Merge branch 'main' into feat/cloudintegration-module

fix: added download button in trace page (#10613 )
* fix: added download button in trace page * fix: update unit tests * fix: revert prepareQueryRangePayloadV5.ts * fix: addressed comments * fix: address commnets from aditya * fix: update tests
2026-03-24 13:20:27 +00:00 · 2026-03-23 20:57:18 +05:30 · 2026-03-23 14:49:18 +00:00 · 2026-03-23 14:25:32 +00:00 · 2026-03-23 14:03:35 +00:00 · 2026-03-23 13:36:20 +00:00
63 changed files with 3597 additions and 1068 deletions
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
--- a/ee/query-service/app/api/cloudIntegrations.go
+++ b/ee/query-service/app/api/cloudIntegrations.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"

+	"log/slog"
+
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -18,7 +20,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
-	"log/slog"
 )

 type CloudIntegrationConnectionParamsResponse struct {
@@ -126,7 +127,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationPAT(ctx context.Context, orgId
 		))
 	}

-	allPats, err := ah.Signoz.Modules.User.ListAPIKeys(ctx, orgIdUUID)
+	allPats, err := ah.Signoz.Modules.UserSetter.ListAPIKeys(ctx, orgIdUUID)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
 			"couldn't list PATs: %w", err,
@@ -154,7 +155,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationPAT(ctx context.Context, orgId
 		))
 	}

-	err = ah.Signoz.Modules.User.CreateAPIKey(ctx, newPAT)
+	err = ah.Signoz.Modules.UserSetter.CreateAPIKey(ctx, newPAT)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
 			"couldn't create cloud integration PAT: %w", err,
@@ -169,14 +170,19 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))

-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}

 	password := types.MustGenerateFactorPassword(cloudIntegrationUser.ID.StringValue())

