fix: openapi specs

docs/api/openapi.yml

@@ -342,6 +342,34 @@ components:
         config:
           $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
       type: object
+    AuthtypesUserWithRoles:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        displayName:
+          type: string
+        email:
+          type: string
+        id:
+          type: string
+        isRoot:
+          type: boolean
+        orgId:
+          type: string
+        roles:
+          items:
+            $ref: '#/components/schemas/AuthtypesRole'
+          nullable: true
+          type: array
+        status:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+      required:
+      - id
+      type: object
     CloudintegrationtypesAWSAccountConfig:
       properties:
         regions:
@@ -2647,6 +2675,25 @@ components:
       required:
       - id
       type: object
+    TypesUpdatableSelfUser:
+      properties:
+        displayName:
+          type: string
+      required:
+      - displayName
+      type: object
+    TypesUpdatableUser:
+      properties:
+        displayName:
+          type: string
+        roleNames:
+          items:
+            type: string
+          type: array
+      required:
+      - displayName
+      - roleNames
+      type: object
     TypesUser:
       properties:
         createdAt:
@@ -7781,6 +7828,66 @@ paths:
       summary: Readiness check
       tags:
       - health
+  /api/v2/roles/{id}/users:
+    get:
+      deprecated: false
+      description: This endpoint returns the users having the role by role id
+      operationId: GetUsersByRoleID
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesUser'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get users by role id
+      tags:
+      - users
   /api/v2/sessions:
     delete:
       deprecated: false
@@ -7939,6 +8046,306 @@ paths:
       summary: Rotate session
       tags:
       - sessions
+  /api/v2/users:
+    get:
+      deprecated: false
+      description: This endpoint lists all users for the organization
+      operationId: ListUsersV2
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesUser'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: List users v2
+      tags:
+      - users
+  /api/v2/users/{id}:
+    get:
+      deprecated: false
+      description: This endpoint returns the user by id
+      operationId: GetUserV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesUser'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get user by user id
+      tags:
+      - users
+    put:
+      deprecated: false
+      description: This endpoint updates the user by id
+      operationId: UpdateUserV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesUpdatableUser'
+      responses:
+        "204":
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Update user v2
+      tags:
+      - users
+  /api/v2/users/{id}/roles:
+    get:
+      deprecated: false
+      description: This endpoint returns the user roles by user id
+      operationId: GetUserRoles
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesRole'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get user roles
+      tags:
+      - users
+  /api/v2/users/me:
+    get:
+      deprecated: false
+      description: This endpoint returns the user I belong to
+      operationId: GetMyUserV2
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/AuthtypesUserWithRoles'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - tokenizer: []
+      summary: Get my user v2
+      tags:
+      - users
+    put:
+      deprecated: false
+      description: This endpoint updates the user I belong to
+      operationId: UpdateMyUserV2
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesUpdatableSelfUser'
+      responses:
+        "204":
+          description: No Content
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - tokenizer: []
+      summary: Update my user v2
+      tags:
+      - users
   /api/v2/zeus/hosts:
     get:
       deprecated: false

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -437,6 +437,48 @@ export interface AuthtypesUpdateableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }
 
+export interface AuthtypesUserWithRolesDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	displayName?: string;
+	/**
+	 * @type string
+	 */
+	email?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type boolean
+	 */
+	isRoot?: boolean;
+	/**
+	 * @type string
+	 */
+	orgId?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: AuthtypesRoleDTO[] | null;
+	/**
+	 * @type string
+	 */
+	status?: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
 export interface CloudintegrationtypesAWSAccountConfigDTO {
 	/**
 	 * @type array
@@ -3144,6 +3186,24 @@ export interface TypesStorableAPIKeyDTO {
 	userId?: string;
 }
 
+export interface TypesUpdatableSelfUserDTO {
+	/**
+	 * @type string
+	 */
+	displayName: string;
+}
+
+export interface TypesUpdatableUserDTO {
+	/**
+	 * @type string
+	 */
+	displayName: string;
+	/**
+	 * @type array
+	 */
+	roleNames: string[];
+}
+
 export interface TypesUserDTO {
 	/**
 	 * @type string
@@ -4183,6 +4243,20 @@ export type Readyz503 = {
 	status: string;
 };
 
+export type GetUsersByRoleIDPathParameters = {
+	id: string;
+};
+export type GetUsersByRoleID200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesUserDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetSessionContext200 = {
 	data: AuthtypesSessionContextDTO;
 	/**
@@ -4207,6 +4281,53 @@ export type RotateSession200 = {
 	status: string;
 };
 
+export type ListUsersV2200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesUserDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type GetUserV2PathParameters = {
+	id: string;
+};
+export type GetUserV2200 = {
+	data: TypesUserDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type UpdateUserV2PathParameters = {
+	id: string;
+};
+export type GetUserRolesPathParameters = {
+	id: string;
+};
+export type GetUserRoles200 = {
+	/**
+	 * @type array
+	 */
+	data: AuthtypesRoleDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type GetMyUserV2200 = {
+	data: AuthtypesUserWithRolesDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetHosts200 = {
 	data: ZeustypesGettableHostDTO;
 	/**

frontend/src/api/generated/services/users/index.ts

@@ -25,12 +25,20 @@ import type {
 	CreateInvite201,
 	DeleteUserPathParameters,
 	GetMyUser200,
+	GetMyUserV2200,
 	GetResetPasswordToken200,
 	GetResetPasswordTokenPathParameters,
 	GetUser200,
 	GetUserPathParameters,
+	GetUserRoles200,
+	GetUserRolesPathParameters,
+	GetUsersByRoleID200,
+	GetUsersByRoleIDPathParameters,
+	GetUserV2PathParameters,
+	GetUserV2200,
 	ListAPIKeys200,
 	ListUsers200,
+	ListUsersV2200,
 	RenderErrorResponseDTO,
 	RevokeAPIKeyPathParameters,
 	TypesChangePasswordRequestDTO,
@@ -41,9 +49,12 @@ import type {
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
 	TypesStorableAPIKeyDTO,
+	TypesUpdatableSelfUserDTO,
+	TypesUpdatableUserDTO,
 	UpdateAPIKeyPathParameters,
 	UpdateUser200,
 	UpdateUserPathParameters,
+	UpdateUserV2PathParameters,
 } from '../sigNoz.schemas';
 
