: string
+          type: array
+      required:
+      - resource
+      - selectors
+      type: object
+    AuthtypesGettableResources:
+      properties:
+        relations:
+          additionalProperties:
+            items:
+              type: string
+            type: array
+          nullable: true
+          type: object
+        resources:
+          items:
+            $ref: '#/components/schemas/AuthtypesResource'
+          type: array
+      required:
+      - resources
+      - relations
+      type: object
    AuthtypesGettableToken:
      properties:
        accessToken:
@@ -337,9 +366,9 @@ components:
        authorized:
          type: boolean
        object:
-          $ref: '#/components/schemas/CoretypesObject'
+          $ref: '#/components/schemas/AuthtypesObject'
        relation:
-          $ref: '#/components/schemas/AuthtypesRelation'
+          type: string
      required:
      - relation
      - object
@@ -387,6 +416,16 @@ components:
        issuerAlias:
          type: string
      type: object
+    AuthtypesObject:
+      properties:
+        resource:
+          $ref: '#/components/schemas/AuthtypesResource'
+        selector:
+          type: string
+      required:
+      - resource
+      - selector
+      type: object
    AuthtypesOrgSessionContext:
      properties:
        authNSupport:
@@ -403,6 +442,22 @@ components:
        provider:
          $ref: '#/components/schemas/AuthtypesAuthNProvider'
      type: object
+    AuthtypesPatchableObjects:
+      properties:
+        additions:
+          items:
+            $ref: '#/components/schemas/AuthtypesGettableObjects'
+          nullable: true
+          type: array
+        deletions:
+          items:
+            $ref: '#/components/schemas/AuthtypesGettableObjects'
+          nullable: true
+          type: array
+      required:
+      - additions
+      - deletions
+      type: object
    AuthtypesPatchableRole:
      properties:
        description:
@@ -440,15 +495,16 @@ components:
        refreshToken:
          type: string
      type: object
-    AuthtypesRelation:
-      enum:
-      - create
-      - read
-      - update
-      - delete
-      - list
-      - assignee
-      type: string
+    AuthtypesResource:
+      properties:
+        name:
+          type: string
+        type:
+          type: string
+      required:
+      - name
+      - type
+      type: object
    AuthtypesRole:
      properties:
        createdAt:
@@ -512,9 +568,9 @@ components:
    AuthtypesTransaction:
      properties:
        object:
-          $ref: '#/components/schemas/CoretypesObject'
+          $ref: '#/components/schemas/AuthtypesObject'
        relation:
-          $ref: '#/components/schemas/AuthtypesRelation'
+          type: string
      required:
      - relation
      - object
@@ -2149,64 +2205,6 @@ components:
        to_user:
          type: string
      type: object
-    CoretypesObject:
-      properties:
-        resource:
-          $ref: '#/components/schemas/CoretypesResourceRef'
-        selector:
-          type: string
-      required:
-      - resource
-      - selector
-      type: object
-    CoretypesObjectGroup:
-      properties:
-        resource:
-          $ref: '#/components/schemas/CoretypesResourceRef'
-        selectors:
-          items:
-            type: string
-          type: array
-      required:
-      - resource
-      - selectors
-      type: object
-    CoretypesPatchableObjects:
-      properties:
-        additions:
-          items:
-            $ref: '#/components/schemas/CoretypesObjectGroup'
-          nullable: true
-          type: array
-        deletions:
-          items:
-            $ref: '#/components/schemas/CoretypesObjectGroup'
-          nullable: true
-          type: array
-      required:
-      - additions
-      - deletions
-      type: object
-    CoretypesResourceRef:
-      properties:
-        kind:
-          type: string
-        type:
-          $ref: '#/components/schemas/CoretypesType'
-      required:
-      - type
-      - kind
-      type: object
-    CoretypesType:
-      enum:
-      - user
-      - serviceaccount
-      - anonymous
-      - role
-      - organization
-      - metaresource
-      - metaresources
-      type: string
    DashboardtypesDashboard:
      properties:
        createdAt:
@@ -5323,9 +5321,6 @@ components:
        sub_tree_node_count:
          minimum: 0
          type: integer
-        time_unix:
-          minimum: 0
-          type: integer
        trace_id:
          type: string
        trace_state:
@@ -5706,6 +5701,35 @@ paths:
      summary: Check permissions
      tags:
      - authz
+  /api/v1/authz/resources:
+    get:
+      deprecated: false
+      description: Gets all the available resources
+      operationId: AuthzResources
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/AuthtypesGettableResources'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Get resources
+      tags:
+      - authz
  /api/v1/channels:
    get:
      deprecated: false
@@ -8929,7 +8953,7 @@ paths:
                properties:
                  data:
                    items:
-                      $ref: '#/components/schemas/CoretypesObjectGroup'
+                      $ref: '#/components/schemas/AuthtypesGettableObjects'
                    type: array
                  status:
                    type: string
@@ -9002,7 +9026,7 @@ paths:
        content:
          application/json:
            schema:
-              $ref: '#/components/schemas/CoretypesPatchableObjects'
+              $ref: '#/components/schemas/AuthtypesPatchableObjects'
      responses:
        "204":
          content:
--- a/ee/authz/openfgaauthz/provider.go
+++ b/ee/authz/openfgaauthz/provider.go
@@ -2,6 +2,7 @@ package openfgaauthz

 import (
 	"context"
+	"slices"

 	"github.com/SigNoz/signoz/ee/authz/openfgaserver"
 	"github.com/SigNoz/signoz/pkg/authz"
@@ -12,7 +13,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/licensing"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	openfgapkgtransformer "github.com/openfga/language/pkg/go/transformer"
@@ -25,19 +25,19 @@ type provider struct {
 	openfgaServer      *openfgaserver.Server
 	licensing          licensing.Licensing
 	store              authtypes.RoleStore
-	registry           *authtypes.Registry
+	registry           []authz.RegisterTypeable
 	settings           factory.ScopedProviderSettings
 	onBeforeRoleDelete []authz.OnBeforeRoleDelete
 }

-func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry *authtypes.Registry) factory.ProviderFactory[authz.AuthZ, authz.Config] {
+func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry ...authz.RegisterTypeable) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("openfga"), func(ctx context.Context, ps factory.ProviderSettings, config authz.Config) (authz.AuthZ, error) {
 		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore, licensing, onBeforeRoleDelete, registry)
 	})
 }

-func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry *authtypes.Registry) (authz.AuthZ, error) {
-	pkgOpenfgaAuthzProvider := pkgopenfgaauthz.NewProviderFactory(sqlstore, openfgaSchema, openfgaDataStore, registry)
+func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, licensing licensing.Licensing, onBeforeRoleDelete []authz.OnBeforeRoleDelete, registry []authz.RegisterTypeable) (authz.AuthZ, error) {
+	pkgOpenfgaAuthzProvider := pkgopenfgaauthz.NewProviderFactory(sqlstore, openfgaSchema, openfgaDataStore)
 	pkgAuthzService, err := pkgOpenfgaAuthzProvider.New(ctx, settings, config)
 	if err != nil {
 		return nil, err
@@ -74,11 +74,11 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.openfgaServer.Stop(ctx)
 }

-func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, roleSelectors []coretypes.Selector) error {
+func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.openfgaServer.CheckWithTupleCreation(ctx, claims, orgID, relation, typeable, selectors, roleSelectors)
 }

-func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, roleSelectors []coretypes.Selector) error {
+func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.openfgaServer.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, roleSelectors)
 }

@@ -108,7 +108,7 @@ func (provider *provider) CheckTransactions(ctx context.Context, subject string,
 	return results, nil
 }

-func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType coretypes.Type) ([]*coretypes.Object, error) {
+func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
 	return provider.openfgaServer.ListObjects(ctx, subject, relation, objectType)
 }

@@ -159,10 +159,16 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, orgID valuer.U
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
 	tuples := make([]*openfgav1.TupleKey, 0)

-	grantTuples := provider.getManagedRoleGrantTuples(orgID, userID)
+	grantTuples, err := provider.getManagedRoleGrantTuples(orgID, userID)
+	if err != nil {
+		return err
+	}
 	tuples = append(tuples, grantTuples...)

-	managedRoleTuples := provider.getManagedRoleTransactionTuples(orgID)
+	managedRoleTuples, err := provider.getManagedRoleTransactionTuples(orgID)
+	if err != nil {
+		return err
+	}
 	tuples = append(tuples, managedRoleTuples...)

 	return provider.Write(ctx, tuples, nil)
@@ -202,7 +208,21 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 	return role, nil
 }

-func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*coretypes.Object, error) {
+func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource {
+	resources := make([]*authtypes.Resource, 0)
+	for _, register := range provider.registry {
+		for _, typeable := range register.MustGetTypeables() {
+			resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
+		}
+	}
+	for _, typeable := range provider.MustGetTypeables() {
+		resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
+	}
+
+	return resources
+}
+
+func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
@@ -213,16 +233,16 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 		return nil, err
 	}

-	objects := make([]*coretypes.Object, 0)
-	for _, objectType := range provider.registry.Types() {
-		if coretypes.ErrIfVerbNotValidForType(relation.Verb, objectType) != nil {
+	objects := make([]*authtypes.Object, 0)
+	for _, objectType := range provider.getUniqueTypes() {
+		if !slices.Contains(authtypes.TypeableRelations[objectType], relation) {
 			continue
 		}

 		resourceObjects, err := provider.
 			ListObjects(
 				ctx,
-				authtypes.MustNewSubject(coretypes.NewResourceRole(), storableRole.Name, orgID, &coretypes.VerbAssignee),
+				authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
 				relation,
 				objectType,
 			)
@@ -245,7 +265,7 @@ func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *au
 	return provider.store.Update(ctx, orgID, role)
 }

-func (provider *provider) PatchObjects(ctx context.Context, orgID valuer.UUID, name string, relation authtypes.Relation, additions, deletions []*coretypes.Object) error {
+func (provider *provider) PatchObjects(ctx context.Context, orgID valuer.UUID, name string, relation authtypes.Relation, additions, deletions []*authtypes.Object) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
@@ -298,63 +318,84 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 	return provider.store.Delete(ctx, orgID, id)
 }

-func (provider *provider) getManagedRoleGrantTuples(orgID valuer.UUID, userID valuer.UUID) []*openfgav1.TupleKey {
+func (provider *provider) MustGetTypeables() []authtypes.Typeable {
+	return []authtypes.Typeable{authtypes.TypeableRole, authtypes.TypeableResourcesRoles}
+}
+
+func (provider *provider) getManagedRoleGrantTuples(orgID valuer.UUID, userID valuer.UUID) ([]*openfgav1.TupleKey, error) {
 	tuples := []*openfgav1.TupleKey{}

 	// Grant the admin role to the user
-	adminSubject := authtypes.MustNewSubject(coretypes.NewResourceUser(), userID.String(), orgID, nil)
-	adminTuple := authtypes.NewTuples(
-		coretypes.NewResourceRole(),
+	adminSubject := authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil)
+	adminTuple, err := authtypes.TypeableRole.Tuples(
 		adminSubject,
-		authtypes.Relation{Verb: coretypes.VerbAssignee},
-		[]coretypes.Selector{coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName)},
+		authtypes.RelationAssignee,
+		[]authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+		},
 		orgID,
 	)
+	if err != nil {
+		return nil, err
+	}
 	tuples = append(tuples, adminTuple...)

 	// Grant the admin role to the anonymous user
-	anonymousSubject := authtypes.MustNewSubject(coretypes.NewResourceAnonymous(), coretypes.AnonymousUser.String(), orgID, nil)
-	anonymousTuple := authtypes.NewTuples(
-		coretypes.NewResourceRole(),
+	anonymousSubject := authtypes.MustNewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
+	anonymousTuple, err := authtypes.TypeableRole.Tuples(
 		anonymousSubject,
-		authtypes.Relation{Verb: coretypes.VerbAssignee},
-		[]coretypes.Selector{coretypes.TypeRole.MustSelector(authtypes.SigNozAnonymousRoleName)},
+		authtypes.RelationAssignee,
+		[]authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAnonymousRoleName),
+		},
 		orgID,
 	)
+	if err != nil {
+		return nil, err
+	}
 	tuples = append(tuples, anonymousTuple...)

-	return tuples
+	return tuples, nil
 }

-func (provider *provider) getManagedRoleTransactionTuples(orgID valuer.UUID) []*openfgav1.TupleKey {
+func (provider *provider) getManagedRoleTransactionTuples(orgID valuer.UUID) ([]*openfgav1.TupleKey, error) {
+	transactionsByRole := make(map[string][]*authtypes.Transaction)
+	for _, register := range provider.registry {
+		for roleName, txns := range register.MustGetManagedRoleTransactions() {
+			transactionsByRole[roleName] = append(transactionsByRole[roleName], txns...)
+		}
+	}
+
 	tuples := make([]*openfgav1.TupleKey, 0)
-	for roleName, transactions := range provider.registry.ManagedRoleTransactions() {
+	for roleName, transactions := range transactionsByRole {
 		for _, txn := range transactions {
-			resource := coretypes.MustNewResourceFromTypeAndKind(txn.Object.Resource.Type, txn.Object.Resource.Kind)
-			txnTuples := authtypes.NewTuples(
-				resource,
+			typeable := authtypes.MustNewTypeableFromType(txn.Object.Resource.Type, txn.Object.Resource.Name)
+			txnTuples, err := typeable.Tuples(
 				authtypes.MustNewSubject(
-					coretypes.NewResourceRole(),
+					authtypes.TypeableRole,
 					roleName,
 					orgID,
-					&coretypes.VerbAssignee,
+					&authtypes.RelationAssignee,
 				),
 				txn.Relation,
-				[]coretypes.Selector{txn.Object.Selector},
+				[]authtypes.Selector{txn.Object.Selector},
 				orgID,
 			)
+			if err != nil {
+				return nil, err
+			}
 			tuples = append(tuples, txnTuples...)
 		}
 	}

-	return tuples
+	return tuples, nil
 }

 func (provider *provider) deleteTuples(ctx context.Context, roleName string, orgID valuer.UUID) error {
-	subject := authtypes.MustNewSubject(coretypes.NewResourceRole(), roleName, orgID, &coretypes.VerbAssignee)
+	subject := authtypes.MustNewSubject(authtypes.TypeableRole, roleName, orgID, &authtypes.RelationAssignee)

 	tuples := make([]*openfgav1.TupleKey, 0)
-	for _, objectType := range provider.registry.Types() {
+	for _, objectType := range provider.getUniqueTypes() {
 		typeTuples, err := provider.ReadTuples(ctx, &openfgav1.ReadRequestTupleKey{
 			User:   subject,
 			Object: objectType.StringValue() + ":",
@@ -383,3 +424,28 @@ func (provider *provider) deleteTuples(ctx context.Context, roleName string, org

 	return nil
 }
+
+func (provider *provider) getUniqueTypes() []authtypes.Type {
+	seen := make(map[string]struct{})
+	uniqueTypes := make([]authtypes.Type, 0)
+	for _, register := range provider.registry {
+		for _, typeable := range register.MustGetTypeables() {
+			typeKey := typeable.Type().StringValue()
+			if _, ok := seen[typeKey]; ok {
+				continue
+			}
+			seen[typeKey] = struct{}{}
+			uniqueTypes = append(uniqueTypes, typeable.Type())
+		}
+	}
+	for _, typeable := range provider.MustGetTypeables() {
+		typeKey := typeable.Type().StringValue()
+		if _, ok := seen[typeKey]; ok {
+			continue
+		}
+		seen[typeKey] = struct{}{}
+		uniqueTypes = append(uniqueTypes, typeable.Type())
+	}
+
+	return uniqueTypes
+}
--- a/ee/authz/openfgaschema/base.fga
+++ b/ee/authz/openfgaschema/base.fga
@@ -1,6 +1,6 @@
 module base

-type organization 
+type organisation 
  relations
    define read: [user, serviceaccount, role#assignee]
    define update: [user, serviceaccount, role#assignee]
@@ -10,14 +10,12 @@ type user
    define read: [user, serviceaccount, role#assignee]
    define update: [user, serviceaccount, role#assignee]
    define delete: [user, serviceaccount, role#assignee]
-    define attach: [user, serviceaccount, role#assignee]

-type serviceaccount
+type serviceaccount 
  relations
    define read: [user, serviceaccount, role#assignee]
    define update: [user, serviceaccount, role#assignee]
-    define delete: [user, serviceaccount, role#assignee]
-    define attach: [user, serviceaccount, role#assignee]
+    define delete: [user, serviceaccount, role#assignee]  

 type anonymous

@@ -28,7 +26,6 @@ type role
    define read: [user, serviceaccount, role#assignee]
    define update: [user, serviceaccount, role#assignee]
    define delete: [user, serviceaccount, role#assignee]
-    define attach: [user, serviceaccount, role#assignee]

 type metaresources
  relations
--- a/ee/authz/openfgaserver/server.go
+++ b/ee/authz/openfgaserver/server.go
@@ -7,7 +7,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 )
@@ -34,18 +33,18 @@ func (server *Server) Stop(ctx context.Context) error {
 	return server.pkgAuthzService.Stop(ctx)
 }

-func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, _ []coretypes.Selector) error {
+func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
 	subject := ""
 	switch claims.Principal {
 	case authtypes.PrincipalUser:
-		user, err := authtypes.NewSubject(coretypes.NewResourceUser(), claims.UserID, orgID, nil)
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 		if err != nil {
 			return err
 		}

 		subject = user
 	case authtypes.PrincipalServiceAccount:
-		serviceAccount, err := authtypes.NewSubject(coretypes.NewResourceServiceAccount(), claims.ServiceAccountID, orgID, nil)
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
 		if err != nil {
 			return err
 		}
@@ -53,7 +52,10 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 		subject = serviceAccount
 	}

-	tupleSlice := authtypes.NewTuples(typeable, subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
+	if err != nil {
+		return err
+	}

 	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
 	for idx, tuple := range tupleSlice {
@@ -74,13 +76,16 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }

-func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, _ []coretypes.Selector) error {
-	subject, err := authtypes.NewSubject(coretypes.NewResourceAnonymous(), coretypes.AnonymousUser.String(), orgID, nil)
+func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
+	subject, err := authtypes.NewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
 	if err != nil {
 		return err
 	}

-	tupleSlice := authtypes.NewTuples(typeable, subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
+	if err != nil {
+		return err
+	}

 	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
 	for idx, tuple := range tupleSlice {
@@ -105,7 +110,7 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 	return server.pkgAuthzService.BatchCheck(ctx, tupleReq)
 }

-func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType coretypes.Type) ([]*coretypes.Object, error) {
+func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
 	return server.pkgAuthzService.ListObjects(ctx, subject, relation, objectType)
 }

--- a/ee/authz/openfgaserver/sqlstore.go
+++ b/ee/authz/openfgaserver/sqlstore.go
@@ -2,7 +2,6 @@ package openfgaserver

 import (
 	"github.com/SigNoz/signoz/ee/sqlstore/postgressqlstore"
-	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/openfga/openfga/pkg/storage"
@@ -11,11 +10,11 @@ import (
 	"github.com/openfga/openfga/pkg/storage/sqlite"
 )

-func NewSQLStore(store sqlstore.SQLStore, config authz.Config) (storage.OpenFGADatastore, error) {
+func NewSQLStore(store sqlstore.SQLStore) (storage.OpenFGADatastore, error) {
 	switch store.BunDB().Dialect().Name().String() {
 	case "sqlite":
 		return sqlite.NewWithDB(store.SQLDB(), &sqlcommon.Config{
-			MaxTuplesPerWriteField: config.OpenFGA.MaxTuplesPerWrite,
+			MaxTuplesPerWriteField: 100,
 			MaxTypesPerModelField:  100,
 		})
 	case "pg":
@@ -25,7 +24,7 @@ func NewSQLStore(store sqlstore.SQLStore, config authz.Config) (storage.OpenFGAD
 		}

 		return postgres.NewWithDB(pgStore.Pool(), nil, &sqlcommon.Config{
-			MaxTuplesPerWriteField: config.OpenFGA.MaxTuplesPerWrite,
+			MaxTuplesPerWriteField: 100,
 			MaxTypesPerModelField:  100,
 		})
 	}
--- a/ee/modules/dashboard/impldashboard/module.go
+++ b/ee/modules/dashboard/impldashboard/module.go
@@ -14,7 +14,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
@@ -88,7 +88,7 @@ func (module *module) GetDashboardByPublicID(ctx context.Context, id valuer.UUID
 	return dashboardtypes.NewDashboardFromStorableDashboard(storableDashboard), nil
 }

-func (module *module) GetPublicDashboardSelectorsAndOrg(ctx context.Context, id valuer.UUID, orgs []*types.Organization) ([]coretypes.Selector, valuer.UUID, error) {
+func (module *module) GetPublicDashboardSelectorsAndOrg(ctx context.Context, id valuer.UUID, orgs []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 	orgIDs := make([]string, len(orgs))
 	for idx, org := range orgs {
 		orgIDs[idx] = org.ID.StringValue()
@@ -99,9 +99,9 @@ func (module *module) GetPublicDashboardSelectorsAndOrg(ctx context.Context, id
 		return nil, valuer.UUID{}, err
 	}

-	return []coretypes.Selector{
-		coretypes.TypeMetaResource.MustSelector(id.StringValue()),
-		coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),
+	return []authtypes.Selector{
+		authtypes.MustNewSelector(authtypes.TypeMetaResource, id.StringValue()),
+		authtypes.MustNewSelector(authtypes.TypeMetaResource, authtypes.WildCardSelectorString),
 	}, storableDashboard.OrgID, nil
 }

@@ -217,6 +217,28 @@ func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valu
 	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, isAdmin, lock)
 }

+func (module *module) MustGetTypeables() []authtypes.Typeable {
+	return module.pkgDashboardModule.MustGetTypeables()
+}
+
+func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.Transaction {
+	return map[string][]*authtypes.Transaction{
+		authtypes.SigNozAnonymousRoleName: {
+			{
+				ID:       valuer.GenerateUUID(),
+				Relation: authtypes.RelationRead,
+				Object: *authtypes.MustNewObject(
+					authtypes.Resource{
+						Type: authtypes.TypeMetaResource,
+						Name: dashboardtypes.TypeableMetaResourcePublicDashboard.Name(),
+					},
+					authtypes.MustNewSelector(authtypes.TypeMetaResource, "*"),
+				),
+			},
+		},
+	}
+}
+
 func (module *module) deletePublic(ctx context.Context, _ valuer.UUID, dashboardID valuer.UUID) error {
 	return module.store.DeletePublic(ctx, dashboardID.StringValue())
 }
--- a/ee/query-service/app/api/queryrange.go
+++ b/ee/query-service/app/api/queryrange.go
@@ -6,8 +6,6 @@ import (
 	"io"
 	"net/http"

-	"log/slog"
-
 	"github.com/SigNoz/signoz/ee/query-service/anomaly"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
@@ -17,6 +15,7 @@ import (
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
+	"log/slog"
 )

 func (aH *APIHandler) queryRangeV4(w http.ResponseWriter, r *http.Request) {
@@ -138,3 +137,4 @@ func (aH *APIHandler) queryRangeV4(w http.ResponseWriter, r *http.Request) {
 		aH.QueryRangeV4(w, r)
 	}
 }
+
--- a/ee/query-service/app/server.go
+++ b/ee/query-service/app/server.go
@@ -42,8 +42,8 @@ import (

 // Server runs HTTP, Mux and a grpc server
 type Server struct {
-	config signoz.Config
-	signoz *signoz.SigNoz
+	config      signoz.Config
+	signoz      *signoz.SigNoz

 	// public http router
 	httpConn     net.Listener
@@ -148,7 +148,7 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {

 	s := &Server{
 		config:             config,
-		signoz:             signoz,
+		signoz:       signoz,
 		httpHostPort:       baseconst.HTTPHostPort,
 		unavailableChannel: make(chan healthcheck.Status),
 		usageManager:       usageManager,
@@ -317,3 +317,4 @@ func (s *Server) Stop(ctx context.Context) error {

 	return nil
 }
+
--- a/frontend/.oxfmtrc.json
+++ b/frontend/.oxfmtrc.json
@@ -23,11 +23,6 @@
    "**/*.md",
    "**/*.json",
    "src/parser/**",
-    "src/TraceOperator/parser/**",
-    ".claude",
-    ".opencode",
-    "dist",
-    "playwright-report",
-    ".temp_cache"
+    "src/TraceOperator/parser/**"
  ]
 }
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -23,7 +23,8 @@
    "commitlint": "commitlint --edit $1",
    "test": "jest",
    "test:changedsince": "jest --changedSince=main --coverage --silent",
-    "generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh"
+    "generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh",
+    "generate:permissions-type": "node scripts/generate-permissions-type.cjs"
  },
  "engines": {
    "node": ">=22.0.0"
@@ -35,6 +36,7 @@
    "@ant-design/icons": "4.8.0",
    "@codemirror/autocomplete": "6.18.6",
    "@codemirror/lang-javascript": "6.2.3",
+    "@dagrejs/dagre": "3.0.0",
    "@dnd-kit/core": "6.1.0",
    "@dnd-kit/modifiers": "7.0.0",
    "@dnd-kit/sortable": "8.0.0",
@@ -62,6 +64,7 @@
    "@visx/shape": "3.5.0",
    "@visx/tooltip": "3.3.0",
    "@vitejs/plugin-react": "5.1.4",
+    "@xyflow/react": "12.10.2",
    "ansi-to-html": "0.7.2",
    "antd": "5.11.0",
    "antd-table-saveas-excel": "2.2.1",
@@ -114,7 +117,6 @@
    "react-dom": "18.2.0",
    "react-drag-listview": "2.0.0",
    "react-error-boundary": "4.0.11",
-    "react-force-graph-2d": "^1.29.1",
    "react-full-screen": "1.1.1",
    "react-grid-layout": "^1.3.4",
    "react-helmet-async": "1.3.0",
--- a/frontend/scripts/generate-permissions-type.cjs
+++ b/frontend/scripts/generate-permissions-type.cjs
@@ -0,0 +1,199 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const axios = require('axios');
+
+const PERMISSIONS_TYPE_FILE = path.join(
+	__dirname,
+	'../src/hooks/useAuthZ/permissions.type.ts',
+);
+
+const SIGNOZ_INTEGRATION_IMAGE = 'signoz:integration';
+const LOCAL_BACKEND_URL = 'http://localhost:8080';
+
+function log(message) {
+	console.log(`[generate-permissions-type] ${message}`);
+}
+
+function getBackendUrlFromDocker() {
+	try {
+		const output = execSync(
+			`docker ps --filter "ancestor=${SIGNOZ_INTEGRATION_IMAGE}" --format "{{.Ports}}"`,
+			{ encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] },
+		).trim();
+
+		if (!output) {
+			return null;
+		}
+
+		const portMatch = output.match(/0\.0\.0\.0:(\d+)->8080\/tcp/);
+		if (portMatch) {
+			return `http://localhost:${portMatch[1]}`;
+		}
+
+		const ipv6Match = output.match(/:::(\d+)->8080\/tcp/);
+		if (ipv6Match) {
+			return `http://localhost:${ipv6Match[1]}`;
+		}
+	} catch (err) {
+		log(`Warning: Could not get port from docker: ${err.message}`);
+	}
+	return null;
+}
+
+async function checkBackendHealth(url, maxAttempts = 3, delayMs = 1000) {
+	for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+		try {
+			await axios.get(`${url}/api/v1/health`, {
+				timeout: 5000,
+				validateStatus: (status) => status === 200,
+			});
+			return true;
+		} catch (err) {
+			if (attempt < maxAttempts) {
+				await new Promise((r) => setTimeout(r, delayMs));
+			}
+		}
+	}
+	return false;
+}
+
+async function discoverBackendUrl() {
+	const dockerUrl = getBackendUrlFromDocker();
+	if (dockerUrl) {
+		log(`Found ${SIGNOZ_INTEGRATION_IMAGE} container, trying ${dockerUrl}...`);
+		if (await checkBackendHealth(dockerUrl)) {
+			log(`Backend found at ${dockerUrl} (from py-test-setup)`);
+			return dockerUrl;
+		}
+		log(`Backend at ${dockerUrl} is not responding`);
+	}
+
+	log(`Trying local backend at ${LOCAL_BACKEND_URL}...`);
+	if (await checkBackendHealth(LOCAL_BACKEND_URL)) {
+		log(`Backend found at ${LOCAL_BACKEND_URL}`);
+		return LOCAL_BACKEND_URL;
+	}
+
+	return null;
+}
+
+async function fetchResources(backendUrl) {
+	log('Fetching resources from API...');
+	const resourcesUrl = `${backendUrl}/api/v1/authz/resources`;
+
+	const { data: response } = await axios.get(resourcesUrl);
+
+	return response;
+}
+
+function transformResponse(apiResponse) {
+	if (!apiResponse.data) {
+		throw new Error('Invalid API response: missing data field');
+	}
+
+	const { resources, relations } = apiResponse.data;
+
+	return {
+		status: apiResponse.status || 'success',
+		data: {
+			resources: resources,
+			relations: relations,
+		},
+	};
+}
+
+function generateTypeScriptFile(data) {
+	const resourcesStr = data.data.resources
+		.map(
+			(r) =>
+				`\t\t\t{\n\t\t\t\tname: '${r.name}',\n\t\t\t\ttype: '${r.type}',\n\t\t\t},`,
+		)
+		.join('\n');
+
+	const relationsStr = Object.entries(data.data.relations)
+		.map(
+			([type, relations]) =>
+				`\t\t\t${type}: [${relations.map((r) => `'${r}'`).join(', ')}],`,
+		)
+		.join('\n');
+
+	return `// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
+export default {
+\tstatus: '${data.status}',
+\tdata: {
+\t\tresources: [
+${resourcesStr}
+\t\t],
+\t\trelations: {
+${relationsStr}
+\t\t},
+\t},
+} as const;
+`;
+}
+
+async function main() {
+	try {
+		log('Starting permissions type generation...');
+
+		const backendUrl = await discoverBackendUrl();
+
+		if (!backendUrl) {
+			console.error('\n' + '='.repeat(80));
+			console.error('ERROR: No running SigNoz backend found!');
+			console.error('='.repeat(80));
+			console.error(
+				'\nThe permissions type generator requires a running SigNoz backend.',
+			);
+			console.error('\nFor local development, start the backend with:');
+			console.error('  make go-run-enterprise');
+			console.error(
+				'\nFor CI or integration testing, start the test environment with:',
+			);
+			console.error('  make py-test-setup');
+			console.error(
+				'\nIf running in CI and seeing this error, check that the py-test-setup',
+			);
+			console.error('step completed successfully before this step runs.');
+			console.error('='.repeat(80) + '\n');
+			process.exit(1);
+		}
+
+		log('Fetching resources...');
+		const apiResponse = await fetchResources(backendUrl);
+
+		log('Transforming response...');
+		const transformed = transformResponse(apiResponse);
+
+		log('Generating TypeScript file...');
+		const content = generateTypeScriptFile(transformed);
+
+		log(`Writing to ${PERMISSIONS_TYPE_FILE}...`);
+		fs.writeFileSync(PERMISSIONS_TYPE_FILE, content, 'utf8');
+
+		const rootDir = path.join(__dirname, '../..');
+		const relativePath = path.relative(
+			path.join(rootDir, 'frontend'),
+			PERMISSIONS_TYPE_FILE,
+		);
+		log('Linting generated file...');
+		execSync(`cd frontend && yarn oxlint ${relativePath}`, {
+			cwd: rootDir,
+			stdio: 'inherit',
+		});
+
+		log('Successfully generated permissions.type.ts');
+	} catch (error) {
+		log(`Error: ${error.message}`);
+		process.exit(1);
+	}
+}
+
+if (require.main === module) {
+	main();
+}
+
+module.exports = { main };
--- a/frontend/src/api/generated/services/authz/index.ts
+++ b/frontend/src/api/generated/services/authz/index.ts
@@ -4,16 +4,23 @@
 * * regenerate with 'yarn generate:api'
 * SigNoz
 */
-import { useMutation } from 'react-query';
+import { useMutation, useQuery } from 'react-query';
 import type {
+	InvalidateOptions,
 	MutationFunction,
+	QueryClient,
+	QueryFunction,
+	QueryKey,
 	UseMutationOptions,
 	UseMutationResult,
+	UseQueryOptions,
+	UseQueryResult,
 } from 'react-query';

