chore: remove comments

* feat(authz): add http routes for authz

* feat(authz): update openapi spec

* feat(authz): update openapi spec

docs/api/openapi.yml

@@ -92,6 +92,19 @@ components:
         tokenType:
           type: string
       type: object
+    AuthtypesGettableTransaction:
+      properties:
+        authorized:
+          type: boolean
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      required:
+      - relation
+      - object
+      - authorized
+      type: object
     AuthtypesGoogleConfig:
       properties:
         allowedGroups:
@@ -117,6 +130,8 @@ components:
         serviceAccountJson:
           type: string
       type: object
+    AuthtypesName:
+      type: object
     AuthtypesOIDCConfig:
       properties:
         claimMapping:
@@ -134,6 +149,16 @@ components:
         issuerAlias:
           type: string
       type: object
+    AuthtypesObject:
+      properties:
+        resource:
+          $ref: '#/components/schemas/AuthtypesResource'
+        selector:
+          $ref: '#/components/schemas/AuthtypesSelector'
+      required:
+      - resource
+      - selector
+      type: object
     AuthtypesOrgSessionContext:
       properties:
         authNSupport:
@@ -171,6 +196,16 @@ components:
         refreshToken:
           type: string
       type: object
+    AuthtypesResource:
+      properties:
+        name:
+          $ref: '#/components/schemas/AuthtypesName'
+        type:
+          type: string
+      required:
+      - name
+      - type
+      type: object
     AuthtypesRoleMapping:
       properties:
         defaultRole:
@@ -196,6 +231,8 @@ components:
         samlIdp:
           type: string
       type: object
+    AuthtypesSelector:
+      type: object
     AuthtypesSessionContext:
       properties:
         exists:
@@ -206,6 +243,18 @@ components:
           nullable: true
           type: array
       type: object
+    AuthtypesTransaction:
+      properties:
+        id:
+          type: string
+        object:
+          $ref: '#/components/schemas/AuthtypesObject'
+        relation:
+          type: string
+      required:
+      - relation
+      - object
+      type: object
     AuthtypesUpdateableAuthDomain:
       properties:
         config:
@@ -1613,6 +1662,56 @@ components:
         status:
           type: string
       type: object
+    RoletypesGettableResources:
+      properties:
+        relations:
+          additionalProperties:
+            items:
+              type: string
+            type: array
+          nullable: true
+          type: object
+        resources:
+          items:
+            $ref: '#/components/schemas/AuthtypesResource'
+          nullable: true
+          type: array
+      required:
+      - resources
+      - relations
+      type: object
+    RoletypesPatchableObjects:
+      properties:
+        additions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+        deletions:
+          items:
+            $ref: '#/components/schemas/AuthtypesObject'
+          nullable: true
+          type: array
+      required:
+      - additions
+      - deletions
+      type: object
+    RoletypesPatchableRole:
+      properties:
+        description:
+          type: string
+      required:
+      - description
+      type: object
+    RoletypesPostableRole:
+      properties:
+        description:
+          type: string
+        name:
+          type: string
+      required:
+      - name
+      type: object
     RoletypesRole:
       properties:
         createdAt:
@@ -1631,6 +1730,11 @@ components:
         updatedAt:
           format: date-time
           type: string
+      required:
+      - name
+      - description
+      - type
+      - orgId
       type: object
     TelemetrytypesFieldContext:
       enum:
@@ -2022,6 +2126,41 @@ info:
   version: ""
 openapi: 3.0.3
 paths:
+  /api/v1/authz/check:
+    post:
+      deprecated: false
+      description: Checks if the authenticated user has permissions for given transactions
+      operationId: AuthzCheck
+      requestBody:
+        content:
+          application/json:
+            schema:
+              items:
+                $ref: '#/components/schemas/AuthtypesTransaction'
+              type: array
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesGettableTransaction'
+                    type: array
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Check permissions
+      tags:
+      - authz
   /api/v1/changePassword/{id}:
     post:
       deprecated: false
@@ -3851,6 +3990,11 @@ paths:
       deprecated: false
       description: This endpoint creates a role
       operationId: CreateRole
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPostableRole'
       responses:
         "201":
           content:
@@ -3863,6 +4007,12 @@ paths:
                     type: string
                 type: object
           description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
         "401":
           content:
             application/json:
@@ -3875,12 +4025,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3919,12 +4087,30 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
         "500":
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
       security:
       - api_key:
         - ADMIN
@@ -3991,6 +4177,11 @@ paths:
         required: true
         schema:
           type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableRole'
       responses:
         "204":
           content:
@@ -4010,6 +4201,220 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch role
+      tags:
+      - role
+  /api/v1/roles/{id}/relation/{relation}/objects:
+    get:
+      deprecated: false
+      description: Gets all objects connected to the specified role via a given relation
+        type
+      operationId: GetObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesObject'
+                    type: array
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get objects for a role by relation
+      tags:
+      - role
+    patch:
+      deprecated: false
+      description: Patches the objects connected to the specified role via a given
+        relation type
+      operationId: PatchObjects
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: relation
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RoletypesPatchableObjects'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "451":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unavailable For Legal Reasons
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+        "501":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Implemented
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Patch objects for a role by relation
+      tags:
+      - role
+  /api/v1/roles/resources:
+    get:
+      deprecated: false
+      description: Gets all the available resources for role assignment
+      operationId: GetResources
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/RoletypesGettableResources'
+                  status:
+                    type: string
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
         "500":
           content:
             application/json:
@@ -4021,7 +4426,7 @@ paths:
         - ADMIN
       - tokenizer:
         - ADMIN
-      summary: Patch role
+      summary: Get resources
       tags:
       - role
   /api/v1/user:

ee/authz/openfgaauthz/provider.go

@@ -62,10 +62,6 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.openfgaServer.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return provider.openfgaServer.Check(ctx, tuple)
-}
-
 func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, roleSelectors []authtypes.Selector) error {
 	return provider.openfgaServer.CheckWithTupleCreation(ctx, claims, orgID, relation, typeable, selectors, roleSelectors)
 }
@@ -74,8 +70,8 @@ func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Contex
 	return provider.openfgaServer.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, roleSelectors)
 }
 
-func (provider *provider) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
-	return provider.openfgaServer.BatchCheck(ctx, tuples)
+	return provider.openfgaServer.BatchCheck(ctx, tupleReq)
 }
 
 func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
@@ -187,6 +183,11 @@ func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource
 }
 
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
+	_, err := provider.licensing.GetActive(ctx, orgID)
+	if err != nil {
+		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
+	}
+
 	storableRole, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return nil, err
@@ -198,7 +199,7 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 			resourceObjects, err := provider.
 				ListObjects(
 					ctx,
-					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.ID.String(), orgID, &authtypes.RelationAssignee),
+					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.Name, orgID, &authtypes.RelationAssignee),
 					relation,
 					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
 				)

ee/authz/openfgaserver/server.go

@@ -2,8 +2,10 @@ package openfgaserver
 
 import (
 	"context"
+	"strconv"
 
 	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -28,27 +30,34 @@ func (server *Server) Stop(ctx context.Context) error {
 	return server.pkgAuthzService.Stop(ctx)
 }
 