 /**
@@ -1345,3 +1356,648 @@ export const useForgotPassword = <
 
 	return useMutation(mutationOptions);
 };
+/**
+ * This endpoint returns the users having the role by role id
+ * @summary Get users by role id
+ */
+export const getUsersByRoleID = (
+	{ id }: GetUsersByRoleIDPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUsersByRoleID200>({
+		url: `/api/v2/roles/${id}/users`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUsersByRoleIDQueryKey = ({
+	id,
+}: GetUsersByRoleIDPathParameters) => {
+	return [`/api/v2/roles/${id}/users`] as const;
+};
+
+export const getGetUsersByRoleIDQueryOptions = <
+	TData = Awaited<ReturnType<typeof getUsersByRoleID>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUsersByRoleID>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUsersByRoleIDQueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUsersByRoleID>>> = ({
+		signal,
+	}) => getUsersByRoleID({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof getUsersByRoleID>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetUsersByRoleIDQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUsersByRoleID>>
+>;
+export type GetUsersByRoleIDQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get users by role id
+ */
+
+export function useGetUsersByRoleID<
+	TData = Awaited<ReturnType<typeof getUsersByRoleID>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUsersByRoleID>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUsersByRoleIDQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get users by role id
+ */
+export const invalidateGetUsersByRoleID = async (
+	queryClient: QueryClient,
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUsersByRoleIDQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint lists all users for the organization
+ * @summary List users v2
+ */
+export const listUsersV2 = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<ListUsersV2200>({
+		url: `/api/v2/users`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListUsersV2QueryKey = () => {
+	return [`/api/v2/users`] as const;
+};
+
+export const getListUsersV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof listUsersV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListUsersV2QueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof listUsersV2>>> = ({
+		signal,
+	}) => listUsersV2(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListUsersV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof listUsersV2>>
+>;
+export type ListUsersV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List users v2
+ */
+
+export function useListUsersV2<
+	TData = Awaited<ReturnType<typeof listUsersV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListUsersV2QueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List users v2
+ */
+export const invalidateListUsersV2 = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListUsersV2QueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint returns the user by id
+ * @summary Get user by user id
+ */
+export const getUserV2 = (
+	{ id }: GetUserV2PathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUserV2200>({
+		url: `/api/v2/users/${id}`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUserV2QueryKey = ({ id }: GetUserV2PathParameters) => {
+	return [`/api/v2/users/${id}`] as const;
+};
+
+export const getGetUserV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof getUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserV2PathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUserV2QueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUserV2>>> = ({
+		signal,
+	}) => getUserV2({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetUserV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUserV2>>
+>;
+export type GetUserV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get user by user id
+ */
+
+export function useGetUserV2<
+	TData = Awaited<ReturnType<typeof getUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserV2PathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUserV2QueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get user by user id
+ */
+export const invalidateGetUserV2 = async (
+	queryClient: QueryClient,
+	{ id }: GetUserV2PathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUserV2QueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint updates the user by id
+ * @summary Update user v2
+ */
+export const updateUserV2 = (
+	{ id }: UpdateUserV2PathParameters,
+	typesUpdatableUserDTO: BodyType<TypesUpdatableUserDTO>,
+) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v2/users/${id}`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesUpdatableUserDTO,
+	});
+};
+
+export const getUpdateUserV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		TError,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateUserV2>>,
+	TError,
+	{
+		pathParams: UpdateUserV2PathParameters;
+		data: BodyType<TypesUpdatableUserDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateUserV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateUserV2(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateUserV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateUserV2>>
+>;
+export type UpdateUserV2MutationBody = BodyType<TypesUpdatableUserDTO>;
+export type UpdateUserV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Update user v2
+ */
+export const useUpdateUserV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		TError,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateUserV2>>,
+	TError,
+	{
+		pathParams: UpdateUserV2PathParameters;
+		data: BodyType<TypesUpdatableUserDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateUserV2MutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint returns the user roles by user id
+ * @summary Get user roles
+ */
+export const getUserRoles = (
+	{ id }: GetUserRolesPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUserRoles200>({
+		url: `/api/v2/users/${id}/roles`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUserRolesQueryKey = ({ id }: GetUserRolesPathParameters) => {
+	return [`/api/v2/users/${id}/roles`] as const;
+};
+
+export const getGetUserRolesQueryOptions = <
+	TData = Awaited<ReturnType<typeof getUserRoles>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserRolesPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUserRoles>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUserRolesQueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUserRoles>>> = ({
+		signal,
+	}) => getUserRoles({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof getUserRoles>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetUserRolesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUserRoles>>
+>;
+export type GetUserRolesQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get user roles
+ */
+
+export function useGetUserRoles<
+	TData = Awaited<ReturnType<typeof getUserRoles>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserRolesPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUserRoles>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUserRolesQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get user roles
+ */
+export const invalidateGetUserRoles = async (
+	queryClient: QueryClient,
+	{ id }: GetUserRolesPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUserRolesQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint returns the user I belong to
+ * @summary Get my user v2
+ */
+export const getMyUserV2 = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<GetMyUserV2200>({
+		url: `/api/v2/users/me`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetMyUserV2QueryKey = () => {
+	return [`/api/v2/users/me`] as const;
+};
+
+export const getGetMyUserV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof getMyUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetMyUserV2QueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getMyUserV2>>> = ({
+		signal,
+	}) => getMyUserV2(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetMyUserV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof getMyUserV2>>
+>;
+export type GetMyUserV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get my user v2
+ */
+
+export function useGetMyUserV2<
+	TData = Awaited<ReturnType<typeof getMyUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetMyUserV2QueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get my user v2
+ */
+export const invalidateGetMyUserV2 = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetMyUserV2QueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint updates the user I belong to
+ * @summary Update my user v2
+ */
+export const updateMyUserV2 = (
+	typesUpdatableSelfUserDTO: BodyType<TypesUpdatableSelfUserDTO>,
+) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v2/users/me`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesUpdatableSelfUserDTO,
+	});
+};
+
+export const getUpdateMyUserV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		TError,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateMyUserV2>>,
+	TError,
+	{ data: BodyType<TypesUpdatableSelfUserDTO> },
+	TContext
+> => {
+	const mutationKey = ['updateMyUserV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return updateMyUserV2(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateMyUserV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateMyUserV2>>
+>;
+export type UpdateMyUserV2MutationBody = BodyType<TypesUpdatableSelfUserDTO>;
+export type UpdateMyUserV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Update my user v2
+ */
+export const useUpdateMyUserV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		TError,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateMyUserV2>>,
+	TError,
+	{ data: BodyType<TypesUpdatableSelfUserDTO> },
+	TContext
+> => {
+	const mutationOptions = getUpdateMyUserV2MutationOptions(options);
+
+	return useMutation(mutationOptions);
+};