 import type {
 	AuthtypesTransactionDTO,
 	AuthzCheck200,
+	AuthzResources200,
 	RenderErrorResponseDTO,
 } from '../sigNoz.schemas';

@@ -103,3 +110,88 @@ export const useAuthzCheck = <

 	return useMutation(mutationOptions);
 };
+/**
+ * Gets all the available resources
+ * @summary Get resources
+ */
+export const authzResources = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<AuthzResources200>({
+		url: `/api/v1/authz/resources`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getAuthzResourcesQueryKey = () => {
+	return [`/api/v1/authz/resources`] as const;
+};
+
+export const getAuthzResourcesQueryOptions = <
+	TData = Awaited<ReturnType<typeof authzResources>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof authzResources>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getAuthzResourcesQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof authzResources>>> = ({
+		signal,
+	}) => authzResources(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof authzResources>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type AuthzResourcesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof authzResources>>
+>;
+export type AuthzResourcesQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get resources
+ */
+
+export function useAuthzResources<
+	TData = Awaited<ReturnType<typeof authzResources>>,
+	TError = ErrorType<RenderErrorResponseDTO>,
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof authzResources>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getAuthzResourcesQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get resources
+ */
+export const invalidateAuthzResources = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getAuthzResourcesQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
--- a/frontend/src/api/generated/services/role/index.ts
+++ b/frontend/src/api/generated/services/role/index.ts
@@ -18,9 +18,9 @@ import type {
 } from 'react-query';

 import type {
+	AuthtypesPatchableObjectsDTO,
 	AuthtypesPatchableRoleDTO,
 	AuthtypesPostableRoleDTO,
-	CoretypesPatchableObjectsDTO,
 	CreateRole201,
 	DeleteRolePathParameters,
 	GetObjects200,
@@ -571,13 +571,13 @@ export const invalidateGetObjects = async (
 */
 export const patchObjects = (
 	{ id, relation }: PatchObjectsPathParameters,
-	coretypesPatchableObjectsDTO: BodyType<CoretypesPatchableObjectsDTO>,
+	authtypesPatchableObjectsDTO: BodyType<AuthtypesPatchableObjectsDTO>,
 ) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/roles/${id}/relations/${relation}/objects`,
 		method: 'PATCH',
 		headers: { 'Content-Type': 'application/json' },
-		data: coretypesPatchableObjectsDTO,
+		data: authtypesPatchableObjectsDTO,
 	});
 };

@@ -590,7 +590,7 @@ export const getPatchObjectsMutationOptions = <
 		TError,
 		{
 			pathParams: PatchObjectsPathParameters;
-			data: BodyType<CoretypesPatchableObjectsDTO>;
+			data: BodyType<AuthtypesPatchableObjectsDTO>;
 		},
 		TContext
 	>;
@@ -599,7 +599,7 @@ export const getPatchObjectsMutationOptions = <
 	TError,
 	{
 		pathParams: PatchObjectsPathParameters;
-		data: BodyType<CoretypesPatchableObjectsDTO>;
+		data: BodyType<AuthtypesPatchableObjectsDTO>;
 	},
 	TContext
 > => {
@@ -616,7 +616,7 @@ export const getPatchObjectsMutationOptions = <
 		Awaited<ReturnType<typeof patchObjects>>,
 		{
 			pathParams: PatchObjectsPathParameters;
-			data: BodyType<CoretypesPatchableObjectsDTO>;
+			data: BodyType<AuthtypesPatchableObjectsDTO>;
 		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};
@@ -630,7 +630,7 @@ export const getPatchObjectsMutationOptions = <
 export type PatchObjectsMutationResult = NonNullable<
 	Awaited<ReturnType<typeof patchObjects>>
 >;
-export type PatchObjectsMutationBody = BodyType<CoretypesPatchableObjectsDTO>;
+export type PatchObjectsMutationBody = BodyType<AuthtypesPatchableObjectsDTO>;
 export type PatchObjectsMutationError = ErrorType<RenderErrorResponseDTO>;

 /**
@@ -645,7 +645,7 @@ export const usePatchObjects = <
 		TError,
 		{
 			pathParams: PatchObjectsPathParameters;
-			data: BodyType<CoretypesPatchableObjectsDTO>;
+			data: BodyType<AuthtypesPatchableObjectsDTO>;
 		},
 		TContext
 	>;
@@ -654,7 +654,7 @@ export const usePatchObjects = <
 	TError,
 	{
 		pathParams: PatchObjectsPathParameters;
-		data: BodyType<CoretypesPatchableObjectsDTO>;
+		data: BodyType<AuthtypesPatchableObjectsDTO>;
 	},
 	TContext
 > => {
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -1668,6 +1668,33 @@ export interface AuthtypesGettableAuthDomainDTO {
 	updatedAt?: Date;
 }

+export interface AuthtypesGettableObjectsDTO {
+	resource: AuthtypesResourceDTO;
+	/**
+	 * @type array
+	 */
+	selectors: string[];
+}
+
+/**
+ * @nullable
+ */
+export type AuthtypesGettableResourcesDTORelations = {
+	[key: string]: string[];
+} | null;
+
+export interface AuthtypesGettableResourcesDTO {
+	/**
+	 * @type object
+	 * @nullable true
+	 */
+	relations: AuthtypesGettableResourcesDTORelations;
+	/**
+	 * @type array
+	 */
+	resources: AuthtypesResourceDTO[];
+}
+
 export interface AuthtypesGettableTokenDTO {
 	/**
 	 * @type string
@@ -1692,8 +1719,11 @@ export interface AuthtypesGettableTransactionDTO {
 	 * @type boolean
 	 */
 	authorized: boolean;
-	object: CoretypesObjectDTO;
-	relation: AuthtypesRelationDTO;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
 }

 export type AuthtypesGoogleConfigDTODomainToAdminEmail = {
@@ -1767,6 +1797,14 @@ export interface AuthtypesOIDCConfigDTO {
 	issuerAlias?: string;
 }

+export interface AuthtypesObjectDTO {
+	resource: AuthtypesResourceDTO;
+	/**
+	 * @type string
+	 */
+	selector: string;
+}
+
 export interface AuthtypesOrgSessionContextDTO {
 	authNSupport?: AuthtypesAuthNSupportDTO;
 	/**
@@ -1784,6 +1822,19 @@ export interface AuthtypesPasswordAuthNSupportDTO {
 	provider?: AuthtypesAuthNProviderDTO;
 }

+export interface AuthtypesPatchableObjectsDTO {
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	additions: AuthtypesGettableObjectsDTO[] | null;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	deletions: AuthtypesGettableObjectsDTO[] | null;
+}
+
 export interface AuthtypesPatchableRoleDTO {
 	/**
 	 * @type string
@@ -1832,14 +1883,17 @@ export interface AuthtypesPostableRotateTokenDTO {
 	refreshToken?: string;
 }

-export enum AuthtypesRelationDTO {
-	create = 'create',
-	read = 'read',
-	update = 'update',
-	delete = 'delete',
-	list = 'list',
-	assignee = 'assignee',
+export interface AuthtypesResourceDTO {
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	type: string;
 }
+
 export interface AuthtypesRoleDTO {
 	/**
 	 * @type string
@@ -1929,8 +1983,11 @@ export interface AuthtypesSessionContextDTO {
 }

 export interface AuthtypesTransactionDTO {
-	object: CoretypesObjectDTO;
-	relation: AuthtypesRelationDTO;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
 }

 export interface AuthtypesUpdatableAuthDomainDTO {
@@ -4116,52 +4173,6 @@ export interface ConfigWechatConfigDTO {
 	to_user?: string;
 }

-export interface CoretypesObjectDTO {
-	resource: CoretypesResourceRefDTO;
-	/**
-	 * @type string
-	 */
-	selector: string;
-}
-
-export interface CoretypesObjectGroupDTO {
-	resource: CoretypesResourceRefDTO;
-	/**
-	 * @type array
-	 */
-	selectors: string[];
-}
-
-export interface CoretypesPatchableObjectsDTO {
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	additions: CoretypesObjectGroupDTO[] | null;
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	deletions: CoretypesObjectGroupDTO[] | null;
-}
-
-export interface CoretypesResourceRefDTO {
-	/**
-	 * @type string
-	 */
-	kind: string;
-	type: CoretypesTypeDTO;
-}
-
-export enum CoretypesTypeDTO {
-	user = 'user',
-	serviceaccount = 'serviceaccount',
-	anonymous = 'anonymous',
-	role = 'role',
-	organization = 'organization',
-	metaresource = 'metaresource',
-	metaresources = 'metaresources',
-}
 export interface DashboardtypesDashboardDTO {
 	/**
 	 * @type string
@@ -7703,11 +7714,6 @@ export interface TracedetailtypesWaterfallSpanDTO {
 	 * @minimum 0
 	 */
 	sub_tree_node_count?: number;
-	/**
-	 * @type integer
-	 * @minimum 0
-	 */
-	time_unix?: number;
 	/**
 	 * @type string
 	 */
@@ -8099,6 +8105,14 @@ export type AuthzCheck200 = {
 	status: string;
 };

+export type AuthzResources200 = {
+	data: AuthtypesGettableResourcesDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type ListChannels200 = {
 	/**
 	 * @type array
@@ -8724,7 +8738,7 @@ export type GetObjects200 = {
 	/**
 	 * @type array
 	 */
-	data: CoretypesObjectGroupDTO[];
+	data: AuthtypesGettableObjectsDTO[];
 	/**
 	 * @type string
 	 */
--- a/frontend/src/components/GuardAuthZ/GuardAuthZ.test.tsx
+++ b/frontend/src/components/GuardAuthZ/GuardAuthZ.test.tsx
@@ -55,7 +55,7 @@ describe('GuardAuthZ', () => {
 		);

 		render(
-			<GuardAuthZ relation="read" object="role:*">
+			<GuardAuthZ relation="read" object="dashboard:*">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -79,7 +79,7 @@ describe('GuardAuthZ', () => {
 		render(
 			<GuardAuthZ
 				relation="read"
-				object="role:*"
+				object="dashboard:*"
 				fallbackOnLoading={<LoadingFallback />}
 			>
 				<TestChild />
@@ -102,7 +102,7 @@ describe('GuardAuthZ', () => {
 		);

 		const { container } = render(
-			<GuardAuthZ relation="read" object="role:*">
+			<GuardAuthZ relation="read" object="dashboard:*">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -121,7 +121,11 @@ describe('GuardAuthZ', () => {
 		);

 		render(
-			<GuardAuthZ relation="read" object="role:*" fallbackOnError={ErrorFallback}>
+			<GuardAuthZ
+				relation="read"
+				object="dashboard:*"
+				fallbackOnError={ErrorFallback}
+			>
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -151,7 +155,7 @@ describe('GuardAuthZ', () => {
 		render(
 			<GuardAuthZ
 				relation="read"
-				object="role:*"
+				object="dashboard:*"
 				fallbackOnError={errorFallbackWithCapture}
 			>
 				<TestChild />
@@ -174,7 +178,7 @@ describe('GuardAuthZ', () => {
 		);

 		const { container } = render(
-			<GuardAuthZ relation="read" object="role:*">
+			<GuardAuthZ relation="read" object="dashboard:*">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -197,7 +201,7 @@ describe('GuardAuthZ', () => {
 		render(
 			<GuardAuthZ
 				relation="update"
-				object="role:123"
+				object="dashboard:123"
 				fallbackOnNoPermissions={NoPermissionFallback}
 			>
 				<TestChild />
@@ -220,7 +224,7 @@ describe('GuardAuthZ', () => {
 		);

 		const { container } = render(
-			<GuardAuthZ relation="update" object="role:123">
+			<GuardAuthZ relation="update" object="dashboard:123">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -240,7 +244,7 @@ describe('GuardAuthZ', () => {
 		);

 		const { container } = render(
-			<GuardAuthZ relation="read" object="role:*">
+			<GuardAuthZ relation="read" object="dashboard:*">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -253,7 +257,7 @@ describe('GuardAuthZ', () => {
 	});

 	it('should pass requiredPermissionName to fallbackOnNoPermissions', async () => {
-		const permission = buildPermission('update', 'role:123');
+		const permission = buildPermission('update', 'dashboard:123');

 		server.use(
 			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
@@ -265,7 +269,7 @@ describe('GuardAuthZ', () => {
 		render(
 			<GuardAuthZ
 				relation="update"
-				object="role:123"
+				object="dashboard:123"
 				fallbackOnNoPermissions={NoPermissionFallbackWithSuggestions}
 			>
 				<TestChild />
@@ -295,7 +299,7 @@ describe('GuardAuthZ', () => {
 		);

 		const { rerender } = render(
-			<GuardAuthZ relation="read" object="role:*">
+			<GuardAuthZ relation="read" object="dashboard:*">
 				<TestChild />
 			</GuardAuthZ>,
 		);
@@ -305,7 +309,7 @@ describe('GuardAuthZ', () => {
 		});

 		rerender(
-			<GuardAuthZ relation="delete" object="role:456">
+			<GuardAuthZ relation="delete" object="dashboard:456">
 				<TestChild />
 			</GuardAuthZ>,
 		);
--- a/frontend/src/components/createGuardedRoute/createGuardedRoute.test.tsx
+++ b/frontend/src/components/createGuardedRoute/createGuardedRoute.test.tsx
@@ -41,7 +41,11 @@ describe('createGuardedRoute', () => {
 			}),
 		);

-		const GuardedComponent = createGuardedRoute(TestComponent, 'read', 'role:*');
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);

 		const mockMatch = {
 			params: {},
@@ -75,7 +79,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'read',
-			'role:{id}',
+			'dashboard:{id}',
 		);

 		const mockMatch = {
@@ -109,7 +113,7 @@ describe('createGuardedRoute', () => {
 						relation: txn.relation,
 						object: {
 							resource: {
-								kind: txn.object.resource.kind,
+								name: txn.object.resource.name,
 								type: txn.object.resource.type,
 							},
 							selector: '123:456',
@@ -127,7 +131,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'update',
-			'role:{id}:{version}',
+			'dashboard:{id}:{version}',
 		);

 		const mockMatch = {
@@ -162,7 +166,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'read',
-			'role:{id}',
+			'dashboard:{id}',
 		);

 		const mockMatch = {
@@ -197,7 +201,11 @@ describe('createGuardedRoute', () => {
 			}),
 		);

-		const GuardedComponent = createGuardedRoute(TestComponent, 'read', 'role:*');
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);

 		const mockMatch = {
 			params: {},
@@ -228,7 +236,11 @@ describe('createGuardedRoute', () => {
 			}),
 		);

-		const GuardedComponent = createGuardedRoute(TestComponent, 'read', 'role:*');
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);

 		const mockMatch = {
 			params: {},
@@ -266,7 +278,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'update',
-			'role:{id}',
+			'dashboard:{id}',
 		);

 		const mockMatch = {
@@ -292,7 +304,7 @@ describe('createGuardedRoute', () => {
 		});

 		expect(screen.getByText('update')).toBeInTheDocument();
-		expect(screen.getByText('role:123')).toBeInTheDocument();
+		expect(screen.getByText('dashboard:123')).toBeInTheDocument();
 		expect(
 			screen.queryByText('Test Component: test-value'),
 		).not.toBeInTheDocument();
@@ -323,7 +335,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			ComponentWithMultipleProps,
 			'read',
-			'role:*',
+			'dashboard:*',
 		);

 		const mockMatch = {
@@ -358,10 +370,10 @@ describe('createGuardedRoute', () => {
 				requestCount++;
 				const payload = (await req.json()) as AuthtypesTransactionDTO[];
 				const obj = payload[0]?.object;
-				const kind = obj?.resource?.kind;
+				const name = obj?.resource?.name;
 				const selector = obj?.selector ?? '*';
 				const objectStr =
-					obj?.resource?.type === 'metaresources' ? kind : `${kind}:${selector}`;
+					obj?.resource?.type === 'metaresources' ? name : `${name}:${selector}`;
 				requestedObjects.push(objectStr ?? '');

 				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
@@ -371,7 +383,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'read',
-			'role:{id}',
+			'dashboard:{id}',
 		);

 		const mockMatch1 = {
@@ -395,7 +407,7 @@ describe('createGuardedRoute', () => {
 		});

 		expect(requestCount).toBe(1);
-		expect(requestedObjects).toContain('role:123');
+		expect(requestedObjects).toContain('dashboard:123');

 		unmount();

@@ -420,7 +432,7 @@ describe('createGuardedRoute', () => {
 		});

 		expect(requestCount).toBe(2);
-		expect(requestedObjects).toContain('role:456');
+		expect(requestedObjects).toContain('dashboard:456');
 	});

 	it('should handle different relation types', async () => {
@@ -434,7 +446,7 @@ describe('createGuardedRoute', () => {
 		const GuardedComponent = createGuardedRoute(
 			TestComponent,
 			'delete',
-			'role:{id}',
+			'dashboard:{id}',
 		);

 		const mockMatch = {
--- a/frontend/src/container/RolesSettings/RoleDetails/RoleDetailsPage.tsx
+++ b/frontend/src/container/RolesSettings/RoleDetails/RoleDetailsPage.tsx
@@ -4,6 +4,7 @@ import { useHistory, useLocation } from 'react-router-dom';
 import { Table2, Trash2, Users } from '@signozhq/icons';
 import { Button, toast, ToggleGroup, ToggleGroupItem } from '@signozhq/ui';
 import { Skeleton } from 'antd';
+import { useAuthzResources } from 'api/generated/services/authz';
 import {
 	getGetObjectsQueryKey,
 	useDeleteRole,
@@ -11,9 +12,6 @@ import {
 	useGetRole,
 	usePatchObjects,
 } from 'api/generated/services/role';
-import permissionsType from 'hooks/useAuthZ/permissions.type';
-
-import type { AuthzResources } from '../utils';
 import ErrorInPlace from 'components/ErrorInPlace/ErrorInPlace';
 import ROUTES from 'constants/routes';
 import { capitalize } from 'lodash-es';
@@ -54,7 +52,10 @@ function RoleDetailsPage(): JSX.Element {
 	const queryClient = useQueryClient();
 	const { showErrorModal } = useErrorModal();

-	const authzResources = permissionsType.data as unknown as AuthzResources;
+	const { data: authzResourcesResponse } = useAuthzResources({
+		query: { enabled: true },
+	});
+	const authzResources = authzResourcesResponse?.data ?? null;

 	// Extract channelId from URL pathname since useParams doesn't work in nested routing
 	const roleIdMatch = pathname.match(ROLE_ID_REGEX);
@@ -93,7 +94,7 @@ function RoleDetailsPage(): JSX.Element {

 	const initialConfig = useMemo(() => {
 		if (!objectsData?.data || !activePermission) {
-			return;
+			return undefined;
 		}
 		return objectsToPermissionConfig(
 			objectsData.data,
--- a/frontend/src/container/RolesSettings/RoleDetails/tests/RoleDetailsPage.test.tsx
+++ b/frontend/src/container/RolesSettings/RoleDetails/tests/RoleDetailsPage.test.tsx
@@ -15,6 +15,15 @@ const CUSTOM_ROLE_ID = '019c24aa-3333-0001-aaaa-111111111111';
 const MANAGED_ROLE_ID = '019c24aa-2248-756f-9833-984f1ab63819';

 const rolesApiBase = 'http://localhost/api/v1/roles';
+const authzResourcesUrl = 'http://localhost/api/v1/authz/resources';
+
+const authzResourcesResponse = {
+	status: 'success',
+	data: {
+		relations: { create: ['dashboard'], read: ['dashboard'] },
+		resources: [{ name: 'dashboard', type: 'dashboard' }],
+	},
+};

 const emptyObjectsResponse = { status: 'success', data: [] };

@@ -36,6 +45,9 @@ function setupDefaultHandlers(roleId = CUSTOM_ROLE_ID): void {
 		rest.get(`${rolesApiBase}/:id`, (_req, res, ctx) =>
 			res(ctx.status(200), ctx.json(roleResponse)),
 		),
+		rest.get(authzResourcesUrl, (_req, res, ctx) =>
+			res(ctx.status(200), ctx.json(authzResourcesResponse)),
+		),
 	);
 }

--- a/frontend/src/container/RolesSettings/tests/utils.test.ts
+++ b/frontend/src/container/RolesSettings/tests/utils.test.ts
@@ -1,18 +1,12 @@
 import type {
-	CoretypesResourceRefDTO,
-	CoretypesObjectGroupDTO,
-	CoretypesTypeDTO,
+	AuthtypesGettableObjectsDTO,
+	AuthtypesGettableResourcesDTO,
 } from 'api/generated/services/sigNoz.schemas';

 import type {
 	PermissionConfig,
 	ResourceDefinition,
 } from '../PermissionSidePanel/PermissionSidePanel.types';
-
-type AuthzResources = {
-	resources: CoretypesResourceRefDTO[];
-	relations: Record<string, string[]>;
-};
 import { PermissionScope } from '../PermissionSidePanel/PermissionSidePanel.types';
 import {
 	buildConfig,
@@ -39,17 +33,17 @@ jest.mock('../RoleDetails/constants', () => {
 	};
 });

-const dashboardResource: AuthzResources['resources'][number] = {
-	kind: 'dashboard',
-	type: 'metaresource' as CoretypesTypeDTO,
+const dashboardResource: AuthtypesGettableResourcesDTO['resources'][number] = {
+	name: 'dashboard',
+	type: 'metaresource',
 };

-const alertResource: AuthzResources['resources'][number] = {
-	kind: 'alert',
-	type: 'metaresource' as CoretypesTypeDTO,
+const alertResource: AuthtypesGettableResourcesDTO['resources'][number] = {
+	name: 'alert',
+	type: 'metaresource',
 };

-const baseAuthzResources: AuthzResources = {
+const baseAuthzResources: AuthtypesGettableResourcesDTO = {
 	resources: [dashboardResource, alertResource],
 	relations: {
 		create: ['metaresource'],
@@ -226,7 +220,7 @@ describe('buildPatchPayload', () => {

 describe('objectsToPermissionConfig', () => {
 	it('maps a wildcard selector to ALL scope', () => {
-		const objects: CoretypesObjectGroupDTO[] = [
+		const objects: AuthtypesGettableObjectsDTO[] = [
 			{ resource: dashboardResource, selectors: ['*'] },
 		];

@@ -239,7 +233,7 @@ describe('objectsToPermissionConfig', () => {
 	});

 	it('maps specific selectors to ONLY_SELECTED scope with the IDs', () => {
-		const objects: CoretypesObjectGroupDTO[] = [
+		const objects: AuthtypesGettableObjectsDTO[] = [
 			{ resource: dashboardResource, selectors: [ID_A, ID_B] },
 		];

@@ -344,7 +338,7 @@ describe('buildConfig', () => {

 describe('derivePermissionTypes', () => {
 	it('derives one PermissionType per relation key with correct key and capitalised label', () => {
-		const relations: AuthzResources['relations'] = {
+		const relations: AuthtypesGettableResourcesDTO['relations'] = {
 			create: ['metaresource'],
 			read: ['metaresource'],
 			delete: ['metaresource'],
--- a/frontend/src/container/RolesSettings/utils.tsx
+++ b/frontend/src/container/RolesSettings/utils.tsx
@@ -1,8 +1,8 @@
 import React from 'react';
 import { Badge } from '@signozhq/ui';
 import type {
-	CoretypesResourceRefDTO,
-	CoretypesObjectGroupDTO,
+	AuthtypesGettableObjectsDTO,
+	AuthtypesGettableResourcesDTO,
 } from 'api/generated/services/sigNoz.schemas';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
 import { capitalize } from 'lodash-es';
@@ -19,11 +19,6 @@ import {
 	PERMISSION_ICON_MAP,
 } from './RoleDetails/constants';

-export type AuthzResources = {
-	resources: ReadonlyArray<CoretypesResourceRefDTO>;
-	relations: Readonly<Record<string, ReadonlyArray<string>>>;
-};
-
 export interface PermissionType {
 	key: string;
 	label: string;
@@ -34,11 +29,11 @@ export interface PatchPayloadOptions {
 	newConfig: PermissionConfig;
 	initialConfig: PermissionConfig;
 	resources: ResourceDefinition[];
-	authzRes: AuthzResources;
+	authzRes: AuthtypesGettableResourcesDTO;
 }

 export function derivePermissionTypes(
-	relations: AuthzResources['relations'] | null,
+	relations: AuthtypesGettableResourcesDTO['relations'] | null,
 ): PermissionType[] {
 	const iconSize = { size: 14 };