-	cloudIntegrationUser, err = ah.Signoz.Modules.User.GetOrCreateUser(ctx, cloudIntegrationUser, user.WithFactorPassword(password))
+	cloudIntegrationUser, err = ah.Signoz.Modules.UserSetter.GetOrCreateUser(
+		ctx,
+		cloudIntegrationUser,
+		user.WithFactorPassword(password),
+		user.WithRoleNames([]string{authtypes.SigNozViewerRoleName}),
+	)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't look for integration user: %w", err))
 	}
--- a/frontend/.cursor/rules/state-management.mdc
+++ b/frontend/.cursor/rules/state-management.mdc
@@ -0,0 +1,97 @@
+---
+globs: **/*.store.ts
+alwaysApply: false
+---
+# State Management: React Query, nuqs, Zustand
+
+Use the following stack. Do **not** introduce or recommend Redux or React Context for shared/global state.
+
+## Server state → React Query
+
+- **Use for:** API responses, time-series data, caching, background refetch, retries, stale/refresh.
+- **Do not use Redux/Context** to store or mirror data that comes from React Query (e.g. do not dispatch API results into Redux).
+- Prefer generated React Query hooks from `frontend/src/api/generated` when available.
+- Keep server state in React Query; expose it via hooks that return the query result (and optionally memoized derived values). Do not duplicate it in Redux or Context.
+
+```tsx
+// ✅ GOOD: single source of truth from React Query
+export function useAppStateHook() {
+  const { data, isError } = useQuery(...)
+  const memoizedConfigs = useMemo(() => ({ ... }), [data?.configs])
+  return { configs: memoizedConfigs, isError, ... }
+}
+
+// ❌ BAD: copying React Query result into Redux
+dispatch({ type: UPDATE_LATEST_VERSION, payload: queryResponse.data })
+```
+
+## URL state → nuqs
+
+- **Use for:** shareable state, filters, time range, selected values, pagination, view state that belongs in the URL.
+- **Do not use Redux/Context** for state that should be shareable or reflected in the URL.
+- Use [nuqs](https://nuqs.dev/docs/basic-usage) for typed, type-safe URL search params. Avoid ad-hoc `useSearchParams` encoding/decoding.
+- Keep URL payload small; respect browser URL length limits (e.g. Chrome ~2k chars). Do not put large datasets or sensitive data in query params.
+
+```tsx
+// ✅ GOOD: nuqs for filters / time range / selection
+const [timeRange, setTimeRange] = useQueryState('timeRange', parseAsString.withDefault('1h'))
+const [page, setPage] = useQueryState('page', parseAsInteger.withDefault(1))
+
+// ❌ BAD: Redux/Context for shareable or URL-synced state
+const { timeRange } = useContext(SomeContext)
+```
+
+## Client state → Zustand
+
+- **Use for:** global/client state, cross-component state, feature flags, complex or large client objects (e.g. dashboard state, query builder state).
+- **Do not use Redux or React Context** for global or feature-level client state.
+- Prefer small, domain-scoped stores (e.g. DashboardStore, QueryBuilderStore).
+
+### Zustand best practices (align with eslint-plugin-zustand-rules)
+
+- **One store per module.** Do not define multiple `create()` calls in the same file; use one store per module (or compose slices into one store).
+- **Always use selectors.** Call the store hook with a selector so only the used slice triggers re-renders. Never use `useStore()` with no selector.
+
+```tsx
+// ✅ GOOD: selector — re-renders only when isDashboardLocked changes
+const isLocked = useDashboardStore(state => state.isDashboardLocked)
+
+// ❌ BAD: no selector — re-renders on any store change
+const state = useDashboardStore()
+```
+
+- **Never mutate state directly.** Update only via `set` or `setState` (or `getState()` + `set` for reads). No `state.foo = x` or `state.bears += 1` inside actions.
+
+```tsx
+// ✅ GOOD: use set
+increment: () => set(state => ({ bears: state.bears + 1 }))
+
+// ❌ BAD: direct mutation
+increment: () => { state.bears += 1 }
+```
+
+- **State properties before actions.** In the store object, list all state fields first, then action functions.
+- **Split into slices when state is large.** If a store has many top-level properties (e.g. more than 5–10), split into slice factories and combine with one `create()`.
+
+```tsx
+// ✅ GOOD: slices for large state
+const createBearSlice = set => ({ bears: 0, addBear: () => set(s => ({ bears: s.bears + 1 })) })
+const createFishSlice = set => ({ fish: 0, addFish: () => set(s => ({ fish: s.fish + 1 })) })
+const useStore = create(set => ({ ...createBearSlice(set), ...createFishSlice(set) }))
+```
+
+- **In projects using Zustand:** add `eslint-plugin-zustand-rules` and extend `plugin:zustand-rules/recommended` to enforce these rules automatically.
+
+## Local state → React state only
+
+- **Use useState/useReducer** for: component-local UI state, form inputs, toggles, hover state, data that never leaves the component.
+- Do not use Zustand, Redux, or Context for state that is purely local to one component or a small subtree.
+
+## Summary
+
+| State type        | Use              | Avoid              |
+|-------------------|------------------|--------------------|
+| Server / API      | React Query      | Redux, Context     |
+| URL / shareable   | nuqs             | Redux, Context     |
+| Global client     | Zustand          | Redux, Context     |
+| Local UI          | useState/useReducer | Zustand, Redux, Context |
--- a/frontend/.cursor/skills/migrate-state-management/SKILL.md
+++ b/frontend/.cursor/skills/migrate-state-management/SKILL.md
@@ -0,0 +1,150 @@
+---
+name: migrate-state-management
+description: Migrate Redux or React Context to the correct state option (React Query for server state, nuqs for URL/shareable state, Zustand for global client state). Use when refactoring away from Redux/Context, moving state to the right store, or when the user asks to migrate state management.
+---
+
+# Migrate State: Redux/Context → React Query, nuqs, Zustand
+
+Do **not** introduce or recommend Redux or React Context. Migrate existing usage to the stack below.
+
+## 1. Classify the state
+
+Before changing code, classify what the state represents:
+
+| If the state is… | Migrate to | Do not use |
+|------------------|------------|------------|
+| From API / server (versions, configs, fetched lists, time-series) | **React Query** | Redux, Context |
+| Shareable via URL (filters, time range, page, selected ids) | **nuqs** | Redux, Context |
+| Global/client UI (dashboard lock, query builder, feature flags, large client objects) | **Zustand** | Redux, Context |
+| Local to one component (inputs, toggles, hover) | **useState / useReducer** | Zustand, Redux, Context |
+
+If one slice mixes concerns (e.g. Redux has both API data and pagination), split: API → React Query, pagination → nuqs, rest → Zustand or local state.
+
+## 2. Migrate to React Query (server state)
+
+**When:** State comes from or mirrors an API response (e.g. `currentVersion`, `latestVersion`, `configs`, lists).
+
+**Steps:**
+
+1. Find where the data is fetched (existing `useQuery`/API call) and where it is dispatched or set in Context/Redux.
+2. Remove the dispatch/set that writes API results into Redux/Context.
+3. Expose a single hook that uses the query and returns the same shape consumers expect (use `useMemo` for derived objects like `configs` to avoid unnecessary re-renders).
+4. Replace Redux/Context consumption with the new hook. Prefer generated React Query hooks from `frontend/src/api/generated` when available.
+5. Configure cache/refetch (e.g. `refetchOnMount: false`, `staleTime`) so behavior matches previous “single source” expectations.
+
+**Before (Redux mirroring React Query):**
+
+```tsx
+if (getUserLatestVersionResponse.isFetched && getUserLatestVersionResponse.isSuccess && getUserLatestVersionResponse.data?.payload) {
+  dispatch({ type: UPDATE_LATEST_VERSION, payload: { latestVersion: getUserLatestVersionResponse.data.payload.tag_name } })
+}
+```
+
+**After (single source in React Query):**
+
+```tsx
+export function useAppStateHook() {
+  const { data, isError } = useQuery(...)
+  const memoizedConfigs = useMemo(() => ({ ... }), [data?.configs])
+  return {
+    latestVersion: data?.payload?.tag_name,
+    configs: memoizedConfigs,
+    isError,
+  }
+}
+```
+
+Consumers use `useAppStateHook()` instead of `useSelector` or Context. Do not copy React Query result into Redux or Context.
+
+## 3. Migrate to nuqs (URL / shareable state)
+
+**When:** State should be in the URL: filters, time range, pagination, selected values, view state. Keep payload small (e.g. Chrome ~2k chars); no large datasets or sensitive data.
+
+**Steps:**
+
+1. Identify which Redux/Context fields are shareable or already reflected in the URL (e.g. `currentPage`, `timeRange`, `selectedFilter`).
+2. Add nuqs (or use existing): `useQueryState('param', parseAsString.withDefault('…'))` (or `parseAsInteger`, etc.).
+3. Replace reads/writes of those fields with nuqs hooks. Use typed parsers; avoid ad-hoc `useSearchParams` encoding/decoding.
+4. Remove the same fields from Redux/Context and their reducers/providers.
+
+**Before (Context/Redux):**
+
+```tsx
+const { timeRange } = useContext(SomeContext)
+const [page, setPage] = useDispatch(...)
+```
+
+**After (nuqs):**
+
+```tsx
+const [timeRange, setTimeRange] = useQueryState('timeRange', parseAsString.withDefault('1h'))
+const [page, setPage] = useQueryState('page', parseAsInteger.withDefault(1))
+```
+
+## 4. Migrate to Zustand (global client state)
+
+**When:** State is global or cross-component client state: feature flags, dashboard state, query builder state, complex/large client objects (e.g. up to ~1.5–2MB). Not for server cache or local-only UI.
+
+**Steps:**
+
+1. Create one store per domain (e.g. `DashboardStore`, `QueryBuilderStore`). One `create()` per module; for large state use slice factories and combine.
+2. Put state properties first, then actions. Use `set` (or `setState` / `getState()` + `set`) for updates; never mutate state directly.
+3. Replace Context/Redux consumption with the store hook **and a selector** so only the used slice triggers re-renders.
+4. Remove the old Context provider / Redux slice and related dispatches.
+
+**Selector (required):**
+
+```tsx
+const isLocked = useDashboardStore(state => state.isDashboardLocked)
+```
+
+Never use `useStore()` with no selector. Never do `state.foo = x` inside actions; use `set(state => ({ ... }))`.
+
+**Before (Context/Redux):**
+
+```tsx
+const { isDashboardLocked, setLocked } = useContext(DashboardContext)
+```
+
+**After (Zustand):**
+
+```tsx
+const isLocked = useDashboardStore(state => state.isDashboardLocked)
+const setLocked = useDashboardStore(state => state.setLocked)
+```
+
+For large stores (many top-level fields), split into slices and combine:
+
+```tsx
+const createBearSlice = set => ({ bears: 0, addBear: () => set(s => ({ bears: s.bears + 1 })) })
+const useStore = create(set => ({ ...createBearSlice(set), ...createFishSlice(set) }))
+```
+
+Add `eslint-plugin-zustand-rules` with `plugin:zustand-rules/recommended` to enforce selectors and no direct mutation.
+
+## 5. Migrate to local state (useState / useReducer)
+
+**When:** State is used only inside one component or a small subtree (form inputs, toggles, hover, panel selection). No URL sync, no cross-feature sharing.
+
+**Steps:**
+
+1. Move the state into the component that owns it (or the smallest common parent).
+2. Use `useState` or `useReducer` (useReducer when multiple related fields change together).
+3. Remove from Redux/Context and any provider/slice.
+
+Do not use Zustand, Redux, or Context for purely local UI state.
+
+## 6. Migration checklist
+
+- [ ] Classify each piece of state (server / URL / global client / local).
+- [ ] Server state: move to React Query; expose via hook; remove Redux/Context mirroring.
+- [ ] URL state: move to nuqs; remove from Redux/Context; keep URL payload small.
+- [ ] Global client state: move to Zustand with selectors and immutable updates; one store per domain.
+- [ ] Local state: move to useState/useReducer in the owning component.
+- [ ] Remove old Redux slices / Context providers and all dispatches/consumers for migrated state.
+- [ ] Do not duplicate the same data in multiple places (e.g. React Query + Redux).
+
+## Additional resources
+
+- Project rule: [.cursor/rules/state-management.mdc](../../rules/state-management.mdc)
+- Detailed patterns and rationale: [reference.md](reference.md)
--- a/frontend/.cursor/skills/migrate-state-management/reference.md
+++ b/frontend/.cursor/skills/migrate-state-management/reference.md
@@ -0,0 +1,50 @@
+# State migration reference
+
+## Why migrate
+
+- **Context:** Re-renders all consumers on any change; no granular subscriptions; becomes brittle at scale.
+- **Redux:** Heavy boilerplate (actions, reducers, selectors, Provider); slower onboarding; often used to mirror React Query or URL state.
+- **Goal:** Fewer mechanisms, domain isolation, granular subscriptions, single source of truth per state type.
+
+## React Query migration (server state)
+
+Typical anti-pattern: API is called via React Query, then result is dispatched to Redux. Flow becomes: Component → useQueries → API → dispatch → Reducer → Redux state → useSelector.
+
+Correct flow: Component → useQuery (or custom hook wrapping it) → same component reads from hook. No Redux/Context in between.
+
+- Prefer generated hooks from `frontend/src/api/generated`.
+- For “app state” that is just API data (versions, configs), one hook that returns `{ ...data, configs: useMemo(...) }` is enough. No selectors needed for plain data; useMemo only where the value is used as dependency (e.g. in useState).
+- Set `staleTime` / `refetchOnMount` etc. so refetch behavior matches previous expectations.
+
+## nuqs migration (URL state)
+
+Redux/Context often hold pagination, filters, time range, selected values that are shareable. Those belong in the URL.
+
+- Use [nuqs](https://nuqs.dev/docs/basic-usage) for typed search params. Avoid ad-hoc `useSearchParams` + manual encoding.
+- Browser limits: Chrome ~2k chars practical; keep payload small; no large datasets or secrets in query params.
+- If the app uses TanStack Router, search params can be handled there; otherwise nuqs is the standard.
+
+## Zustand migration (client state)
+
+- One store per domain (e.g. DashboardStore, QueryBuilderStore). Multiple `create()` in one file is disallowed; use one store or composed slices.
+- Always use a selector: `useStore(s => s.field)` so only that field drives re-renders.
+- Never mutate: update only via `set(state => ({ ... }))` or `setState` / `getState()` + `set`.
+- State properties first, then actions. For 5–10+ top-level fields, split into slice factories and combine with one `create()`.
+- Large client objects: Zustand is for “large” in the ~1.5–2MB range; above that, optimize at API/store design.
+- Testing: no Provider; stores are plain functions; easy to reset and mock.
+
+## What not to use
+
+- **Redux / Context** for new or migrated shared/global state.
+- **Redux / Context** to store or mirror React Query results.
+- **Redux / Context** for state that should live in the URL (use nuqs).
+- **Zustand / Redux / Context** for component-local UI (use useState/useReducer).
+
+## Summary table
+
+| State type   | Use                | Avoid           |
+|-------------|--------------------|-----------------|
+| Server/API  | React Query        | Redux, Context  |
+| URL/shareable | nuqs             | Redux, Context  |
+| Global client | Zustand          | Redux, Context  |
+| Local UI    | useState/useReducer | Zustand, Redux, Context |
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -2384,6 +2384,47 @@ export interface TypesChangePasswordRequestDTO {
 	userId?: string;
 }