pkg/apiserver/signozapiserver/user.go

@@ -111,7 +111,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsers), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsersDeprecated), handler.OpenAPIDef{
 		ID:                  "ListUsers",
 		Tags:                []string{"users"},
 		Summary:             "List users",
@@ -128,7 +128,24 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/user/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsers), handler.OpenAPIDef{
+		ID:                  "ListUsersV2",
+		Tags:                []string{"users"},
+		Summary:             "List users v2",
+		Description:         "This endpoint lists all users for the organization",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.User, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUserDeprecated), handler.OpenAPIDef{
 		ID:                  "GetMyUser",
 		Tags:                []string{"users"},
 		Summary:             "Get my user",
@@ -145,7 +162,41 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.GetUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUser), handler.OpenAPIDef{
+		ID:                  "GetMyUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Get my user v2",
+		Description:         "This endpoint returns the user I belong to",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(authtypes.UserWithRoles),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{{Name: authtypes.IdentNProviderTokenizer.StringValue()}},
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/users/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.UpdateMyUser), handler.OpenAPIDef{
+		ID:                  "UpdateMyUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Update my user v2",
+		Description:         "This endpoint updates the user I belong to",
+		Request:             new(types.UpdatableSelfUser),
+		RequestContentType:  "application/json",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{{Name: authtypes.IdentNProviderTokenizer.StringValue()}},
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.GetUserDeprecated), handler.OpenAPIDef{
 		ID:                  "GetUser",
 		Tags:                []string{"users"},
 		Summary:             "Get user",
@@ -162,7 +213,24 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.UpdateUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUser), handler.OpenAPIDef{
+		ID:                  "GetUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Get user by user id",
+		Description:         "This endpoint returns the user by id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(types.User),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.UpdateUserDeprecated), handler.OpenAPIDef{
 		ID:                  "UpdateUser",
 		Tags:                []string{"users"},
 		Summary:             "Update user",
@@ -179,6 +247,23 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v2/users/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.UpdateUser), handler.OpenAPIDef{
+		ID:                  "UpdateUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Update user v2",
+		Description:         "This endpoint updates the user by id",
+		Request:             new(types.UpdatableUser),
+		RequestContentType:  "application/json",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.DeleteUser), handler.OpenAPIDef{
 		ID:                  "DeleteUser",
 		Tags:                []string{"users"},
@@ -264,5 +349,39 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v2/users/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUserRoles), handler.OpenAPIDef{
+		ID:                  "GetUserRoles",
+		Tags:                []string{"users"},
+		Summary:             "Get user roles",
+		Description:         "This endpoint returns the user roles by user id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*authtypes.Role, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/roles/{id}/users", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUsersByRoleID), handler.OpenAPIDef{
+		ID:                  "GetUsersByRoleID",
+		Tags:                []string{"users"},
+		Summary:             "Get users by role id",
+		Description:         "This endpoint returns the users having the role by role id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.User, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }

pkg/modules/user/impluser/getter.go

@@ -37,7 +37,7 @@ func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID)
 	return rootUser, userRoles, nil
 }
 
-func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.DeprecatedUser, error) {
+func (module *getter) ListByOrgIDDeprecated(ctx context.Context, orgID valuer.UUID) ([]*types.DeprecatedUser, error) {
 	users, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
@@ -84,6 +84,23 @@ func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*ty
 	return deprecatedUsers, nil
 }
 
+func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	// filter root users if feature flag `hide_root_users` is true
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
+	}
+
+	return users, nil
+}
+
 func (module *getter) GetDeprecatedUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
 	if err != nil {
@@ -99,11 +116,19 @@ func (module *getter) GetDeprecatedUserByOrgIDAndID(ctx context.Context, orgID v
 		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
 	}
 
+	if userRoles[0].Role == nil {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+	}
+
 	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
 
 	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
 }
 
+func (module *getter) GetUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.User, error) {
+	return module.store.GetByOrgIDAndID(ctx, orgID, userID)
+}
+
 func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetUser(ctx, id)
 	if err != nil {
@@ -119,6 +144,10 @@ func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.Deprecate
 		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
 	}
 
+	if userRoles[0].Role == nil {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+	}
+
 	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
 
 	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
@@ -180,5 +209,15 @@ func (module *getter) GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*
 		return nil, err
 	}
 
+	for _, ur := range userRoles {
+		if ur.Role == nil {
+			return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+		}
+	}
+
 	return userRoles, nil
 }
+
+func (module *getter) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
+	return module.store.GetUsersByOrgIDAndRoleID(ctx, orgID, roleID)
+}

pkg/modules/user/impluser/handler.go

@@ -85,7 +85,7 @@ func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusCreated, nil)
 }
 
-func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -106,7 +106,28 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, user)
 }
 
-func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, user)
+}
+
+func (h *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -125,6 +146,85 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, user)
 }
 
+func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	userRoles, err := h.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	roles := make([]*authtypes.Role, len(userRoles))
+	for idx, userRole := range userRoles {
+		roles[idx] = authtypes.NewRoleFromStorableRole(userRole.Role)
+	}
+
+	userWithRoles := &authtypes.UserWithRoles{
+		User:  user,
+		Roles: roles,
+	}
+
+	render.Success(w, http.StatusOK, userWithRoles)
+}
+
+func (h *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	updatableSelfUser := new(types.UpdatableSelfUser)
+	if err := json.NewDecoder(r.Body).Decode(&updatableSelfUser); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	_, err = h.setter.UpdateMyUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), updatableSelfUser)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
+func (h *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	users, err := h.getter.ListByOrgIDDeprecated(ctx, valuer.MustNewUUID(claims.OrgID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, users)
+}
+
 func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -144,7 +244,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, users)
 }
 