-func (server *Server) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
-	return server.pkgAuthzService.Check(ctx, tuple)
-}
-
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
@@ -57,21 +66,32 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
+	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
-func (server *Server) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
-	return server.pkgAuthzService.BatchCheck(ctx, tuples)
+	return server.pkgAuthzService.BatchCheck(ctx, tupleReq)
 }
 
 func (server *Server) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {

ee/modules/dashboard/impldashboard/module.go

@@ -220,6 +220,7 @@ func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.T
 	return map[string][]*authtypes.Transaction{
 		roletypes.SigNozAnonymousRoleName: {
 			{
+				ID:       valuer.GenerateUUID(),
 				Relation: authtypes.RelationRead,
 				Object: *authtypes.MustNewObject(
 					authtypes.Resource{

frontend/src/api/generated/services/authz/index.ts

@@ -0,0 +1,107 @@
+/**
+ * ! Do not edit manually
+ * * The file has been auto-generated using Orval for SigNoz
+ * * regenerate with 'yarn generate:api'
+ * SigNoz
+ */
+import type {
+	MutationFunction,
+	UseMutationOptions,
+	UseMutationResult,
+} from 'react-query';
+import { useMutation } from 'react-query';
+
+import { GeneratedAPIInstance } from '../../../index';
+import type {
+	AuthtypesTransactionDTO,
+	AuthzCheck200,
+	RenderErrorResponseDTO,
+} from '../sigNoz.schemas';
+
+type AwaitedInput<T> = PromiseLike<T> | T;
+
+type Awaited<O> = O extends AwaitedInput<infer T> ? T : never;
+
+/**
+ * Checks if the authenticated user has permissions for given transactions
+ * @summary Check permissions
+ */
+export const authzCheck = (
+	authtypesTransactionDTO: AuthtypesTransactionDTO[],
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<AuthzCheck200>({
+		url: `/api/v1/authz/check`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: authtypesTransactionDTO,
+		signal,
+	});
+};
+
+export const getAuthzCheckMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationKey = ['authzCheck'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof authzCheck>>,
+		{ data: AuthtypesTransactionDTO[] }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return authzCheck(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type AuthzCheckMutationResult = NonNullable<
+	Awaited<ReturnType<typeof authzCheck>>
+>;
+export type AuthzCheckMutationBody = AuthtypesTransactionDTO[];
+export type AuthzCheckMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Check permissions
+ */
+export const useAuthzCheck = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof authzCheck>>,
+		TError,
+		{ data: AuthtypesTransactionDTO[] },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof authzCheck>>,
+	TError,
+	{ data: AuthtypesTransactionDTO[] },
+	TContext
+> => {
+	const mutationOptions = getAuthzCheckMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};

frontend/src/api/generated/services/role/index.ts

@@ -21,11 +21,18 @@ import { GeneratedAPIInstance } from '../../../index';
 import type {
 	CreateRole201,
 	DeleteRolePathParameters,
+	GetObjects200,
+	GetObjectsPathParameters,
+	GetResources200,
 	GetRole200,
 	GetRolePathParameters,
 	ListRoles200,
+	PatchObjectsPathParameters,
 	PatchRolePathParameters,
 	RenderErrorResponseDTO,
+	RoletypesPatchableObjectsDTO,
+	RoletypesPatchableRoleDTO,
+	RoletypesPostableRoleDTO,
 } from '../sigNoz.schemas';
 
 type AwaitedInput<T> = PromiseLike<T> | T;
@@ -114,10 +121,15 @@ export const invalidateListRoles = async (
  * This endpoint creates a role
  * @summary Create role
  */
-export const createRole = (signal?: AbortSignal) => {
+export const createRole = (
+	roletypesPostableRoleDTO: RoletypesPostableRoleDTO,
+	signal?: AbortSignal,
+) => {
 	return GeneratedAPIInstance<CreateRole201>({
 		url: `/api/v1/roles`,
 		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPostableRoleDTO,
 		signal,
 	});
 };
@@ -129,13 +141,13 @@ export const getCreateRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['createRole'];
@@ -149,9 +161,11 @@ export const getCreateRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof createRole>>,
-		void
+		{ data: RoletypesPostableRoleDTO }
-	> = () => {
+	> = (props) => {
-		return createRole();
+		const { data } = props ?? {};
+
+		return createRole(data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -160,7 +174,7 @@ export const getCreateRoleMutationOptions = <
 export type CreateRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof createRole>>
 >;
-
+export type CreateRoleMutationBody = RoletypesPostableRoleDTO;
 export type CreateRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -173,13 +187,13 @@ export const useCreateRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		void,
+		{ data: RoletypesPostableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	void,
+	{ data: RoletypesPostableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getCreateRoleMutationOptions(options);
@@ -358,10 +372,15 @@ export const invalidateGetRole = async (
  * This endpoint patches a role
  * @summary Patch role
  */
-export const patchRole = ({ id }: PatchRolePathParameters) => {
+export const patchRole = (
+	{ id }: PatchRolePathParameters,
+	roletypesPatchableRoleDTO: RoletypesPatchableRoleDTO,
+) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/roles/${id}`,
 		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableRoleDTO,
 	});
 };
 
@@ -372,13 +391,13 @@ export const getPatchRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationKey = ['patchRole'];
@@ -392,11 +411,11 @@ export const getPatchRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof patchRole>>,
-		{ pathParams: PatchRolePathParameters }
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO }
 	> = (props) => {
-		const { pathParams } = props ?? {};
+		const { pathParams, data } = props ?? {};
 
-		return patchRole(pathParams);
+		return patchRole(pathParams, data);
 	};
 
 	return { mutationFn, ...mutationOptions };
@@ -405,7 +424,7 @@ export const getPatchRoleMutationOptions = <
 export type PatchRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof patchRole>>
 >;
-
+export type PatchRoleMutationBody = RoletypesPatchableRoleDTO;
 export type PatchRoleMutationError = RenderErrorResponseDTO;
 
 /**
@@ -418,16 +437,292 @@ export const usePatchRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof patchRole>>,
 		TError,
-		{ pathParams: PatchRolePathParameters },
+		{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof patchRole>>,
 	TError,
-	{ pathParams: PatchRolePathParameters },
+	{ pathParams: PatchRolePathParameters; data: RoletypesPatchableRoleDTO },
 	TContext
 > => {
 	const mutationOptions = getPatchRoleMutationOptions(options);
 