+export interface TypesDeprecatedUserDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	displayName?: string;
+	/**
+	 * @type string
+	 */
+	email?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type boolean
+	 */
+	isRoot?: boolean;
+	/**
+	 * @type string
+	 */
+	orgId?: string;
+	/**
+	 * @type string
+	 */
+	role?: string;
+	/**
+	 * @type string
+	 */
+	status?: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
 export interface TypesGettableAPIKeyDTO {
 	/**
 	 * @type string
@@ -2682,10 +2723,6 @@ export interface TypesUserDTO {
 	 * @type string
 	 */
 	orgId?: string;
-	/**
-	 * @type string
-	 */
-	role?: string;
 	/**
 	 * @type string
 	 */
@@ -3266,7 +3303,7 @@ export type ListUsers200 = {
 	/**
 	 * @type array
 	 */
-	data: TypesUserDTO[];
+	data: TypesDeprecatedUserDTO[];
 	/**
 	 * @type string
 	 */
@@ -3280,7 +3317,7 @@ export type GetUserPathParameters = {
 	id: string;
 };
 export type GetUser200 = {
-	data: TypesUserDTO;
+	data: TypesDeprecatedUserDTO;
 	/**
 	 * @type string
 	 */
@@ -3291,7 +3328,7 @@ export type UpdateUserPathParameters = {
 	id: string;
 };
 export type UpdateUser200 = {
-	data: TypesUserDTO;
+	data: TypesDeprecatedUserDTO;
 	/**
 	 * @type string
 	 */
@@ -3299,7 +3336,7 @@ export type UpdateUser200 = {
 };