@@ -60,7 +55,7 @@ export function derivePermissionTypes(
 }

 export function deriveResourcesForRelation(
-	authzResources: AuthzResources | null,
+	authzResources: AuthtypesGettableResourcesDTO | null,
 	relation: string,
 ): ResourceDefinition[] {
 	if (!authzResources?.relations) {
@@ -70,19 +65,19 @@ export function deriveResourcesForRelation(
 	return authzResources.resources
 		.filter((r) => supportedTypes.includes(r.type))
 		.map((r) => ({
-			id: r.kind,
-			label: capitalize(r.kind).replaceAll('_', ' '),
+			id: r.name,
+			label: capitalize(r.name).replace(/_/g, ' '),
 			options: [],
 		}));
 }

 export function objectsToPermissionConfig(
-	objects: CoretypesObjectGroupDTO[],
+	objects: AuthtypesGettableObjectsDTO[],
 	resources: ResourceDefinition[],
 ): PermissionConfig {
 	const config: PermissionConfig = {};
 	for (const res of resources) {
-		const obj = objects.find((o) => o.resource.kind === res.id);
+		const obj = objects.find((o) => o.resource.name === res.id);
 		if (!obj) {
 			config[res.id] = {
 				scope: PermissionScope.ONLY_SELECTED,
@@ -106,19 +101,19 @@ export function buildPatchPayload({
 	resources,
 	authzRes,
 }: PatchPayloadOptions): {
-	additions: CoretypesObjectGroupDTO[] | null;
-	deletions: CoretypesObjectGroupDTO[] | null;
+	additions: AuthtypesGettableObjectsDTO[] | null;
+	deletions: AuthtypesGettableObjectsDTO[] | null;
 } {
 	if (!authzRes) {
 		return { additions: null, deletions: null };
 	}
-	const additions: CoretypesObjectGroupDTO[] = [];
-	const deletions: CoretypesObjectGroupDTO[] = [];
+	const additions: AuthtypesGettableObjectsDTO[] = [];
+	const deletions: AuthtypesGettableObjectsDTO[] = [];

 	for (const res of resources) {
 		const initial = initialConfig[res.id];
 		const current = newConfig[res.id];
-		const resourceDef = authzRes.resources.find((r) => r.kind === res.id);
+		const resourceDef = authzRes.resources.find((r) => r.name === res.id);
 		if (!resourceDef) {
 			continue;
 		}
--- a/frontend/src/hooks/useAuthZ/permissions.type.ts
+++ b/frontend/src/hooks/useAuthZ/permissions.type.ts
@@ -1,29 +1,32 @@
-// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY cmd/enterprise/*.go generate authz
+// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
 export default {
 	status: 'success',
 	data: {
 		resources: [
 			{
-				kind: 'role',
+				name: 'dashboard',
+				type: 'metaresource',
+			},
+			{
+				name: 'dashboards',
 				type: 'metaresources',
 			},
 			{
-				kind: 'role',
+				name: 'role',
 				type: 'role',
 			},
 			{
-				kind: 'serviceaccount',
-				type: 'serviceaccount',
+				name: 'roles',
+				type: 'metaresources',
 			},
 		],
 		relations: {
 			assignee: ['role'],
-			attach: ['role', 'serviceaccount'],
 			create: ['metaresources'],
-			delete: ['role', 'serviceaccount'],
+			delete: ['user', 'serviceaccount', 'role', 'organization', 'metaresource'],
 			list: ['metaresources'],
-			read: ['role', 'serviceaccount'],
-			update: ['role', 'serviceaccount'],
+			read: ['user', 'serviceaccount', 'role', 'organization', 'metaresource'],
+			update: ['user', 'serviceaccount', 'role', 'organization', 'metaresource'],
 		},
 	},
 } as const;
--- a/frontend/src/hooks/useAuthZ/types.ts
+++ b/frontend/src/hooks/useAuthZ/types.ts
@@ -1,16 +1,15 @@
 import permissionsType from './permissions.type';
-
-const ObjectSeparator = ':';
+import { ObjectSeparator } from './utils';

 type PermissionsData = typeof permissionsType.data;
 export type Resource = PermissionsData['resources'][number];
-export type ResourceName = Resource['kind'];
+export type ResourceName = Resource['name'];
 export type ResourceType = Resource['type'];

 type RelationsByType = PermissionsData['relations'];

 type ResourceTypeMap = {
-	[K in ResourceName]: Extract<Resource, { kind: K }>['type'];
+	[K in ResourceName]: Extract<Resource, { name: K }>['type'];
 };

 type RelationName = keyof RelationsByType;
@@ -18,7 +17,7 @@ type RelationName = keyof RelationsByType;
 export type ResourcesForRelation<R extends RelationName> = Extract<
 	Resource,
 	{ type: RelationsByType[R][number] }
->['kind'];
+>['name'];

 type IsPluralResource<R extends ResourceName> =
 	ResourceTypeMap[R] extends 'metaresources' ? true : false;
--- a/frontend/src/hooks/useAuthZ/useAuthZ.test.tsx
+++ b/frontend/src/hooks/useAuthZ/useAuthZ.test.tsx
@@ -36,8 +36,8 @@ const wrapper = ({ children }: { children: ReactElement }): ReactElement => (

 describe('useAuthZ', () => {
 	it('should fetch and return permissions successfully', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');

 		const expectedResponse = {
 			[permission1]: {
@@ -74,7 +74,7 @@ describe('useAuthZ', () => {
 	});

 	it('should handle API errors', async () => {
-		const permission = buildPermission('read', 'role:*');
+		const permission = buildPermission('read', 'dashboard:*');

 		server.use(
 			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
@@ -95,9 +95,9 @@ describe('useAuthZ', () => {
 	});

 	it('should refetch when permissions array changes', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
-		const permission3 = buildPermission('delete', 'role:456');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');

 		let requestCount = 0;

@@ -161,8 +161,8 @@ describe('useAuthZ', () => {
 	});

 	it('should not refetch when permissions array order changes but content is the same', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');

 		let requestCount = 0;

@@ -217,8 +217,8 @@ describe('useAuthZ', () => {
 	});

 	it('should send correct payload format to API', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');

 		let receivedPayload: any = null;

@@ -244,23 +244,23 @@ describe('useAuthZ', () => {
 		expect(receivedPayload[0]).toMatchObject({
 			relation: 'read',
 			object: {
-				resource: { kind: 'role', type: 'role' },
+				resource: { name: 'dashboard', type: 'metaresource' },
 				selector: '*',
 			},
 		});
 		expect(receivedPayload[1]).toMatchObject({
 			relation: 'update',
 			object: {
-				resource: { kind: 'role', type: 'role' },
+				resource: { name: 'dashboard', type: 'metaresource' },
 				selector: '123',
 			},
 		});
 	});

 	it('should batch multiple hooks into single flight request', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
-		const permission3 = buildPermission('delete', 'role:456');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');

 		let requestCount = 0;
 		const receivedPayloads: any[] = [];
@@ -304,17 +304,17 @@ describe('useAuthZ', () => {
 		expect(receivedPayloads[0][0]).toMatchObject({
 			relation: 'read',
 			object: {
-				resource: { kind: 'role', type: 'role' },
+				resource: { name: 'dashboard', type: 'metaresource' },
 				selector: '*',
 			},
 		});
 		expect(receivedPayloads[0][1]).toMatchObject({
 			relation: 'update',
-			object: { resource: { kind: 'role' }, selector: '123' },
+			object: { resource: { name: 'dashboard' }, selector: '123' },
 		});
 		expect(receivedPayloads[0][2]).toMatchObject({
 			relation: 'delete',
-			object: { resource: { kind: 'role' }, selector: '456' },
+			object: { resource: { name: 'dashboard' }, selector: '456' },
 		});

 		expect(result1.current.permissions).toStrictEqual({
@@ -329,9 +329,9 @@ describe('useAuthZ', () => {
 	});

 	it('should create separate batches for calls after single flight window', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
-		const permission3 = buildPermission('delete', 'role:456');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');

 		let requestCount = 0;
 		const receivedPayloads: any[] = [];
@@ -386,18 +386,18 @@ describe('useAuthZ', () => {
 		expect(receivedPayloads[1]).toHaveLength(2);
 		expect(receivedPayloads[1][0]).toMatchObject({
 			relation: 'update',
-			object: { resource: { kind: 'role' }, selector: '123' },
+			object: { resource: { name: 'dashboard' }, selector: '123' },
 		});
 		expect(receivedPayloads[1][1]).toMatchObject({
 			relation: 'delete',
-			object: { resource: { kind: 'role' }, selector: '456' },
+			object: { resource: { name: 'dashboard' }, selector: '456' },
 		});
 	});

 	it('should map permissions correctly when API returns response out of order', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
-		const permission3 = buildPermission('delete', 'role:456');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');

 		server.use(
 			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
@@ -435,8 +435,8 @@ describe('useAuthZ', () => {
 	});

 	it('should not leak state between separate batches', async () => {
-		const permission1 = buildPermission('read', 'role:*');
-		const permission2 = buildPermission('update', 'role:123');
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');

 		let requestCount = 0;

--- a/frontend/src/hooks/useAuthZ/useAuthZ.tsx
+++ b/frontend/src/hooks/useAuthZ/useAuthZ.tsx
@@ -2,7 +2,7 @@ import { useCallback, useMemo } from 'react';
 import { useQueries } from 'react-query';
 import { authzCheck } from 'api/generated/services/authz';
 import type {
-	CoretypesObjectDTO,
+	AuthtypesObjectDTO,
 	AuthtypesTransactionDTO,
 } from 'api/generated/services/sigNoz.schemas';

@@ -34,7 +34,7 @@ function dispatchPermission(
 		});

 		setTimeout(() => {
-			const copiedPermissions = [...pendingPermissions];
+			const copiedPermissions = pendingPermissions.slice();
 			pendingPermissions = [];
 			ctx = null;

@@ -50,9 +50,9 @@ async function fetchManyPermissions(
 ): Promise<AuthZCheckResponse> {
 	const payload: AuthtypesTransactionDTO[] = permissions.map((permission) => {
 		const dto = permissionToTransactionDto(permission);
-		const object: CoretypesObjectDTO = {
+		const object: AuthtypesObjectDTO = {
 			resource: {
-				kind: dto.object.resource.kind,
+				name: dto.object.resource.name,
 				type: dto.object.resource.type,
 			},
 			selector: dto.object.selector,
--- a/frontend/src/hooks/useAuthZ/utils.ts
+++ b/frontend/src/hooks/useAuthZ/utils.ts
@@ -1,8 +1,4 @@
-import {
-	AuthtypesTransactionDTO,
-	CoretypesTypeDTO,
-	AuthtypesRelationDTO,
-} from '../../api/generated/services/sigNoz.schemas';
+import { AuthtypesTransactionDTO } from '../../api/generated/services/sigNoz.schemas';
 import permissionsType from './permissions.type';
 import {
 	AuthZObject,
@@ -37,72 +33,36 @@ export function parsePermission(permission: BrandedPermission): {
 	return { relation: relation as AuthZRelation, object };
 }

-const kindsByType = permissionsType.data.resources.reduce(
+const resourceNameToType = permissionsType.data.resources.reduce(
 	(acc, r) => {
-		if (!acc[r.type]) {
-			acc[r.type] = new Set();
-		}
-		acc[r.type].add(r.kind);
+		acc[r.name] = r.type;
 		return acc;
 	},
-	{} as Record<string, Set<string>>,
+	{} as Record<ResourceName, ResourceType>,
 );

-function resolveType(
-	relation: AuthZRelation,
-	kind: string,
-): ResourceType | undefined {
-	const candidates: readonly string[] =
-		permissionsType.data.relations[relation] ?? [];
-	for (const t of candidates) {
-		if (kindsByType[t]?.has(kind)) {
-			return t as ResourceType;
-		}
-	}
-	return undefined;
-}
-
-function splitObjectString(objectStr: string): {
-	resourceName: string;
-	selector: string;
-} {
-	const idx = objectStr.indexOf(ObjectSeparator);
-	if (idx === -1) {
-		return { resourceName: objectStr, selector: '' };
-	}
-	return {
-		resourceName: objectStr.slice(0, idx),
-		selector: objectStr.slice(idx + 1),
-	};
-}
-
 export function permissionToTransactionDto(
 	permission: BrandedPermission,
 ): AuthtypesTransactionDTO {
 	const { relation, object: objectStr } = parsePermission(permission);
-	const directType = resolveType(relation, objectStr);
+	const directType = resourceNameToType[objectStr as ResourceName];
 	if (directType === 'metaresources') {
 		return {
-			relation: relation as AuthtypesRelationDTO,
+			relation,
 			object: {
-				resource: {
-					kind: objectStr as ResourceName,
-					type: directType as CoretypesTypeDTO,
-				},
+				resource: { name: objectStr, type: directType },
 				selector: '*',
 			},
 		};
 	}
-	const { resourceName, selector } = splitObjectString(objectStr);
-	const type = resolveType(relation, resourceName) ?? 'metaresource';
+	const [resourceName, selector] = objectStr.split(ObjectSeparator);
+	const type =
+		resourceNameToType[resourceName as ResourceName] ?? 'metaresource';

 	return {
-		relation: relation as AuthtypesRelationDTO,
+		relation,
 		object: {
-			resource: {
-				kind: resourceName as ResourceName,
-				type: type as CoretypesTypeDTO,
-			},
+			resource: { name: resourceName, type },
 			selector: selector || '*',
 		},
 	};
@@ -115,7 +75,7 @@ export function gettableTransactionToPermission(
 		relation,
 		object: { resource, selector },
 	} = item;
-	const resourceName = String(resource.kind);
+	const resourceName = String(resource.name);
 	const selectorStr = typeof selector === 'string' ? selector : '*';
 	const objectStr =
 		resource.type === 'metaresources'
--- a/frontend/src/lib/uPlotV2/plugins/TooltipPlugin/TooltipPlugin.tsx
+++ b/frontend/src/lib/uPlotV2/plugins/TooltipPlugin/TooltipPlugin.tsx
@@ -4,7 +4,6 @@ import cx from 'classnames';
 import uPlot from 'uplot';
 import logEvent from 'api/common/logEvent';

-import { syncCursorRegistry } from './syncCursorRegistry';
 import { createSyncDisplayHook } from './syncDisplayHook';
 import {
 	createInitialControllerState,
@@ -13,7 +12,6 @@ import {
 	createSetSeriesHandler,
 	getPlot,
 	isScrollEventInPlot,
-	shouldShowTooltipForSync,
 	updatePlotVisibility,
 	updateWindowSize,
 } from './tooltipController';
@@ -302,17 +300,49 @@ export default function TooltipPlugin({
 			}
 		};

-		// Returns false when the cursor is offscreen so the caller can bail
-		// without scheduling side effects.
-		function pinAtCursor(): boolean {
-			const plot = getPlot(controller);
-			if (!plot) {
-				return false;
+		// Handles all tooltip-pin keyboard interactions:
+		//   Escape  — always releases the tooltip when pinned (never steals Escape
+		//             from other handlers since we do not call stopPropagation).
+		//   pinKey  — toggles: pins when hovering+unpinned, unpins when pinned.
+		const handleKeyDown = (event: KeyboardEvent): void => {
+			// Escape: release-only (never toggles on).
+			if (event.key === 'Escape') {
+				if (controller.pinned) {
+					logEvent(Events.TOOLTIP_UNPINNED, {
+						id: config.getId(),
+					});
+					dismissTooltip();
+				}
+				return;
 			}
+
+			if (event.key.toLowerCase() !== pinKey.toLowerCase()) {
+				return;
+			}
+
+			// Toggle off: P pressed while already pinned.
+			if (controller.pinned) {
+				logEvent(Events.TOOLTIP_UNPINNED, {
+					id: config.getId(),
+				});
+				dismissTooltip();
+				return;
+			}
+
+			// Toggle on: P pressed while hovering.
+			const plot = getPlot(controller);
+			if (
+				!plot ||
+				!controller.hoverActive ||
+				controller.focusedSeriesIndex == null
+			) {
+				return;
+			}
+
 			const cursorLeft = plot.cursor.left ?? -1;
 			const cursorTop = plot.cursor.top ?? -1;
 			if (cursorLeft < 0 || cursorTop < 0) {
-				return false;
+				return;
 			}

 			const plotRect = plot.over.getBoundingClientRect();
@@ -330,71 +360,8 @@ export default function TooltipPlugin({
 				id: config.getId(),
 			});
 			scheduleRender(true);
-			return true;
-		}
-
-		// Escape always releases (never pins); pinKey toggles. Unpin fans out
-		// naturally — every pinned panel's document listener sees the same key
-		// event and dismisses itself — so only pinning needs a broadcast.
-		const handleKeyDown = (event: KeyboardEvent): void => {
-			if (event.key === 'Escape') {
-				if (controller.pinned) {
-					logEvent(Events.TOOLTIP_UNPINNED, {
-						id: config.getId(),
-					});
-					dismissTooltip();
-				}
-				return;
-			}
-
-			if (event.key.toLowerCase() !== pinKey.toLowerCase()) {
-				return;
-			}
-
-			if (controller.pinned) {
-				logEvent(Events.TOOLTIP_UNPINNED, {
-					id: config.getId(),
-				});
-				dismissTooltip();
-				return;
-			}
-
-			if (!controller.hoverActive || controller.focusedSeriesIndex == null) {
-				return;
-			}
-
-			if (!pinAtCursor()) {
-				return;
-			}
-
-			// Deferred to a macrotask so the same P keydown finishes dispatching
-			// to every panel's listener first. A microtask is not enough — those
-			// run between listener invocations, and once a receiver's `pinned`
-			// flips, its own listener takes the unpin branch on the same event.
-			if (syncTooltipWithDashboard) {
-				setTimeout(() => {
-					syncCursorRegistry.broadcastPin(syncKey);
-				}, 0);
-			}
 		};

-		// Skips the focusedSeriesIndex guard so single-series or no-overlap
-		// receivers still pin at the synced timestamp.
-		const handleSyncPinBroadcast = (): void => {
-			if (controller.pinned) {
-				return;
-			}
-			if (!shouldShowTooltipForSync(controller, syncTooltipWithDashboard)) {
-				return;
-			}
-			pinAtCursor();
-		};
-
-		const unsubscribeSyncPin =
-			syncTooltipWithDashboard && canPinTooltip
-				? syncCursorRegistry.subscribePin(syncKey, handleSyncPinBroadcast)
-				: null;
-
 		// Forward overlay clicks to the consumer-provided onClick callback.
 		const handleOverClick = (event: MouseEvent): void => {
 			const plot = getPlot(controller);
@@ -486,7 +453,6 @@ export default function TooltipPlugin({
 			removeSetLegendHook();
 			removeSetCursorHook();
 			removeSyncDisplayHook?.();
-			unsubscribeSyncPin?.();
 			if (overClickHandler) {
 				const plot = getPlot(controller);
 				plot?.over.removeEventListener('click', overClickHandler);
--- a/frontend/src/lib/uPlotV2/plugins/TooltipPlugin/syncCursorRegistry.ts
+++ b/frontend/src/lib/uPlotV2/plugins/TooltipPlugin/syncCursorRegistry.ts
@@ -17,9 +17,6 @@ const activeSeriesMetricBySyncKey = new Map<
 	Record<string, string> | null
 >();

-type SyncPinListener = () => void;
-const pinListenersBySyncKey = new Map<string, Set<SyncPinListener>>();
-
 export const syncCursorRegistry = {
 	setMetadata(syncKey: string, metadata: TooltipSyncMetadata | undefined): void {
 		metadataBySyncKey.set(syncKey, metadata);
@@ -39,20 +36,4 @@ export const syncCursorRegistry = {
 	getActiveSeriesMetric(syncKey: string): Record<string, string> | null {
 		return activeSeriesMetricBySyncKey.get(syncKey) ?? null;
 	},
-
-	subscribePin(syncKey: string, listener: SyncPinListener): () => void {
-		let listeners = pinListenersBySyncKey.get(syncKey);
-		if (!listeners) {
-			listeners = new Set();
-			pinListenersBySyncKey.set(syncKey, listeners);
-		}
-		listeners.add(listener);
-		return (): void => {
-			pinListenersBySyncKey.get(syncKey)?.delete(listener);
-		};
-	},
-
-	broadcastPin(syncKey: string): void {
-		pinListenersBySyncKey.get(syncKey)?.forEach((listener) => listener());
-	},
 };
--- a/frontend/src/modules/Servicemap/Map.tsx
+++ b/frontend/src/modules/Servicemap/Map.tsx
@@ -1,62 +0,0 @@
-/* eslint-disable  */
-//@ts-nocheck
-import { memo } from 'react';
-import ForceGraph2D from 'react-force-graph-2d';
-import { useIsDarkMode } from 'hooks/useDarkMode';
-
-import { getGraphData, getTooltip, transformLabel } from './utils';
-
-function ServiceMap({ fgRef, serviceMap }: any): JSX.Element {
-	const isDarkMode = useIsDarkMode();
-
-	const { nodes, links } = getGraphData(serviceMap, isDarkMode);
-
-	const graphData = { nodes, links };
-
-	let zoomLevel = 1;
-
-	return (
-		<ForceGraph2D
-			ref={fgRef}
-			cooldownTicks={100}
-			graphData={graphData}
-			linkLabel={getTooltip}
-			linkAutoColorBy={(d) => d.target}
-			linkDirectionalParticles="value"
-			linkDirectionalParticleSpeed={(d) => d.value}
-			nodeCanvasObject={(node, ctx) => {
-				const label = transformLabel(node.id, zoomLevel);
-				let { fontSize } = node;
-				fontSize = (fontSize * 3) / zoomLevel;
-				ctx.font = `${fontSize}px Roboto`;
-				const { width } = node;
-
-				ctx.fillStyle = node.color;
-				ctx.beginPath();
-				ctx.arc(node.x, node.y, width, 0, 2 * Math.PI, false);
-				ctx.fill();
-				ctx.textAlign = 'center';
-				ctx.textBaseline = 'middle';
-				ctx.fillStyle = isDarkMode ? '#ffffff' : '#000000';
-				ctx.fillText(label, node.x, node.y);
-			}}
-			onLinkHover={(node) => {
-				const tooltip = document.querySelector('.graph-tooltip');
-				if (tooltip && node) {
-					tooltip.innerHTML = getTooltip(node);
-				}
-			}}
-			onZoom={(zoom) => {
-				zoomLevel = zoom.k;
-			}}
-			nodePointerAreaPaint={(node, color, ctx) => {
-				ctx.fillStyle = color;
-				ctx.beginPath();
-				ctx.arc(node.x, node.y, 5, 0, 2 * Math.PI, false);
-				ctx.fill();
-			}}
-		/>
-	);
-}
-
-export default memo(ServiceMap);
--- a/frontend/src/modules/Servicemap/ServiceMap.tsx
+++ b/frontend/src/modules/Servicemap/ServiceMap.tsx
@@ -1,6 +1,6 @@
 //@ts-nocheck

-import { useEffect, useRef } from 'react';
+import { useEffect } from 'react';
 // eslint-disable-next-line no-restricted-imports
 import { connect } from 'react-redux';
 import { RouteComponentProps, withRouter } from 'react-router-dom';
@@ -16,27 +16,9 @@ import { AppState } from 'store/reducers';
 import styled from 'styled-components';
 import { GlobalTime } from 'types/actions/globalTime';

-import Map from './Map';
+import Map from './components/Map/Map';

-const Container = styled.div`
-	.force-graph-container {
-		overflow: scroll;
-	}
-
-	.force-graph-container .graph-tooltip {
-		background: black;
-		padding: 1px;
-		.keyval {
-			display: flex;
-			.key {
-				margin-right: 4px;
-			}
-			.val {
-				margin-left: auto;
-			}
-		}
-	}
-`;
+const Container = styled.div``;

 interface ServiceMapProps extends RouteComponentProps<any> {
 	serviceMap: ServiceMapStore;
@@ -48,7 +30,8 @@ interface ServiceMapProps extends RouteComponentProps<any> {
 }
 interface graphNode {
 	id: string;
-	group: number;
+	color: string;
+	name: string;
 }
 interface graphLink {
 	source: string;
@@ -64,8 +47,6 @@ export interface graphDataType {
 }

 function ServiceMap(props: ServiceMapProps): JSX.Element {
-	const fgRef = useRef();
-
 	const { getDetailedServiceMapItems, globalTime, serviceMap } = props;

 	const { queries } = useResourceAttribute();
@@ -78,10 +59,6 @@ function ServiceMap(props: ServiceMapProps): JSX.Element {
 		getDetailedServiceMapItems(globalTime, queries);
 	}, [globalTime, getDetailedServiceMapItems, queries]);

-	useEffect(() => {
-		fgRef.current && fgRef.current.d3Force('charge').strength(-400);
-	});
-
 	if (serviceMap.loading) {
 		return <Spinner size="large" tip="Loading..." />;
 	}
@@ -108,7 +85,7 @@ function ServiceMap(props: ServiceMapProps): JSX.Element {
 				}
 			/>