 	return useMutation(mutationOptions);
 };
+/**
+ * Gets all objects connected to the specified role via a given relation type
+ * @summary Get objects for a role by relation
+ */
+export const getObjects = (
+	{ id, relation }: GetObjectsPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetObjects200>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetObjectsQueryKey = ({
+	id,
+	relation,
+}: GetObjectsPathParameters) => {
+	return ['getObjects'] as const;
+};
+
+export const getGetObjectsQueryOptions = <
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getGetObjectsQueryKey({ id, relation });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getObjects>>> = ({
+		signal,
+	}) => getObjects({ id, relation }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!(id && relation),
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getObjects>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetObjectsQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getObjects>>
+>;
+export type GetObjectsQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get objects for a role by relation
+ */
+
+export function useGetObjects<
+	TData = Awaited<ReturnType<typeof getObjects>>,
+	TError = RenderErrorResponseDTO
+>(
+	{ id, relation }: GetObjectsPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getObjects>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetObjectsQueryOptions({ id, relation }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get objects for a role by relation
+ */
+export const invalidateGetObjects = async (
+	queryClient: QueryClient,
+	{ id, relation }: GetObjectsPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetObjectsQueryKey({ id, relation }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * Patches the objects connected to the specified role via a given relation type
+ * @summary Patch objects for a role by relation
+ */
+export const patchObjects = (
+	{ id, relation }: PatchObjectsPathParameters,
+	roletypesPatchableObjectsDTO: RoletypesPatchableObjectsDTO,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/roles/${id}/relation/${relation}/objects`,
+		method: 'PATCH',
+		headers: { 'Content-Type': 'application/json' },
+		data: roletypesPatchableObjectsDTO,
+	});
+};
+
+export const getPatchObjectsMutationOptions = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationKey = ['patchObjects'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof patchObjects>>,
+		{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO }
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return patchObjects(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type PatchObjectsMutationResult = NonNullable<
+	Awaited<ReturnType<typeof patchObjects>>
+>;
+export type PatchObjectsMutationBody = RoletypesPatchableObjectsDTO;
+export type PatchObjectsMutationError = RenderErrorResponseDTO;
+
+/**
+ * @summary Patch objects for a role by relation
+ */
+export const usePatchObjects = <
+	TError = RenderErrorResponseDTO,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof patchObjects>>,
+		TError,
+		{
+			pathParams: PatchObjectsPathParameters;
+			data: RoletypesPatchableObjectsDTO;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof patchObjects>>,
+	TError,
+	{ pathParams: PatchObjectsPathParameters; data: RoletypesPatchableObjectsDTO },
+	TContext
+> => {
+	const mutationOptions = getPatchObjectsMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * Gets all the available resources for role assignment
+ * @summary Get resources
+ */
+export const getResources = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<GetResources200>({
+		url: `/api/v1/roles/resources`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetResourcesQueryKey = () => {
+	return ['getResources'] as const;
+};
+
+export const getGetResourcesQueryOptions = <
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetResourcesQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getResources>>> = ({
+		signal,
+	}) => getResources(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetResourcesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getResources>>
+>;
+export type GetResourcesQueryError = RenderErrorResponseDTO;
+
+/**
+ * @summary Get resources
+ */
+
+export function useGetResources<
+	TData = Awaited<ReturnType<typeof getResources>>,
+	TError = RenderErrorResponseDTO
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getResources>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetResourcesQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get resources
+ */
+export const invalidateGetResources = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetResourcesQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -127,6 +127,18 @@ export interface AuthtypesGettableTokenDTO {
 	tokenType?: string;
 }
 
+export interface AuthtypesGettableTransactionDTO {
+	/**
+	 * @type boolean
+	 */
+	authorized: boolean;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
+}
+
 export type AuthtypesGoogleConfigDTODomainToAdminEmail = {
 	[key: string]: string;
 };
@@ -170,6 +182,10 @@ export interface AuthtypesGoogleConfigDTO {
 	serviceAccountJson?: string;
 }
 
+export interface AuthtypesNameDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesOIDCConfigDTO {
 	claimMapping?: AuthtypesAttributeMappingDTO;
 	/**
@@ -198,6 +214,11 @@ export interface AuthtypesOIDCConfigDTO {
 	issuerAlias?: string;
 }
 
+export interface AuthtypesObjectDTO {
+	resource: AuthtypesResourceDTO;
+	selector: AuthtypesSelectorDTO;
+}
+
 export interface AuthtypesOrgSessionContextDTO {
 	authNSupport?: AuthtypesAuthNSupportDTO;
 	/**
@@ -248,6 +269,14 @@ export interface AuthtypesPostableRotateTokenDTO {
 	refreshToken?: string;
 }
 
+export interface AuthtypesResourceDTO {
+	name: AuthtypesNameDTO;
+	/**
+	 * @type string
+	 */
+	type: string;
+}
+
 /**
  * @nullable
  */
@@ -291,6 +320,10 @@ export interface AuthtypesSamlConfigDTO {
 	samlIdp?: string;
 }
 
+export interface AuthtypesSelectorDTO {
+	[key: string]: unknown;
+}
+
 export interface AuthtypesSessionContextDTO {
 	/**
 	 * @type boolean
@@ -303,6 +336,18 @@ export interface AuthtypesSessionContextDTO {
 	orgs?: AuthtypesOrgSessionContextDTO[] | null;
 }
 
+export interface AuthtypesTransactionDTO {
+	/**
+	 * @type string
+	 */
+	id?: string;
+	object: AuthtypesObjectDTO;
+	/**
+	 * @type string
+	 */
+	relation: string;
+}
+
 export interface AuthtypesUpdateableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }
@@ -1947,6 +1992,57 @@ export interface RenderErrorResponseDTO {
 	status?: string;
 }
 
+/**
+ * @nullable
+ */
+export type RoletypesGettableResourcesDTORelations = {
+	[key: string]: string[];
+} | null;
+
+export interface RoletypesGettableResourcesDTO {
+	/**
+	 * @type object
+	 * @nullable true
+	 */
+	relations: RoletypesGettableResourcesDTORelations;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	resources: AuthtypesResourceDTO[] | null;
+}
+
+export interface RoletypesPatchableObjectsDTO {
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	additions: AuthtypesObjectDTO[] | null;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	deletions: AuthtypesObjectDTO[] | null;
+}
+
+export interface RoletypesPatchableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description: string;
+}
+
+export interface RoletypesPostableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description?: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
 export interface RoletypesRoleDTO {
 	/**
 	 * @type string
@@ -1956,7 +2052,7 @@ export interface RoletypesRoleDTO {
 	/**
 	 * @type string
 	 */
-	description?: string;
+	description: string;
 	/**
 	 * @type string
 	 */
@@ -1964,15 +2060,15 @@ export interface RoletypesRoleDTO {
 	/**
 	 * @type string
 	 */
-	name?: string;
+	name: string;
 	/**
 	 * @type string
 	 */
-	orgId?: string;
+	orgId: string;
 	/**
 	 * @type string
 	 */
-	type?: string;
+	type: string;
 	/**
 	 * @type string
 	 * @format date-time
@@ -2499,6 +2595,17 @@ export interface ZeustypesPostableProfileDTO {
 	where_did_you_discover_signoz: string;
 }
 
+export type AuthzCheck200 = {
+	/**
+	 * @type array
+	 */
+	data?: AuthtypesGettableTransactionDTO[];
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
 export type ChangePasswordPathParameters = {
 	id: string;
 };
@@ -2902,6 +3009,33 @@ export type GetRole200 = {
 export type PatchRolePathParameters = {
 	id: string;
 };
+export type GetObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetObjects200 = {
+	/**
+	 * @type array
+	 */
+	data?: AuthtypesObjectDTO[];
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
+export type PatchObjectsPathParameters = {
+	id: string;
+	relation: string;
+};
+export type GetResources200 = {
+	data?: RoletypesGettableResourcesDTO;
+	/**
+	 * @type string
+	 */
+	status?: string;
+};
+
 export type ListUsers200 = {
 	/**
 	 * @type array

frontend/src/container/InfraMonitoringK8s/Clusters/K8sClustersList.tsx

@@ -27,7 +27,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -103,9 +103,10 @@ function K8sClustersList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/DaemonSets/K8sDaemonSetsList.tsx

@@ -28,7 +28,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -105,9 +105,10 @@ function K8sDaemonSetsList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/Deployments/K8sDeploymentsList.tsx

@@ -28,7 +28,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -106,9 +106,10 @@ function K8sDeploymentsList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/Jobs/K8sJobsList.tsx