 export type GetMyUser200 = {
-	data: TypesUserDTO;
+	data: TypesDeprecatedUserDTO;
 	/**
 	 * @type string
 	 */
--- a/frontend/src/api/generated/services/users/index.ts
+++ b/frontend/src/api/generated/services/users/index.ts
@@ -34,13 +34,13 @@ import type {
 	RenderErrorResponseDTO,
 	RevokeAPIKeyPathParameters,
 	TypesChangePasswordRequestDTO,
+	TypesDeprecatedUserDTO,
 	TypesPostableAPIKeyDTO,
 	TypesPostableBulkInviteRequestDTO,
 	TypesPostableForgotPasswordDTO,
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
 	TypesStorableAPIKeyDTO,
-	TypesUserDTO,
 	UpdateAPIKeyPathParameters,
 	UpdateUser200,
 	UpdateUserPathParameters,
@@ -1093,13 +1093,13 @@ export const invalidateGetUser = async (
 */
 export const updateUser = (
 	{ id }: UpdateUserPathParameters,
-	typesUserDTO: BodyType<TypesUserDTO>,
+	typesDeprecatedUserDTO: BodyType<TypesDeprecatedUserDTO>,
 ) => {
 	return GeneratedAPIInstance<UpdateUser200>({
 		url: `/api/v1/user/${id}`,
 		method: 'PUT',
 		headers: { 'Content-Type': 'application/json' },
-		data: typesUserDTO,
+		data: typesDeprecatedUserDTO,
 	});
 };

@@ -1110,13 +1110,19 @@ export const getUpdateUserMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof updateUser>>,
 		TError,
-		{ pathParams: UpdateUserPathParameters; data: BodyType<TypesUserDTO> },
+		{
+			pathParams: UpdateUserPathParameters;
+			data: BodyType<TypesDeprecatedUserDTO>;
+		},
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof updateUser>>,
 	TError,
-	{ pathParams: UpdateUserPathParameters; data: BodyType<TypesUserDTO> },
+	{
+		pathParams: UpdateUserPathParameters;
+		data: BodyType<TypesDeprecatedUserDTO>;
+	},
 	TContext
 > => {
 	const mutationKey = ['updateUser'];
@@ -1130,7 +1136,10 @@ export const getUpdateUserMutationOptions = <

 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof updateUser>>,
-		{ pathParams: UpdateUserPathParameters; data: BodyType<TypesUserDTO> }
+		{
+			pathParams: UpdateUserPathParameters;
+			data: BodyType<TypesDeprecatedUserDTO>;
+		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};

@@ -1143,7 +1152,7 @@ export const getUpdateUserMutationOptions = <
 export type UpdateUserMutationResult = NonNullable<
 	Awaited<ReturnType<typeof updateUser>>
 >;
-export type UpdateUserMutationBody = BodyType<TypesUserDTO>;
+export type UpdateUserMutationBody = BodyType<TypesDeprecatedUserDTO>;
 export type UpdateUserMutationError = ErrorType<RenderErrorResponseDTO>;

 /**
@@ -1156,13 +1165,19 @@ export const useUpdateUser = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof updateUser>>,
 		TError,
-		{ pathParams: UpdateUserPathParameters; data: BodyType<TypesUserDTO> },
+		{
+			pathParams: UpdateUserPathParameters;
+			data: BodyType<TypesDeprecatedUserDTO>;
+		},
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof updateUser>>,
 	TError,
-	{ pathParams: UpdateUserPathParameters; data: BodyType<TypesUserDTO> },
+	{
+		pathParams: UpdateUserPathParameters;
+		data: BodyType<TypesDeprecatedUserDTO>;
+	},
 	TContext
 > => {
 	const mutationOptions = getUpdateUserMutationOptions(options);
--- a/frontend/src/api/v1/download/downloadExportData.ts
+++ b/frontend/src/api/v1/download/downloadExportData.ts
@@ -8,42 +8,32 @@ export const downloadExportData = async (
 	props: ExportRawDataProps,
 ): Promise<void> => {
 	try {
-		const queryParams = new URLSearchParams();
-
-		queryParams.append('start', String(props.start));
-		queryParams.append('end', String(props.end));
-		queryParams.append('filter', props.filter);
-		props.columns.forEach((col) => {
-			queryParams.append('columns', col);
-		});
-		queryParams.append('order_by', props.orderBy);
-		queryParams.append('limit', String(props.limit));
-		queryParams.append('format', props.format);
-
-		const response = await axios.get<Blob>(`export_raw_data?${queryParams}`, {
-			responseType: 'blob', // Important: tell axios to handle response as blob
-			decompress: true, // Enable automatic decompression
-			headers: {
-				Accept: 'application/octet-stream', // Tell server we expect binary data
+		const response = await axios.post<Blob>(
+			`export_raw_data?format=${encodeURIComponent(props.format)}`,
+			props.body,
+			{
+				responseType: 'blob',
+				decompress: true,
+				headers: {
+					Accept: 'application/octet-stream',
+					'Content-Type': 'application/json',
+				},
+				timeout: 0,
 			},
-			timeout: 0,
-		});
+		);

-		// Only proceed if the response status is 200
 		if (response.status !== 200) {
 			throw new Error(
 				`Failed to download data: server returned status ${response.status}`,
 			);
 		}
-		// Create blob URL from response data
+
 		const blob = new Blob([response.data], { type: 'application/octet-stream' });
 		const url = window.URL.createObjectURL(blob);

-		// Create and configure download link
 		const link = document.createElement('a');
 		link.href = url;