-			<Map fgRef={fgRef} serviceMap={serviceMap} />
+			<Map serviceMap={serviceMap} />
 		</div>
 	);
 }
--- a/frontend/src/modules/Servicemap/components/FlowEdge/FlowEdge.tsx
+++ b/frontend/src/modules/Servicemap/components/FlowEdge/FlowEdge.tsx
@@ -0,0 +1,89 @@
+import { BaseEdge, Edge, EdgeProps, getBezierPath } from '@xyflow/react';
+
+import { getParticleAnimation } from '../Map/Map.constants';
+
+export interface FlowEdgeData extends Record<string, unknown> {
+	p99: number;
+	callRate: number;
+	errorRate: number;
+	particleColor: string;
+	maxCallRate: number;
+}
+
+const DEFAULT_PARTICLE_COLOR = 'var(--accent-primary)';
+
+function FlowEdge({
+	id,
+	sourceX,
+	sourceY,
+	targetX,
+	targetY,
+	sourcePosition,
+	targetPosition,
+	style,
+	markerEnd,
+	data,
+}: EdgeProps<Edge<FlowEdgeData>>): JSX.Element {
+	const [edgePath] = getBezierPath({
+		sourceX,
+		sourceY,
+		targetX,
+		targetY,
+		sourcePosition,
+		targetPosition,
+	});
+
+	// Particles flow callee -> caller (child -> parent), opposite to the edge's
+	// source -> target direction. Computing a reversed bezier instead of just
+	// playing the same path backward keeps the curve handles correct on both
+	// ends and avoids relying on `keyPoints`/`calcMode` quirks.
+	const [particlePath] = getBezierPath({
+		sourceX: targetX,
+		sourceY: targetY,
+		targetX: sourceX,
+		targetY: sourceY,
+		sourcePosition: targetPosition,
+		targetPosition: sourcePosition,
+	});
+
+	const callRate = data?.callRate ?? 0;
+	const maxCallRate = data?.maxCallRate ?? 0;
+	const { particleCount, duration } = getParticleAnimation(
+		callRate,
+		maxCallRate,
+	);
+	const fill = data?.particleColor || DEFAULT_PARTICLE_COLOR;
+
+	// Stagger each particle's `begin` so they're evenly distributed around the
+	// loop; the result is a continuous moving stream rather than synchronized
+	// dots stacking on top of each other.
+	const particles = Array.from({ length: particleCount }, (_, i) => {
+		const offset = (duration * i) / particleCount;
+		return (
+			<circle
+				key={`${id}-p${i}`}
+				className="flow-edge__particle"
+				r={2.75}
+				fill={fill}
+				pointerEvents="none"
+			>
+				<animateMotion
+					dur={`${duration}s`}
+					begin={`-${offset.toFixed(3)}s`}
+					repeatCount="indefinite"
+					path={particlePath}
+					rotate="auto"
+				/>
+			</circle>
+		);
+	});
+
+	return (
+		<>
+			<BaseEdge id={id} path={edgePath} style={style} markerEnd={markerEnd} />
+			{particles}
+		</>
+	);
+}
+
+export default FlowEdge;
--- a/frontend/src/modules/Servicemap/components/LinkTooltip/LinkTooltip.module.scss
+++ b/frontend/src/modules/Servicemap/components/LinkTooltip/LinkTooltip.module.scss
@@ -0,0 +1,27 @@
+.tooltip {
+	position: fixed;
+	pointer-events: none;
+	z-index: 1000;
+	padding: 12px;
+	min-width: 160px;
+	font-size: 12px;
+	font-family: Inter, sans-serif;
+	border-radius: 4px;
+	box-shadow: 0 2px 8px rgba(0, 0, 0, 0.15);
+	color: var(--popover-foreground);
+	background: var(--popover);
+	border: 1px solid var(--secondary-border);
+}
+
+.row {
+	display: flex;
+	justify-content: space-between;
+}
+
+.label {
+	margin-right: 8px;
+}
+
+.value {
+	margin-left: auto;
+}
--- a/frontend/src/modules/Servicemap/components/LinkTooltip/LinkTooltip.tsx
+++ b/frontend/src/modules/Servicemap/components/LinkTooltip/LinkTooltip.tsx
@@ -0,0 +1,39 @@
+import styles from './LinkTooltip.module.scss';
+
+export interface LinkTooltipData {
+	p99: string | number;
+	callRate: string | number;
+	errorRate: string | number;
+}
+
+export interface LinkTooltipProps {
+	tooltip: LinkTooltipData;
+	x: number;
+	y: number;
+}
+
+const POINTER_OFFSET = 12;
+
+function LinkTooltip({ tooltip, x, y }: LinkTooltipProps): JSX.Element {
+	return (
+		<div
+			className={styles.tooltip}
+			style={{ top: y + POINTER_OFFSET, left: x + POINTER_OFFSET }}
+		>
+			<div className={styles.row}>
+				<span className={styles.label}>P99 latency:</span>
+				<span className={styles.value}>{tooltip.p99}ms</span>
+			</div>
+			<div className={styles.row}>
+				<span className={styles.label}>Request:</span>
+				<span className={styles.value}>{tooltip.callRate}/sec</span>
+			</div>
+			<div className={styles.row}>
+				<span className={styles.label}>Error Rate:</span>
+				<span className={styles.value}>{tooltip.errorRate}%</span>
+			</div>
+		</div>
+	);
+}
+
+export default LinkTooltip;
--- a/frontend/src/modules/Servicemap/components/Map/Map.constants.ts
+++ b/frontend/src/modules/Servicemap/components/Map/Map.constants.ts
@@ -0,0 +1,41 @@
+// Geometry of a service node as drawn on the map. The dagre layout uses a
+// taller bounding box (label + circle) than the circle itself, so the outer
+// height is exposed for the position centering calc.
+export const NODE_DIAMETER = 64;
+export const LABEL_HEIGHT = 18;
+export const NODE_LABEL_GAP = 6;
+export const NODE_OUTER_HEIGHT = NODE_DIAMETER + LABEL_HEIGHT + NODE_LABEL_GAP;
+
+// Per-edge animated stream of dots. Speed and particle count scale with the
+// edge's call rate *relative to the busiest edge in the current graph*, on a
+// log10 ladder. The busiest edge always pegs the fastest/most-dense
+// visualisation; the slowest gets a single drifting particle. This keeps the
+// stream legible whether the busiest service handles 5 req/sec or 5k.
+export const PARTICLE_FAST_SECS = 0.6;
+export const PARTICLE_SLOW_SECS = 5;
+export const MAX_PARTICLES = 8;
+
+// Compute particle count + per-loop duration for an edge's call rate, scaled
+// against the max call rate observed across the graph. Pure so it can be
+// unit-tested without rendering the edge.
+export function getParticleAnimation(
+	callRate: number,
+	maxCallRate: number,
+): { particleCount: number; duration: number } {
+	if (callRate <= 0) {
+		return { particleCount: 0, duration: PARTICLE_SLOW_SECS };
+	}
+	// Defensive: if a stale/zero max sneaks in, treat this edge as the max so
+	// `factor` stays in [0, 1] rather than going to Infinity or NaN.
+	const effectiveMax = Math.max(maxCallRate, callRate);
+	const logRate = Math.log10(callRate + 1);
+	const logMax = Math.log10(effectiveMax + 1);
+	const factor = logMax > 0 ? logRate / logMax : 1;
+	const duration =
+		PARTICLE_SLOW_SECS - factor * (PARTICLE_SLOW_SECS - PARTICLE_FAST_SECS);
+	const particleCount = Math.max(
+		1,
+		Math.min(MAX_PARTICLES, Math.ceil(factor * MAX_PARTICLES)),
+	);
+	return { particleCount, duration };
+}
--- a/frontend/src/modules/Servicemap/components/Map/Map.module.scss
+++ b/frontend/src/modules/Servicemap/components/Map/Map.module.scss
@@ -0,0 +1,21 @@
+.container {
+	width: 100%;
+	height: calc(100vh - 124px);
+	position: relative;
+	border: 1px solid var(--l3-border);
+	border-radius: 8px;
+	overflow: hidden;
+
+	// ReactFlow defaults edge pointer-events to `visibleStroke`, which means
+	// our thin dashed line only captures hover on the painted dash segments.
+	// Force `stroke` on the wide invisible interaction path so the entire edge
+	// length is hoverable for the tooltip.
+	:global(.react-flow__edge-interaction) {
+		pointer-events: stroke;
+		cursor: default;
+	}
+
+	:global(.react-flow__edge) {
+		pointer-events: stroke;
+	}
+}
--- a/frontend/src/modules/Servicemap/components/Map/Map.tsx
+++ b/frontend/src/modules/Servicemap/components/Map/Map.tsx
@@ -0,0 +1,185 @@
+import '@xyflow/react/dist/style.css';
+
+import { memo, useEffect, useMemo, useState } from 'react';
+import {
+	Background,
+	BackgroundVariant,
+	Controls,
+	Edge,
+	Node,
+	ReactFlow,
+	useEdgesState,
+	useNodesState,
+} from '@xyflow/react';
+
+import { useIsDarkMode } from 'hooks/useDarkMode';
+
+import FlowEdge, { FlowEdgeData } from '../FlowEdge/FlowEdge';
+import { NODE_DIAMETER, NODE_OUTER_HEIGHT } from './Map.constants';
+import styles from './Map.module.scss';
+import ServiceNode, { ServiceNodeData } from '../ServiceNode/ServiceNode';
+import LinkTooltip from '../LinkTooltip/LinkTooltip';
+import {
+	computeNodePositions,
+	getEdgeColor,
+	getGraphData,
+	getLinkTooltip,
+	LinkTooltip as LinkTooltipData,
+} from '../../utils';
+
+const nodeTypes = { service: ServiceNode };
+const edgeTypes = { flow: FlowEdge };
+
+const PARTICLE_COLOR = 'var(--l1-foreground)';
+const BG_COLOR = 'var(--l2-background)';
+
+const BASE_EDGE_STYLE = {
+	strokeWidth: 1.25,
+	strokeDasharray: '5 4',
+};
+interface HoverState {
+	tooltip: LinkTooltipData;
+	x: number;
+	y: number;
+}
+
+function ServiceMap({ serviceMap }: any): JSX.Element {
+	const isDarkMode = useIsDarkMode();
+	const [hovered, setHovered] = useState<HoverState | null>(null);
+
+	const { nodes: rawNodes, links } = useMemo(
+		() => getGraphData(serviceMap, isDarkMode),
+		[serviceMap, isDarkMode],
+	);
+
+	const positions = useMemo(
+		() => computeNodePositions(rawNodes, links),
+		[rawNodes, links],
+	);
+
+	const initialNodes: Node<ServiceNodeData>[] = useMemo(
+		() =>
+			rawNodes.map((node) => {
+				const center = positions[node.id] ?? { x: 0, y: 0 };
+				return {
+					id: node.id,
+					type: 'service',
+					// `position` is the top-left of the node bounding box; centre the
+					// circle on the simulated coordinate.
+					position: {
+						x: center.x - NODE_DIAMETER / 2,
+						y: center.y - NODE_OUTER_HEIGHT / 2,
+					},
+					data: { label: node.id, color: node.color },
+					draggable: true,
+					selectable: false,
+				};
+			}),
+		[rawNodes, positions],
+	);
+
+	// Particle visualisation is scaled relative to the busiest edge in the
+	// current graph, so each render of the edge layer needs the per-graph max.
+	const maxCallRate = useMemo(
+		() => links.reduce((max, link) => Math.max(max, link.callRate ?? 0), 0),
+		[links],
+	);
+
+	const initialEdges: Edge<FlowEdgeData>[] = useMemo(
+		() =>
+			links.map((link, i) => ({
+				id: `${link.source}->${link.target}-${i}`,
+				source: link.source,
+				target: link.target,
+				type: 'flow',
+				data: {
+					p99: link.p99,
+					callRate: link.callRate,
+					errorRate: link.errorRate,
+					particleColor: PARTICLE_COLOR,
+					maxCallRate,
+				},
+				// markerEnd: EDGE_MARKER,
+				// Stroke is hashed off the target so edges sharing a destination read
+				// as a single visual fan-in (matches the pre-rewrite behaviour).
+				style: { ...BASE_EDGE_STYLE, stroke: getEdgeColor(link.target) },
+			})),
+		[links, maxCallRate],
+	);
+
+	const [flowNodes, setFlowNodes, onNodesChange] =
+		useNodesState<Node<ServiceNodeData>>(initialNodes);
+	const [flowEdges, setFlowEdges, onEdgesChange] =
+		useEdgesState<Edge<FlowEdgeData>>(initialEdges);
+
+	// Reset internal node/edge state when the source graph changes (filters,
+	// time range, theme). User drag positions during a stable graph are kept.
+	useEffect(() => {
+		setFlowNodes(initialNodes);
+	}, [initialNodes, setFlowNodes]);
+
+	useEffect(() => {
+		setFlowEdges(initialEdges);
+	}, [initialEdges, setFlowEdges]);
+
+	const handleEdgeMouseEnter = (event: React.MouseEvent, edge: Edge): void => {
+		setHovered({
+			tooltip: getLinkTooltip(edge.data as any),
+			x: event.clientX,
+			y: event.clientY,
+		});
+	};
+
+	const handleEdgeMouseMove = (event: React.MouseEvent, edge: Edge): void => {
+		setHovered((prev) =>
+			prev
+				? { ...prev, x: event.clientX, y: event.clientY }
+				: {
+						tooltip: getLinkTooltip(edge.data as any),
+						x: event.clientX,
+						y: event.clientY,
+					},
+		);
+	};
+
+	const handleEdgeMouseLeave = (): void => {
+		setHovered(null);
+	};
+
+	return (
+		<div className={styles.container}>
+			<ReactFlow
+				nodes={flowNodes}
+				edges={flowEdges}
+				onNodesChange={onNodesChange}
+				onEdgesChange={onEdgesChange}
+				nodeTypes={nodeTypes}
+				edgeTypes={edgeTypes}
+				fitView
+				minZoom={0.2}
+				maxZoom={4}
+				nodesDraggable
+				nodesConnectable={false}
+				elementsSelectable={false}
+				proOptions={{ hideAttribution: true }}
+				colorMode={isDarkMode ? 'dark' : 'light'}
+				onEdgeMouseEnter={handleEdgeMouseEnter}
+				onEdgeMouseMove={handleEdgeMouseMove}
+				onEdgeMouseLeave={handleEdgeMouseLeave}
+			>
+				<Background
+					bgColor={BG_COLOR}
+					variant={BackgroundVariant.Dots}
+					gap={24}
+					size={1}
+				/>
+				<Controls showInteractive={false} />
+			</ReactFlow>
+			{hovered && (
+				<LinkTooltip tooltip={hovered.tooltip} x={hovered.x} y={hovered.y} />
+			)}
+		</div>
+	);
+}
+
+export default memo(ServiceMap);
--- a/frontend/src/modules/Servicemap/components/ServiceNode/ServiceNode.module.scss
+++ b/frontend/src/modules/Servicemap/components/ServiceNode/ServiceNode.module.scss
@@ -0,0 +1,39 @@
+.node {
+	display: flex;
+	flex-direction: column;
+	align-items: center;
+	overflow: visible;
+}
+
+.circle {
+	border-radius: 50%;
+	border: 1px solid var(--l3-border);
+	box-sizing: border-box;
+	position: relative;
+	display: flex;
+	align-items: center;
+	justify-content: center;
+	color: var(--l1-foreground);
+}
+
+.handle {
+	opacity: 0;
+	width: 1px;
+	height: 1px;
+	pointer-events: none;
+	border: none;
+}
+
+.label {
+	margin-top: 6px;
+	max-width: 120px;
+	font-size: 12px;
+	line-height: 14px;
+	text-align: center;
+	color: var(--l1-foreground);
+	font-family: Inter, sans-serif;
+	white-space: nowrap;
+	overflow: hidden;
+	text-overflow: ellipsis;
+	user-select: none;
+}
--- a/frontend/src/modules/Servicemap/components/ServiceNode/ServiceNode.tsx
+++ b/frontend/src/modules/Servicemap/components/ServiceNode/ServiceNode.tsx
@@ -0,0 +1,38 @@
+import { Handle, Node, NodeProps, Position } from '@xyflow/react';
+import { Cpu } from 'lucide-react';
+
+import { NODE_DIAMETER } from '../Map/Map.constants';
+import styles from './ServiceNode.module.scss';
+
+// Icon takes ~35% of the circle diameter — large enough to read at typical
+// zoom, small enough to leave the colored ring visible as the health signal.
+const ICON_SIZE = Math.round(NODE_DIAMETER * 0.35);
+
+export interface ServiceNodeData extends Record<string, unknown> {
+	label: string;
+	color: string;
+}
+
+function ServiceNode({ data }: NodeProps<Node<ServiceNodeData>>): JSX.Element {
+	return (
+		<div className={styles.node}>
+			<div
+				className={styles.circle}
+				style={{
+					width: NODE_DIAMETER,
+					height: NODE_DIAMETER,
+					background: data.color,
+				}}
+			>
+				<Cpu size={ICON_SIZE} strokeWidth={1.5} aria-hidden />
+				<Handle type="target" position={Position.Left} className={styles.handle} />
+				<Handle type="source" position={Position.Right} className={styles.handle} />
+			</div>
+			<div className={styles.label} title={data.label}>
+				{data.label}
+			</div>
+		</div>
+	);
+}
+
+export default ServiceNode;
--- a/frontend/src/modules/Servicemap/components/tests/FlowEdge.test.tsx
+++ b/frontend/src/modules/Servicemap/components/tests/FlowEdge.test.tsx
@@ -0,0 +1,185 @@
+import { Position } from '@xyflow/react';
+import { render } from '@testing-library/react';
+
+import FlowEdge, { FlowEdgeData } from '../FlowEdge/FlowEdge';
+
+// Stub BaseEdge / getBezierPath so assertions don't depend on the internal
+// path geometry — we only care that FlowEdge wires its inputs through and
+// renders the right number of particles for the given call rate.
+jest.mock('@xyflow/react', () => {
+	const actual = jest.requireActual('@xyflow/react');
+	return {
+		...actual,
+		BaseEdge: ({
+			id,
+			path,
+			style,
+			markerEnd,
+		}: {
+			id: string;
+			path: string;
+			style?: React.CSSProperties;
+			markerEnd?: string;
+		}): JSX.Element => (
+			<path
+				data-testid="base-edge"
+				data-id={id}
+				data-path={path}
+				data-marker-end={markerEnd ?? ''}
+				style={style}
+			/>
+		),
+		// Encode the inputs into the returned path so tests can distinguish
+		// between the forward edge path and the reversed particle path.
+		getBezierPath: ({
+			sourceX,
+			sourceY,
+			targetX,
+			targetY,
+		}: {
+			sourceX: number;
+			sourceY: number;
+			targetX: number;
+			targetY: number;
+		}): [string, number, number, number, number] => [
+			`M${sourceX},${sourceY} L${targetX},${targetY}`,
+			(sourceX + targetX) / 2,
+			(sourceY + targetY) / 2,
+			0,
+			0,
+		],
+	};
+});
+
+const baseEdgeProps = {
+	id: 'edge-1',
+	source: 'a',
+	target: 'b',
+	sourceX: 0,
+	sourceY: 0,
+	targetX: 100,
+	targetY: 0,
+	sourcePosition: Position.Right,
+	targetPosition: Position.Left,
+	style: { stroke: '#000' },
+	markerEnd: 'url(#arrow)',
+} as const;
+
+function renderEdge(data: FlowEdgeData | undefined): ReturnType<typeof render> {
+	return render(<FlowEdge {...(baseEdgeProps as any)} data={data} />);
+}
+
+const SAMPLE_DATA: FlowEdgeData = {
+	p99: 1000000,
+	callRate: 25,
+	errorRate: 0,
+	particleColor: 'rgb(0, 200, 0)',
+	maxCallRate: 1000,
+};
+
+describe('FlowEdge', () => {
+	it('forwards id, path, style, and markerEnd to BaseEdge', () => {
+		const { getByTestId } = renderEdge(SAMPLE_DATA);
+
+		const baseEdge = getByTestId('base-edge');
+		expect(baseEdge).toHaveAttribute('data-id', 'edge-1');
+		// BaseEdge gets the forward path (source -> target).
+		expect(baseEdge).toHaveAttribute('data-path', 'M0,0 L100,0');
+		expect(baseEdge).toHaveAttribute('data-marker-end', 'url(#arrow)');
+		expect(baseEdge).toHaveStyle({ stroke: '#000' });
+	});
+
+	it('renders no particles when callRate is zero', () => {
+		const { container } = renderEdge({ ...SAMPLE_DATA, callRate: 0 });
+
+		expect(container.querySelectorAll('circle')).toHaveLength(0);
+	});
+
+	it('renders no particles when data is missing', () => {
+		const { container } = renderEdge(undefined);
+
+		expect(container.querySelectorAll('circle')).toHaveLength(0);
+	});
+
+	it('renders multiple staggered particles for mid-range traffic', () => {
+		// callRate=25 against maxCallRate=1000:
+		//   factor = log10(26) / log10(1001) ≈ 0.4716
+		//   particleCount = ceil(0.4716 * 8) = 4
+		const { container } = renderEdge({
+			...SAMPLE_DATA,
+			callRate: 25,
+			maxCallRate: 1000,
+		});
+
+		const circles = container.querySelectorAll('circle');
+		expect(circles).toHaveLength(4);
+
+		// Each particle's animateMotion `begin` should be a distinct negative
+		// offset; identical offsets would stack particles on top of each other.
+		const begins = Array.from(container.querySelectorAll('animateMotion')).map(
+			(el) => el.getAttribute('begin'),
+		);
+		expect(new Set(begins).size).toBe(begins.length);
+		begins.forEach((begin) => {
+			expect(begin).toMatch(/^-\d+\.\d{3}s$/);
+		});
+	});
+
+	it('saturates at MAX_PARTICLES (8) when the edge is the busiest in the graph', () => {
+		// Relative scaling: whichever absolute rate is the max pegs at 8.
+		const { container } = renderEdge({
+			...SAMPLE_DATA,
+			callRate: 50,
+			maxCallRate: 50,
+		});
+
+		expect(container.querySelectorAll('circle')).toHaveLength(8);
+	});
+
+	it('uses data.particleColor as the particle fill', () => {
+		const { container } = renderEdge({
+			...SAMPLE_DATA,
+			callRate: 5,
+			particleColor: 'rgb(123, 45, 67)',
+		});
+
+		const circle = container.querySelector('circle');
+		expect(circle).toHaveAttribute('fill', 'rgb(123, 45, 67)');
+	});
+
+	it('falls back to the default particle color when particleColor is empty', () => {
+		const { container } = renderEdge({
+			...SAMPLE_DATA,
+			callRate: 5,
+			particleColor: '',
+		});
+
+		const circle = container.querySelector('circle');
+		expect(circle).toHaveAttribute('fill', 'var(--accent-primary)');
+	});
+
+	it('marks particles as non-interactive so they do not show a grab cursor', () => {
+		// Without pointer-events:none, react-flow's edge layer cursor (grab)
+		// cascades onto the SVG circles. Particles are decorative.
+		const { container } = renderEdge({ ...SAMPLE_DATA, callRate: 5 });
+
+		const circles = container.querySelectorAll('circle');
+		expect(circles.length).toBeGreaterThan(0);
+		circles.forEach((circle) => {
+			expect(circle).toHaveAttribute('pointer-events', 'none');
+		});
+	});
+
+	it('animates particles along the reversed path so they flow callee -> caller', () => {
+		// Edge goes (0,0) -> (100,0) but particles must travel back the other
+		// way to visualise the call-graph response direction.
+		const { container } = renderEdge({ ...SAMPLE_DATA, callRate: 5 });
+
+		const motions = container.querySelectorAll('animateMotion');
+		expect(motions.length).toBeGreaterThan(0);
+		motions.forEach((el) => {
+			expect(el).toHaveAttribute('path', 'M100,0 L0,0');
+			expect(el).toHaveAttribute('repeatCount', 'indefinite');
+		});
+	});
+});
--- a/frontend/src/modules/Servicemap/components/tests/LinkTooltip.test.tsx
+++ b/frontend/src/modules/Servicemap/components/tests/LinkTooltip.test.tsx
@@ -0,0 +1,58 @@
+import { render, screen } from '@testing-library/react';
+
+import LinkTooltip, { LinkTooltipData } from '../LinkTooltip/LinkTooltip';
+
+const baseTooltip: LinkTooltipData = {
+	p99: 12.34,
+	callRate: 5.6,
+	errorRate: 0.1,
+};
+
+describe('LinkTooltip', () => {
+	it('renders p99, request, and error rate rows with their suffixes', () => {
+		render(<LinkTooltip tooltip={baseTooltip} x={0} y={0} />);
+
+		expect(screen.getByText('P99 latency:')).toBeInTheDocument();
+		expect(screen.getByText('12.34ms')).toBeInTheDocument();
+
+		expect(screen.getByText('Request:')).toBeInTheDocument();
+		expect(screen.getByText('5.6/sec')).toBeInTheDocument();
+
+		expect(screen.getByText('Error Rate:')).toBeInTheDocument();
+		expect(screen.getByText('0.1%')).toBeInTheDocument();
+	});
+
+	it('renders string-typed metric values verbatim', () => {
+		render(
+			<LinkTooltip
+				tooltip={{ p99: '0', callRate: '0', errorRate: '0' }}
+				x={0}
+				y={0}
+			/>,
+		);
+
+		expect(screen.getByText('0ms')).toBeInTheDocument();
+		expect(screen.getByText('0/sec')).toBeInTheDocument();
+		expect(screen.getByText('0%')).toBeInTheDocument();
+	});
+
+	it('positions itself offset from the cursor coordinates', () => {
+		const { container } = render(
+			<LinkTooltip tooltip={baseTooltip} x={100} y={200} />,
+		);
+
+		// POINTER_OFFSET is 12 in the component; the tooltip should sit at
+		// (x + 12, y + 12) so it does not occlude the hovered edge segment.
+		const tooltip = container.firstChild as HTMLElement;
+		expect(tooltip).toHaveStyle({ top: '212px', left: '112px' });
+	});
+
+	it('handles negative coordinates without breaking the offset math', () => {
+		const { container } = render(
+			<LinkTooltip tooltip={baseTooltip} x={-50} y={-30} />,
+		);
+
+		const tooltip = container.firstChild as HTMLElement;
+		expect(tooltip).toHaveStyle({ top: '-18px', left: '-38px' });
+	});
+});
--- a/frontend/src/modules/Servicemap/components/tests/Map.constants.test.ts
+++ b/frontend/src/modules/Servicemap/components/tests/Map.constants.test.ts
@@ -0,0 +1,91 @@
+import {
+	getParticleAnimation,
+	MAX_PARTICLES,
+	PARTICLE_FAST_SECS,
+	PARTICLE_SLOW_SECS,
+} from '../Map/Map.constants';
+
+describe('getParticleAnimation', () => {
+	it('returns zero particles and the slow duration for non-positive call rates', () => {
+		expect(getParticleAnimation(0, 1000)).toStrictEqual({
+			particleCount: 0,
+			duration: PARTICLE_SLOW_SECS,
+		});
+		expect(getParticleAnimation(-5, 1000)).toStrictEqual({
+			particleCount: 0,
+			duration: PARTICLE_SLOW_SECS,
+		});
+	});
+
+	it('produces at least one particle for any positive call rate', () => {
+		expect(getParticleAnimation(0.1, 1000).particleCount).toBeGreaterThanOrEqual(
+			1,
+		);
+		expect(getParticleAnimation(1, 1000).particleCount).toBeGreaterThanOrEqual(1);
+	});
+
+	it('saturates at MAX_PARTICLES and PARTICLE_FAST_SECS when callRate equals max', () => {
+		// Whatever the absolute scale, the busiest edge should peg the
+		// visualisation — that's the point of the relative scaling.
+		const EPS = 1e-9;
+		[5, 50, 500, 5_000, 1_000_000].forEach((rate) => {
+			const { particleCount, duration } = getParticleAnimation(rate, rate);
+			expect(particleCount).toBe(MAX_PARTICLES);
+			expect(duration).toBeGreaterThanOrEqual(PARTICLE_FAST_SECS - EPS);
+			expect(duration).toBeLessThanOrEqual(PARTICLE_FAST_SECS + EPS);
+		});
+	});
+
+	it('caps particleCount at MAX_PARTICLES even if max is stale or zero', () => {
+		// Defensive: if max somehow lags behind callRate, factor still clamps to 1.
+		expect(getParticleAnimation(1000, 0).particleCount).toBe(MAX_PARTICLES);
+		expect(getParticleAnimation(1000, 100).particleCount).toBe(MAX_PARTICLES);
+	});
+
+	it('produces different particle counts for the same callRate at different scales', () => {
+		// 50 req/sec is "busy" in a 50-max graph but "trickle" in a 5k-max graph.
+		const busy = getParticleAnimation(50, 50);
+		const trickle = getParticleAnimation(50, 5000);
+		expect(busy.particleCount).toBeGreaterThan(trickle.particleCount);
+		expect(busy.duration).toBeLessThan(trickle.duration);
+	});
+
+	it('monotonically increases particle count as rate climbs toward max', () => {
+		const max = 5000;
+		const rates = [0.5, 5, 50, 500, max];
+		const counts = rates.map((r) => getParticleAnimation(r, max).particleCount);
+		for (let i = 1; i < counts.length; i += 1) {
+			expect(counts[i]).toBeGreaterThanOrEqual(counts[i - 1]);
+		}
+	});
+
+	it('monotonically decreases per-loop duration as rate climbs toward max', () => {
+		const max = 5000;
+		const rates = [0.5, 5, 50, 500, max];
+		const durations = rates.map((r) => getParticleAnimation(r, max).duration);
+		for (let i = 1; i < durations.length; i += 1) {
+			expect(durations[i]).toBeLessThanOrEqual(durations[i - 1]);
+		}
+	});
+
+	it('keeps duration bounded between PARTICLE_FAST_SECS and PARTICLE_SLOW_SECS', () => {
+		// At saturation the formula computes to PARTICLE_FAST_SECS up to
+		// floating-point error (~1e-16), so allow a small epsilon.
+		const EPS = 1e-9;
+		const cases: Array<[number, number]> = [
+			[0, 1000],
+			[0.01, 1000],
+			[1, 1000],
+			[10, 1000],
+			[100, 1000],
+			[1000, 1000],
+			[1000, 0], // defensive max
+			[1_000_000, 1_000_000],
+		];
+		cases.forEach(([rate, max]) => {
+			const { duration } = getParticleAnimation(rate, max);
+			expect(duration).toBeGreaterThanOrEqual(PARTICLE_FAST_SECS - EPS);
+			expect(duration).toBeLessThanOrEqual(PARTICLE_SLOW_SECS + EPS);
+		});
+	});
+});
--- a/frontend/src/modules/Servicemap/components/tests/ServiceNode.test.tsx
+++ b/frontend/src/modules/Servicemap/components/tests/ServiceNode.test.tsx
@@ -0,0 +1,93 @@
+import { render, screen } from '@testing-library/react';
+
+import ServiceNode from '../ServiceNode/ServiceNode';
+import { NODE_DIAMETER } from '../Map/Map.constants';
+
+// `Handle` requires a ReactFlowProvider to mount. We don't exercise its
+// connection logic from this component, so a stub keeps the test isolated to
+// ServiceNode's own rendering responsibilities.
+jest.mock('@xyflow/react', () => {
+	const actual = jest.requireActual('@xyflow/react');
+	return {
+		...actual,
+		Handle: ({
+			type,
+			position,
+		}: {
+			type: string;
+			position: string;
+		}): JSX.Element => (
+			<div data-testid={`handle-${type}`} data-position={position} />
+		),
+	};
+});
+
+const baseNodeProps = {
+	id: 'frontend',
+	type: 'service',
+	dragging: false,
+	isConnectable: true,
+	positionAbsoluteX: 0,
+	positionAbsoluteY: 0,
+	zIndex: 0,
+	selectable: false,
+	deletable: false,
+	draggable: true,
+	selected: false,
+} as const;
+
+function renderNode(data: {
+	label: string;
+	color: string;
+}): ReturnType<typeof render> {
+	return render(<ServiceNode {...(baseNodeProps as any)} data={data} />);
+}
+
+describe('ServiceNode', () => {
+	it('renders the label text from data', () => {
+		renderNode({ label: 'checkout-service', color: 'red' });
+
+		expect(screen.getByText('checkout-service')).toBeInTheDocument();
+	});
+
+	it('exposes the label as a title attribute for full-name hover-disclosure', () => {
+		// The visible label is truncated for layout, so the full service name is
+		// surfaced via title — assert the attribute round-trips data.label.
+		renderNode({
+			label: 'a-very-long-service-name-that-truncates',
+			color: 'red',
+		});
+
+		const label = screen.getByText('a-very-long-service-name-that-truncates');
+		expect(label).toHaveAttribute(
+			'title',
+			'a-very-long-service-name-that-truncates',
+		);
+	});
+
+	it('applies data.color as the circle background and uses the configured diameter', () => {
+		// All nodes render at NODE_DIAMETER — there is no per-node sizing.
+		const { container } = renderNode({
+			label: 'frontend',
+			color: 'rgb(255, 0, 0)',
+		});
+
+		const wrapper = container.firstChild as HTMLElement;
+		const circle = wrapper.firstChild as HTMLElement;
+		expect(circle).toHaveStyle({
+			background: 'rgb(255, 0, 0)',
+			width: `${NODE_DIAMETER}px`,
+			height: `${NODE_DIAMETER}px`,
+		});
+	});
+
+	it('renders a target handle on the left and a source handle on the right', () => {
+		renderNode({ label: 'frontend', color: 'red' });
+
+		const target = screen.getByTestId('handle-target');
+		const source = screen.getByTestId('handle-source');
+
+		expect(target).toHaveAttribute('data-position', 'left');
+		expect(source).toHaveAttribute('data-position', 'right');
+	});
+});
--- a/frontend/src/modules/Servicemap/utils.ts
+++ b/frontend/src/modules/Servicemap/utils.ts
@@ -1,5 +1,8 @@
 //@ts-nocheck