@@ -28,7 +28,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -101,9 +101,10 @@ function K8sJobsList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/K8sHeader.tsx

@@ -10,6 +10,7 @@ import { BaseAutocompleteData } from 'types/api/queryBuilder/queryAutocompleteRe
 import { IBuilderQuery } from 'types/api/queryBuilder/queryBuilderData';
 import { DataSource } from 'types/common/queryBuilder';
 
+import { safeParseJSON } from './commonUtils';
 import { INFRA_MONITORING_K8S_PARAMS_KEYS, K8sCategory } from './constants';
 import K8sFiltersSidePanel from './K8sFiltersSidePanel/K8sFiltersSidePanel';
 import { IEntityColumn } from './utils';
@@ -58,9 +59,10 @@ function K8sHeader({
 		const urlFilters = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.FILTERS);
 		let { filters } = currentQuery.builder.queryData[0];
 		if (urlFilters) {
-			const decoded = decodeURIComponent(urlFilters);
+			const parsed = safeParseJSON<IBuilderQuery['filters']>(urlFilters);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			filters = parsed;
+				filters = parsed;
+			}
 		}
 		return {
 			...currentQuery,

frontend/src/container/InfraMonitoringK8s/Namespaces/K8sNamespacesList.tsx

@@ -27,7 +27,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -104,9 +104,10 @@ function K8sNamespacesList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/Nodes/K8sNodesList.tsx

@@ -27,7 +27,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -99,9 +99,10 @@ function K8sNodesList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/Pods/K8sPodLists.tsx

@@ -29,7 +29,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -92,9 +92,10 @@ function K8sPodsList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/StatefulSets/K8sStatefulSetsList.tsx

@@ -28,7 +28,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -105,9 +105,10 @@ function K8sStatefulSetsList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/Volumes/K8sVolumesList.tsx

@@ -28,7 +28,7 @@ import { GlobalReducer } from 'types/reducer/globalTime';
 
 import { FeatureKeys } from '../../../constants/features';
 import { useAppContext } from '../../../providers/App/App';
-import { getOrderByFromParams } from '../commonUtils';
+import { getOrderByFromParams, safeParseJSON } from '../commonUtils';
 import {
 	GetK8sEntityToAggregateAttribute,
 	INFRA_MONITORING_K8S_PARAMS_KEYS,
@@ -105,9 +105,10 @@ function K8sVolumesList({
 	const [groupBy, setGroupBy] = useState<IBuilderQuery['groupBy']>(() => {
 		const groupBy = searchParams.get(INFRA_MONITORING_K8S_PARAMS_KEYS.GROUP_BY);
 		if (groupBy) {
-			const decoded = decodeURIComponent(groupBy);
+			const parsed = safeParseJSON<IBuilderQuery['groupBy']>(groupBy);
-			const parsed = JSON.parse(decoded);
+			if (parsed) {
-			return parsed as IBuilderQuery['groupBy'];
+				return parsed;
+			}
 		}
 		return [];
 	});

frontend/src/container/InfraMonitoringK8s/commonUtils.tsx

@@ -5,6 +5,7 @@
 /* eslint-disable prefer-destructuring */
 
 import { useMemo } from 'react';
+import * as Sentry from '@sentry/react';
 import { Color } from '@signozhq/design-tokens';
 import { Table, Tooltip, Typography } from 'antd';
 import { Progress } from 'antd/lib';
@@ -260,6 +261,19 @@ export const filterDuplicateFilters = (
 	return uniqueFilters;
 };
 
+export const safeParseJSON = <T,>(value: string): T | null => {
+	if (!value) {
+		return null;
+	}
+	try {
+		return JSON.parse(value) as T;
+	} catch (e) {
+		console.error('Error parsing JSON from URL parameter:', e);
+		// TODO: Should we capture this error in Sentry?
+		return null;
+	}
+};
+
 export const getOrderByFromParams = (
 	searchParams: URLSearchParams,
 	returnNullAsDefault = false,
@@ -271,9 +285,12 @@ export const getOrderByFromParams = (
 		INFRA_MONITORING_K8S_PARAMS_KEYS.ORDER_BY,
 	);
 	if (orderByFromParams) {
-		const decoded = decodeURIComponent(orderByFromParams);
+		const parsed = safeParseJSON<{ columnName: string; order: 'asc' | 'desc' }>(
-		const parsed = JSON.parse(decoded);
+			orderByFromParams,
-		return parsed as { columnName: string; order: 'asc' | 'desc' };
+		);
+		if (parsed) {
+			return parsed;
+		}
 	}
 	if (returnNullAsDefault) {
 		return null;
@@ -287,13 +304,7 @@ export const getFiltersFromParams = (
 ): IBuilderQuery['filters'] | null => {
 	const filtersFromParams = searchParams.get(queryKey);
 	if (filtersFromParams) {
-		try {
+		return safeParseJSON<IBuilderQuery['filters']>(filtersFromParams);
-			const decoded = decodeURIComponent(filtersFromParams);
-			const parsed = JSON.parse(decoded);
-			return parsed as IBuilderQuery['filters'];
-		} catch (error) {
-			return null;
-		}
 	}
 	return null;
 };

frontend/src/container/OnboardingQuestionaire/InviteTeamMembers/InviteTeamMembers.tsx

@@ -88,10 +88,7 @@ function InviteTeamMembers({
 		setTeamMembersToInvite((prev) => (prev || []).filter((m) => m.id !== id));
 	};
 
-	const isMemberTouched = (member: TeamMember): boolean =>
+	// Validation function to check all users
-		member.email.trim() !== '' ||
-		Boolean(member.role && member.role.trim() !== '');
-
 	const validateAllUsers = (): boolean => {
 		let isValid = true;
 		let hasEmailErrors = false;
@@ -99,9 +96,7 @@ function InviteTeamMembers({
 
 		const updatedEmailValidity: Record<string, boolean> = {};
 
-		const touchedMembers = teamMembersToInvite?.filter(isMemberTouched) ?? [];
+		teamMembersToInvite?.forEach((member) => {
-
-		touchedMembers?.forEach((member) => {
 			const emailValid = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(member.email);
 			const roleValid = Boolean(member.role && member.role.trim() !== '');
 
@@ -155,12 +150,12 @@ function InviteTeamMembers({
 
 	const handleNext = (): void => {
 		if (validateAllUsers()) {
-			setTeamMembers(teamMembersToInvite?.filter(isMemberTouched) ?? []);
+			setTeamMembers(teamMembersToInvite || []);
 			setHasInvalidEmails(false);
 			setHasInvalidRoles(false);
 			setInviteError(null);
 			sendInvites({
-				invites: teamMembersToInvite?.filter(isMemberTouched) ?? [],
+				invites: teamMembersToInvite || [],
 			});
 		}
 	};
@@ -235,12 +230,12 @@ function InviteTeamMembers({
 
 	const getValidationErrorMessage = (): string => {
 		if (hasInvalidEmails && hasInvalidRoles) {
-			return 'Please enter valid emails and select roles for team members';
+			return 'Please enter valid emails and select roles for all team members';
 		}
 		if (hasInvalidEmails) {
-			return 'Please enter valid emails for team members';
+			return 'Please enter valid emails for all team members';
 		}
-		return 'Please select roles for team members';
+		return 'Please select roles for all team members';
 	};
 
 	const handleDoLater = (): void => {

frontend/src/container/OnboardingQuestionaire/InviteTeamMembers/__tests__/InviteTeamMembers.test.tsx