-		// Get filename from Content-Disposition header or generate timestamped default
 		const filename =
 			response.headers['content-disposition']
 				?.split('filename=')[1]
@@ -51,7 +41,6 @@ export const downloadExportData = async (

 		link.setAttribute('download', filename);

-		// Trigger download
 		document.body.appendChild(link);
 		link.click();
 		link.remove();
--- a/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.styles.scss
+++ b/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.styles.scss
@@ -1,11 +1,11 @@
-.logs-download-popover {
+.download-popover {
 	.ant-popover-inner {
 		border-radius: 4px;
-		border: 1px solid var(--bg-slate-400);
+		border: 1px solid var(--l3-border);
 		background: linear-gradient(
 			139deg,
-			var(--bg-ink-400) 0%,
-			var(--bg-ink-500) 98.68%
+			var(--l2-background) 0%,
+			var(--l3-background) 98.68%
 		);
 		box-shadow: 4px 10px 16px 2px rgba(0, 0, 0, 0.2);
 		backdrop-filter: blur(20px);
@@ -19,7 +19,7 @@

 		.title {
 			display: flex;
-			color: var(--bg-slate-50);
+			color: var(--l3-foreground);
 			font-family: Inter;
 			font-size: 11px;
 			font-style: normal;
@@ -38,7 +38,7 @@
 			flex-direction: column;

 			:global(.ant-radio-wrapper) {
-				color: var(--bg-vanilla-400);
+				color: var(--foreground);
 				font-family: Inter;
 				font-size: 13px;
 			}
@@ -46,7 +46,7 @@

 		.horizontal-line {
 			height: 1px;
-			background: var(--bg-slate-400);
+			background: var(--l3-border);
 		}

 		.export-button {
@@ -59,27 +59,27 @@
 }

 .lightMode {
-	.logs-download-popover {
+	.download-popover {
 		.ant-popover-inner {
-			border: 1px solid var(--bg-vanilla-300);
+			border: 1px solid var(--l2-border);
 			background: linear-gradient(
 				139deg,
-				var(--bg-vanilla-100) 0%,
-				var(--bg-vanilla-300) 98.68%
+				var(--background) 0%,
+				var(--l1-background) 98.68%
 			);
 			box-shadow: 4px 10px 16px 2px rgba(255, 255, 255, 0.2);
 		}
 		.export-options-container {
 			.title {
-				color: var(--bg-ink-200);
+				color: var(--l2-foreground);
 			}

 			:global(.ant-radio-wrapper) {
-				color: var(--bg-ink-400);
+				color: var(--foreground);
 			}