+import dagre from '@dagrejs/dagre';
+import { themeColors } from 'constants/theme';
+import { generateColor } from 'lib/uPlotLib/utils/generateColor';
 import {
 	cloneDeep,
 	find,
@@ -12,27 +15,7 @@ import {

 import { graphDataType } from './ServiceMap';

-const MIN_WIDTH = 10;
-const MAX_WIDTH = 20;
-const DEFAULT_FONT_SIZE = 6;
-
-export const getDimensions = (
-	num: number,
-	highest: number,
-): {
-	fontSize: number;
-	width: number;
-} => {
-	const percentage = (num / highest) * 100;
-	const width = (percentage * (MAX_WIDTH - MIN_WIDTH)) / 100 + MIN_WIDTH;
-	const fontSize = DEFAULT_FONT_SIZE;
-	return {
-		fontSize,
-		width,
-	};
-};
-
-export const getGraphData = (serviceMap, isDarkMode): graphDataType => {
+export const getGraphData = (serviceMap, _isDarkMode): graphDataType => {
 	const { items } = serviceMap;
 	const services = Object.values(groupBy(items, 'child')).map((e) => {
 		return {
@@ -42,7 +25,6 @@ export const getGraphData = (serviceMap, isDarkMode): graphDataType => {
 		};
 	});
 	const highestCallCount = maxBy(items, (e) => e?.callCount)?.callCount;
-	const highestCallRate = maxBy(services, (e) => e?.callRate)?.callRate;

 	const divNum = Number(
 		String(1).padEnd(highestCallCount.toString().length, '0'),
@@ -62,31 +44,19 @@ export const getGraphData = (serviceMap, isDarkMode): graphDataType => {
 	const uniqParent = uniqBy(cloneDeep(items), 'parent').map((e) => e.parent);
 	const uniqChild = uniqBy(cloneDeep(items), 'child').map((e) => e.child);
 	const uniqNodes = uniq([...uniqParent, ...uniqChild]);
-	const nodes = uniqNodes.map((node, i) => {
+	// Semantic tokens auto-flip with theme; passed as CSS variable strings so
+	// the consuming component can apply them directly via `style.background`.
+	const HEALTHY_COLOR = 'var(--l3-background)';
+	const ERROR_COLOR = 'var(--danger-background)';
+	const nodes = uniqNodes.map((node) => {
 		const service = find(services, (service) => service.serviceName === node);
-		let color = isDarkMode ? '#7CA568' : '#D5F2BB';
-		if (!service) {
-			return {
-				id: node,
-				group: i + 1,
-				fontSize: DEFAULT_FONT_SIZE,
-				width: MIN_WIDTH,
-				color,
-				nodeVal: MIN_WIDTH,
-				name: node,
-			};
+		let color = HEALTHY_COLOR;
+		if (service && service.errorRate > 0) {
+			color = ERROR_COLOR;
 		}
-		if (service.errorRate > 0) {
-			color = isDarkMode ? '#DB836E' : '#F98989';
-		}
-		const { fontSize, width } = getDimensions(service.callRate, highestCallRate);
 		return {
 			id: node,
-			group: i + 1,
-			fontSize,
-			width,
 			color,
-			nodeVal: width,
 			name: node,
 		};
 	});
@@ -96,20 +66,6 @@ export const getGraphData = (serviceMap, isDarkMode): graphDataType => {
 	};
 };

-export const getZoomPx = (): number => {
-	const { width } = window.screen;
-	if (width < 1400) {
-		return 190;
-	}
-	if (width > 1400 && width < 1700) {
-		return 380;
-	}
-	if (width > 1700) {
-		return 470;
-	}
-	return 190;
-};
-
 const getRound2DigitsAfterDecimal = (num: number): number => {
 	if (num === 0) {
 		return 0;
@@ -117,27 +73,28 @@ const getRound2DigitsAfterDecimal = (num: number): number => {
 	return num.toFixed(20).match(/^-?\d*\.?0*\d{0,2}/)[0];
 };

-export const getTooltip = (link: {
+export interface LinkTooltip {
+	p99: string | number;
+	callRate: string | number;
+	errorRate: string | number;
+}
+
+export const getLinkTooltip = (link: {
 	p99: number;
 	errorRate: number;
 	callRate: number;
-	id: string;
-}): string => {
-	return `<div style="color:#333333;padding:12px;background: white;border-radius: 2px;">
-								<div class="keyval">
-									<div class="key">P99 latency:</div>
-									<div class="val">${getRound2DigitsAfterDecimal(link.p99 / 1000000)}ms</div>
-								</div>
-								<div class="keyval">
-									<div class="key">Request:</div>
-									<div class="val">${getRound2DigitsAfterDecimal(link.callRate)}/sec</div>
-								</div>
-								<div class="keyval">
-									<div class="key">Error Rate:</div>
-									<div class="val">${getRound2DigitsAfterDecimal(link.errorRate)}%</div>
-								</div>
-							</div>`;
-};
+}): LinkTooltip => ({
+	p99: getRound2DigitsAfterDecimal(link.p99 / 1000000),
+	callRate: getRound2DigitsAfterDecimal(link.callRate),
+	errorRate: getRound2DigitsAfterDecimal(link.errorRate),
+});
+
+// Edges share a color with every other edge pointing at the same destination
+// service (mirrors the original `linkAutoColorBy={(d) => d.target}` behaviour).
+// Hashing onto the existing chart palette keeps it visually consistent with
+// the rest of the app and stable across renders for a given target id.
+export const getEdgeColor = (targetId: string): string =>
+	generateColor(targetId, themeColors.chartcolors);

 export const transformLabel = (label: string, zoomLevel: number): string => {
 	//? 13 is the minimum label length. Scaling factor of 0.9 which is slightly less than 1
@@ -150,3 +107,51 @@ export const transformLabel = (label: string, zoomLevel: number): string => {
 	}
 	return label;
 };
+
+// Layered DAG layout via dagre. For service maps the data flows
+// caller -> callee, so a left-to-right rank direction reads naturally and
+// minimises edge crossings vs. a force-directed simulation.
+//
+// `nodeBoxWidth` reserves space for the label rendered below each circle —
+// the visible label can be up to ~120px wide, so dagre needs to know that
+// horizontally adjacent ranks must keep that distance.
+export const computeNodePositions = (
+	nodes: { id: string }[],
+	links: { source: string; target: string }[],
+	nodeBoxWidth = 130,
+	nodeBoxHeight = 100,
+): Record<string, { x: number; y: number }> => {
+	const result: Record<string, { x: number; y: number }> = {};
+	if (nodes.length === 0) {
+		return result;
+	}
+
+	const g = new dagre.graphlib.Graph({ multigraph: true, compound: false });
+	g.setGraph({
+		rankdir: 'LR',
+		nodesep: 40,
+		ranksep: 90,
+		marginx: 40,
+		marginy: 40,
+	});
+	g.setDefaultEdgeLabel(() => ({}));
+
+	nodes.forEach((node) => {
+		g.setNode(node.id, { width: nodeBoxWidth, height: nodeBoxHeight });
+	});
+	links.forEach((link, i) => {
+		// `name` makes parallel edges (same source+target, different metrics)
+		// safe under multigraph mode.
+		g.setEdge(link.source, link.target, {}, `${link.source}-${link.target}-${i}`);
+	});
+
+	dagre.layout(g);
+
+	nodes.forEach((node) => {
+		const laidOut = g.node(node.id);
+		if (laidOut) {
+			result[node.id] = { x: laidOut.x, y: laidOut.y };
+		}
+	});
+	return result;
+};
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -2953,6 +2953,18 @@
  resolved "https://registry.yarnpkg.com/@ctrl/tinycolor/-/tinycolor-3.6.1.tgz#b6c75a56a1947cc916ea058772d666a2c8932f31"
  integrity sha512-SITSV6aIXsuVNV3f3O0f2n/cgyEDWoSqtZMYiAmcsYHydcKrOz3gUxB/iXd/Qf08+IZX4KpgNbvUdMBmWz+kcA==

+"@dagrejs/dagre@3.0.0":
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/@dagrejs/dagre/-/dagre-3.0.0.tgz#543f20188f7494db0f45d634f7b3760747f87f23"
+  integrity sha512-ZzhnTy1rfuoew9Ez3EIw4L2znPGnYYhfn8vc9c4oB8iw6QAsszbiU0vRhlxWPFnmmNSFAkrYeF1PhM5m4lAN0Q==
+  dependencies:
+    "@dagrejs/graphlib" "4.0.1"
+
+"@dagrejs/graphlib@4.0.1":
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/@dagrejs/graphlib/-/graphlib-4.0.1.tgz#a9cf907cc5ddf9140a64360ad487766f17d1ee36"
+  integrity sha512-IvcV6FduIIAmLwnH+yun+QtV36SC7mERqa86aClNqmMN09WhmPPYU8ckHrZBozErf+UvHPWOTJYaGYiIcs0DgA==
+
 "@date-fns/tz@^1.4.1":
  version "1.4.1"
  resolved "https://registry.yarnpkg.com/@date-fns/tz/-/tz-1.4.1.tgz#2d905f282304630e07bef6d02d2e7dbf3f0cc4e4"
@@ -6002,11 +6014,6 @@
  resolved "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.3.tgz"
  integrity sha512-yOlFc+7UtL/89t2ZhjPvvB/DeAr3r+Dq58IgzsFkOAvVC6NMJXmCGjbptdXdR9qsX7pKcTL+s87FtYREi2dEEQ==

-"@tweenjs/tween.js@18 - 25":
-  version "25.0.0"
-  resolved "https://registry.yarnpkg.com/@tweenjs/tween.js/-/tween.js-25.0.0.tgz#7266baebcc3affe62a3a54318a3ea82d904cd0b9"
-  integrity sha512-XKLA6syeBUaPzx4j3qwMqzzq+V4uo72BnlbOjmuljLrRqdsd3qnzvZZoxvMHZ23ndsRS4aufU6JOZYpCbU6T1A==
-
 "@tybys/wasm-util@^0.10.0", "@tybys/wasm-util@^0.10.1":
  version "0.10.1"
  resolved "https://registry.yarnpkg.com/@tybys/wasm-util/-/wasm-util-0.10.1.tgz#ecddd3205cf1e2d5274649ff0eedd2991ed7f414"
@@ -6124,6 +6131,13 @@
  resolved "https://registry.yarnpkg.com/@types/d3-delaunay/-/d3-delaunay-6.0.1.tgz#006b7bd838baec1511270cb900bf4fc377bbbf41"
  integrity sha512-tLxQ2sfT0p6sxdG75c6f/ekqxjyYR0+LwPrsO1mbC9YDBzPJhs2HbJJRrn8Ez1DBoHRo2yx7YEATI+8V1nGMnQ==

+"@types/d3-drag@^3.0.7":
+  version "3.0.7"
+  resolved "https://registry.yarnpkg.com/@types/d3-drag/-/d3-drag-3.0.7.tgz#b13aba8b2442b4068c9a9e6d1d82f8bcea77fc02"
+  integrity sha512-HE3jVKlzU9AaMazNufooRJ5ZpWmLIoc90A37WU2JMmeq28w1FQqCZswHZ3xR+SuxYftzHq6WU6KJHvqxKzTxxQ==
+  dependencies:
+    "@types/d3-selection" "*"
+
 "@types/d3-format@3.0.1":
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/@types/d3-format/-/d3-format-3.0.1.tgz#194f1317a499edd7e58766f96735bdc0216bb89d"
@@ -6141,6 +6155,13 @@
  resolved "https://registry.yarnpkg.com/@types/d3-hierarchy/-/d3-hierarchy-1.1.11.tgz#c3bd70d025621f73cb3319e97e08ae4c9051c791"
  integrity sha512-lnQiU7jV+Gyk9oQYk0GGYccuexmQPTp08E0+4BidgFdiJivjEvf+esPSdZqCZ2C7UwTWejWpqetVaU8A+eX3FA==

+"@types/d3-interpolate@*", "@types/d3-interpolate@^3.0.4":
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/@types/d3-interpolate/-/d3-interpolate-3.0.4.tgz#412b90e84870285f2ff8a846c6eb60344f12a41c"
+  integrity sha512-mgLPETlrpVV1YRJIglr4Ez47g7Yxjl1lj7YKsiMCb27VJH9W8NVM6Bb9d8kkpG/uAQS5AmbA48q2IAolKKo1MA==
+  dependencies:
+    "@types/d3-color" "*"
+
 "@types/d3-interpolate@3.0.1", "@types/d3-interpolate@^3.0.0":
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/@types/d3-interpolate/-/d3-interpolate-3.0.1.tgz#e7d17fa4a5830ad56fe22ce3b4fac8541a9572dc"
@@ -6160,6 +6181,11 @@
  dependencies:
    "@types/d3-time" "*"

+"@types/d3-selection@*", "@types/d3-selection@^3.0.10":
+  version "3.0.11"
+  resolved "https://registry.yarnpkg.com/@types/d3-selection/-/d3-selection-3.0.11.tgz#bd7a45fc0a8c3167a631675e61bc2ca2b058d4a3"
+  integrity sha512-bhAXu23DJWsrI45xafYpkQ4NtcKMwWnAC/vKrd2l+nxMFuvOT3XMYTIj2opv8vq8AO5Yh7Qac/nSeP/3zjTK0w==
+
 "@types/d3-shape@^1.3.1":
  version "1.3.12"
  resolved "https://registry.yarnpkg.com/@types/d3-shape/-/d3-shape-1.3.12.tgz#8f2f9f7a12e631ce6700d6d55b84795ce2c8b259"
@@ -6182,6 +6208,21 @@
  resolved "https://registry.yarnpkg.com/@types/d3-time/-/d3-time-3.0.0.tgz#e1ac0f3e9e195135361fa1a1d62f795d87e6e819"
  integrity sha512-sZLCdHvBUcNby1cB6Fd3ZBrABbjz3v1Vm90nysCQ6Vt7vd6e/h9Lt7SiJUoEX0l4Dzc7P5llKyhqSi1ycSf1Hg==

+"@types/d3-transition@^3.0.8":
+  version "3.0.9"
+  resolved "https://registry.yarnpkg.com/@types/d3-transition/-/d3-transition-3.0.9.tgz#1136bc57e9ddb3c390dccc9b5ff3b7d2b8d94706"
+  integrity sha512-uZS5shfxzO3rGlu0cC3bjmMFKsXv+SmZZcgp0KD22ts4uGXp5EVYGzu/0YdwZeKmddhcAccYtREJKkPfXkZuCg==
+  dependencies:
+    "@types/d3-selection" "*"
+
+"@types/d3-zoom@^3.0.8":
+  version "3.0.8"
+  resolved "https://registry.yarnpkg.com/@types/d3-zoom/-/d3-zoom-3.0.8.tgz#dccb32d1c56b1e1c6e0f1180d994896f038bc40b"
+  integrity sha512-iqMC4/YlFCSlO8+2Ii1GGGliCAY4XdeG748w5vQUbevlbDu0zSjH/+jojorQVBK/se0j6DUFNPBGSqD3YWYnDw==
+  dependencies:
+    "@types/d3-interpolate" "*"
+    "@types/d3-selection" "*"
+
 "@types/debug@^4.0.0":
  version "4.1.8"
  resolved "https://registry.yarnpkg.com/@types/debug/-/debug-4.1.8.tgz#cef723a5d0a90990313faec2d1e22aee5eecb317"
@@ -7072,6 +7113,30 @@
  resolved "https://registry.npmjs.org/@xobotyi/scrollbar-width/-/scrollbar-width-1.9.5.tgz"
  integrity sha512-N8tkAACJx2ww8vFMneJmaAgmjAG1tnVBZJRLRcx061tmsLRZHSEZSLuGWnwPtunsSLvSqXQ2wfp7Mgqg1I+2dQ==

+"@xyflow/react@12.10.2":
+  version "12.10.2"
+  resolved "https://registry.yarnpkg.com/@xyflow/react/-/react-12.10.2.tgz#40f6d71944f674f0ffbb83c660f9473018adbe61"
+  integrity sha512-CgIi6HwlcHXwlkTpr0fxLv/0sRVNZ8IdwKLzzeCscaYBwpvfcH1QFOCeaTCuEn1FQEs/B8CjnTSjhs8udgmBgQ==
+  dependencies:
+    "@xyflow/system" "0.0.76"
+    classcat "^5.0.3"
+    zustand "^4.4.0"
+
+"@xyflow/system@0.0.76":
+  version "0.0.76"
+  resolved "https://registry.yarnpkg.com/@xyflow/system/-/system-0.0.76.tgz#57da5e4d230cdbec56548a6d5eec115f22858259"
+  integrity sha512-hvwvnRS1B3REwVDlWexsq7YQaPZeG3/mKo1jv38UmnpWmxihp14bW6VtEOuHEwJX2FvzFw8k77LyKSk/wiZVNA==
+  dependencies:
+    "@types/d3-drag" "^3.0.7"
+    "@types/d3-interpolate" "^3.0.4"
+    "@types/d3-selection" "^3.0.10"
+    "@types/d3-transition" "^3.0.8"
+    "@types/d3-zoom" "^3.0.8"
+    d3-drag "^3.0.0"
+    d3-interpolate "^3.0.1"
+    d3-selection "^3.0.0"
+    d3-zoom "^3.0.0"
+
 "@zxing/text-encoding@0.9.0":
  version "0.9.0"
  resolved "https://registry.yarnpkg.com/@zxing/text-encoding/-/text-encoding-0.9.0.tgz#fb50ffabc6c7c66a0c96b4c03e3d9be74864b70b"
@@ -7097,11 +7162,6 @@ abort-controller@^3.0.0:
  dependencies:
    event-target-shim "^5.0.0"

-accessor-fn@1:
-  version "1.4.1"
-  resolved "https://registry.npmjs.org/accessor-fn/-/accessor-fn-1.4.1.tgz"
-  integrity sha512-P7yNKfmpuWLUwiRVk9RkRIPGjngemjZ7yANc0DL7otgDqEIWkEByMhShzfgQ5ZwCPEUmba4v1kOqCdGhpzY3ew==
-
 acorn-globals@^7.0.0:
  version "7.0.1"
  resolved "https://registry.yarnpkg.com/acorn-globals/-/acorn-globals-7.0.1.tgz#0dbf05c44fa7c94332914c02066d5beff62c40c3"
@@ -7999,11 +8059,6 @@ better-xlsx@^0.7.5:
    jszip "^3.2.2"
    kind-of "^6.0.3"

-"bezier-js@3 - 6":
-  version "6.1.3"
-  resolved "https://registry.npmjs.org/bezier-js/-/bezier-js-6.1.3.tgz"
-  integrity sha512-VPFvkyO98oCJ1Tsi+bFBrKEWLdefAj4DJVaWp3xTEsdCbunC7Pt/nTeIgu/UdskBNcmHv8TOfsgdMZb1GsICmg==
-
 big-integer@^1.6.16:
  version "1.6.51"
  resolved "https://registry.yarnpkg.com/big-integer/-/big-integer-1.6.51.tgz#0df92a5d9880560d3ff2d5fd20245c889d130686"
@@ -8273,13 +8328,6 @@ caniuse-lite@^1.0.30001759:
  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001767.tgz#0279c498e862efb067938bba0a0aabafe8d0b730"
  integrity sha512-34+zUAMhSH+r+9eKmYG+k2Rpt8XttfE4yXAjoZvkAPs15xcYQhyBYdalJ65BzivAvGRMViEjy6oKr/S91loekQ==

-canvas-color-tracker@^1.3:
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/canvas-color-tracker/-/canvas-color-tracker-1.3.2.tgz#b924cf94b33441b82692938fca5b936be971a46d"
-  integrity sha512-ryQkDX26yJ3CXzb3hxUVNlg1NKE4REc5crLBq661Nxzr8TNd236SaEf2ffYLXyI5tSABSeguHLqcVq4vf9L3Zg==
-  dependencies:
-    tinycolor2 "^1.6.0"
-
 ccount@^2.0.0:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/ccount/-/ccount-2.0.1.tgz#17a3bf82302e0870d6da43a01311a8bc02a3ecf5"
@@ -8421,6 +8469,11 @@ class-variance-authority@^0.7.0:
  dependencies:
    clsx "^2.1.1"

+classcat@^5.0.3:
+  version "5.0.5"
+  resolved "https://registry.yarnpkg.com/classcat/-/classcat-5.0.5.tgz#8c209f359a93ac302404a10161b501eba9c09c77"
+  integrity sha512-JhZUT7JFcQy/EzW605k/ktHtncoo9vnyW/2GspNYwFlN1C/WmjuV/xtS04e9SOkL2sTdw0VAZ2UGCcQ9lR6p6w==
+
 classnames@2.3.2, classnames@2.x, classnames@^2.2.1, classnames@^2.2.3, classnames@^2.2.5, classnames@^2.2.6, classnames@^2.3.1, classnames@^2.3.2:
  version "2.3.2"
  resolved "https://registry.npmjs.org/classnames/-/classnames-2.3.2.tgz"
@@ -9055,7 +9108,7 @@ csstype@^3.1.2:
  resolved "https://registry.yarnpkg.com/csstype/-/csstype-3.1.3.tgz#d80ff294d114fb0e6ac500fbf85b60137d7eff81"
  integrity sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==

-"d3-array@1 - 3", "d3-array@2 - 3", "d3-array@2.10.0 - 3":
+"d3-array@2 - 3", "d3-array@2.10.0 - 3":
  version "3.2.3"
  resolved "https://registry.npmjs.org/d3-array/-/d3-array-3.2.3.tgz"
  integrity sha512-JRHwbQQ84XuAESWhvIPaUV4/1UYTBOLiOPGWqgFDHZS1D5QN9c57FbH3QpEnQMYiOXNzKUQyGTZf+EVO7RT5TQ==
@@ -9081,11 +9134,6 @@ d3-array@^1.2.0:
  resolved "https://registry.yarnpkg.com/d3-array/-/d3-array-1.2.4.tgz#635ce4d5eea759f6f605863dbcfc30edc737f71f"
  integrity sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw==

-d3-binarytree@1:
-  version "1.0.2"
-  resolved "https://registry.npmjs.org/d3-binarytree/-/d3-binarytree-1.0.2.tgz"
-  integrity sha512-cElUNH+sHu95L04m92pG73t2MEJXKu+GeKUN1TJkFsu93E5W8E9Sc3kHEGJKgenGvj19m6upSn2EunvMgMD2Yw==
-
 "d3-color@1 - 3", d3-color@3.1.0:
  version "3.1.0"
  resolved "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz"
@@ -9103,7 +9151,7 @@ d3-delaunay@6.0.2:
  resolved "https://registry.npmjs.org/d3-dispatch/-/d3-dispatch-3.0.1.tgz"
  integrity sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg==

-"d3-drag@2 - 3":
+"d3-drag@2 - 3", d3-drag@^3.0.0:
  version "3.0.0"
  resolved "https://registry.npmjs.org/d3-drag/-/d3-drag-3.0.0.tgz"
  integrity sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg==
@@ -9116,17 +9164,6 @@ d3-delaunay@6.0.2:
  resolved "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz"
  integrity sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==

-"d3-force-3d@2 - 3":
-  version "3.0.5"
-  resolved "https://registry.npmjs.org/d3-force-3d/-/d3-force-3d-3.0.5.tgz"
-  integrity sha512-tdwhAhoTYZY/a6eo9nR7HP3xSW/C6XvJTbeRpR92nlPzH6OiE+4MliN9feuSFd0tPtEUo+191qOhCTWx3NYifg==
-  dependencies:
-    d3-binarytree "1"
-    d3-dispatch "1 - 3"
-    d3-octree "1"
-    d3-quadtree "1 - 3"
-    d3-timer "1 - 3"
-
 "d3-format@1 - 3", d3-format@3.1.0:
  version "3.1.0"
  resolved "https://registry.npmjs.org/d3-format/-/d3-format-3.1.0.tgz"
@@ -9149,18 +9186,13 @@ d3-hierarchy@^1.1.4:
  resolved "https://registry.yarnpkg.com/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz#2f6bee24caaea43f8dc37545fa01628559647a83"
  integrity sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ==

-"d3-interpolate@1 - 3", "d3-interpolate@1.2.0 - 3", d3-interpolate@3.0.1:
+"d3-interpolate@1 - 3", "d3-interpolate@1.2.0 - 3", d3-interpolate@3.0.1, d3-interpolate@^3.0.1:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/d3-interpolate/-/d3-interpolate-3.0.1.tgz#3c47aa5b32c5b3dfb56ef3fd4342078a632b400d"
  integrity sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==
  dependencies:
    d3-color "1 - 3"

-d3-octree@1:
-  version "1.0.2"
-  resolved "https://registry.npmjs.org/d3-octree/-/d3-octree-1.0.2.tgz"
-  integrity sha512-Qxg4oirJrNXauiuC94uKMbgxwnhdda9xRLl9ihq45srlJ4Ga3CSgqGcAL8iW7N5CIv4Oz8x3E734ulxyvHPvwA==
-
 d3-path@1, d3-path@^1.0.5:
  version "1.0.9"
  resolved "https://registry.yarnpkg.com/d3-path/-/d3-path-1.0.9.tgz#48c050bb1fe8c262493a8caf5524e3e9591701cf"
@@ -9171,20 +9203,7 @@ d3-polygon@^1.0.3:
  resolved "https://registry.yarnpkg.com/d3-polygon/-/d3-polygon-1.0.6.tgz#0bf8cb8180a6dc107f518ddf7975e12abbfbd38e"
  integrity sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ==