@@ -1,485 +0,0 @@
-import { rest, server } from 'mocks-server/server';
-import {
-	fireEvent,
-	render,
-	screen,
-	userEvent,
-	waitFor,
-} from 'tests/test-utils';
-
-import InviteTeamMembers from '../InviteTeamMembers';
-
-jest.mock('api/common/logEvent', () => ({
-	__esModule: true,
-	default: jest.fn(),
-}));
-
-const mockNotificationSuccess = jest.fn() as jest.MockedFunction<
-	(args: { message: string }) => void
->;
-const mockNotificationError = jest.fn() as jest.MockedFunction<
-	(args: { message: string }) => void
->;
-
-jest.mock('hooks/useNotifications', () => ({
-	useNotifications: (): any => ({
-		notifications: {
-			success: mockNotificationSuccess,
-			error: mockNotificationError,
-		},
-	}),
-}));
-
-const INVITE_USERS_ENDPOINT = '*/api/v1/invite/bulk';
-
-interface TeamMember {
-	email: string;
-	role: string;
-	name: string;
-	frontendBaseUrl: string;
-	id: string;
-}
-
-interface InviteRequestBody {
-	invites: { email: string; role: string }[];
-}
-
-interface RenderProps {
-	isLoading?: boolean;
-	teamMembers?: TeamMember[] | null;
-}
-
-const mockOnNext = jest.fn() as jest.MockedFunction<() => void>;
-const mockSetTeamMembers = jest.fn() as jest.MockedFunction<
-	(members: TeamMember[]) => void
->;
-
-function renderComponent({
-	isLoading = false,
-	teamMembers = null,
-}: RenderProps = {}): ReturnType<typeof render> {
-	return render(
-		<InviteTeamMembers
-			isLoading={isLoading}
-			teamMembers={teamMembers}
-			setTeamMembers={mockSetTeamMembers}
-			onNext={mockOnNext}
-		/>,
-	);
-}
-
-async function selectRole(
-	user: ReturnType<typeof userEvent.setup>,
-	selectIndex: number,
-	optionLabel: string,
-): Promise<void> {
-	const placeholders = screen.getAllByText(/select roles/i);
-	await user.click(placeholders[selectIndex]);
-	const optionContent = await screen.findByText(optionLabel);
-	fireEvent.click(optionContent);
-}
-
-describe('InviteTeamMembers', () => {
-	beforeEach(() => {
-		jest.clearAllMocks();
-
-		server.use(
-			rest.post(INVITE_USERS_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success' })),
-			),
-		);
-	});
-
-	afterEach(() => {
-		jest.useRealTimers();
-		server.resetHandlers();
-	});
-
-	describe('Initial rendering', () => {
-		it('renders the page header, column labels, default rows, and action buttons', () => {
-			renderComponent();
-
-			expect(
-				screen.getByRole('heading', { name: /invite your team/i }),
-			).toBeInTheDocument();
-			expect(
-				screen.getByText(/signoz is a lot more useful with collaborators/i),
-			).toBeInTheDocument();
-			expect(
-				screen.getAllByPlaceholderText(/e\.g\. john@signoz\.io/i),
-			).toHaveLength(3);
-			expect(screen.getByText('Email address')).toBeInTheDocument();
-			expect(screen.getByText('Roles')).toBeInTheDocument();
-			expect(
-				screen.getByRole('button', { name: /complete/i }),
-			).toBeInTheDocument();
-			expect(
-				screen.getByRole('button', { name: /i'll do this later/i }),
-			).toBeInTheDocument();
-		});
-
-		it('disables both action buttons while isLoading is true', () => {
-			renderComponent({ isLoading: true });
-
-			expect(screen.getByRole('button', { name: /complete/i })).toBeDisabled();
-			expect(
-				screen.getByRole('button', { name: /i'll do this later/i }),
-			).toBeDisabled();
-		});
-	});
-
-	describe('Row management', () => {
-		it('adds a new empty row when "Add another" is clicked', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			expect(
-				screen.getAllByPlaceholderText(/e\.g\. john@signoz\.io/i),
-			).toHaveLength(3);
-
-			await user.click(screen.getByRole('button', { name: /add another/i }));
-
-			expect(
-				screen.getAllByPlaceholderText(/e\.g\. john@signoz\.io/i),
-			).toHaveLength(4);
-		});
-
-		it('removes the correct row when its trash icon is clicked', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const emailInputs = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-			await user.type(emailInputs[0], 'first@example.com');
-			await screen.findByDisplayValue('first@example.com');
-
-			await user.click(
-				screen.getAllByRole('button', { name: /remove team member/i })[0],
-			);
-
-			await waitFor(() => {
-				expect(
-					screen.queryByDisplayValue('first@example.com'),
-				).not.toBeInTheDocument();
-				expect(
-					screen.getAllByPlaceholderText(/e\.g\. john@signoz\.io/i),
-				).toHaveLength(2);
-			});
-		});
-
-		it('hides remove buttons when only one row remains', async () => {
-			renderComponent();
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-			let removeButtons = screen.getAllByRole('button', {
-				name: /remove team member/i,
-			});
-			while (removeButtons.length > 0) {
-				await user.click(removeButtons[0]);
-				removeButtons = screen.queryAllByRole('button', {
-					name: /remove team member/i,
-				});
-			}
-
-			expect(
-				screen.queryByRole('button', { name: /remove team member/i }),
-			).not.toBeInTheDocument();
-		});
-	});
-
-	describe('Inline email validation', () => {
-		it('shows an inline error after typing an invalid email and clears it when a valid email is entered', async () => {
-			jest.useFakeTimers();
-			const user = userEvent.setup({
-				advanceTimers: (ms) => jest.advanceTimersByTime(ms),
-			});
-			renderComponent();
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-
-			await user.type(firstInput, 'not-an-email');
-			jest.advanceTimersByTime(600);
-			await waitFor(() => {
-				expect(screen.getByText(/invalid email address/i)).toBeInTheDocument();
-			});
-
-			await user.clear(firstInput);
-			await user.type(firstInput, 'good@example.com');
-			jest.advanceTimersByTime(600);
-			await waitFor(() => {
-				expect(
-					screen.queryByText(/invalid email address/i),
-				).not.toBeInTheDocument();
-			});
-		});
-
-		it('does not show an inline error when the field is cleared back to empty', async () => {
-			jest.useFakeTimers();
-			const user = userEvent.setup({
-				advanceTimers: (ms) => jest.advanceTimersByTime(ms),
-			});
-			renderComponent();
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-			await user.type(firstInput, 'a');
-			await user.clear(firstInput);
-			jest.advanceTimersByTime(600);
-
-			await waitFor(() => {
-				expect(
-					screen.queryByText(/invalid email address/i),
-				).not.toBeInTheDocument();
-			});
-		});
-	});
-
-	describe('Validation callout on Complete', () => {
-		it('shows the correct callout message for each combination of email/role validity', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const removeButtons = screen.getAllByRole('button', {
-				name: /remove team member/i,
-			});
-			await user.click(removeButtons[0]);
-			await user.click(
-				screen.getAllByRole('button', { name: /remove team member/i })[0],
-			);
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-
-			await user.type(firstInput, 'bad-email');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.getByText(
-						/please enter valid emails and select roles for team members/i,
-					),
-				).toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails for team members/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please select roles for team members/i),
-				).not.toBeInTheDocument();
-			});
-
-			await selectRole(user, 0, 'Viewer');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.getByText(/please enter valid emails for team members/i),
-				).toBeInTheDocument();
-				expect(
-					screen.queryByText(/please select roles for team members/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails and select roles/i),
-				).not.toBeInTheDocument();
-			});
-
-			await user.clear(firstInput);
-			await user.type(firstInput, 'valid@example.com');
-			await user.click(screen.getByRole('button', { name: /add another/i }));
-			const allInputs = screen.getAllByPlaceholderText(/e\.g\. john@signoz\.io/i);
-			await user.type(allInputs[1], 'norole@example.com');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.getByText(/please select roles for team members/i),
-				).toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails for team members/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails and select roles/i),
-				).not.toBeInTheDocument();
-			});
-		});
-
-		it('treats whitespace as untouched, clears the callout on fix-and-resubmit, and clears role error on role select', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const removeButtons = screen.getAllByRole('button', {
-				name: /remove team member/i,
-			});
-			await user.click(removeButtons[0]);
-			await user.click(
-				screen.getAllByRole('button', { name: /remove team member/i })[0],
-			);
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-
-			await user.type(firstInput, '   ');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.queryByText(/please enter valid emails/i),
-				).not.toBeInTheDocument();
-				expect(screen.queryByText(/please select roles/i)).not.toBeInTheDocument();
-			});
-
-			await user.clear(firstInput);
-			await user.type(firstInput, 'bad-email');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.getByText(
-						/please enter valid emails and select roles for team members/i,
-					),
-				).toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails for team members/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please select roles for team members/i),
-				).not.toBeInTheDocument();
-			});
-
-			await user.clear(firstInput);
-			await user.type(firstInput, 'good@example.com');
-			await selectRole(user, 0, 'Admin');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-			await waitFor(() => {
-				expect(
-					screen.queryByText(/please enter valid emails and select roles/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please enter valid emails for team members/i),
-				).not.toBeInTheDocument();
-				expect(
-					screen.queryByText(/please select roles for team members/i),
-				).not.toBeInTheDocument();
-			});
-
-			await waitFor(() => expect(mockOnNext).toHaveBeenCalledTimes(1), {
-				timeout: 1200,
-			});
-		});
-
-		it('does not show a validation callout when all rows are untouched (empty)', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-
-			await waitFor(() => {
-				expect(
-					screen.queryByText(/please enter valid emails/i),
-				).not.toBeInTheDocument();
-				expect(screen.queryByText(/please select roles/i)).not.toBeInTheDocument();
-			});
-
-			await waitFor(
-				() => {
-					expect(mockOnNext).toHaveBeenCalled();
-				},
-				{ timeout: 1200 },
-			);
-		});
-	});
-
-	describe('API integration', () => {
-		it('only sends touched (non-empty) rows — empty rows are excluded from the invite payload', async () => {
-			let capturedBody: InviteRequestBody | null = null;
-
-			server.use(
-				rest.post(INVITE_USERS_ENDPOINT, async (req, res, ctx) => {
-					capturedBody = await req.json<InviteRequestBody>();
-					return res(ctx.status(200), ctx.json({ status: 'success' }));
-				}),
-			);
-
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-			await user.type(firstInput, 'only@example.com');
-			await selectRole(user, 0, 'Admin');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-
-			await waitFor(() => {
-				expect(capturedBody).not.toBeNull();
-				expect(capturedBody?.invites).toHaveLength(1);
-				expect(capturedBody?.invites[0]).toMatchObject({
-					email: 'only@example.com',
-					role: 'ADMIN',
-				});
-			});
-			await waitFor(() => expect(mockOnNext).toHaveBeenCalled(), {
-				timeout: 1200,
-			});
-		});
-
-		it('calls the invite API, shows a success notification, and calls onNext after the 1 s delay', async () => {
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-			await user.type(firstInput, 'alice@example.com');
-			await selectRole(user, 0, 'Admin');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-
-			await waitFor(() => {
-				expect(mockNotificationSuccess).toHaveBeenCalledWith(
-					expect.objectContaining({ message: 'Invites sent successfully!' }),
-				);
-			});
-
-			await waitFor(
-				() => {
-					expect(mockOnNext).toHaveBeenCalledTimes(1);
-				},
-				{ timeout: 1200 },
-			);
-		});
-
-		it('renders an API error container when the invite request fails', async () => {
-			server.use(
-				rest.post(INVITE_USERS_ENDPOINT, (_, res, ctx) =>
-					res(
-						ctx.status(500),
-						ctx.json({
-							errors: [{ code: 'INTERNAL_ERROR', msg: 'Something went wrong' }],
-						}),
-					),
-				),
-			);
-
-			const user = userEvent.setup({ pointerEventsCheck: 0 });
-			renderComponent();
-
-			const [firstInput] = screen.getAllByPlaceholderText(
-				/e\.g\. john@signoz\.io/i,
-			);
-			await user.type(firstInput, 'fail@example.com');
-			await selectRole(user, 0, 'Viewer');
-			await user.click(screen.getByRole('button', { name: /complete/i }));
-
-			await waitFor(() => {
-				expect(document.querySelector('.auth-error-container')).toBeInTheDocument();
-			});
-
-			await user.type(firstInput, 'x');
-			await waitFor(() => {
-				expect(
-					document.querySelector('.auth-error-container'),
-				).not.toBeInTheDocument();
-			});
-		});
-	});
-});