-func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
@@ -162,7 +262,7 @@ func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updatedUser, err := h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
+	updatedUser, err := h.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -171,6 +271,33 @@ func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, updatedUser)
 }
 
+func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	updatableUser := new(types.UpdatableUser)
+	if err := json.NewDecoder(r.Body).Decode(&updatableUser); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	_, err = h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), updatableUser, valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
 func (h *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -443,3 +570,56 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
 
 	render.Success(w, http.StatusNoContent, nil)
 }
+
+func (h *handler) GetUserRoles(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	userRoles, err := h.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	roles := make([]*authtypes.Role, len(userRoles))
+	for idx, userRole := range userRoles {
+		roles[idx] = authtypes.NewRoleFromStorableRole(userRole.Role)
+	}
+
+	render.Success(w, http.StatusOK, roles)
+}
+
+func (h *handler) GetUsersByRoleID(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	roleID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	users, err := h.getter.GetUsersByOrgIDAndRoleID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(roleID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, users)
+}

pkg/modules/user/impluser/service.go

@@ -156,9 +156,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		existingUser.PromoteToRoot()
 
 		err = s.store.RunInTx(ctx, func(ctx context.Context) error {
-			// update users table
-			deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingUser, types.RoleAdmin)
-			if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
+			if err := s.setter.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 				return err
 			}
 
@@ -201,8 +199,7 @@ func (s *service) updateExistingRootUser(ctx context.Context, orgID valuer.UUID,
 
 	if existingRoot.Email != s.config.Email {
 		existingRoot.UpdateEmail(s.config.Email)
-		deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingRoot, types.RoleAdmin)
-		if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
+		if err := s.setter.UpdateAnyUser(ctx, orgID, existingRoot); err != nil {
 			return err
 		}
 	}

pkg/modules/user/impluser/setter.go

@@ -220,7 +220,7 @@ func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...
 	return nil
 }
 
-func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
+func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
 	existingUser, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
@@ -265,7 +265,7 @@ func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id stri
 	existingUser.Update(user.DisplayName, user.Role)
 
 	// update the user - idempotent (this does analytics too so keeping it outside txn)
-	if err := module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+	if err := module.UpdateAnyUserDeprecated(ctx, orgID, existingUser); err != nil {
 		return nil, err
 	}
 
@@ -291,7 +291,113 @@ func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id stri
 	return existingUser, nil
 }
 
-func (module *setter) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error {
+func (module *setter) UpdateMyUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableSelfUser) (*types.User, error) {
+	existingUser, err := module.getter.GetUserByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := existingUser.ErrIfRoot(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update root user")
+	}
+
+	if err := existingUser.ErrIfDeleted(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
+	}
+
+	existingUser.Update(updatable.DisplayName)
+	if err := module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+		return nil, err
+	}
+
+	return existingUser, nil
+}
+
+func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableUser, updatedBy valuer.UUID) (*types.User, error) {
+	existingUser, err := module.getter.GetUserByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := existingUser.ErrIfRoot(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update root user")
+	}
+
+	if err := existingUser.ErrIfDeleted(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
+	}
+
+	existingUserRoles, err := module.getter.GetUserRoles(ctx, existingUser.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	existingUserRoleNames := roleNamesFromUserRoles(existingUserRoles)
+
+	var grants, revokes []string
+	var rolesChanged bool
+	if len(updatable.RoleNames) > 0 {
+		// validate that all requested role names exist before making any changes
+		_, err := module.authz.ListByOrgIDAndNames(ctx, orgID, updatable.RoleNames)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	grants, revokes = module.patchRolesNames(existingUserRoleNames, updatable.RoleNames)
+	rolesChanged = (len(grants) > 0) || (len(revokes) > 0)
+
+	if rolesChanged && existingUser.ID == updatedBy {
+		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot change self roles")
+	}
+
+	if rolesChanged {
+		err = module.authz.ModifyGrant(
+			ctx,
+			orgID,
+			revokes,
+			grants,
+			authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil),
+		)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	existingUser.Update(updatable.DisplayName)
+
+	if err := module.UpdateAnyUser(ctx, existingUser.OrgID, existingUser); err != nil {
+		return nil, err
+	}
+
+	if rolesChanged {
+		// this by default runs in txn
+		if err := module.UpdateUserRoles(ctx, existingUser.OrgID, existingUser.ID, updatable.RoleNames); err != nil {
+			return nil, err
+		}
+	}
+
+	return existingUser, nil
+}
+
+func (module *setter) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+		return err
+	}
+
+	if err := module.tokenizer.DeleteIdentity(ctx, user.ID); err != nil {
+		return err
+	}
+
+	// stats collector things
+	traits := types.NewTraitsFromUser(user)
+	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traits)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Updated", traits)
+
+	return nil
+}
+
+func (module *setter) UpdateAnyUserDeprecated(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error {
 	user := types.NewUserFromDeprecatedUser(deprecateUser)
 	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
 		return err
@@ -801,13 +907,17 @@ func (module *setter) activatePendingUser(ctx context.Context, user *types.User,
 
 func (module *setter) UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error {
 	return module.store.RunInTx(ctx, func(ctx context.Context) error {
-		// delete old user_role entries and create new ones from SSO
+		// delete old user_role entries
 		if err := module.userRoleStore.DeleteUserRoles(ctx, userID); err != nil {
 			return err
 		}
 
-		// create fresh ones
-		return module.createUserRoleEntries(ctx, orgID, userID, finalRoleNames)
+		// create fresh ones only if there are roles to assign
+		if len(finalRoleNames) > 0 {
+			return module.createUserRoleEntries(ctx, orgID, userID, finalRoleNames)
+		}
+
+		return nil
 	})
 }
 