 			.horizontal-line {
-				background: var(--bg-vanilla-300);
+				background: var(--l2-border);
 			}
 		}
 	}
--- a/frontend/src/components/DownloadOptionsMenu/DownloadOptionsMenu.test.tsx
+++ b/frontend/src/components/DownloadOptionsMenu/DownloadOptionsMenu.test.tsx
@@ -0,0 +1,331 @@
+// eslint-disable-next-line no-restricted-imports
+import { Provider } from 'react-redux';
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+import { message } from 'antd';
+import configureStore from 'redux-mock-store';
+import store from 'store';
+import { Query } from 'types/api/queryBuilder/queryBuilderData';
+import { EQueryType } from 'types/common/dashboard';
+import { DataSource, StringOperators } from 'types/common/queryBuilder';
+
+import '@testing-library/jest-dom';
+
+import { DownloadFormats, DownloadRowCounts } from './constants';
+import DownloadOptionsMenu from './DownloadOptionsMenu';
+
+const mockDownloadExportData = jest.fn().mockResolvedValue(undefined);
+jest.mock('api/v1/download/downloadExportData', () => ({
+	downloadExportData: (...args: any[]): any => mockDownloadExportData(...args),
+	default: (...args: any[]): any => mockDownloadExportData(...args),
+}));
+
+jest.mock('antd', () => {
+	const actual = jest.requireActual('antd');
+	return {
+		...actual,
+		message: {
+			success: jest.fn(),
+			error: jest.fn(),
+		},
+	};
+});
+
+const mockUseQueryBuilder = jest.fn();
+jest.mock('hooks/queryBuilder/useQueryBuilder', () => ({
+	useQueryBuilder: (): any => mockUseQueryBuilder(),
+}));
+
+const mockStore = configureStore([]);
+const createMockReduxStore = (): any =>
+	mockStore({
+		...store.getState(),
+	});
+
+const createMockStagedQuery = (dataSource: DataSource): Query => ({
+	id: 'test-query-id',
+	queryType: EQueryType.QUERY_BUILDER,
+	builder: {
+		queryData: [
+			{
+				queryName: 'A',
+				dataSource,
+				aggregateOperator: StringOperators.NOOP,
+				aggregateAttribute: {
+					id: '',
+					dataType: '' as any,
+					key: '',
+					type: '',
+				},
+				aggregations: [{ expression: 'count()' }],
+				functions: [],
+				filter: { expression: 'status = 200' },
+				filters: { items: [], op: 'AND' },
+				groupBy: [],
+				expression: 'A',
+				disabled: false,
+				having: { expression: '' } as any,
+				limit: null,
+				stepInterval: null,
+				orderBy: [{ columnName: 'timestamp', order: 'desc' }],
+				legend: '',
+				selectColumns: [],
+			},
+		],
+		queryFormulas: [],
+		queryTraceOperator: [],
+	},
+	promql: [],
+	clickhouse_sql: [],
+});
+
+const renderWithStore = (dataSource: DataSource): void => {
+	const mockReduxStore = createMockReduxStore();
+	render(
+		<Provider store={mockReduxStore}>
+			<DownloadOptionsMenu dataSource={dataSource} />
+		</Provider>,
+	);
+};
+
+describe.each([
+	[DataSource.LOGS, 'logs'],
+	[DataSource.TRACES, 'traces'],
+])('DownloadOptionsMenu for %s', (dataSource, signal) => {
+	const testId = `periscope-btn-download-${dataSource}`;
+
+	beforeEach(() => {
+		mockDownloadExportData.mockReset().mockResolvedValue(undefined);
+		(message.success as jest.Mock).mockReset();
+		(message.error as jest.Mock).mockReset();
+		mockUseQueryBuilder.mockReturnValue({
+			stagedQuery: createMockStagedQuery(dataSource),
+		});
+	});
+
+	it('renders download button', () => {
+		renderWithStore(dataSource);
+		const button = screen.getByTestId(testId);
+		expect(button).toBeInTheDocument();
+		expect(button).toHaveClass('periscope-btn', 'ghost');
+	});
+
+	it('shows popover with export options when download button is clicked', () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+
+		expect(screen.getByRole('dialog')).toBeInTheDocument();
+		expect(screen.getByText('FORMAT')).toBeInTheDocument();
+		expect(screen.getByText('Number of Rows')).toBeInTheDocument();
+		expect(screen.getByText('Columns')).toBeInTheDocument();
+	});
+
+	it('allows changing export format', () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+
+		const csvRadio = screen.getByRole('radio', { name: 'csv' });
+		const jsonlRadio = screen.getByRole('radio', { name: 'jsonl' });
+
+		expect(csvRadio).toBeChecked();
+		fireEvent.click(jsonlRadio);
+		expect(jsonlRadio).toBeChecked();
+		expect(csvRadio).not.toBeChecked();
+	});
+
+	it('allows changing row limit', () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+
+		const tenKRadio = screen.getByRole('radio', { name: '10k' });
+		const fiftyKRadio = screen.getByRole('radio', { name: '50k' });
+
+		expect(tenKRadio).toBeChecked();
+		fireEvent.click(fiftyKRadio);
+		expect(fiftyKRadio).toBeChecked();
+		expect(tenKRadio).not.toBeChecked();
+	});
+
+	it('allows changing columns scope', () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+
+		const allColumnsRadio = screen.getByRole('radio', { name: 'All' });
+		const selectedColumnsRadio = screen.getByRole('radio', { name: 'Selected' });
+
+		expect(allColumnsRadio).toBeChecked();
+		fireEvent.click(selectedColumnsRadio);
+		expect(selectedColumnsRadio).toBeChecked();
+		expect(allColumnsRadio).not.toBeChecked();
+	});
+
+	it('calls downloadExportData with correct format and POST body', async () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(mockDownloadExportData).toHaveBeenCalledTimes(1);
+			const callArgs = mockDownloadExportData.mock.calls[0][0];
+			expect(callArgs.format).toBe(DownloadFormats.CSV);
+			expect(callArgs.body).toBeDefined();
+			expect(callArgs.body.requestType).toBe('raw');
+			expect(callArgs.body.compositeQuery.queries).toHaveLength(1);
+
+			const query = callArgs.body.compositeQuery.queries[0];
+			expect(query.type).toBe('builder_query');
+			expect(query.spec.signal).toBe(signal);
+			expect(query.spec.limit).toBe(DownloadRowCounts.TEN_K);
+		});
+	});
+
+	it('clears groupBy and having in the export payload', async () => {
+		const mockQuery = createMockStagedQuery(dataSource);
+		mockQuery.builder.queryData[0].groupBy = [
+			{ key: 'service', dataType: 'string' as any, type: '' },
+		];
+		mockQuery.builder.queryData[0].having = {
+			expression: 'count() > 10',
+		} as any;
+
+		mockUseQueryBuilder.mockReturnValue({ stagedQuery: mockQuery });
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(mockDownloadExportData).toHaveBeenCalledTimes(1);
+			const callArgs = mockDownloadExportData.mock.calls[0][0];
+			const query = callArgs.body.compositeQuery.queries[0];
+			expect(query.spec.groupBy).toBeUndefined();
+			expect(query.spec.having).toEqual({ expression: '' });
+		});
+	});
+
+	it('keeps selectColumns when column scope is Selected', async () => {
+		const mockQuery = createMockStagedQuery(dataSource);
+		mockQuery.builder.queryData[0].selectColumns = [
+			{ name: 'http.status', fieldDataType: 'int64', fieldContext: 'attribute' },
+		] as any;
+
+		mockUseQueryBuilder.mockReturnValue({ stagedQuery: mockQuery });
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByRole('radio', { name: 'Selected' }));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(mockDownloadExportData).toHaveBeenCalledTimes(1);
+			const callArgs = mockDownloadExportData.mock.calls[0][0];
+			const query = callArgs.body.compositeQuery.queries[0];
+			expect(query.spec.selectFields).toEqual([
+				expect.objectContaining({
+					name: 'http.status',
+					fieldDataType: 'int64',
+				}),
+			]);
+		});
+	});
+
+	it('sends no selectFields when column scope is All', async () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByRole('radio', { name: 'All' }));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(mockDownloadExportData).toHaveBeenCalledTimes(1);
+			const callArgs = mockDownloadExportData.mock.calls[0][0];
+			const query = callArgs.body.compositeQuery.queries[0];
+			expect(query.spec.selectFields).toBeUndefined();
+		});
+	});
+
+	it('handles successful export with success message', async () => {
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(message.success).toHaveBeenCalledWith(
+				'Export completed successfully',
+			);
+		});
+	});
+
+	it('handles export failure with error message', async () => {
+		mockDownloadExportData.mockRejectedValueOnce(new Error('Server error'));
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(message.error).toHaveBeenCalledWith(
+				`Failed to export ${dataSource}. Please try again.`,
+			);
+		});
+	});
+
+	it('handles UI state correctly during export process', async () => {
+		let resolveDownload: () => void;
+		mockDownloadExportData.mockImplementationOnce(
+			() =>
+				new Promise<void>((resolve) => {
+					resolveDownload = resolve;
+				}),
+		);
+		renderWithStore(dataSource);
+
+		fireEvent.click(screen.getByTestId(testId));
+		expect(screen.getByRole('dialog')).toBeInTheDocument();
+
+		fireEvent.click(screen.getByText('Export'));
+
+		expect(screen.getByTestId(testId)).toBeDisabled();
+		expect(screen.queryByRole('dialog')).not.toBeInTheDocument();
+
+		resolveDownload!();
+
+		await waitFor(() => {
+			expect(screen.getByTestId(testId)).not.toBeDisabled();
+		});
+	});
+});
+
+describe('DownloadOptionsMenu for traces with queryTraceOperator', () => {
+	const dataSource = DataSource.TRACES;
+	const testId = `periscope-btn-download-${dataSource}`;
+
+	beforeEach(() => {
+		mockDownloadExportData.mockReset().mockResolvedValue(undefined);
+		(message.success as jest.Mock).mockReset();
+	});
+
+	it('applies limit and clears groupBy on queryTraceOperator entries', async () => {
+		const query = createMockStagedQuery(dataSource);
+		query.builder.queryTraceOperator = [
+			{
+				...query.builder.queryData[0],
+				queryName: 'TraceOp1',
+				expression: 'TraceOp1',
+				groupBy: [{ key: 'service', dataType: 'string' as any, type: '' }],
+			},
+		];
+
+		mockUseQueryBuilder.mockReturnValue({ stagedQuery: query });
+		renderWithStore(dataSource);
+		fireEvent.click(screen.getByTestId(testId));
+		fireEvent.click(screen.getByRole('radio', { name: '50k' }));
+		fireEvent.click(screen.getByText('Export'));
+
+		await waitFor(() => {
+			expect(mockDownloadExportData).toHaveBeenCalledTimes(1);
+			const callArgs = mockDownloadExportData.mock.calls[0][0];
+			const queries = callArgs.body.compositeQuery.queries;
+			const traceOpQuery = queries.find((q: any) => q.spec.name === 'TraceOp1');
+			if (traceOpQuery) {
+				expect(traceOpQuery.spec.limit).toBe(DownloadRowCounts.FIFTY_K);
+				expect(traceOpQuery.spec.groupBy).toBeUndefined();
+			}
+		});
+	});
+});
--- a/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.tsx
+++ b/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.tsx
@@ -1,8 +1,8 @@
 import { useCallback, useMemo, useState } from 'react';
-import { Button, message, Popover, Radio, Tooltip, Typography } from 'antd';
-import { downloadExportData } from 'api/v1/download/downloadExportData';
+import { Button, Popover, Radio, Tooltip, Typography } from 'antd';
+import { useExportRawData } from 'hooks/useDownloadOptionsMenu/useDownloadOptionsMenu';
 import { Download, DownloadIcon, Loader2 } from 'lucide-react';
-import { TelemetryFieldKey } from 'types/api/v5/queryRange';
+import { DataSource } from 'types/common/queryBuilder';