pkg/apiserver/signozapiserver/authz.go

@@ -0,0 +1,30 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addAuthzRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/authz/check", handler.New(provider.authzHandler.Check, handler.OpenAPIDef{
+		ID:                  "AuthzCheck",
+		Tags:                []string{"authz"},
+		Summary:             "Check permissions",
+		Description:         "Checks if the authenticated user has permissions for given transactions",
+		Request:             make([]*authtypes.Transaction, 0),
+		RequestContentType:  "",
+		Response:            make([]*authtypes.GettableTransaction, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     nil,
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/apiserver/signozapiserver/provider.go

@@ -207,6 +207,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addAuthzRoutes(router); err != nil {
+		return err
+	}
+
 	if err := provider.addFieldsRoutes(router); err != nil {
 		return err
 	}

pkg/apiserver/signozapiserver/role.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/gorilla/mux"
 )
@@ -15,12 +16,12 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Create role",
 		Description:         "This endpoint creates a role",
-		Request:             nil,
+		Request:             new(roletypes.PostableRole),
 		RequestContentType:  "",
 		Response:            new(types.Identifiable),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPost).GetError(); err != nil {
@@ -44,6 +45,23 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/resources", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetResources), handler.OpenAPIDef{
+		ID:                  "GetResources",
+		Tags:                []string{"role"},
+		Summary:             "Get resources",
+		Description:         "Gets all the available resources for role assignment",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(roletypes.GettableResources),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Get), handler.OpenAPIDef{
 		ID:                  "GetRole",
 		Tags:                []string{"role"},
@@ -61,17 +79,51 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.GetObjects), handler.OpenAPIDef{
+		ID:                  "GetObjects",
+		Tags:                []string{"role"},
+		Summary:             "Get objects for a role by relation",
+		Description:         "Gets all objects connected to the specified role via a given relation type",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*authtypes.Object, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.authzHandler.Patch), handler.OpenAPIDef{
 		ID:                  "PatchRole",
 		Tags:                []string{"role"},
 		Summary:             "Patch role",
 		Description:         "This endpoint patches a role",
-		Request:             nil,
+		Request:             new(roletypes.PatchableRole),
 		RequestContentType:  "",
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPatch).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/roles/{id}/relation/{relation}/objects", handler.New(provider.authZ.AdminAccess(provider.authzHandler.PatchObjects), handler.OpenAPIDef{
+		ID:                  "PatchObjects",
+		Tags:                []string{"role"},
+		Summary:             "Patch objects for a role by relation",
+		Description:         "Patches the objects connected to the specified role via a given relation type",
+		Request:             new(roletypes.PatchableObjects),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPatch).GetError(); err != nil {
@@ -88,7 +140,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Response:            nil,
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
 		Deprecated:          false,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodDelete).GetError(); err != nil {