@@ -820,3 +930,33 @@ func roleNamesFromUserRoles(userRoles []*authtypes.UserRole) []string {
 	}
 	return names
 }
+
+func (module *setter) patchRolesNames(currentRolesNames, targetRoleNames []string) ([]string, []string) {
+	currentRolesSet := make(map[string]struct{}, len(currentRolesNames))
+	targetRolesSet := make(map[string]struct{}, len(targetRoleNames))
+
+	for _, role := range currentRolesNames {
+		currentRolesSet[role] = struct{}{}
+	}
+	for _, role := range targetRoleNames {
+		targetRolesSet[role] = struct{}{}
+	}
+
+	// additions: roles present in input but not in current
+	additions := []string{}
+	for _, role := range targetRoleNames {
+		if _, exists := currentRolesSet[role]; !exists {
+			additions = append(additions, role)
+		}
+	}
+
+	// deletions: roles present in current but not in input
+	deletions := []string{}
+	for _, role := range currentRolesNames {
+		if _, exists := targetRolesSet[role]; !exists {
+			deletions = append(deletions, role)
+		}
+	}
+
+	return additions, deletions
+}

pkg/modules/user/impluser/store.go

@@ -667,3 +667,22 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID
 
 	return users, nil
 }
+
+func (store *store) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
+	users := []*types.User{}
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&users).
+		Join(`JOIN user_role ON user_role.user_id = "users".id`).
+		Where(`"users".org_id = ?`, orgID).
+		Where("user_role.role_id = ?", roleID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}

pkg/modules/user/user.go

@@ -34,10 +34,13 @@ type Setter interface {
 	// Initiate forgot password flow for a user
 	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error
 
-	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)
+	UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)
+	UpdateMyUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableSelfUser) (*types.User, error)
+	UpdateUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableUser, updatedBy valuer.UUID) (*types.User, error)
 
 	// UpdateAnyUser updates a user and persists the changes to the database along with the analytics and identity deletion.
-	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.DeprecatedUser) error
+	UpdateAnyUserDeprecated(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error
+	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error
 
 	// invite
@@ -60,11 +63,13 @@ type Getter interface {
 	// Get root user by org id.
 	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, []*authtypes.UserRole, error)
 
-	// Get gets the users based on the given id
-	ListByOrgID(context.Context, valuer.UUID) ([]*types.DeprecatedUser, error)
+	// Get gets the users based on the given org id
+	ListByOrgIDDeprecated(context.Context, valuer.UUID) ([]*types.DeprecatedUser, error)
+	ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)
 
 	// Get deprecated user object by orgID and id.
 	GetDeprecatedUserByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.DeprecatedUser, error)
+	GetUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.User, error)
 
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.DeprecatedUser, error)
@@ -86,6 +91,9 @@ type Getter interface {
 
 	// Gets user_role with roles entries from db
 	GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*authtypes.UserRole, error)
+
+	// Gets all the user with role using role id in an org id
+	GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error)
 }
 
 type Handler interface {
@@ -93,11 +101,19 @@ type Handler interface {
 	CreateInvite(http.ResponseWriter, *http.Request)
 	CreateBulkInvite(http.ResponseWriter, *http.Request)
 
+	// users
+	ListUsersDeprecated(http.ResponseWriter, *http.Request)
 	ListUsers(http.ResponseWriter, *http.Request)
+	UpdateUserDeprecated(http.ResponseWriter, *http.Request)
 	UpdateUser(http.ResponseWriter, *http.Request)
 	DeleteUser(http.ResponseWriter, *http.Request)
+	GetUserDeprecated(http.ResponseWriter, *http.Request)
 	GetUser(http.ResponseWriter, *http.Request)
+	GetMyUserDeprecated(http.ResponseWriter, *http.Request)
 	GetMyUser(http.ResponseWriter, *http.Request)
+	UpdateMyUser(http.ResponseWriter, *http.Request)
+	GetUserRoles(http.ResponseWriter, *http.Request)
+	GetUsersByRoleID(http.ResponseWriter, *http.Request)
 
 	// Reset Password
 	GetResetPasswordToken(http.ResponseWriter, *http.Request)

pkg/query-service/app/traces/tracedetail/waterfall.go

@@ -67,7 +67,7 @@ func getPathFromRootToSelectedSpanId(node *model.Span, selectedSpanId string, un
 	spansFromRootToNode := []string{}
 
 	if node.SpanID == selectedSpanId {
-		if isSelectedSpanIDUnCollapsed && !slices.Contains(uncollapsedSpans, node.SpanID) {
+		if isSelectedSpanIDUnCollapsed {
 			spansFromRootToNode = append(spansFromRootToNode, node.SpanID)
 		}
 		return true, spansFromRootToNode
@@ -88,15 +88,7 @@ func getPathFromRootToSelectedSpanId(node *model.Span, selectedSpanId string, un
 	return isPresentInSubtreeForTheNode, spansFromRootToNode
 }
 
-// traverseOpts holds the traversal configuration that remains constant
-// throughout the recursion. Per-call state (level, isPartOfPreOrder, etc.)
-// is passed as direct arguments.
-type traverseOpts struct {
-	uncollapsedSpans []string
-	selectedSpanID   string
-}
-
-func traverseTrace(span *model.Span, opts traverseOpts, level uint64, isPartOfPreOrder bool, hasSibling bool) []*model.Span {
+func traverseTrace(span *model.Span, uncollapsedSpans []string, level uint64, isPartOfPreOrder bool, hasSibling bool, selectedSpanId string) []*model.Span {
 	preOrderTraversal := []*model.Span{}
 
 	// sort the children to maintain the order across requests
@@ -134,9 +126,8 @@ func traverseTrace(span *model.Span, opts traverseOpts, level uint64, isPartOfPr
 		preOrderTraversal = append(preOrderTraversal, &nodeWithoutChildren)
 	}
 
-	isAlreadyUncollapsed := slices.Contains(opts.uncollapsedSpans, span.SpanID)
 	for index, child := range span.Children {
-		_childTraversal := traverseTrace(child, opts, level+1, isPartOfPreOrder && isAlreadyUncollapsed, index != (len(span.Children)-1))
+		_childTraversal := traverseTrace(child, uncollapsedSpans, level+1, isPartOfPreOrder && slices.Contains(uncollapsedSpans, span.SpanID), index != (len(span.Children)-1), selectedSpanId)
 		preOrderTraversal = append(preOrderTraversal, _childTraversal...)
 		nodeWithoutChildren.SubTreeNodeCount += child.SubTreeNodeCount + 1
 		span.SubTreeNodeCount += child.SubTreeNodeCount + 1
@@ -177,11 +168,7 @@ func GetSelectedSpans(uncollapsedSpans []string, selectedSpanID string, traceRoo
 			_, spansFromRootToNode := getPathFromRootToSelectedSpanId(rootNode, selectedSpanID, updatedUncollapsedSpans, isSelectedSpanIDUnCollapsed)
 			updatedUncollapsedSpans = append(updatedUncollapsedSpans, spansFromRootToNode...)
 