-"d3-quadtree@1 - 3":
-  version "3.0.1"
-  resolved "https://registry.npmjs.org/d3-quadtree/-/d3-quadtree-3.0.1.tgz"
-  integrity sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw==
-
-"d3-scale-chromatic@1 - 3":
-  version "3.0.0"
-  resolved "https://registry.npmjs.org/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz"
-  integrity sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g==
-  dependencies:
-    d3-color "1 - 3"
-    d3-interpolate "1 - 3"
-
-"d3-scale@1 - 4", d3-scale@4.0.2:
+d3-scale@4.0.2:
  version "4.0.2"
  resolved "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz"
  integrity sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==
@@ -9195,9 +9214,9 @@ d3-polygon@^1.0.3:
    d3-time "2.1.1 - 3"
    d3-time-format "2 - 4"

-"d3-selection@2 - 3", d3-selection@3:
+"d3-selection@2 - 3", d3-selection@3, d3-selection@^3.0.0:
  version "3.0.0"
-  resolved "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz"
+  resolved "https://registry.yarnpkg.com/d3-selection/-/d3-selection-3.0.0.tgz#c25338207efa72cc5b9bd1458a1a41901f1e1b31"
  integrity sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==

 d3-shape@^1.0.6, d3-shape@^1.2.0:
@@ -9237,9 +9256,9 @@ d3-shape@^1.0.6, d3-shape@^1.2.0:
    d3-interpolate "1 - 3"
    d3-timer "1 - 3"

-"d3-zoom@2 - 3":
+d3-zoom@^3.0.0:
  version "3.0.0"
-  resolved "https://registry.npmjs.org/d3-zoom/-/d3-zoom-3.0.0.tgz"
+  resolved "https://registry.yarnpkg.com/d3-zoom/-/d3-zoom-3.0.0.tgz#d13f4165c73217ffeaa54295cd6969b3e7aee8f3"
  integrity sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw==
  dependencies:
    d3-dispatch "1 - 3"
@@ -10460,15 +10479,6 @@ flatted@^3.4.2:
  resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.4.2.tgz#f5c23c107f0f37de8dbdf24f13722b3b98d52726"
  integrity sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==

-float-tooltip@^1.7:
-  version "1.7.5"
-  resolved "https://registry.yarnpkg.com/float-tooltip/-/float-tooltip-1.7.5.tgz#7083bf78f0de5a97f9c2d6aa8e90d2139f34047f"
-  integrity sha512-/kXzuDnnBqyyWyhDMH7+PfP8J/oXiAavGzcRxASOMRHFuReDtofizLLJsf7nnDLAfEaMW4pVWaXrAjtnglpEkg==
-  dependencies:
-    d3-selection "2 - 3"
-    kapsule "^1.16"
-    preact "10"
-
 flubber@^0.4.2:
  version "0.4.2"
  resolved "https://registry.yarnpkg.com/flubber/-/flubber-0.4.2.tgz#14452d4a838cc3b9f2fb6175da94e35acd55fbaa"
@@ -10505,27 +10515,6 @@ for-each@^0.3.5:
  dependencies:
    is-callable "^1.2.7"

-force-graph@^1.51:
-  version "1.51.1"
-  resolved "https://registry.yarnpkg.com/force-graph/-/force-graph-1.51.1.tgz#c967249bf6ad2cb4a3ba89ed4c6d79895bd70fe1"
-  integrity sha512-uEEX8iRzgq1IKRISOw6RrB2RLMhcI25xznQYrCTVvxZHZZ+A2jH6qIolYuwavVxAMi64pFp2yZm4KFVdD993cg==
-  dependencies:
-    "@tweenjs/tween.js" "18 - 25"
-    accessor-fn "1"
-    bezier-js "3 - 6"
-    canvas-color-tracker "^1.3"
-    d3-array "1 - 3"
-    d3-drag "2 - 3"
-    d3-force-3d "2 - 3"
-    d3-scale "1 - 4"
-    d3-scale-chromatic "1 - 3"
-    d3-selection "2 - 3"
-    d3-zoom "2 - 3"
-    float-tooltip "^1.7"
-    index-array-by "1"
-    kapsule "^1.16"
-    lodash-es "4"
-
 foreground-child@^3.1.0:
  version "3.3.1"
  resolved "https://registry.yarnpkg.com/foreground-child/-/foreground-child-3.3.1.tgz#32e8e9ed1b68a3497befb9ac2b6adf92a638576f"
@@ -11673,11 +11662,6 @@ indent-string@^4.0.0:
  resolved "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz"
  integrity sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==

-index-array-by@1:
-  version "1.4.1"
-  resolved "https://registry.npmjs.org/index-array-by/-/index-array-by-1.4.1.tgz"
-  integrity sha512-Zu6THdrxQdyTuT2uA5FjUoBEsFHPzHcPIj18FszN6yXKHxSfGcR4TPLabfuT//E25q1Igyx9xta2WMvD/x9P/g==
-
 inflected@^2.1.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/inflected/-/inflected-2.1.0.tgz#2816ac17a570bbbc8303ca05bca8bf9b3f959687"
@@ -12383,11 +12367,6 @@ jake@^10.8.5:
    filelist "^1.0.4"
    picocolors "^1.1.1"

-jerrypick@^1.1.1:
-  version "1.1.1"
-  resolved "https://registry.npmjs.org/jerrypick/-/jerrypick-1.1.1.tgz"
-  integrity sha512-XTtedPYEyVp4t6hJrXuRKr/jHj8SC4z+4K0b396PMkov6muL+i8IIamJIvZWe3jUspgIJak0P+BaWKawMYNBLg==
-
 jest-changed-files@30.2.0:
  version "30.2.0"
  resolved "https://registry.yarnpkg.com/jest-changed-files/-/jest-changed-files-30.2.0.tgz#602266e478ed554e1e1469944faa7efd37cee61c"
@@ -13103,13 +13082,6 @@ junk@^3.1.0:
  resolved "https://registry.yarnpkg.com/junk/-/junk-3.1.0.tgz#31499098d902b7e98c5d9b9c80f43457a88abfa1"
  integrity sha512-pBxcB3LFc8QVgdggvZWyeys+hnrNWg4OcZIU/1X59k5jQdLBlCsYGRQaz234SqoRLTCgMH00fY0xRJH+F9METQ==

-kapsule@^1.16:
-  version "1.16.3"
-  resolved "https://registry.yarnpkg.com/kapsule/-/kapsule-1.16.3.tgz#5684ed89838b6658b30d0f2cc056dffc3ba68c30"
-  integrity sha512-4+5mNNf4vZDSwPhKprKwz3330iisPrb08JyMgbsdFrimBCKNHecua/WBwvVg3n7vwx0C1ARjfhwIpbrbd9n5wg==
-  dependencies:
-    lodash-es "4"
-
 keyv@^4.0.0:
  version "4.5.4"
  resolved "https://registry.yarnpkg.com/keyv/-/keyv-4.5.4.tgz#a879a99e29452f942439f2a405e3af8b31d4de93"
@@ -13334,7 +13306,7 @@ locate-path@^7.1.0:
  dependencies:
    p-locate "^6.0.0"

-lodash-es@4, lodash-es@^4.17.21:
+lodash-es@^4.17.21:
  version "4.17.21"
  resolved "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz"
  integrity sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==
@@ -15645,11 +15617,6 @@ powershell-utils@^0.1.0:
  resolved "https://registry.yarnpkg.com/powershell-utils/-/powershell-utils-0.1.0.tgz#5a42c9a824fb4f2f251ccb41aaae73314f5d6ac2"
  integrity sha512-dM0jVuXJPsDN6DvRpea484tCUaMiXWjuCn++HGTqUWzGDjv5tZkEZldAJ/UMlqRYGFrD/etByo4/xOuC/snX2A==

-preact@10:
-  version "10.28.4"
-  resolved "https://registry.yarnpkg.com/preact/-/preact-10.28.4.tgz#8ffab01c5c0590535bdaecdd548801f44c6e483a"
-  integrity sha512-uKFfOHWuSNpRFVTnljsCluEFq57OKT+0QdOiQo8XWnQ/pSvg7OpX5eNOejELXJMWy+BwM2nobz0FkvzmnpCNsQ==
-
 preact@^10.19.3:
  version "10.22.0"
  resolved "https://registry.yarnpkg.com/preact/-/preact-10.22.0.tgz#a50f38006ae438d255e2631cbdaf7488e6dd4e16"
@@ -15711,7 +15678,7 @@ progress@^2.0.3:
  resolved "https://registry.yarnpkg.com/progress/-/progress-2.0.3.tgz#7e8cf8d8f5b8f239c1bc68beb4eb78567d572ef8"
  integrity sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==

-prop-types@15, prop-types@15.8.1, prop-types@15.x, prop-types@^15.0.0, prop-types@^15.5.10, prop-types@^15.5.8, prop-types@^15.6.1, prop-types@^15.6.2, prop-types@^15.7.2, prop-types@^15.8.1:
+prop-types@15.8.1, prop-types@15.x, prop-types@^15.0.0, prop-types@^15.5.10, prop-types@^15.5.8, prop-types@^15.6.1, prop-types@^15.6.2, prop-types@^15.7.2, prop-types@^15.8.1:
  version "15.8.1"
  resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.8.1.tgz#67d87bf1a694f48435cf332c24af10214a3140b5"
  integrity sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==
@@ -16335,15 +16302,6 @@ react-fast-compare@^3.2.0:
  resolved "https://registry.yarnpkg.com/react-fast-compare/-/react-fast-compare-3.2.2.tgz#929a97a532304ce9fee4bcae44234f1ce2c21d49"
  integrity sha512-nsO+KSNgo1SbJqJEYRE9ERzo7YtYbou/OqjSQKxV7jcKox7+usiUVZOAC+XnDOABXggQTno0Y1CpVnuWEc1boQ==

-react-force-graph-2d@^1.29.1:
-  version "1.29.1"
-  resolved "https://registry.yarnpkg.com/react-force-graph-2d/-/react-force-graph-2d-1.29.1.tgz#a0784d4387b12b28e2b552058ec09d092b4e8cda"
-  integrity sha512-1Rl/1Z3xy2iTHKj6a0jRXGyiI86xUti81K+jBQZ+Oe46csaMikp47L5AjrzA9hY9fNGD63X8ffrqnvaORukCuQ==
-  dependencies:
-    force-graph "^1.51"
-    prop-types "15"
-    react-kapsule "^2.5"
-
 react-full-screen@1.1.1:
  version "1.1.1"
  resolved "https://registry.yarnpkg.com/react-full-screen/-/react-full-screen-1.1.1.tgz#b707d56891015a71c503a65dbab3086d75be97d7"
@@ -16413,13 +16371,6 @@ react-is@^18.3.1:
  resolved "https://registry.yarnpkg.com/react-is/-/react-is-18.3.1.tgz#e83557dc12eae63a99e003a46388b1dcbb44db7e"
  integrity sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==

-react-kapsule@^2.5:
-  version "2.5.7"
-  resolved "https://registry.yarnpkg.com/react-kapsule/-/react-kapsule-2.5.7.tgz#dcd957ae8e897ff48055fc8ff48ed04ebe3c5bd2"
-  integrity sha512-kifAF4ZPD77qZKc4CKLmozq6GY1sBzPEJTIJb0wWFK6HsePJatK3jXplZn2eeAt3x67CDozgi7/rO8fNQ/AL7A==
-  dependencies:
-    jerrypick "^1.1.1"
-
 react-lottie@1.2.10:
  version "1.2.10"
  resolved "https://registry.yarnpkg.com/react-lottie/-/react-lottie-1.2.10.tgz#399f78a448a7833b2380d74fc489ecf15f8d18c7"
@@ -18489,7 +18440,7 @@ tiny-warning@^1.0.0:
  resolved "https://registry.npmjs.org/tiny-warning/-/tiny-warning-1.0.3.tgz"
  integrity sha512-lBN9zLN/oAf68o3zNXYrdCt1kP8WsiGW8Oo2ka41b2IM5JL/S1CTyX1rW0mb/zSuJun0ZUrDxx4sqvYS2FWzPA==

-tinycolor2@1.6.0, tinycolor2@^1.6.0:
+tinycolor2@1.6.0:
  version "1.6.0"
  resolved "https://registry.yarnpkg.com/tinycolor2/-/tinycolor2-1.6.0.tgz#f98007460169b0263b97072c5ae92484ce02d09e"
  integrity sha512-XPaBkWQJdsf3pLKJV9p4qN/S+fm2Oj8AIPo1BTUhg5oxkvm9+SVEGFdhyOz7tTdUTfvxMiAs4sp6/eZO2Ew+pw==
@@ -19194,7 +19145,7 @@ use-sidecar@^1.1.3:
    detect-node-es "^1.1.0"
    tslib "^2.0.0"

-use-sync-external-store@1.6.0:
+use-sync-external-store@1.6.0, use-sync-external-store@^1.2.2:
  version "1.6.0"
  resolved "https://registry.yarnpkg.com/use-sync-external-store/-/use-sync-external-store-1.6.0.tgz#b174bfa65cb2b526732d9f2ac0a408027876f32d"
  integrity sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==
@@ -19837,6 +19788,13 @@ zustand@5.0.11:
  resolved "https://registry.yarnpkg.com/zustand/-/zustand-5.0.11.tgz#99f912e590de1ca9ce6c6d1cab6cdb1f034ab494"
  integrity sha512-fdZY+dk7zn/vbWNCYmzZULHRrss0jx5pPFiOuMZ/5HJN6Yv3u+1Wswy/4MpZEkEGhtNH+pwxZB8OKgUBPzYAGg==

+zustand@^4.4.0:
+  version "4.5.7"
+  resolved "https://registry.yarnpkg.com/zustand/-/zustand-4.5.7.tgz#7d6bb2026a142415dd8be8891d7870e6dbe65f55"
+  integrity sha512-CHOUy7mu3lbD6o6LJLfllpjkzhHXSBlX8B9+qPddUsIfeF5S/UZ5q0kmCsnRqT1UHFQZchNFDDzMbQsuesHWlw==
+  dependencies:
+    use-sync-external-store "^1.2.2"
+
 zwitch@^2.0.0, zwitch@^2.0.4:
  version "2.0.4"
  resolved "https://registry.yarnpkg.com/zwitch/-/zwitch-2.0.4.tgz#c827d4b0acb76fc3e685a4c6ec2902d51070e9d7"
--- a/pkg/apiserver/signozapiserver/authz.go
+++ b/pkg/apiserver/signozapiserver/authz.go
@@ -26,5 +26,22 @@ func (provider *provider) addAuthzRoutes(router *mux.Router) error {
 		return err
 	}

+	if err := router.Handle("/api/v1/authz/resources", handler.New(provider.authZ.OpenAccess(provider.authzHandler.GetResources), handler.OpenAPIDef{
+		ID:                  "AuthzResources",
+		Tags:                []string{"authz"},
+		Summary:             "Get resources",
+		Description:         "Gets all the available resources",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(authtypes.GettableResources),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     nil,
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }
--- a/pkg/apiserver/signozapiserver/dashboard.go
+++ b/pkg/apiserver/signozapiserver/dashboard.go
@@ -6,7 +6,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	"github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -84,9 +83,9 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {

 	if err := router.Handle("/api/v1/public/dashboards/{id}", handler.New(provider.authZ.CheckWithoutClaims(
 		provider.dashboardHandler.GetPublicData,
-		authtypes.Relation{Verb: coretypes.VerbRead},
-		coretypes.ResourceMetaResourcePublicDashboard,
-		func(req *http.Request, orgs []*types.Organization) ([]coretypes.Selector, valuer.UUID, error) {
+		authtypes.RelationRead,
+		dashboardtypes.TypeableMetaResourcePublicDashboard,
+		func(req *http.Request, orgs []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 			id, err := valuer.NewUUID(mux.Vars(req)["id"])
 			if err != nil {
 				return nil, valuer.UUID{}, err
@@ -105,16 +104,16 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newAnonymousSecuritySchemes([]string{coretypes.ResourceMetaResourcePublicDashboard.Scope(coretypes.VerbRead)}),
+		SecuritySchemes:     newAnonymousSecuritySchemes([]string{dashboardtypes.TypeableMetaResourcePublicDashboard.Scope(authtypes.RelationRead)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}

 	if err := router.Handle("/api/v1/public/dashboards/{id}/widgets/{idx}/query_range", handler.New(provider.authZ.CheckWithoutClaims(
 		provider.dashboardHandler.GetPublicWidgetQueryRange,
-		authtypes.Relation{Verb: coretypes.VerbRead},
-		coretypes.ResourceMetaResourcePublicDashboard,
-		func(req *http.Request, orgs []*types.Organization) ([]coretypes.Selector, valuer.UUID, error) {
+		authtypes.RelationRead,
+		dashboardtypes.TypeableMetaResourcePublicDashboard,
+		func(req *http.Request, orgs []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 			id, err := valuer.NewUUID(mux.Vars(req)["id"])
 			if err != nil {
 				return nil, valuer.UUID{}, err
@@ -133,7 +132,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newAnonymousSecuritySchemes([]string{coretypes.ResourceMetaResourcePublicDashboard.Scope(coretypes.VerbRead)}),
+		SecuritySchemes:     newAnonymousSecuritySchemes([]string{dashboardtypes.TypeableMetaResourcePublicDashboard.Scope(authtypes.RelationRead)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
--- a/pkg/apiserver/signozapiserver/role.go
+++ b/pkg/apiserver/signozapiserver/role.go
@@ -6,7 +6,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/gorilla/mux"
 )

@@ -69,7 +68,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Description:         "Gets all objects connected to the specified role via a given relation type",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*coretypes.ObjectGroup, 0),
+		Response:            make([]*authtypes.GettableObjects, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
@@ -101,7 +100,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Patch objects for a role by relation",
 		Description:         "Patches the objects connected to the specified role via a given relation type",
-		Request:             new(coretypes.PatchableObjects),
+		Request:             new(authtypes.PatchableObjects),
 		RequestContentType:  "",
 		Response:            nil,
 		ResponseContentType: "application/json",
--- a/pkg/auditor/auditorserver/server_test.go
+++ b/pkg/auditor/auditorserver/server_test.go
@@ -11,7 +11,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/types/audittypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -20,16 +19,16 @@ func newTestSettings() factory.ScopedProviderSettings {
 	return factory.NewScopedProviderSettings(instrumentationtest.New().ToProviderSettings(), "auditorserver_test")
 }

-func newTestEvent(resource string, action coretypes.Verb) audittypes.AuditEvent {
+func newTestEvent(resource string, action audittypes.Action) audittypes.AuditEvent {
 	return audittypes.AuditEvent{
 		Timestamp: time.Now(),
-		EventName: audittypes.NewEventName(coretypes.MustNewKind(resource), action),
+		EventName: audittypes.NewEventName(resource, action),
 		AuditAttributes: audittypes.AuditAttributes{
 			Action:  action,
 			Outcome: audittypes.OutcomeSuccess,
 		},
 		ResourceAttributes: audittypes.ResourceAttributes{
-			ResourceKind: coretypes.MustNewKind(resource),
+			ResourceKind: resource,
 		},
 	}
 }
@@ -84,7 +83,7 @@ func TestAdd_FlushesOnBatchSize(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()

 	for i := 0; i < 3; i++ {
-		server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent("dashboard", audittypes.ActionCreate))
 	}

 	assert.Eventually(t, func() bool {
@@ -113,7 +112,7 @@ func TestAdd_FlushesOnInterval(t *testing.T) {

 	go func() { _ = server.Start(ctx) }()

-	server.Add(ctx, newTestEvent("user", coretypes.VerbUpdate))
+	server.Add(ctx, newTestEvent("user", audittypes.ActionUpdate))

 	assert.Eventually(t, func() bool {
 		return exported.Load() == 1
@@ -131,9 +130,9 @@ func TestAdd_DropsWhenBufferFull(t *testing.T) {

 	ctx := context.Background()

-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbUpdate))
-	server.Add(ctx, newTestEvent("dashboard", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent("dashboard", audittypes.ActionCreate))
+	server.Add(ctx, newTestEvent("dashboard", audittypes.ActionUpdate))
+	server.Add(ctx, newTestEvent("dashboard", audittypes.ActionDelete))

 	assert.Equal(t, 2, server.queueLen())
 }
@@ -156,7 +155,7 @@ func TestStop_DrainsRemainingEvents(t *testing.T) {
 	go func() { _ = server.Start(ctx) }()

 	for i := 0; i < 5; i++ {
-		server.Add(ctx, newTestEvent("alert-rule", coretypes.VerbCreate))
+		server.Add(ctx, newTestEvent("alert-rule", audittypes.ActionCreate))
 	}

 	require.NoError(t, server.Stop(ctx))
@@ -181,8 +180,8 @@ func TestAdd_ContinuesAfterExportFailure(t *testing.T) {

 	go func() { _ = server.Start(ctx) }()

-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
-	server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))
+	server.Add(ctx, newTestEvent("user", audittypes.ActionDelete))
+	server.Add(ctx, newTestEvent("user", audittypes.ActionDelete))

 	assert.Eventually(t, func() bool {
 		return calls.Load() >= 1
@@ -213,7 +212,7 @@ func TestAdd_ConcurrentSafety(t *testing.T) {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))
+			server.Add(ctx, newTestEvent("dashboard", audittypes.ActionCreate))
 		}()
 	}
 	wg.Wait()
--- a/pkg/authz/authz.go
+++ b/pkg/authz/authz.go
@@ -6,7 +6,6 @@ import (

 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 )
@@ -15,10 +14,10 @@ type AuthZ interface {
 	factory.ServiceWithHealthy

 	// CheckWithTupleCreation takes upon the responsibility for generating the tuples alongside everything Check does.
-	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, coretypes.Resource, []coretypes.Selector, []coretypes.Selector) error
+	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error

 	// CheckWithTupleCreationWithoutClaims checks permissions for anonymous users.
-	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, coretypes.Resource, []coretypes.Selector, []coretypes.Selector) error
+	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error

 	// BatchCheck accepts a map of ID → tuple and returns a map of ID → authorization result.
 	BatchCheck(context.Context, map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error)
@@ -31,7 +30,7 @@ type AuthZ interface {
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error

 	// Lists the selectors for objects assigned to subject (s) with relation (r) on resource (s)
-	ListObjects(context.Context, string, authtypes.Relation, coretypes.Type) ([]*coretypes.Object, error)
+	ListObjects(context.Context, string, authtypes.Relation, authtypes.Type) ([]*authtypes.Object, error)

 	// Creates the role.
 	Create(context.Context, valuer.UUID, *authtypes.Role) error
@@ -40,13 +39,16 @@ type AuthZ interface {
 	GetOrCreate(context.Context, valuer.UUID, *authtypes.Role) (*authtypes.Role, error)

 	// Gets the objects associated with the given role and relation.
-	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*coretypes.Object, error)
+	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*authtypes.Object, error)
+
+	// Gets all the typeable resources registered from role registry.
+	GetResources(context.Context) []*authtypes.Resource

 	// Patches the role.
 	Patch(context.Context, valuer.UUID, *authtypes.Role) error

 	// Patches the objects in authorization server associated with the given role and relation
-	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*coretypes.Object, []*coretypes.Object) error
+	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*authtypes.Object, []*authtypes.Object) error

 	// Deletes the role and tuples in authorization server.
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
@@ -88,6 +90,12 @@ type AuthZ interface {
 // OnBeforeRoleDelete is a callback invoked before a role is deleted.
 type OnBeforeRoleDelete func(context.Context, valuer.UUID, valuer.UUID) error

+type RegisterTypeable interface {
+	MustGetTypeables() []authtypes.Typeable
+
+	MustGetManagedRoleTransactions() map[string][]*authtypes.Transaction
+}
+
 type Handler interface {
 	Create(http.ResponseWriter, *http.Request)

@@ -95,6 +103,8 @@ type Handler interface {

 	GetObjects(http.ResponseWriter, *http.Request)

+	GetResources(http.ResponseWriter, *http.Request)
+
 	List(http.ResponseWriter, *http.Request)

 	Patch(http.ResponseWriter, *http.Request)
--- a/pkg/authz/config.go
+++ b/pkg/authz/config.go
@@ -25,7 +25,7 @@ func newConfig() factory.Config {
 	return &Config{
 		Provider: "openfga",
 		OpenFGA: OpenFGAConfig{
-			MaxTuplesPerWrite: 300,
+			MaxTuplesPerWrite: 100,
 		},
 	}
 }
--- a/pkg/authz/openfgaauthz/provider.go
+++ b/pkg/authz/openfgaauthz/provider.go
@@ -8,7 +8,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/authz/openfgaserver"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"

 	"github.com/SigNoz/signoz/pkg/factory"
@@ -19,27 +18,31 @@ import (
 )

 type provider struct {
-	server   *openfgaserver.Server
-	store    authtypes.RoleStore
-	registry *authtypes.Registry
+	server                    *openfgaserver.Server
+	store                     authtypes.RoleStore
+	registry                  []authz.RegisterTypeable
+	managedRolesByTransaction map[string][]string
 }

-func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry *authtypes.Registry) factory.ProviderFactory[authz.AuthZ, authz.Config] {
+func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry ...authz.RegisterTypeable) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("openfga"), func(ctx context.Context, ps factory.ProviderSettings, config authz.Config) (authz.AuthZ, error) {
 		return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema, openfgaDataStore, registry)
 	})
 }

-func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry *authtypes.Registry) (authz.AuthZ, error) {
+func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile, openfgaDataStore storage.OpenFGADatastore, registry []authz.RegisterTypeable) (authz.AuthZ, error) {
 	server, err := openfgaserver.NewOpenfgaServer(ctx, settings, config, sqlstore, openfgaSchema, openfgaDataStore)
 	if err != nil {
 		return nil, err
 	}

+	managedRolesByTransaction := buildManagedRolesByTransaction(registry)
+
 	return &provider{
-		server:   server,
-		store:    sqlauthzstore.NewSqlAuthzStore(sqlstore),
-		registry: registry,
+		server:                    server,
+		store:                     sqlauthzstore.NewSqlAuthzStore(sqlstore),
+		registry:                  registry,
+		managedRolesByTransaction: managedRolesByTransaction,
 	}, nil
 }

@@ -59,11 +62,11 @@ func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*o
 	return provider.server.BatchCheck(ctx, tupleReq)
 }

-func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, roleSelectors []coretypes.Selector) error {
+func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.server.CheckWithTupleCreation(ctx, claims, orgID, relation, typeable, selectors, roleSelectors)
 }

-func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable coretypes.Resource, selectors []coretypes.Selector, roleSelectors []coretypes.Selector) error {
+func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.server.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, roleSelectors)
 }

@@ -75,7 +78,7 @@ func (provider *provider) ReadTuples(ctx context.Context, tupleKey *openfgav1.Re
 	return provider.server.ReadTuples(ctx, tupleKey)
 }

-func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType coretypes.Type) ([]*coretypes.Object, error) {
+func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
 	return provider.server.ListObjects(ctx, subject, relation, objectType)
 }

@@ -100,14 +103,22 @@ func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UU
 }

 func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	selectors := make([]coretypes.Selector, len(names))
+	selectors := make([]authtypes.Selector, len(names))
 	for idx, name := range names {
-		selectors[idx] = coretypes.TypeRole.MustSelector(name)
+		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
 	}

-	tuples := authtypes.NewTuples(coretypes.NewResourceRole(), subject, authtypes.Relation{Verb: coretypes.VerbAssignee}, selectors, orgID)
+	tuples, err := authtypes.TypeableRole.Tuples(
+		subject,
+		authtypes.RelationAssignee,
+		selectors,
+		orgID,
+	)
+	if err != nil {
+		return err
+	}

-	err := provider.Write(ctx, tuples, nil)
+	err = provider.Write(ctx, tuples, nil)
 	if err != nil {
 		return errors.WithAdditionalf(err, "failed to grant roles: %v to subject: %s", names, subject)
 	}
@@ -130,14 +141,22 @@ func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, ex
 }

 func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	selectors := make([]coretypes.Selector, len(names))
+	selectors := make([]authtypes.Selector, len(names))
 	for idx, name := range names {
-		selectors[idx] = coretypes.TypeRole.MustSelector(name)
+		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
 	}