pkg/authz/authz.go

@@ -14,17 +14,14 @@ import (
 type AuthZ interface {
 	factory.Service
 
-	// Check returns error when the upstream authorization server is unavailable or the subject (s) doesn't have relation (r) on object (o).
-	Check(context.Context, *openfgav1.TupleKey) error
-
 	// CheckWithTupleCreation takes upon the responsibility for generating the tuples alongside everything Check does.
 	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
 	// CheckWithTupleCreationWithoutClaims checks permissions for anonymous users.
 	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
 
-	// Batch Check returns error when the upstream authorization server is unavailable or for all the tuples of subject (s) doesn't have relation (r) on object (o).
+	// BatchCheck accepts a map of ID → tuple and returns a map of ID → authorization result.
-	BatchCheck(context.Context, []*openfgav1.TupleKey) error
+	BatchCheck(context.Context, map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error)
 
 	// Write accepts the insertion tuples and the deletion tuples.
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error
@@ -102,5 +99,7 @@ type Handler interface {
 
 	PatchObjects(http.ResponseWriter, *http.Request)
 
+	Check(http.ResponseWriter, *http.Request)
+
 	Delete(http.ResponseWriter, *http.Request)
 }

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -26,7 +26,7 @@ func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) er
 		Model(role).
 		Exec(ctx)
 	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with id: %s already exists", role.ID)
+		return store.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "role with name: %s already exists", role.Name)
 	}
 
 	return nil

pkg/authz/openfgaauthz/provider.go

@@ -48,11 +48,7 @@ func (provider *provider) Stop(ctx context.Context) error {
 	return provider.server.Stop(ctx)
 }
 
-func (provider *provider) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
+func (provider *provider) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
-	return provider.server.Check(ctx, tupleReq)
-}
-
-func (provider *provider) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
 	return provider.server.BatchCheck(ctx, tupleReq)
 }
 
@@ -181,10 +177,6 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 	return nil
 }
 
-func (provider *provider) SetManagedRoleTransactions(context.Context, valuer.UUID) error {
-	return nil
-}
-
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
 	return provider.Grant(ctx, orgID, roletypes.SigNozAdminRoleName, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }

pkg/authz/openfgaserver/server.go

@@ -90,42 +90,18 @@ func (server *Server) Stop(ctx context.Context) error {
 	return nil
 }
 
-func (server *Server) Check(ctx context.Context, tupleReq *openfgav1.TupleKey) error {
+func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openfgav1.TupleKey) (map[string]*authtypes.TupleKeyAuthorization, error) {
 	storeID, modelID := server.getStoreIDandModelID()
-	checkResponse, err := server.openfgaServer.Check(
+	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0, len(tupleReq))
-		ctx,
+	for id, tuple := range tupleReq {
-		&openfgav1.CheckRequest{
-			StoreId:              storeID,
-			AuthorizationModelId: modelID,
-			TupleKey: &openfgav1.CheckRequestTupleKey{
-				User:     tupleReq.User,
-				Relation: tupleReq.Relation,
-				Object:   tupleReq.Object,
-			},
-		})
-	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
-	}
-
-	if !checkResponse.Allowed {
-		return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subject %s cannot %s object %s", tupleReq.User, tupleReq.Relation, tupleReq.Object)
-	}
-
-	return nil
-}
-
-func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.TupleKey) error {
-	storeID, modelID := server.getStoreIDandModelID()
-	batchCheckItems := make([]*openfgav1.BatchCheckItem, 0)
-	for idx, tuple := range tupleReq {
 		batchCheckItems = append(batchCheckItems, &openfgav1.BatchCheckItem{
 			TupleKey: &openfgav1.CheckRequestTupleKey{
 				User:     tuple.User,
 				Relation: tuple.Relation,
 				Object:   tuple.Object,
 			},
-			// the batch check response is map[string] keyed by correlationID.
+			// Use transaction ID as correlation ID for deterministic mapping
-			CorrelationId: strconv.Itoa(idx),
+			CorrelationId: id,
 		})
 	}
 
@@ -137,17 +113,18 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq []*openfgav1.Tupl
 			Checks:               batchCheckItems,
 		})
 	if err != nil {
-		return errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
+		return nil, errors.Newf(errors.TypeInternal, authtypes.ErrCodeAuthZUnavailable, "authorization server is unavailable").WithAdditional(err.Error())
 	}
 
-	for _, checkResponse := range checkResponse.Result {
+	response := make(map[string]*authtypes.TupleKeyAuthorization, len(tupleReq))
-		if checkResponse.GetAllowed() {
+	for id, tuple := range tupleReq {
-			return nil
+		response[id] = &authtypes.TupleKeyAuthorization{
+			Tuple:      tuple,
+			Authorized: checkResponse.Result[id].GetAllowed(),
 		}
 	}
 
-	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
+	return response, nil
-
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -156,17 +133,29 @@ func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtyp
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
@@ -175,17 +164,29 @@ func (server *Server) CheckWithTupleCreationWithoutClaims(ctx context.Context, o
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
 	if err != nil {
 		return err
 	}
 
-	err = server.BatchCheck(ctx, tuples)
+	// Convert slice to map with generated IDs for internal use
+	tuples := make(map[string]*openfgav1.TupleKey, len(tupleSlice))
+	for idx, tuple := range tupleSlice {
+		tuples[strconv.Itoa(idx)] = tuple
+	}
+
+	response, err := server.BatchCheck(ctx, tuples)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	for _, resp := range response {
+		if resp.Authorized {
+			return nil
+		}
+	}
+
+	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "subjects are not authorized for requested access")
 }
 
 func (server *Server) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {

pkg/authz/signozauthzapi/handler.go

@@ -7,6 +7,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/binding"
 	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -35,13 +36,14 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID)))
+	role := roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
+	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	render.Success(rw, http.StatusCreated, nil)
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: role.ID})
 }
 
 func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
@@ -112,17 +114,9 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 }
 
 func (handler *handler) GetResources(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	resources := handler.authz.GetResources(r.Context())
-	resources := handler.authz.GetResources(ctx)
 
-	var resourceRelations = struct {
+	render.Success(rw, http.StatusOK, roletypes.NewGettableResources(resources))
-		Resources []*authtypes.Resource                   `json:"resources"`
-		Relations map[authtypes.Type][]authtypes.Relation `json:"relations"`
-	}{
-		Resources: resources,
-		Relations: authtypes.TypeableRelations,
-	}
-	render.Success(rw, http.StatusOK, resourceRelations)
 }
 