-			opts := traverseOpts{
-				uncollapsedSpans: updatedUncollapsedSpans,
-				selectedSpanID:   selectedSpanID,
-			}
-			_preOrderTraversal := traverseTrace(rootNode, opts, 0, true, false)
+			_preOrderTraversal := traverseTrace(rootNode, updatedUncollapsedSpans, 0, true, false, selectedSpanID)
 			_selectedSpanIndex := findIndexForSelectedSpanFromPreOrder(_preOrderTraversal, selectedSpanID)
 
 			if _selectedSpanIndex != -1 {

pkg/query-service/app/traces/tracedetail/waterfall_test.go

@@ -1,370 +0,0 @@
-// Package tracedetail tests — waterfall
-//
-// # Background
-//
-// The waterfall view renders a trace as a scrollable list of spans in
-// pre-order (parent before children, siblings left-to-right). Because a trace
-// can have thousands of spans, only a window of ~500 is returned per request.
-// The window is centred on the selected span.
-//
-// # Key concepts
-//
-// uncollapsedSpans
-//
-//	The set of span IDs the user has manually expanded in the UI.
-//	Only the direct children of an uncollapsed span are included in the
-//	output; grandchildren stay hidden until their parent is also uncollapsed.
-//	When multiple spans are uncollapsed their children are all visible at once.
-//
-// selectedSpanID
-//
-//	The span currently focused — set when the user clicks a span in the
-//	waterfall or selects one from the flamegraph.  The output window is always
-//	centred on this span.  The path from the trace root down to the selected
-//	span is automatically uncollapsed so ancestors are visible even if they are
-//	not in uncollapsedSpans.
-//
-// isSelectedSpanIDUnCollapsed
-//
-//	Controls whether the selected span's own children are shown:
-//	  true  — user expanded the span (click-to-open in waterfall or flamegraph);
-//	          direct children of the selected span are included.
-//	  false — user selected without expanding;
-//	          the span is visible but its children remain hidden.
-//
-// traceRoots
-//
-//	Root spans of the trace — spans with no parent in the current dataset.
-//	Normally one, but multiple roots are common when upstream services are
-//	not instrumented or their spans were not sampled/exported.
-
-package tracedetail
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/SigNoz/signoz/pkg/query-service/model"
-	"github.com/stretchr/testify/assert"
-)
-
-// Pre-order traversal is preserved: parent before children, siblings left-to-right.
-func TestGetSelectedSpans_PreOrderTraversal(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("child1", "svc", mkSpan("grandchild", "svc")),
-		mkSpan("child2", "svc"),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{"root", "child1"}, "root", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root", "child1", "grandchild", "child2"}, spanIDs(spans))
-}
-
-// Multiple roots: both trees are flattened into a single pre-order list with
-// root1's subtree before root2's. Service/entry-point come from the first root.
-//
-//	root1 svc-a          ← selected
-//	  └─ child1
-//	root2 svc-b
-//	  └─ child2
-//
-// Expected output order: root1 → child1 → root2 → child2
-func TestGetSelectedSpans_MultipleRoots(t *testing.T) {
-	root1 := mkSpan("root1", "svc-a", mkSpan("child1", "svc-a"))
-	root2 := mkSpan("root2", "svc-b", mkSpan("child2", "svc-b"))
-	spanMap := buildSpanMap(root1, root2)
-
-	spans, _, svcName, entryPoint := GetSelectedSpans([]string{"root1", "root2"}, "root1", []*model.Span{root1, root2}, spanMap, false)
-
-	assert.Equal(t, []string{"root1", "child1", "root2", "child2"}, spanIDs(spans), "root1 subtree must precede root2 subtree")
-	assert.Equal(t, "svc-a", svcName, "metadata comes from first root")
-	assert.Equal(t, "root1-op", entryPoint, "metadata comes from first root")
-}
-
-// isSelectedSpanIDUnCollapsed=true opens only the selected span's direct children,
-// not deeper descendants.
-//
-//	root → selected (expanded)
-//	          ├─ child1 ✓
-//	          │    └─ grandchild ✗  (only one level opened)
-//	          └─ child2 ✓
-func TestGetSelectedSpans_ExpandedSelectedSpan(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("selected", "svc",
-			mkSpan("child1", "svc", mkSpan("grandchild", "svc")),
-			mkSpan("child2", "svc"),
-		),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{}, "selected", []*model.Span{root}, spanMap, true)
-
-	// root and selected are on the auto-uncollapsed path; child1/child2 are direct
-	// children of the expanded selected span; grandchild stays hidden.
-	assert.Equal(t, []string{"root", "selected", "child1", "child2"}, spanIDs(spans))
-}
-
-// Multiple spans uncollapsed simultaneously: children of all uncollapsed spans
-// are visible at once.
-//
-//	root
-//	  ├─ childA (uncollapsed) → grandchildA ✓
-//	  └─ childB (uncollapsed) → grandchildB ✓
-func TestGetSelectedSpans_MultipleUncollapsed(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("childA", "svc", mkSpan("grandchildA", "svc")),
-		mkSpan("childB", "svc", mkSpan("grandchildB", "svc")),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{"root", "childA", "childB"}, "root", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root", "childA", "grandchildA", "childB", "grandchildB"}, spanIDs(spans))
-}
-
-// The selected span is always present in the output window.
-func TestGetSelectedSpans_SelectedSpanAlwaysInWindow(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("A", "svc",
-			mkSpan("B", "svc",
-				mkSpan("selected", "svc"),
-			),
-		),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{}, "selected", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root", "A", "B", "selected"}, spanIDs(spans))
-}
-
-// Collapsing a span with other uncollapsed spans
-//
-// root
-// ├─ childA  (previously expanded — in uncollapsedSpans)
-// │    ├─ grandchild1 ✓
-// │    │    └─ greatGrandchild ✗  (grandchild1 not in uncollapsedSpans)
-// │    └─ grandchild2 ✓
-// └─ childB                        ← selected (not expanded)
-func TestGetSelectedSpans_ManualUncollapse(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("childA", "svc",
-			mkSpan("grandchild1", "svc", mkSpan("greatGrandchild", "svc")),
-			mkSpan("grandchild2", "svc"),
-		),
-		mkSpan("childB", "svc"),
-	)
-	spanMap := buildSpanMap(root)
-	// childA was expanded in a previous interaction; childB is now selected without expanding
-	spans, _, _, _ := GetSelectedSpans([]string{"childA"}, "childB", []*model.Span{root}, spanMap, false)
-
-	// path to childB auto-uncollpases root → childA and childB appear; childA is in
-	// uncollapsedSpans so its children appear; greatGrandchild stays hidden.
-	assert.Equal(t, []string{"root", "childA", "grandchild1", "grandchild2", "childB"}, spanIDs(spans))
-}
-
-// A collapsed span hides all children.
-func TestGetSelectedSpans_CollapsedSpan(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("child1", "svc"),
-		mkSpan("child2", "svc"),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{}, "root", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root"}, spanIDs(spans))
-}
-
-// Selecting a span auto-uncollpases the path from root to that span so it is visible.
-//
-//	root → parent → selected