-	tuples := authtypes.NewTuples(coretypes.NewResourceRole(), subject, authtypes.Relation{Verb: coretypes.VerbAssignee}, selectors, orgID)
+	tuples, err := authtypes.TypeableRole.Tuples(
+		subject,
+		authtypes.RelationAssignee,
+		selectors,
+		orgID,
+	)
+	if err != nil {
+		return err
+	}

-	err := provider.Write(ctx, nil, tuples)
+	err = provider.Write(ctx, nil, tuples)
 	if err != nil {
 		return errors.WithAdditionalf(err, "failed to revoke roles: %v to subject: %s", names, subject)
 	}
@@ -165,7 +184,7 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 }

 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
-	return provider.Grant(ctx, orgID, []string{authtypes.SigNozAdminRoleName}, authtypes.MustNewSubject(coretypes.NewResourceUser(), userID.String(), orgID, nil))
+	return provider.Grant(ctx, orgID, []string{authtypes.SigNozAdminRoleName}, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }

 func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
@@ -176,7 +195,11 @@ func (provider *provider) GetOrCreate(_ context.Context, _ valuer.UUID, _ *autht
 	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

-func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*coretypes.Object, error) {
+func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource {
+	return []*authtypes.Resource{}
+}
+
+func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
 	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

@@ -184,7 +207,7 @@ func (provider *provider) Patch(_ context.Context, _ valuer.UUID, _ *authtypes.R
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

-func (provider *provider) PatchObjects(_ context.Context, _ valuer.UUID, _ string, _ authtypes.Relation, _, _ []*coretypes.Object) error {
+func (provider *provider) PatchObjects(_ context.Context, _ valuer.UUID, _ string, _ authtypes.Relation, _, _ []*authtypes.Object) error {
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }

@@ -197,7 +220,7 @@ func (provider *provider) CheckTransactions(ctx context.Context, subject string,
 		return make([]*authtypes.TransactionWithAuthorization, 0), nil
 	}

-	tuples, preResolved, roleCorrelations, err := authtypes.NewTuplesFromTransactionsWithManagedRoles(transactions, subject, orgID, provider.registry.ManagedRolesByTransaction())
+	tuples, preResolved, roleCorrelations, err := authtypes.NewTuplesFromTransactionsWithManagedRoles(transactions, subject, orgID, provider.managedRolesByTransaction)
 	if err != nil {
 		return nil, err
 	}
@@ -213,3 +236,21 @@ func (provider *provider) CheckTransactions(ctx context.Context, subject string,

 	return authtypes.NewTransactionWithAuthorizationFromBatchResults(transactions, batchResults, preResolved, roleCorrelations), nil
 }
+
+func buildManagedRolesByTransaction(registry []authz.RegisterTypeable) map[string][]string {
+	managedRolesByTransaction := make(map[string][]string)
+	for _, register := range registry {
+		for roleName, transactions := range register.MustGetManagedRoleTransactions() {
+			for _, txn := range transactions {
+				key := txn.TransactionKey()
+				managedRolesByTransaction[key] = append(managedRolesByTransaction[key], roleName)
+			}
+		}
+	}
+
+	return managedRolesByTransaction
+}
+
+func (provider *provider) MustGetTypeables() []authtypes.Typeable {
+	return nil
+}
--- a/pkg/authz/openfgaschema/base.fga
+++ b/pkg/authz/openfgaschema/base.fga
@@ -8,7 +8,7 @@ type role
  relations
    define assignee: [user, serviceaccount]

-type organization 
+type organisation 
  relations
    define create: [role#assignee]
    define read: [role#assignee]
--- a/pkg/authz/openfgaserver/server.go
+++ b/pkg/authz/openfgaserver/server.go
@@ -8,7 +8,6 @@ import (
 	authz "github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"

 	"github.com/SigNoz/signoz/pkg/factory"
@@ -142,18 +141,18 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 	return response, nil
 }

-func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ coretypes.Resource, _ []coretypes.Selector, roleSelectors []coretypes.Selector) error {
+func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	subject := ""
 	switch claims.Principal {
 	case authtypes.PrincipalUser:
-		user, err := authtypes.NewSubject(coretypes.NewResourceUser(), claims.UserID, orgID, nil)
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 		if err != nil {
 			return err
 		}

 		subject = user
 	case authtypes.PrincipalServiceAccount:
-		serviceAccount, err := authtypes.NewSubject(coretypes.NewResourceServiceAccount(), claims.ServiceAccountID, orgID, nil)
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
 		if err != nil {
 			return err
 		}
@@ -161,7 +160,10 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 		subject = serviceAccount
 	}

-	tupleSlice := authtypes.NewTuples(coretypes.NewResourceRole(), subject, authtypes.Relation{Verb: coretypes.VerbAssignee}, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	if err != nil {
+		return err
+	}

 	// Convert slice to map with generated IDs for internal use
 	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
@@ -183,13 +185,16 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }

-func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ coretypes.Resource, _ []coretypes.Selector, roleSelectors []coretypes.Selector) error {
-	subject, err := authtypes.NewSubject(coretypes.NewResourceAnonymous(), coretypes.AnonymousUser.String(), orgID, nil)
+func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
+	subject, err := authtypes.NewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
 	if err != nil {
 		return err
 	}

-	tupleSlice := authtypes.NewTuples(coretypes.NewResourceRole(), subject, authtypes.Relation{Verb: coretypes.VerbAssignee}, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	if err != nil {
+		return err
+	}

 	// Convert slice to map with generated IDs for internal use
 	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
@@ -288,7 +293,7 @@ func (server *Server) ReadTuples(ctx context.Context, tupleKey *openfgav1.ReadRe
 	return tuples, nil
 }

-func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType coretypes.Type) ([]*coretypes.Object, error) {
+func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, objectType authtypes.Type) ([]*authtypes.Object, error) {
 	storeID, modelID := server.getStoreIDandModelID()
 	response, err := server.openfgaServer.ListObjects(ctx, &openfgav1.ListObjectsRequest{
 		StoreId:              storeID,
@@ -301,7 +306,7 @@ func (server *Server) ListObjects(ctx context.Context, subject string, relation
 		return nil, errors.Wrapf(err, errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "cannot list objects for subject %s with relation %s for type %s", subject, relation.StringValue(), objectType.StringValue())
 	}

-	return coretypes.MustNewObjectsFromStringSlice(response.Objects), nil
+	return authtypes.MustNewObjectsFromStringSlice(response.Objects), nil
 }

 func (server *Server) getOrCreateStore(ctx context.Context, name string) (string, error) {
--- a/pkg/authz/openfgaserver/server_test.go
+++ b/pkg/authz/openfgaserver/server_test.go
@@ -18,7 +18,7 @@ func TestProviderStartStop(t *testing.T) {
 	providerSettings := instrumentationtest.New().ToProviderSettings()
 	sqlstore := sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherRegexp)

-	openfgaDataStore, err := NewSQLStore(sqlstore, authz.Config{OpenFGA: authz.OpenFGAConfig{MaxTuplesPerWrite: 100}})
+	openfgaDataStore, err := NewSQLStore(sqlstore)
 	require.NoError(t, err)

 	expectedModel := `module base 
--- a/pkg/authz/openfgaserver/sqlstore.go
+++ b/pkg/authz/openfgaserver/sqlstore.go
@@ -1,7 +1,6 @@
 package openfgaserver

 import (
-	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/openfga/openfga/pkg/storage"
@@ -9,11 +8,11 @@ import (
 	"github.com/openfga/openfga/pkg/storage/sqlite"
 )

-func NewSQLStore(store sqlstore.SQLStore, config authz.Config) (storage.OpenFGADatastore, error) {
+func NewSQLStore(store sqlstore.SQLStore) (storage.OpenFGADatastore, error) {
 	switch store.BunDB().Dialect().Name().String() {
 	case "sqlite":
 		return sqlite.NewWithDB(store.SQLDB(), &sqlcommon.Config{
-			MaxTuplesPerWriteField: config.OpenFGA.MaxTuplesPerWrite,
+			MaxTuplesPerWriteField: 100,
 			MaxTypesPerModelField:  100,
 		})

--- a/pkg/authz/signozauthzapi/handler.go
+++ b/pkg/authz/signozauthzapi/handler.go
@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -98,20 +97,25 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "relation is missing from the request"))
 		return
 	}
-
-	relation, err := coretypes.NewVerb(relationStr)
+	relation, err := authtypes.NewRelation(relationStr)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}

-	objects, err := handler.authz.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, authtypes.Relation{Verb: relation})
+	objects, err := handler.authz.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, relation)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}

-	render.Success(rw, http.StatusOK, coretypes.NewObjectGroupsFromObjects(objects))
+	render.Success(rw, http.StatusOK, authtypes.NewGettableObjects(objects))
+}
+
+func (handler *handler) GetResources(rw http.ResponseWriter, r *http.Request) {
+	resources := handler.authz.GetResources(r.Context())
+
+	render.Success(rw, http.StatusOK, authtypes.NewGettableResources(resources))
 }

 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -186,7 +190,7 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	relation, err := coretypes.NewVerb(mux.Vars(r)["relation"])
+	relation, err := authtypes.NewRelation(mux.Vars(r)["relation"])
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -203,19 +207,19 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	req := new(coretypes.PatchableObjects)
+	req := new(authtypes.PatchableObjects)
 	if err := binding.JSON.BindBody(r.Body, req); err != nil {
 		render.Error(rw, err)
 		return
 	}

-	additions, deletions, err := coretypes.NewPatchableObjects(req.Additions, req.Deletions, relation)
+	additions, deletions, err := authtypes.NewPatchableObjects(req.Additions, req.Deletions, relation)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}

-	err = handler.authz.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), role.Name, authtypes.Relation{Verb: relation}, additions, deletions)
+	err = handler.authz.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), role.Name, relation, additions, deletions)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -262,7 +266,7 @@ func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
 	}

 	orgID := valuer.MustNewUUID(claims.OrgID)
-	subject, err := authtypes.NewSubject(coretypes.NewResourceUser(), claims.UserID, orgID, nil)
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		render.Error(rw, err)
 		return
--- a/pkg/factory/registry_test.go
+++ b/pkg/factory/registry_test.go
@@ -171,7 +171,7 @@ func TestAwaitHealthy(t *testing.T) {
 func TestAwaitHealthyWithFailure(t *testing.T) {
 	s1 := &failingHealthyService{
 		healthyC: make(chan struct{}),
-		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal, "startup failed"),
+		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal,"startup failed"),
 	}

 	registry, err := NewRegistry(context.Background(), slog.New(slog.DiscardHandler), NewNamedService(MustNewName("s1"), s1))
@@ -245,7 +245,7 @@ func TestDependsOnStartsAfterDependency(t *testing.T) {
 func TestDependsOnFailsWhenDependencyFails(t *testing.T) {
 	s1 := &failingHealthyService{
 		healthyC: make(chan struct{}),
-		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal, "s1 crashed"),
+		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal,"s1 crashed"),
 	}
 	s2 := newTestService(t)

@@ -291,7 +291,7 @@ func TestDependsOnUnknownServiceIsIgnored(t *testing.T) {
 func TestServiceStateFailed(t *testing.T) {
 	s1 := &failingHealthyService{
 		healthyC: make(chan struct{}),
-		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal, "fatal error"),
+		err:      errors.Newf(errors.TypeInternal, errors.CodeInternal,"fatal error"),
 	}

 	registry, err := NewRegistry(context.Background(), slog.New(slog.DiscardHandler), NewNamedService(MustNewName("s1"), s1))
--- a/pkg/http/binding/query_test.go
+++ b/pkg/http/binding/query_test.go
@@ -15,24 +15,12 @@ func TestQueryBinding_BindQuery(t *testing.T) {
 		obj      any
 		expected any
 	}{
-		{name: "SingleIntField_NonEmptyValue", query: map[string][]string{"a": {"1"}}, obj: &struct {
-			A int `query:"a"`
-		}{}, expected: &struct{ A int }{A: 1}},
-		{name: "SingleIntField_EmptyValue", query: map[string][]string{"a": {""}}, obj: &struct {
-			A int `query:"a"`
-		}{}, expected: &struct{ A int }{A: 0}},
-		{name: "SingleIntField_MissingField", query: map[string][]string{}, obj: &struct {
-			A int `query:"a"`
-		}{}, expected: &struct{ A int }{A: 0}},
-		{name: "SinglePointerIntField_NonEmptyValue", query: map[string][]string{"a": {"1"}}, obj: &struct {
-			A *int `query:"a"`
-		}{}, expected: &struct{ A *int }{A: &one}},
-		{name: "SinglePointerIntField_EmptyValue", query: map[string][]string{"a": {""}}, obj: &struct {
-			A *int `query:"a"`
-		}{}, expected: &struct{ A *int }{A: &zero}},
-		{name: "SinglePointerIntField_MissingField", query: map[string][]string{}, obj: &struct {
-			A *int `query:"a"`
-		}{}, expected: &struct{ A *int }{A: nil}},
+		{name: "SingleIntField_NonEmptyValue", query: map[string][]string{"a": {"1"}}, obj: &struct{A int `query:"a"`}{}, expected: &struct{ A int }{A: 1}},
+		{name: "SingleIntField_EmptyValue", query: map[string][]string{"a": {""}}, obj: &struct{A int `query:"a"`}{}, expected: &struct{ A int }{A: 0}},
+		{name: "SingleIntField_MissingField", query: map[string][]string{}, obj: &struct{A int `query:"a"`}{}, expected: &struct{ A int }{A: 0}},
+		{name: "SinglePointerIntField_NonEmptyValue", query: map[string][]string{"a": {"1"}}, obj: &struct{A *int `query:"a"`}{}, expected: &struct{ A *int }{A: &one}},
+		{name: "SinglePointerIntField_EmptyValue", query: map[string][]string{"a": {""}}, obj: &struct{A *int `query:"a"`}{}, expected: &struct{ A *int }{A: &zero}},
+		{name: "SinglePointerIntField_MissingField", query: map[string][]string{}, obj: &struct{A *int `query:"a"`}{}, expected: &struct{ A *int }{A: nil}},
 	}

 	for _, testCase := range testCases {
--- a/pkg/http/handler/option.go
+++ b/pkg/http/handler/option.go
@@ -2,15 +2,14 @@ package handler

 import (
 	"github.com/SigNoz/signoz/pkg/types/audittypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 )

 // Option configures optional behaviour on a handler created by New.
 type Option func(*handler)

 type AuditDef struct {
-	ResourceKind    coretypes.Kind            //  Typeable.Kind() value, e.g. "dashboard", "user".
-	Action          coretypes.Verb            // create, update, delete, etc.
+	ResourceKind    string                    // AuthZ Typeable.Kind() value, e.g. "dashboard", "user".
+	Action          audittypes.Action         // create, update, delete, login, etc.
 	Category        audittypes.ActionCategory // access_control, configuration_change, etc.
 	ResourceIDParam string                    // Gorilla mux path param name for the resource ID.
 }
--- a/pkg/http/middleware/authz.go
+++ b/pkg/http/middleware/authz.go
@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -41,18 +40,18 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		selectors := []coretypes.Selector{
-			coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
-			coretypes.TypeRole.MustSelector(authtypes.SigNozEditorRoleName),
-			coretypes.TypeRole.MustSelector(authtypes.SigNozViewerRoleName),
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozViewerRoleName),
 		}

 		err = middleware.authzService.CheckWithTupleCreation(
 			ctx,
 			claims,
 			valuer.MustNewUUID(claims.OrgID),
-			authtypes.Relation{Verb: coretypes.VerbAssignee},
-			coretypes.NewResourceRole(),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
 			selectors,
 			selectors,
 		)
@@ -80,17 +79,17 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		selectors := []coretypes.Selector{
-			coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
-			coretypes.TypeRole.MustSelector(authtypes.SigNozEditorRoleName),
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
 		}

 		err = middleware.authzService.CheckWithTupleCreation(
 			ctx,
 			claims,
 			valuer.MustNewUUID(claims.OrgID),
-			authtypes.Relation{Verb: coretypes.VerbAssignee},
-			coretypes.NewResourceRole(),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
 			selectors,
 			selectors,
 		)
@@ -118,16 +117,16 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		selectors := []coretypes.Selector{
-			coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		}

 		err = middleware.authzService.CheckWithTupleCreation(
 			ctx,
 			claims,
 			valuer.MustNewUUID(claims.OrgID),
-			authtypes.Relation{Verb: coretypes.VerbAssignee},
-			coretypes.NewResourceRole(),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
 			selectors,
 			selectors,
 		)
@@ -154,16 +153,16 @@ func (middleware *AuthZ) SelfAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		selectors := []coretypes.Selector{
-			coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		}

 		err = middleware.authzService.CheckWithTupleCreation(
 			req.Context(),
 			claims,
 			valuer.MustNewUUID(claims.OrgID),
-			authtypes.Relation{Verb: coretypes.VerbAssignee},
-			coretypes.NewResourceRole(),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
 			selectors,
 			selectors,
 		)
@@ -186,7 +185,7 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
 	})
 }

-func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb authtypes.SelectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
+func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		claims, err := authtypes.ClaimsFromContext(ctx)
@@ -201,9 +200,9 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 			return
 		}

-		roleSelectors := []coretypes.Selector{}
+		roleSelectors := []authtypes.Selector{}
 		for _, role := range roles {
-			roleSelectors = append(roleSelectors, coretypes.TypeRole.MustSelector(role))
+			roleSelectors = append(roleSelectors, authtypes.MustNewSelector(authtypes.TypeRole, role))
 		}

 		err = middleware.authzService.CheckWithTupleCreation(ctx, claims, valuer.MustNewUUID(claims.OrgID), relation, typeable, selectors, roleSelectors)
@@ -216,7 +215,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 	})
 }

-func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb authtypes.SelectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
+func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		orgs, err := middleware.orgGetter.ListByOwnedKeyRange(ctx)
@@ -231,9 +230,9 @@ func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation auth
 			return
 		}

-		roleSelectors := []coretypes.Selector{}
+		roleSelectors := []authtypes.Selector{}
 		for _, role := range roles {
-			roleSelectors = append(roleSelectors, coretypes.TypeRole.MustSelector(role))
+			roleSelectors = append(roleSelectors, authtypes.MustNewSelector(authtypes.TypeRole, role))
 		}

 		err = middleware.authzService.CheckWithTupleCreationWithoutClaims(ctx, orgId, relation, typeable, selectors, roleSelectors)
--- a/pkg/modules/dashboard/dashboard.go
+++ b/pkg/modules/dashboard/dashboard.go
@@ -4,9 +4,10 @@ import (
 	"context"
 	"net/http"

+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/statsreporter"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	"github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -26,7 +27,7 @@ type Module interface {
 	GetPublicWidgetQueryRange(context.Context, valuer.UUID, uint64, uint64, uint64) (*querybuildertypesv5.QueryRangeResponse, error)

 	// gets the selectors and org for the given public dashboard
-	GetPublicDashboardSelectorsAndOrg(context.Context, valuer.UUID, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)
+	GetPublicDashboardSelectorsAndOrg(context.Context, valuer.UUID, []*types.Organization) ([]authtypes.Selector, valuer.UUID, error)

 	// updates the public sharing config for a dashboard
 	UpdatePublic(context.Context, valuer.UUID, *dashboardtypes.PublicDashboard) error
@@ -49,6 +50,8 @@ type Module interface {
 	GetByMetricNames(ctx context.Context, orgID valuer.UUID, metricNames []string) (map[string][]map[string]string, error)

 	statsreporter.StatsCollector
+
+	authz.RegisterTypeable
 }

 type Handler interface {
--- a/pkg/modules/dashboard/impldashboard/handler.go
+++ b/pkg/modules/dashboard/impldashboard/handler.go
@@ -16,7 +16,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/transition"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
@@ -159,15 +158,15 @@ func (handler *handler) LockUnlock(rw http.ResponseWriter, r *http.Request) {
 	}

 	isAdmin := false
-	selectors := []coretypes.Selector{
-		coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
+	selectors := []authtypes.Selector{
+		authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 	}
 	err = handler.authz.CheckWithTupleCreation(
 		ctx,
 		claims,
 		valuer.MustNewUUID(claims.OrgID),
-		authtypes.Relation{Verb: coretypes.VerbAssignee},
-		coretypes.NewResourceRole(),
+		authtypes.RelationAssignee,
+		authtypes.TypeableRole,
 		selectors,
 		selectors,
 	)
--- a/pkg/modules/dashboard/impldashboard/module.go
+++ b/pkg/modules/dashboard/impldashboard/module.go
@@ -12,7 +12,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -202,6 +202,14 @@ func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 	return dashboardtypes.NewStatsFromStorableDashboards(dashboards), nil
 }

+func (module *module) MustGetTypeables() []authtypes.Typeable {
+	return []authtypes.Typeable{dashboardtypes.TypeableMetaResourceDashboard, dashboardtypes.TypeableMetaResourcesDashboards}
+}
+
+func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.Transaction {
+	return nil
+}
+
 // CreatePublic is not supported.
 func (module *module) CreatePublic(ctx context.Context, orgID valuer.UUID, publicDashboard *dashboardtypes.PublicDashboard) error {
 	return errors.Newf(errors.TypeUnsupported, dashboardtypes.ErrCodePublicDashboardUnsupported, "not implemented")
@@ -219,7 +227,7 @@ func (module *module) GetPublicWidgetQueryRange(context.Context, valuer.UUID, ui
 	return nil, errors.Newf(errors.TypeUnsupported, dashboardtypes.ErrCodePublicDashboardUnsupported, "not implemented")
 }

-func (module *module) GetPublicDashboardSelectorsAndOrg(_ context.Context, _ valuer.UUID, _ []*types.Organization) ([]coretypes.Selector, valuer.UUID, error) {
+func (module *module) GetPublicDashboardSelectorsAndOrg(_ context.Context, _ valuer.UUID, _ []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 	return nil, valuer.UUID{}, errors.Newf(errors.TypeUnsupported, dashboardtypes.ErrCodePublicDashboardUnsupported, "not implemented")
 }

--- a/pkg/modules/serviceaccount/implserviceaccount/module.go
+++ b/pkg/modules/serviceaccount/implserviceaccount/module.go
@@ -12,7 +12,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/cachetypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
@@ -145,7 +144,7 @@ func (module *module) DeleteRole(ctx context.Context, orgID valuer.UUID, id valu
 		return err
 	}

-	err = module.authz.Revoke(ctx, orgID, []string{role.Name}, authtypes.MustNewSubject(coretypes.NewResourceServiceAccount(), id.String(), orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, []string{role.Name}, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.String(), orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -188,7 +187,7 @@ func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.U
 		return err
 	}

-	err = module.authz.Revoke(ctx, orgID, serviceAccount.RoleNames(), authtypes.MustNewSubject(coretypes.NewResourceServiceAccount(), id.StringValue(), orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, serviceAccount.RoleNames(), authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.StringValue(), orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -387,7 +386,7 @@ func (module *module) setRole(ctx context.Context, orgID valuer.UUID, id valuer.
 		return err
 	}

-	err = module.authz.ModifyGrant(ctx, orgID, serviceAccount.RoleNames(), []string{role.Name}, authtypes.MustNewSubject(coretypes.NewResourceServiceAccount(), id.String(), orgID, nil))
+	err = module.authz.ModifyGrant(ctx, orgID, serviceAccount.RoleNames(), []string{role.Name}, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.String(), orgID, nil))
 	if err != nil {
 		return err
 	}
--- a/pkg/modules/tracefunnel/tracefunnel.go
+++ b/pkg/modules/tracefunnel/tracefunnel.go
@@ -2,9 +2,8 @@ package tracefunnel

 import (
 	"context"
-	"net/http"
-
 	"github.com/SigNoz/signoz/pkg/valuer"
+	"net/http"

 	traceFunnels "github.com/SigNoz/signoz/pkg/types/tracefunneltypes"
 )
--- a/pkg/modules/user/impluser/service.go
+++ b/pkg/modules/user/impluser/service.go
@@ -11,7 +11,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

@@ -44,8 +43,8 @@ func NewService(
 		orgGetter: orgGetter,
 		authz:     authz,
 		config:    config,
-		stopC:     make(chan struct{}),
-		healthyC:  make(chan struct{}),
+		stopC:    make(chan struct{}),
+		healthyC: make(chan struct{}),
 	}
 }

@@ -149,7 +148,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 			orgID,
 			existingUserRoleNames,
 			[]string{authtypes.SigNozAdminRoleName},
-			authtypes.MustNewSubject(coretypes.NewResourceUser(), existingUser.ID.StringValue(), orgID, nil),
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
 		); err != nil {
 			return err
 		}
--- a/pkg/modules/user/impluser/setter.go
+++ b/pkg/modules/user/impluser/setter.go
@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
 	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -177,7 +176,7 @@ func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...
 			ctx,
 			user.OrgID,
 			createUserOpts.RoleNames,
-			authtypes.MustNewSubject(coretypes.NewResourceUser(), user.ID.StringValue(), user.OrgID, nil),
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		)
 		if err != nil {
 			return err
@@ -237,15 +236,15 @@ func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUI
 	roleChange := user.Role != "" && user.Role != existingUser.Role

 	if roleChange {
-		selectors := []coretypes.Selector{
-			coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName),
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		}
 		err = module.authz.CheckWithTupleCreation(
 			ctx,
 			claims,
 			valuer.MustNewUUID(claims.OrgID),
-			authtypes.Relation{Verb: coretypes.VerbAssignee},
-			coretypes.NewResourceRole(),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
 			selectors,
 			selectors,
 		)
@@ -265,7 +264,7 @@ func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUI
 			orgID,
 			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
 			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-			authtypes.MustNewSubject(coretypes.NewResourceUser(), id, orgID, nil),
+			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
 		)
 		if err != nil {
 			return nil, err
@@ -401,7 +400,7 @@ func (module *setter) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		ctx,
 		orgID,
 		roleNames,
-		authtypes.MustNewSubject(coretypes.NewResourceUser(), id, orgID, nil),
+		authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
 	)
 	if err != nil {
 		return err
@@ -587,7 +586,7 @@ func (module *setter) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			ctx,
 			user.OrgID,
 			roleNames,
-			authtypes.MustNewSubject(coretypes.NewResourceUser(), user.ID.StringValue(), user.OrgID, nil),
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
 		}
@@ -720,7 +719,7 @@ func (module *setter) CreateFirstUser(ctx context.Context, organization *types.O
 			return err
 		}

-		err = module.createUserWithoutGrant(ctx, user, root.WithFactorPassword(password), root.WithRoleNames(roleNames))
+		err = module.CreateUser(ctx, user, root.WithFactorPassword(password), root.WithRoleNames(roleNames))
 		if err != nil {
 			return err
 		}
@@ -797,7 +796,7 @@ func (module *setter) activatePendingUser(ctx context.Context, user *types.User,
 			ctx,
 			user.OrgID,
 			createUserOpts.RoleNames,
-			authtypes.MustNewSubject(coretypes.NewResourceUser(), user.ID.StringValue(), user.OrgID, nil),
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		)
 		if err != nil {
 			return err
@@ -891,7 +890,7 @@ func (module *setter) AddUserRole(ctx context.Context, orgID, userID valuer.UUID
 		orgID,
 		existingRoles,
 		[]string{roleName},
-		authtypes.MustNewSubject(coretypes.NewResourceUser(), existingUser.ID.StringValue(), existingUser.OrgID, nil),
+		authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), existingUser.OrgID, nil),
 	); err != nil {
 		return err
 	}
@@ -954,7 +953,7 @@ func (module *setter) RemoveUserRole(ctx context.Context, orgID, userID valuer.U
 		ctx,
 		orgID,
 		[]string{roleName},
-		authtypes.MustNewSubject(coretypes.NewResourceUser(), existingUser.ID.StringValue(), existingUser.OrgID, nil),
+		authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), existingUser.OrgID, nil),
 	); err != nil {
 		return err
 	}
--- a/pkg/parser/filterquery/grammar/filterquery_lexer.go
+++ b/pkg/parser/filterquery/grammar/filterquery_lexer.go
@@ -4,10 +4,9 @@ package parser

 import (
 	"fmt"
+	"github.com/antlr4-go/antlr/v4"
 	"sync"
 	"unicode"
-
-	"github.com/antlr4-go/antlr/v4"
 )