 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -227,7 +221,7 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	render.Success(rw, http.StatusAccepted, nil)
+	render.Success(rw, http.StatusNoContent, nil)
 }
 
 func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
@@ -252,3 +246,39 @@ func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
 
 	render.Success(rw, http.StatusNoContent, nil)
 }
+
+func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	transactions := make([]*authtypes.Transaction, 0)
+	if err := binding.JSON.BindBody(r.Body, &transactions); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	tuples, err := authtypes.NewTuplesFromTransactions(transactions, subject, orgID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	results, err := handler.authz.BatchCheck(ctx, tuples)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(transactions, results))
+}

pkg/types/authtypes/relation.go

@@ -15,15 +15,14 @@ var (
 	RelationUpdate   = Relation{valuer.NewString("update")}
 	RelationDelete   = Relation{valuer.NewString("delete")}
 	RelationList     = Relation{valuer.NewString("list")}
-	RelationBlock    = Relation{valuer.NewString("block")}
 	RelationAssignee = Relation{valuer.NewString("assignee")}
 )
 
 var TypeableRelations = map[Type][]Relation{
 	TypeUser:          {RelationRead, RelationUpdate, RelationDelete},
 	TypeRole:          {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
-	TypeOrganization:  {RelationCreate, RelationRead, RelationUpdate, RelationDelete, RelationList},
+	TypeOrganization:  {RelationRead, RelationUpdate, RelationDelete},
-	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete, RelationBlock},
+	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete},
 	TypeMetaResources: {RelationCreate, RelationList},
 }
 
@@ -41,8 +40,6 @@ func NewRelation(relation string) (Relation, error) {
 		return RelationDelete, nil
 	case "list":
 		return RelationList, nil
-	case "block":
-		return RelationBlock, nil
 	case "assignee":
 		return RelationAssignee, nil
 	default:

pkg/types/authtypes/transaction.go

@@ -6,21 +6,29 @@ import (
 	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type Resource struct {
-	Name Name `json:"name"`
+	Name Name `json:"name" required:"true"`
-	Type Type `json:"type"`
+	Type Type `json:"type" required:"true"`
 }
 
 type Object struct {
-	Resource Resource `json:"resource"`
+	Resource Resource `json:"resource" required:"true"`
-	Selector Selector `json:"selector"`
+	Selector Selector `json:"selector" required:"true"`
 }
 
 type Transaction struct {
-	Relation Relation `json:"relation"`
+	ID       valuer.UUID `json:"id"`
-	Object   Object   `json:"object"`
+	Relation Relation    `json:"relation" required:"true"`
+	Object   Object      `json:"object" required:"true"`
+}
+
+type GettableTransaction struct {
+	Relation   Relation `json:"relation" required:"true"`
+	Object     Object   `json:"object" required:"true"`
+	Authorized bool     `json:"authorized" required:"true"`
 }
 
 func NewObject(resource Resource, selector Selector) (*Object, error) {
@@ -75,7 +83,21 @@ func NewTransaction(relation Relation, object Object) (*Transaction, error) {
 		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidRelation, "invalid relation %s for type %s", relation.StringValue(), object.Resource.Type.StringValue())
 	}
 
-	return &Transaction{Relation: relation, Object: object}, nil
+	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
+}
+
+func NewGettableTransaction(transactions []*Transaction, results map[string]*TupleKeyAuthorization) []*GettableTransaction {
+	gettableTransactions := make([]*GettableTransaction, len(transactions))
+	for i, txn := range transactions {
+		result := results[txn.ID.StringValue()]
+		gettableTransactions[i] = &GettableTransaction{
+			Relation:   txn.Relation,
+			Object:     txn.Object,
+			Authorized: result.Authorized,
+		}
+	}
+
+	return gettableTransactions
 }
 
 func (object *Object) UnmarshalJSON(data []byte) error {

pkg/types/authtypes/tuple.go

@@ -0,0 +1,31 @@
+package authtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/valuer"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+)
+
+type TupleKeyAuthorization struct {
+	Tuple      *openfgav1.TupleKey
+	Authorized bool
+}
+
+func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgID valuer.UUID) (map[string]*openfgav1.TupleKey, error) {
+	tuples := make(map[string]*openfgav1.TupleKey, len(transactions))
+	for _, txn := range transactions {
+		typeable, err := NewTypeableFromType(txn.Object.Resource.Type, txn.Object.Resource.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		txnTuples, err := typeable.Tuples(subject, txn.Relation, []Selector{txn.Object.Selector}, orgID)
+		if err != nil {
+			return nil, err
+		}
+
+		// Each transaction produces one tuple, keyed by transaction ID
+		tuples[txn.ID.StringValue()] = txnTuples[0]
+	}
+
+	return tuples, nil
+}

pkg/types/roletypes/role.go

@@ -69,24 +69,29 @@ type StorableRole struct {
 type Role struct {
 	types.Identifiable
 	types.TimeAuditable
-	Name        string        `json:"name"`
+	Name        string        `json:"name" required:"true"`
-	Description string        `json:"description"`
+	Description string        `json:"description" required:"true"`
-	Type        valuer.String `json:"type"`
+	Type        valuer.String `json:"type" required:"true"`
-	OrgID       valuer.UUID   `json:"orgId"`
+	OrgID       valuer.UUID   `json:"orgId" required:"true"`
 }
 
 type PostableRole struct {
-	Name        string `json:"name"`
+	Name        string `json:"name" required:"true"`
 	Description string `json:"description"`
 }
 
 type PatchableRole struct {
-	Description *string `json:"description"`
+	Description string `json:"description" required:"true"`
 }
 
 type PatchableObjects struct {
-	Additions []*authtypes.Object `json:"additions"`
+	Additions []*authtypes.Object `json:"additions" required:"true"`
-	Deletions []*authtypes.Object `json:"deletions"`
+	Deletions []*authtypes.Object `json:"deletions" required:"true"`
+}
+
+type GettableResources struct {
+	Resources []*authtypes.Resource                   `json:"resources" required:"true"`
+	Relations map[authtypes.Type][]authtypes.Relation `json:"relations" required:"true"`
 }
 
 func NewStorableRoleFromRole(role *Role) *StorableRole {
@@ -137,15 +142,20 @@ func NewManagedRoles(orgID valuer.UUID) []*Role {
 
 }
 
-func (role *Role) PatchMetadata(description *string) error {
+func NewGettableResources(resources []*authtypes.Resource) *GettableResources {
+	return &GettableResources{
+		Resources: resources,
+		Relations: authtypes.TypeableRelations,
+	}
+}
+
+func (role *Role) PatchMetadata(description string) error {
 	err := role.CanEditDelete()
 	if err != nil {
 		return err
 	}
 
-	if description != nil {
+	role.Description = description
-		role.Description = *description
-	}
 	role.UpdatedAt = time.Now()
 	return nil
 }
@@ -210,7 +220,7 @@ func (role *PostableRole) UnmarshalJSON(data []byte) error {
 
 func (role *PatchableRole) UnmarshalJSON(data []byte) error {
 	type shadowPatchableRole struct {
-		Description *string `json:"description"`
+		Description string `json:"description"`
 	}
 
 	var shadowRole shadowPatchableRole
@@ -218,7 +228,7 @@ func (role *PatchableRole) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	if shadowRole.Description == nil {
+	if shadowRole.Description == "" {
 		return errors.New(errors.TypeInvalidInput, ErrCodeRoleEmptyPatch, "empty role patch request received, description must be present")
 	}