-func TestGetSelectedSpans_PathToSelectedIsUncollapsed(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("parent", "svc",
-			mkSpan("selected", "svc"),
-		),
-	)
-	spanMap := buildSpanMap(root)
-	// no manually uncollapsed spans — path should still be opened
-	spans, _, _, _ := GetSelectedSpans([]string{}, "selected", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root", "parent", "selected"}, spanIDs(spans))
-}
-
-// The path-to-selected spans are returned in updatedUncollapsedSpans.
-func TestGetSelectedSpans_PathReturnedInUncollapsed(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("parent", "svc",
-			mkSpan("selected", "svc"),
-		),
-	)
-	spanMap := buildSpanMap(root)
-	spans, uncollapsed, _, _ := GetSelectedSpans([]string{}, "selected", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, []string{"root", "parent"}, uncollapsed)
-	assert.Equal(t, []string{"root", "parent", "selected"}, spanIDs(spans))
-}
-
-// Siblings of ancestors are rendered as collapsed nodes but their subtrees
-// must NOT be expanded.
-//
-//	root
-//	  ├─ unrelated → unrelated-child (✗)
-//	  └─ parent → selected
-func TestGetSelectedSpans_SiblingsNotExpanded(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("unrelated", "svc", mkSpan("unrelated-child", "svc")),
-		mkSpan("parent", "svc",
-			mkSpan("selected", "svc"),
-		),
-	)
-	spanMap := buildSpanMap(root)
-	spans, uncollapsed, _, _ := GetSelectedSpans([]string{}, "selected", []*model.Span{root}, spanMap, false)
-
-	// children of root sort alphabetically: parent < unrelated; unrelated-child stays hidden
-	assert.Equal(t, []string{"root", "parent", "selected", "unrelated"}, spanIDs(spans))
-	// only the path nodes are tracked as uncollapsed — unrelated is not
-	assert.Equal(t, []string{"root", "parent"}, uncollapsed)
-}
-
-// An unknown selectedSpanID must not panic; returns a window from index 0.
-func TestGetSelectedSpans_UnknownSelectedSpan(t *testing.T) {
-	root := mkSpan("root", "svc", mkSpan("child", "svc"))
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{}, "nonexistent", []*model.Span{root}, spanMap, false)
-	assert.Equal(t, []string{"root"}, spanIDs(spans))
-}
-
-// Test to check if Level, HasChildren, HasSiblings, and SubTreeNodeCount are populated correctly.
-//
-//	root          level=0, hasChildren=true,  hasSiblings=false, subTree=4
-//	  child1      level=1, hasChildren=true,  hasSiblings=true,  subTree=2
-//	    grandchild level=2, hasChildren=false, hasSiblings=false, subTree=1
-//	  child2      level=1, hasChildren=false, hasSiblings=false, subTree=1
-func TestGetSelectedSpans_SpanMetadata(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("child1", "svc", mkSpan("grandchild", "svc")),
-		mkSpan("child2", "svc"),
-	)
-	spanMap := buildSpanMap(root)
-	spans, _, _, _ := GetSelectedSpans([]string{"root", "child1"}, "root", []*model.Span{root}, spanMap, false)
-
-	byID := map[string]*model.Span{}
-	for _, s := range spans {
-		byID[s.SpanID] = s
-	}
-
-	assert.Equal(t, uint64(0), byID["root"].Level)
-	assert.Equal(t, uint64(1), byID["child1"].Level)
-	assert.Equal(t, uint64(1), byID["child2"].Level)
-	assert.Equal(t, uint64(2), byID["grandchild"].Level)
-
-	assert.True(t, byID["root"].HasChildren)
-	assert.True(t, byID["child1"].HasChildren)
-	assert.False(t, byID["child2"].HasChildren)
-	assert.False(t, byID["grandchild"].HasChildren)
-
-	assert.False(t, byID["root"].HasSiblings, "root has no siblings")
-	assert.True(t, byID["child1"].HasSiblings, "child1 has sibling child2")
-	assert.False(t, byID["child2"].HasSiblings, "child2 is the last child")
-	assert.False(t, byID["grandchild"].HasSiblings, "grandchild has no siblings")
-
-	assert.Equal(t, uint64(4), byID["root"].SubTreeNodeCount)
-	assert.Equal(t, uint64(2), byID["child1"].SubTreeNodeCount)
-	assert.Equal(t, uint64(1), byID["grandchild"].SubTreeNodeCount)
-	assert.Equal(t, uint64(1), byID["child2"].SubTreeNodeCount)
-}
-
-// If the selected span is already in uncollapsedSpans AND isSelectedSpanIDUnCollapsed=true,
-func TestGetSelectedSpans_DuplicateInUncollapsed(t *testing.T) {
-	root := mkSpan("root", "svc",
-		mkSpan("selected", "svc", mkSpan("child", "svc")),
-	)
-	spanMap := buildSpanMap(root)
-	_, uncollapsed, _, _ := GetSelectedSpans(
-		[]string{"selected"}, // already present
-		"selected",
-		[]*model.Span{root}, spanMap,
-		true,
-	)
-
-	count := 0
-	for _, id := range uncollapsed {
-		if id == "selected" {
-			count++
-		}
-	}
-	assert.Equal(t, 1, count, "should appear once")
-}
-
-// makeChain builds a linear trace: span0 → span1 → … → span(n-1).
-// All span IDs are "span0", "span1", … so the caller can reference them by index.
-func makeChain(n int) (*model.Span, map[string]*model.Span, []string) {
-	spans := make([]*model.Span, n)
-	for i := n - 1; i >= 0; i-- {
-		if i == n-1 {
-			spans[i] = mkSpan(fmt.Sprintf("span%d", i), "svc")
-		} else {
-			spans[i] = mkSpan(fmt.Sprintf("span%d", i), "svc", spans[i+1])
-		}
-	}
-	uncollapsed := make([]string, n)
-	for i := range spans {
-		uncollapsed[i] = fmt.Sprintf("span%d", i)
-	}
-	return spans[0], buildSpanMap(spans[0]), uncollapsed
-}
-
-// The selected span is centred: 200 spans before it, 300 after (0.4 / 0.6 split).
-func TestGetSelectedSpans_WindowCentredOnSelected(t *testing.T) {
-	root, spanMap, uncollapsed := makeChain(600)
-	spans, _, _, _ := GetSelectedSpans(uncollapsed, "span300", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, 500, len(spans), "window should be 500 spans")
-	// window is [100, 600): span300 lands at position 200 (300 - 100)
-	assert.Equal(t, "span100", spans[0].SpanID, "window starts 200 before selected")
-	assert.Equal(t, "span300", spans[200].SpanID, "selected span at position 200 in window")
-	assert.Equal(t, "span599", spans[499].SpanID, "window ends 300 after selected")
-}
-
-// When the selected span is near the start, the window shifts right so no
-// negative index is used — the result is still 500 spans.
-func TestGetSelectedSpans_WindowShiftsAtStart(t *testing.T) {
-	root, spanMap, uncollapsed := makeChain(600)
-	spans, _, _, _ := GetSelectedSpans(uncollapsed, "span10", []*model.Span{root}, spanMap, false)
-
-	assert.Equal(t, 500, len(spans))
-	assert.Equal(t, "span0", spans[0].SpanID, "window clamped to start of trace")
-	assert.Equal(t, "span10", spans[10].SpanID, "selected span still in window")
-}
-
-func mkSpan(id, service string, children ...*model.Span) *model.Span {
-	return &model.Span{
-		SpanID:      id,
-		ServiceName: service,
-		Name:        id + "-op",
-		Children:    children,
-	}
-}
-
-// spanIDs returns SpanIDs in order.
-func spanIDs(spans []*model.Span) []string {
-	ids := make([]string, len(spans))
-	for i, s := range spans {
-		ids[i] = s.SpanID
-	}
-	return ids
-}
-
-// buildSpanMap indexes every span in a set of trees by SpanID.
-func buildSpanMap(roots ...*model.Span) map[string]*model.Span {
-	m := map[string]*model.Span{}
-	var walk func(*model.Span)
-	walk = func(s *model.Span) {
-		m[s.SpanID] = s
-		for _, c := range s.Children {
-			walk(c)
-		}
-	}
-	for _, r := range roots {
-		walk(r)
-	}
-	return m
-}