 import {
 	DownloadColumnsScopes,
@@ -10,75 +10,34 @@ import {
 	DownloadRowCounts,
 } from './constants';

-import './LogsDownloadOptionsMenu.styles.scss';
+import './DownloadOptionsMenu.styles.scss';

-function convertTelemetryFieldKeyToText(key: TelemetryFieldKey): string {
-	const prefix = key.fieldContext ? `${key.fieldContext}.` : '';
-	const suffix = key.fieldDataType ? `:${key.fieldDataType}` : '';
-	return `${prefix}${key.name}${suffix}`;
+interface DownloadOptionsMenuProps {
+	dataSource: DataSource;
 }

-interface LogsDownloadOptionsMenuProps {
-	startTime: number;
-	endTime: number;
-	filter: string;
-	columns: TelemetryFieldKey[];
-	orderBy: string;
-}
-
-export default function LogsDownloadOptionsMenu({
-	startTime,
-	endTime,
-	filter,
-	columns,
-	orderBy,
-}: LogsDownloadOptionsMenuProps): JSX.Element {
+export default function DownloadOptionsMenu({
+	dataSource,
+}: DownloadOptionsMenuProps): JSX.Element {
 	const [exportFormat, setExportFormat] = useState<string>(DownloadFormats.CSV);
 	const [rowLimit, setRowLimit] = useState<number>(DownloadRowCounts.TEN_K);
 	const [columnsScope, setColumnsScope] = useState<string>(
 		DownloadColumnsScopes.ALL,
 	);
-	const [isDownloading, setIsDownloading] = useState<boolean>(false);
 	const [isPopoverOpen, setIsPopoverOpen] = useState<boolean>(false);

-	const handleExportRawData = useCallback(async (): Promise<void> => {
-		setIsPopoverOpen(false);
-		try {
-			setIsDownloading(true);
-			const downloadOptions = {
-				source: 'logs',
-				start: startTime,
-				end: endTime,
-				columns:
-					columnsScope === DownloadColumnsScopes.SELECTED
-						? columns.map((col) => convertTelemetryFieldKeyToText(col))
-						: [],
-				filter,
-				orderBy,
-				format: exportFormat,
-				limit: rowLimit,
-			};
+	const { isDownloading, handleExportRawData } = useExportRawData({
+		dataSource,
+	});

-			await downloadExportData(downloadOptions);
-			message.success('Export completed successfully');
-		} catch (error) {
-			console.error('Error exporting logs:', error);
-			message.error('Failed to export logs. Please try again.');
-		} finally {
-			setIsDownloading(false);
-		}
-	}, [
-		startTime,
-		endTime,
-		columnsScope,
-		columns,
-		filter,
-		orderBy,
-		exportFormat,
-		rowLimit,
-		setIsDownloading,
-		setIsPopoverOpen,
-	]);
+	const handleExport = useCallback(async (): Promise<void> => {
+		setIsPopoverOpen(false);
+		await handleExportRawData({
+			format: exportFormat,
+			rowLimit,
+			clearSelectColumns: columnsScope === DownloadColumnsScopes.ALL,
+		});
+	}, [exportFormat, rowLimit, columnsScope, handleExportRawData]);

 	const popoverContent = useMemo(
 		() => (
@@ -129,7 +88,7 @@ export default function LogsDownloadOptionsMenu({
 				<Button
 					type="primary"
 					icon={<Download size={16} />}
-					onClick={handleExportRawData}
+					onClick={handleExport}
 					className="export-button"
 					disabled={isDownloading}
 					loading={isDownloading}
@@ -138,7 +97,7 @@ export default function LogsDownloadOptionsMenu({
 				</Button>
 			</div>
 		),
-		[exportFormat, rowLimit, columnsScope, isDownloading, handleExportRawData],
+		[exportFormat, rowLimit, columnsScope, isDownloading, handleExport],
 	);