 // Suppress unused import error
--- a/pkg/parser/havingexpression/grammar/havingexpression_lexer.go
+++ b/pkg/parser/havingexpression/grammar/havingexpression_lexer.go
@@ -4,10 +4,9 @@ package parser

 import (
 	"fmt"
+	"github.com/antlr4-go/antlr/v4"
 	"sync"
 	"unicode"
-
-	"github.com/antlr4-go/antlr/v4"
 )

 // Suppress unused import error
--- a/pkg/prometheus/clickhouseprometheus/client_query_test.go
+++ b/pkg/prometheus/clickhouseprometheus/client_query_test.go
@@ -2,12 +2,11 @@ package clickhouseprometheus

 import (
 	"context"
-	"sort"
-	"testing"
-
 	"github.com/SigNoz/signoz/pkg/telemetrystore/telemetrystoretest"
 	cmock "github.com/srikanthccv/ClickHouse-go-mock"
 	"github.com/stretchr/testify/require"
+	"sort"
+	"testing"

 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
--- a/pkg/prometheus/prometheustest/utils_test.go
+++ b/pkg/prometheus/prometheustest/utils_test.go
@@ -1,11 +1,10 @@
 package prometheustest

 import (
-	"testing"
-
 	"github.com/SigNoz/signoz/pkg/prometheus"
 	"github.com/prometheus/prometheus/model/labels"
 	"github.com/prometheus/prometheus/promql"
+	"testing"
 )

 func TestRemoveExtraLabels(t *testing.T) {
--- a/pkg/querier/promql_query_test.go
+++ b/pkg/querier/promql_query_test.go
@@ -251,10 +251,10 @@ func TestEnhancePromQLError(t *testing.T) {

 	t.Run("quoted metric outside braces patterns", func(t *testing.T) {
 		tests := []struct {
-			name             string
-			query            string
-			wantHint         bool
-			wantMetricInHint string
+			name               string
+			query              string
+			wantHint           bool
+			wantMetricInHint   string
 		}{
 			{
 				name:             "quoted metric name followed by selector",
--- a/pkg/query-service/app/clickhouseReader/reader.go
+++ b/pkg/query-service/app/clickhouseReader/reader.go
@@ -24,7 +24,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
-	"github.com/SigNoz/signoz/pkg/types/retentiontypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/valuer"

@@ -1426,7 +1425,7 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 			// we will change ttl for only the new parts and not the old ones
 			query += " SETTINGS materialize_ttl_after_modify=0"

-			ttl := retentiontypes.TTLSetting{
+			ttl := types.TTLSetting{
 				Identifiable: types.Identifiable{
 					ID: valuer.GenerateUUID(),
 				},
@@ -1461,7 +1460,7 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 						sqlDB.
 						BunDB().
 						NewUpdate().
-						Model(new(retentiontypes.TTLSetting)).
+						Model(new(types.TTLSetting)).
 						Set("updated_at = ?", time.Now()).
 						Set("status = ?", constants.StatusFailed).
 						Where("id = ?", statusItem.ID.StringValue()).
@@ -1481,7 +1480,7 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 					sqlDB.
 					BunDB().
 					NewUpdate().
-					Model(new(retentiontypes.TTLSetting)).
+					Model(new(types.TTLSetting)).
 					Set("updated_at = ?", time.Now()).
 					Set("status = ?", constants.StatusFailed).
 					Where("id = ?", statusItem.ID.StringValue()).
@@ -1496,7 +1495,7 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 				sqlDB.
 				BunDB().
 				NewUpdate().
-				Model(new(retentiontypes.TTLSetting)).
+				Model(new(types.TTLSetting)).
 				Set("updated_at = ?", time.Now()).
 				Set("status = ?", constants.StatusSuccess).
 				Where("id = ?", statusItem.ID.StringValue()).
@@ -1564,7 +1563,7 @@ func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, param
 				timestamp = "end"
 			}

-			ttl := retentiontypes.TTLSetting{
+			ttl := types.TTLSetting{
 				Identifiable: types.Identifiable{
 					ID: valuer.GenerateUUID(),
 				},
@@ -1611,7 +1610,7 @@ func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, param
 						sqlDB.
 						BunDB().
 						NewUpdate().
-						Model(new(retentiontypes.TTLSetting)).
+						Model(new(types.TTLSetting)).
 						Set("updated_at = ?", time.Now()).
 						Set("status = ?", constants.StatusFailed).
 						Where("id = ?", statusItem.ID.StringValue()).
@@ -1632,7 +1631,7 @@ func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, param
 					sqlDB.
 					BunDB().
 					NewUpdate().
-					Model(new(retentiontypes.TTLSetting)).
+					Model(new(types.TTLSetting)).
 					Set("updated_at = ?", time.Now()).
 					Set("status = ?", constants.StatusFailed).
 					Where("id = ?", statusItem.ID.StringValue()).
@@ -1647,7 +1646,7 @@ func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, param
 				sqlDB.
 				BunDB().
 				NewUpdate().
-				Model(new(retentiontypes.TTLSetting)).
+				Model(new(types.TTLSetting)).
 				Set("updated_at = ?", time.Now()).
 				Set("status = ?", constants.StatusSuccess).
 				Where("id = ?", statusItem.ID.StringValue()).
@@ -1839,7 +1838,7 @@ func (r *ClickHouseReader) SetTTLV2(ctx context.Context, orgID string, params *m
 	}

 	for tableName, queries := range ttlPayload {
-		customTTL := retentiontypes.TTLSetting{
+		customTTL := types.TTLSetting{
 			Identifiable: types.Identifiable{
 				ID: valuer.GenerateUUID(),
 			},
@@ -1978,7 +1977,7 @@ func (r *ClickHouseReader) GetCustomRetentionTTL(ctx context.Context, orgID stri
 		response.Version = "v2"

 		// Get the latest custom retention TTL setting
-		customTTL := new(retentiontypes.TTLSetting)
+		customTTL := new(types.TTLSetting)
 		err := r.sqlDB.BunDB().NewSelect().
 			Model(customTTL).
 			Where("org_id = ?", orgID).
@@ -2047,8 +2046,8 @@ func (r *ClickHouseReader) GetCustomRetentionTTL(ctx context.Context, orgID stri
 	return response, nil
 }

-func (r *ClickHouseReader) checkCustomRetentionTTLStatusItem(ctx context.Context, orgID string, tableName string) (*retentiontypes.TTLSetting, error) {
-	ttl := new(retentiontypes.TTLSetting)
+func (r *ClickHouseReader) checkCustomRetentionTTLStatusItem(ctx context.Context, orgID string, tableName string) (*types.TTLSetting, error) {
+	ttl := new(types.TTLSetting)
 	err := r.sqlDB.BunDB().NewSelect().
 		Model(ttl).
 		Where("table_name = ?", tableName).
@@ -2069,7 +2068,7 @@ func (r *ClickHouseReader) updateCustomRetentionTTLStatus(ctx context.Context, o
 	statusItem, apiErr := r.checkCustomRetentionTTLStatusItem(ctx, orgID, tableName)
 	if apiErr == nil && statusItem != nil {
 		_, dbErr := r.sqlDB.BunDB().NewUpdate().
-			Model(new(retentiontypes.TTLSetting)).
+			Model(new(types.TTLSetting)).
 			Set("updated_at = ?", time.Now()).
 			Set("status = ?", status).
 			Where("id = ?", statusItem.ID.StringValue()).
@@ -2236,7 +2235,7 @@ func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, para
 		}
 	}
 	metricTTL := func(tableName string) {
-		ttl := retentiontypes.TTLSetting{
+		ttl := types.TTLSetting{
 			Identifiable: types.Identifiable{
 				ID: valuer.GenerateUUID(),
 			},
@@ -2283,7 +2282,7 @@ func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, para
 					sqlDB.
 					BunDB().
 					NewUpdate().
-					Model(new(retentiontypes.TTLSetting)).
+					Model(new(types.TTLSetting)).
 					Set("updated_at = ?", time.Now()).
 					Set("status = ?", constants.StatusFailed).
 					Where("id = ?", statusItem.ID.StringValue()).
@@ -2304,7 +2303,7 @@ func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, para
 				sqlDB.
 				BunDB().
 				NewUpdate().
-				Model(new(retentiontypes.TTLSetting)).
+				Model(new(types.TTLSetting)).
 				Set("updated_at = ?", time.Now()).
 				Set("status = ?", constants.StatusFailed).
 				Where("id = ?", statusItem.ID.StringValue()).
@@ -2319,7 +2318,7 @@ func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, para
 			sqlDB.
 			BunDB().
 			NewUpdate().
-			Model(new(retentiontypes.TTLSetting)).
+			Model(new(types.TTLSetting)).
 			Set("updated_at = ?", time.Now()).
 			Set("status = ?", constants.StatusSuccess).
 			Where("id = ?", statusItem.ID.StringValue()).
@@ -2342,7 +2341,7 @@ func (r *ClickHouseReader) deleteTtlTransactions(ctx context.Context, orgID stri
 		BunDB().
 		NewSelect().
 		Column("transaction_id").
-		Model(new(retentiontypes.TTLSetting)).
+		Model(new(types.TTLSetting)).
 		Where("org_id = ?", orgID).
 		Group("transaction_id").
 		OrderExpr("MAX(created_at) DESC").
@@ -2357,7 +2356,7 @@ func (r *ClickHouseReader) deleteTtlTransactions(ctx context.Context, orgID stri
 		sqlDB.
 		BunDB().
 		NewDelete().
-		Model(new(retentiontypes.TTLSetting)).
+		Model(new(types.TTLSetting)).
 		Where("transaction_id NOT IN (?)", bun.In(limitTransactions)).
 		Exec(ctx)
 	if err != nil {
@@ -2366,9 +2365,9 @@ func (r *ClickHouseReader) deleteTtlTransactions(ctx context.Context, orgID stri
 }

 // checkTTLStatusItem checks if ttl_status table has an entry for the given table name
-func (r *ClickHouseReader) checkTTLStatusItem(ctx context.Context, orgID string, tableName string) (*retentiontypes.TTLSetting, *model.ApiError) {
+func (r *ClickHouseReader) checkTTLStatusItem(ctx context.Context, orgID string, tableName string) (*types.TTLSetting, *model.ApiError) {
 	r.logger.Info("checkTTLStatusItem query", "tableName", tableName)
-	ttl := new(retentiontypes.TTLSetting)
+	ttl := new(types.TTLSetting)
 	err := r.
 		sqlDB.
 		BunDB().
@@ -2392,7 +2391,7 @@ func (r *ClickHouseReader) getTTLQueryStatus(ctx context.Context, orgID string,
 	status := constants.StatusSuccess
 	for _, tableName := range tableNameArray {
 		statusItem, apiErr := r.checkTTLStatusItem(ctx, orgID, tableName)
-		emptyStatusStruct := new(retentiontypes.TTLSetting)
+		emptyStatusStruct := new(types.TTLSetting)
 		if statusItem == emptyStatusStruct {
 			return "", nil
 		}
--- a/pkg/query-service/app/inframetrics/hosts.go
+++ b/pkg/query-service/app/inframetrics/hosts.go
@@ -9,8 +9,6 @@ import (
 	"strings"
 	"time"

-	"log/slog"
-
 	"github.com/SigNoz/signoz/pkg/query-service/app/metrics/v4/helpers"
 	"github.com/SigNoz/signoz/pkg/query-service/common"
 	"github.com/SigNoz/signoz/pkg/query-service/constants"
@@ -19,6 +17,7 @@ import (
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
 	"github.com/SigNoz/signoz/pkg/query-service/postprocess"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
+	"log/slog"

 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
--- a/pkg/query-service/app/metrics/v4/helpers/series_agg_helper.go
+++ b/pkg/query-service/app/metrics/v4/helpers/series_agg_helper.go
@@ -2,7 +2,6 @@ package helpers

 import (
 	"fmt"
-
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
 )

--- a/pkg/query-service/app/querier/querier_test.go
+++ b/pkg/query-service/app/querier/querier_test.go
@@ -3,9 +3,9 @@ package querier
 import (
 	"context"
 	"fmt"
-	"log/slog"
 	"math"
 	"strings"
+	"log/slog"
 	"testing"
 	"time"

--- a/pkg/query-service/app/querier/v2/querier_test.go
+++ b/pkg/query-service/app/querier/v2/querier_test.go
@@ -3,9 +3,9 @@ package v2
 import (
 	"context"
 	"fmt"
-	"log/slog"
 	"math"
 	"strings"
+	"log/slog"
 	"testing"
 	"time"

--- a/pkg/query-service/app/server.go
+++ b/pkg/query-service/app/server.go
@@ -115,7 +115,7 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {

 	s := &Server{
 		config:             config,
-		signoz:             signoz,
+		signoz:       signoz,
 		httpHostPort:       constants.HTTPHostPort,
 		unavailableChannel: make(chan healthcheck.Status),
 	}
@@ -297,3 +297,4 @@ func (s *Server) Stop(ctx context.Context) error {

 	return nil
 }
+
--- a/pkg/query-service/model/response_easyjson.go
+++ b/pkg/query-service/model/response_easyjson.go
@@ -4,7 +4,6 @@ package model

 import (
 	json "encoding/json"
-
 	easyjson "github.com/mailru/easyjson"
 	jlexer "github.com/mailru/easyjson/jlexer"
 	jwriter "github.com/mailru/easyjson/jwriter"
--- a/pkg/query-service/utils/format.go
+++ b/pkg/query-service/utils/format.go
@@ -247,11 +247,7 @@ func ClickHouseFormattedMetricNames(v interface{}) string {

 func AddBackTickToFormatTag(str string) string {
 	if strings.Contains(str, ".") || strings.Contains(str, "-") {
-		if strings.HasPrefix(str, "`") && strings.HasSuffix(str, "`") {
-			return str
-		} else {
-			return "`" + str + "`"
-		}
+		if strings.HasPrefix(str, "`") && strings.HasSuffix(str, "`") { return str } else { return "`" + str + "`" }
 	} else {
 		return str
 	}
--- a/pkg/signoz/signoz.go
+++ b/pkg/signoz/signoz.go
@@ -100,7 +100,7 @@ func New(
 	sqlstoreProviderFactories factory.NamedMap[factory.ProviderFactory[sqlstore.SQLStore, sqlstore.Config]],
 	telemetrystoreProviderFactories factory.NamedMap[factory.ProviderFactory[telemetrystore.TelemetryStore, telemetrystore.Config]],
 	authNsCallback func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error),
-	authzCallback func(context.Context, sqlstore.SQLStore, authz.Config, licensing.Licensing, []authz.OnBeforeRoleDelete) (factory.ProviderFactory[authz.AuthZ, authz.Config], error),
+	authzCallback func(context.Context, sqlstore.SQLStore, licensing.Licensing, []authz.OnBeforeRoleDelete, dashboard.Module) (factory.ProviderFactory[authz.AuthZ, authz.Config], error),
 	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, queryparser.QueryParser, querier.Querier, licensing.Licensing) dashboard.Module,
 	gatewayProviderFactory func(licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config],
 	auditorProviderFactories func(licensing.Licensing) factory.NamedMap[factory.ProviderFactory[auditor.Auditor, auditor.Config]],
@@ -325,7 +325,7 @@ func New(
 	// Initialize query parser (needed for dashboard module)
 	queryParser := queryparser.New(providerSettings)

-	// Initialize dashboard module
+	// Initialize dashboard module (needed for authz registry)
 	dashboard := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, queryParser, querier, licensing)

 	// Initialize user getter
@@ -341,7 +341,7 @@ func New(
 	}

 	// Initialize authz
-	authzProviderFactory, err := authzCallback(ctx, sqlstore, config.Authz, licensing, onBeforeRoleDelete)
+	authzProviderFactory, err := authzCallback(ctx, sqlstore, licensing, onBeforeRoleDelete, dashboard)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/sqlmigration/037_add_trace_funnels.go
+++ b/pkg/sqlmigration/037_add_trace_funnels.go
@@ -2,7 +2,6 @@ package sqlmigration

 import (
 	"context"
-
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
--- a/pkg/sqlmigration/049_add_route_policy.go
+++ b/pkg/sqlmigration/049_add_route_policy.go
@@ -5,9 +5,6 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
-	"log/slog"
-	"time"
-
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlschema"
@@ -17,6 +14,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/migrate"
+	"log/slog"
+	"time"
 )

 // Shared types for migration
--- a/pkg/sqlmigration/061_migrate_rbac_to_authz.go
+++ b/pkg/sqlmigration/061_migrate_rbac_to_authz.go
@@ -8,7 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/oklog/ulid/v2"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/dialect"
@@ -125,7 +125,7 @@ func (migration *migrateRbacToAuthz) Up(ctx context.Context, db *bun.DB) error {

 		tuples = append(tuples, tuple{
 			OrgID:    orgID,
-			ID:       coretypes.AnonymousUser.StringValue(),
+			ID:       authtypes.AnonymousUser.StringValue(),
 			Type:     "anonymous",
 			RoleName: "signoz-anonymous",
 		})
--- a/pkg/sqlmigration/070_update_planned_maintenance_rule.go
+++ b/pkg/sqlmigration/070_update_planned_maintenance_rule.go
@@ -2,7 +2,6 @@ package sqlmigration

 import (
 	"context"
-
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlschema"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
--- a/pkg/sqlschema/index.go
+++ b/pkg/sqlschema/index.go
@@ -232,3 +232,4 @@ func (index *PartialUniqueIndex) ToDropSQL(fmter SQLFormatter) []byte {

 	return sql
 }
+
--- a/pkg/telemetrystore/telemetrystore.go
+++ b/pkg/telemetrystore/telemetrystore.go
@@ -19,6 +19,7 @@ type TelemetryStoreHook interface {
 	AfterQuery(ctx context.Context, event *QueryEvent)
 }

+
 func WrapBeforeQuery(hooks []TelemetryStoreHook, ctx context.Context, event *QueryEvent) context.Context {
 	for _, hook := range hooks {
 		ctx = hook.BeforeQuery(ctx, event)
--- a/pkg/telemetrystore/telemetrystorehook/settings.go
+++ b/pkg/telemetrystore/telemetrystorehook/settings.go
@@ -10,7 +10,7 @@ import (
 )

 type provider struct {
-	settings telemetrystore.QuerySettings
+	settings          telemetrystore.QuerySettings
 }

 func NewSettingsFactory() factory.ProviderFactory[telemetrystore.TelemetryStoreHook, telemetrystore.Config] {
@@ -21,7 +21,7 @@ func NewSettingsFactory() factory.ProviderFactory[telemetrystore.TelemetryStoreH

 func NewSettings(ctx context.Context, providerSettings factory.ProviderSettings, config telemetrystore.Config) (telemetrystore.TelemetryStoreHook, error) {
 	return &provider{
-		settings: config.Clickhouse.QuerySettings,
+		settings:          config.Clickhouse.QuerySettings,
 	}, nil
 }

--- a/pkg/types/alertmanagertypes/expressionroute.go
+++ b/pkg/types/alertmanagertypes/expressionroute.go
@@ -2,9 +2,8 @@ package alertmanagertypes

 import (
 	"context"
-	"time"
-
 	"github.com/expr-lang/expr"
+	"time"

 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
--- a/pkg/types/audittypes/action.go
+++ b/pkg/types/audittypes/action.go
@@ -0,0 +1,28 @@
+package audittypes
+
+import "github.com/SigNoz/signoz/pkg/valuer"
+
+// Action represents what was done.
+type Action struct {
+	valuer.String
+	pastTense string
+}
+
+var (
+	ActionCreate = Action{valuer.NewString("create"), "created"}
+	ActionUpdate = Action{valuer.NewString("update"), "updated"}
+	ActionDelete = Action{valuer.NewString("delete"), "deleted"}
+)
+
+func (Action) Enum() []any {
+	return []any{
+		ActionCreate,
+		ActionUpdate,
+		ActionDelete,
+	}
+}
+
+// PastTense returns the past-tense form of the action for use in EventName.
+func (a Action) PastTense() string {
+	return a.pastTense
+}
--- a/pkg/types/audittypes/attributes.go
+++ b/pkg/types/audittypes/attributes.go
@@ -5,7 +5,6 @@ import (
 	"strings"

 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"go.opentelemetry.io/collector/pdata/pcommon"
 	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
@@ -13,13 +12,13 @@ import (

 // Audit attributes — Action (What).
 type AuditAttributes struct {
-	Action         coretypes.Verb // guaranteed to be present
+	Action         Action         // guaranteed to be present
 	ActionCategory ActionCategory // guaranteed to be present
 	Outcome        Outcome        // guaranteed to be present
 	IdentNProvider authtypes.IdentNProvider
 }

-func NewAuditAttributesFromHTTP(statusCode int, action coretypes.Verb, category ActionCategory, claims authtypes.Claims) AuditAttributes {
+func NewAuditAttributesFromHTTP(statusCode int, action Action, category ActionCategory, claims authtypes.Claims) AuditAttributes {
 	outcome := OutcomeFailure
 	if statusCode >= 200 && statusCode < 400 {
 		outcome = OutcomeSuccess
@@ -72,10 +71,10 @@ func (attributes PrincipalAttributes) Put(dest pcommon.Map) {
 // These are OTel resource attributes (placed on the Resource, not event attributes).
 type ResourceAttributes struct {
 	ResourceID   string
-	ResourceKind coretypes.Kind // guaranteed to be present
+	ResourceKind string // guaranteed to be present
 }

-func NewResourceAttributes(resourceID string, resourceKind coretypes.Kind) ResourceAttributes {
+func NewResourceAttributes(resourceID, resourceKind string) ResourceAttributes {
 	return ResourceAttributes{
 		ResourceID:   resourceID,
 		ResourceKind: resourceKind,
@@ -86,7 +85,7 @@ func NewResourceAttributes(resourceID string, resourceKind coretypes.Kind) Resou
 // These are resource-level attributes (stored in the resource JSON column),
 // not event-level attributes (stored in attributes_string).
 func (attributes ResourceAttributes) PutResource(dest pcommon.Map) {
-	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.ResourceKind.String())
+	putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.ResourceKind)
 	putStrIfNotEmpty(dest, "signoz.audit.resource.id", attributes.ResourceID)
 }

@@ -193,7 +192,7 @@ func newBody(auditAttributes AuditAttributes, principalAttributes PrincipalAttri

 	// Resource: " kind (id)" or " kind".
 	b.WriteString(" ")
-	b.WriteString(resourceAttributes.ResourceKind.String())
+	b.WriteString(resourceAttributes.ResourceKind)
 	if resourceAttributes.ResourceID != "" {
 		b.WriteString(" (")
 		b.WriteString(resourceAttributes.ResourceID)
--- a/pkg/types/audittypes/attributes_test.go
+++ b/pkg/types/audittypes/attributes_test.go
@@ -4,7 +4,6 @@ import (
 	"testing"

 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/stretchr/testify/assert"
 )
@@ -36,7 +35,7 @@ func TestNewAuditAttributesFromHTTP_OutcomeBoundary(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			attrs := NewAuditAttributesFromHTTP(testCase.statusCode, coretypes.VerbUpdate, ActionCategoryConfigurationChange, claims)
+			attrs := NewAuditAttributesFromHTTP(testCase.statusCode, ActionUpdate, ActionCategoryConfigurationChange, claims)
 			assert.Equal(t, testCase.expectedOutcome, attrs.Outcome)
 		})
 	}
@@ -54,7 +53,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Success_EmptyResourceID",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbDelete,
+				Action:         ActionDelete,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
@@ -64,7 +63,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) deleted dashboard",
@@ -72,7 +71,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Success_EmptyPrincipalEmail",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbDelete,
+				Action:         ActionDelete,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
@@ -82,7 +81,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "019a1234-abcd-7000-8000-567800000001 deleted dashboard (abd)",
@@ -90,7 +89,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Success_EmptyPrincipalIDandEmail",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbDelete,
+				Action:         ActionDelete,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
@@ -100,7 +99,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "abd",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "deleted dashboard (abd)",
@@ -108,7 +107,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Success_AllPresent",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbCreate,
+				Action:         ActionCreate,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
@@ -118,7 +117,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678)",
@@ -126,13 +125,13 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Success_EmptyEverythingOptional",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbUpdate,
+				Action:         ActionUpdate,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeSuccess,
 			},
 			principalAttributes: PrincipalAttributes{},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("alert-rule"),
+				ResourceKind: "alert-rule",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "updated alert-rule",
@@ -140,7 +139,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Failure_AllPresent",
 			auditAttributes: AuditAttributes{
-				Action:         coretypes.VerbUpdate,
+				Action:         ActionUpdate,
 				ActionCategory: ActionCategoryConfigurationChange,
 				Outcome:        OutcomeFailure,
 			},
@@ -150,7 +149,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "forbidden",
@@ -161,7 +160,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Failure_ErrorTypeOnly",
 			auditAttributes: AuditAttributes{
-				Action:  coretypes.VerbDelete,
+				Action:  ActionDelete,
 				Outcome: OutcomeFailure,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -169,7 +168,7 @@ func TestNewBody(t *testing.T) {
 				PrincipalEmail: valuer.MustNewEmail("test@acme.com"),
 			},
 			resourceAttributes: ResourceAttributes{
-				ResourceKind: coretypes.MustNewKind("user"),
+				ResourceKind: "user",
 			},
 			errorAttributes: ErrorAttributes{
 				ErrorType: "not-found",
@@ -179,7 +178,7 @@ func TestNewBody(t *testing.T) {
 		{
 			name: "Failure_NoErrorDetails",
 			auditAttributes: AuditAttributes{
-				Action:  coretypes.VerbCreate,
+				Action:  ActionCreate,
 				Outcome: OutcomeFailure,
 			},
 			principalAttributes: PrincipalAttributes{
@@ -188,7 +187,7 @@ func TestNewBody(t *testing.T) {
 			},
 			resourceAttributes: ResourceAttributes{
 				ResourceID:   "019b-5678",
-				ResourceKind: coretypes.MustNewKind("dashboard"),
+				ResourceKind: "dashboard",
 			},
 			errorAttributes: ErrorAttributes{},
 			expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) failed to create dashboard (019b-5678)",
--- a/pkg/types/audittypes/event.go
+++ b/pkg/types/audittypes/event.go
@@ -5,7 +5,6 @@ import (
 	"time"

 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"go.opentelemetry.io/collector/pdata/pcommon"
 	"go.opentelemetry.io/collector/pdata/plog"
 	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
@@ -50,11 +49,11 @@ func NewAuditEventFromHTTPRequest(
 	statusCode int,
 	traceID oteltrace.TraceID,
 	spanID oteltrace.SpanID,
-	action coretypes.Verb,
+	action Action,
 	actionCategory ActionCategory,
 	claims authtypes.Claims,
 	resourceID string,
-	resourceKind coretypes.Kind,
+	resourceKind string,
 	errorType string,
 	errorCode string,
 ) AuditEvent {
@@ -89,7 +88,7 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s
 	groups := make(map[resourceKey][]int)
 	order := make([]resourceKey, 0)
 	for i, event := range events {
-		key := resourceKey{kind: event.ResourceAttributes.ResourceKind.String(), id: event.ResourceAttributes.ResourceID}
+		key := resourceKey{kind: event.ResourceAttributes.ResourceKind, id: event.ResourceAttributes.ResourceID}
 		if _, exists := groups[key]; !exists {
 			order = append(order, key)
 		}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Abhi kumar	0b1aba04f4	Merge branch 'main' into feat/service-map	2026-05-05 17:10:46 +05:30
Abhi Kumar	5c8d33290b	chore: updated particle color + added service icon	2026-05-05 17:08:40 +05:30
Abhi kumar	30424a3829	Merge branch 'main' into feat/service-map	2026-05-05 14:13:01 +05:30
Abhi Kumar	d2ede7bb16	chore: added changes related to edge color and node size	2026-05-05 14:04:54 +05:30
Abhi Kumar	c622bbd112	Merge branch 'feat/service-map' of https://github.com/SigNoz/signoz into feat/service-map	2026-05-05 11:15:12 +05:30
Abhi kumar	b92d5e934b	Merge branch 'main' into feat/service-map	2026-05-05 02:34:43 +05:30
Abhi Kumar	c20520da5f	chore: fixed bgcolor	2026-05-05 02:28:03 +05:30
Abhi Kumar	0ccb26cbfc	feat: revamped the service map component	2026-05-05 02:14:13 +05:30