pkg/statsreporter/analyticsstatsreporter/provider.go

@@ -178,7 +178,7 @@ func (provider *provider) Report(ctx context.Context) error {
 		}
 
 		for _, user := range users {
-			traits := types.NewTraitsFromDeprecatedUser(user)
+			traits := types.NewTraitsFromUser(user)
 			if maxLastObservedAt, ok := maxLastObservedAtPerUserID[user.ID]; ok {
 				traits["auth_token.last_observed_at.max.time"] = maxLastObservedAt.UTC()
 				traits["auth_token.last_observed_at.max.time_unix"] = maxLastObservedAt.Unix()

pkg/types/authtypes/user_role.go

@@ -5,13 +5,14 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
 
 var (
 	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
-	ErrCodeUserRolesNotFound      = errors.MustNewCode("user_roles_not_found")
+	ErrCodeUserRolesNotFound     = errors.MustNewCode("user_roles_not_found")
 )
 
 type UserRole struct {
@@ -47,6 +48,11 @@ func NewUserRoles(userID valuer.UUID, roles []*Role) []*UserRole {
 	return userRoles
 }
 
+type UserWithRoles struct {
+	*types.User
+	Roles []*Role `json:"roles"`
+}
+
 type UserRoleStore interface {
 	// create user roles in bulk
 	CreateUserRoles(ctx context.Context, userRoles []*UserRole) error

pkg/types/user.go

@@ -51,6 +51,15 @@ type DeprecatedUser struct {
 	Role Role `json:"role"`
 }
 
+type UpdatableSelfUser struct {
+	DisplayName string `json:"displayName" required:"true"`
+}
+
+type UpdatableUser struct {
+	DisplayName string   `json:"displayName" required:"true"`
+	RoleNames   []string `json:"roleNames" required:"true" nullable:"false"`
+}
+
 type PostableRegisterOrgAndAdmin struct {
 	Name           string       `json:"name"`
 	Email          valuer.Email `json:"email"`
@@ -298,6 +307,9 @@ type UserStore interface {
 	// Get user by reset password token
 	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)
 
+	// Get users having role by org id and role id
+	GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*User, error)
+
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error
 }