 	return (
@@ -149,19 +108,19 @@ export default function LogsDownloadOptionsMenu({
 			arrow={false}
 			open={isPopoverOpen}
 			onOpenChange={setIsPopoverOpen}
-			rootClassName="logs-download-popover"
+			rootClassName="download-popover"
 		>
 			<Tooltip title="Download" placement="top">
 				<Button
 					className="periscope-btn ghost"
 					icon={
 						isDownloading ? (
-							<Loader2 size={18} className="animate-spin" />
+							<Loader2 size={14} className="animate-spin" />
 						) : (
-							<DownloadIcon size={15} />
+							<DownloadIcon size={14} />
 						)
 					}
-					data-testid="periscope-btn-download-options"
+					data-testid={`periscope-btn-download-${dataSource}`}
 					disabled={isDownloading}
 				/>
 			</Tooltip>
--- a/frontend/src/components/LogsDownloadOptionsMenu/constants.ts
+++ b/frontend/src/components/LogsDownloadOptionsMenu/constants.ts
--- a/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.test.tsx
+++ b/frontend/src/components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu.test.tsx
@@ -1,341 +0,0 @@
-import { fireEvent, render, screen, waitFor } from '@testing-library/react';
-import { message } from 'antd';
-import { ENVIRONMENT } from 'constants/env';
-import { server } from 'mocks-server/server';
-import { rest } from 'msw';
-import { TelemetryFieldKey } from 'types/api/v5/queryRange';
-
-import '@testing-library/jest-dom';
-
-import { DownloadFormats, DownloadRowCounts } from './constants';
-import LogsDownloadOptionsMenu from './LogsDownloadOptionsMenu';
-
-// Mock antd message
-jest.mock('antd', () => {
-	const actual = jest.requireActual('antd');
-	return {
-		...actual,
-		message: {
-			success: jest.fn(),
-			error: jest.fn(),
-		},
-	};
-});
-
-const TEST_IDS = {
-	DOWNLOAD_BUTTON: 'periscope-btn-download-options',
-} as const;
-
-interface TestProps {
-	startTime: number;
-	endTime: number;
-	filter: string;
-	columns: TelemetryFieldKey[];
-	orderBy: string;
-}
-
-const createTestProps = (): TestProps => ({
-	startTime: 1631234567890,
-	endTime: 1631234567999,
-	filter: 'status = 200',
-	columns: [
-		{
-			name: 'http.status',
-			fieldContext: 'attribute',
-			fieldDataType: 'int64',
-		} as TelemetryFieldKey,
-	],
-	orderBy: 'timestamp:desc',
-});
-
-const testRenderContent = (props: TestProps): void => {
-	render(
-		<LogsDownloadOptionsMenu
-			startTime={props.startTime}
-			endTime={props.endTime}
-			filter={props.filter}
-			columns={props.columns}
-			orderBy={props.orderBy}
-		/>,
-	);
-};
-
-const testSuccessResponse = (res: any, ctx: any): any =>
-	res(
-		ctx.status(200),
-		ctx.set('Content-Type', 'application/octet-stream'),
-		ctx.set('Content-Disposition', 'attachment; filename="export.csv"'),
-		ctx.body('id,value\n1,2\n'),
-	);
-
-describe('LogsDownloadOptionsMenu', () => {
-	const BASE_URL = ENVIRONMENT.baseURL;
-	const EXPORT_URL = `${BASE_URL}/api/v1/export_raw_data`;
-	let requestSpy: jest.Mock<any, any>;
-	const setupDefaultServer = (): void => {
-		server.use(
-			rest.get(EXPORT_URL, (req, res, ctx) => {
-				const params = req.url.searchParams;
-				const payload = {
-					start: Number(params.get('start')),
-					end: Number(params.get('end')),
-					filter: params.get('filter'),
-					columns: params.getAll('columns'),
-					order_by: params.get('order_by'),
-					limit: Number(params.get('limit')),
-					format: params.get('format'),
-				};
-				requestSpy(payload);
-				return testSuccessResponse(res, ctx);
-			}),
-		);
-	};
-
-	// Mock URL.createObjectURL used by download logic
-	const originalCreateObjectURL = URL.createObjectURL;
-	const originalRevokeObjectURL = URL.revokeObjectURL;
-
-	beforeEach(() => {
-		requestSpy = jest.fn();
-		setupDefaultServer();
-		(message.success as jest.Mock).mockReset();
-		(message.error as jest.Mock).mockReset();
-		// jsdom doesn't implement it by default
-		((URL as unknown) as {
-			createObjectURL: (b: Blob) => string;
-		}).createObjectURL = jest.fn(() => 'blob:mock');
-		((URL as unknown) as {
-			revokeObjectURL: (u: string) => void;
-		}).revokeObjectURL = jest.fn();
-	});
-
-	beforeAll(() => {
-		server.listen();
-	});
-
-	afterEach(() => {
-		server.resetHandlers();
-	});
-
-	afterAll(() => {
-		server.close();
-		// restore
-		URL.createObjectURL = originalCreateObjectURL;
-		URL.revokeObjectURL = originalRevokeObjectURL;
-	});
-
-	it('renders download button', () => {
-		const props = createTestProps();
-		testRenderContent(props);
-
-		const button = screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON);
-		expect(button).toBeInTheDocument();
-		expect(button).toHaveClass('periscope-btn', 'ghost');
-	});
-
-	it('shows popover with export options when download button is clicked', () => {
-		const props = createTestProps();
-		render(
-			<LogsDownloadOptionsMenu
-				startTime={props.startTime}
-				endTime={props.endTime}
-				filter={props.filter}
-				columns={props.columns}
-				orderBy={props.orderBy}
-			/>,
-		);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-
-		expect(screen.getByRole('dialog')).toBeInTheDocument();
-		expect(screen.getByText('FORMAT')).toBeInTheDocument();
-		expect(screen.getByText('Number of Rows')).toBeInTheDocument();
-		expect(screen.getByText('Columns')).toBeInTheDocument();
-	});
-
-	it('allows changing export format', () => {
-		const props = createTestProps();
-		testRenderContent(props);
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-
-		const csvRadio = screen.getByRole('radio', { name: 'csv' });
-		const jsonlRadio = screen.getByRole('radio', { name: 'jsonl' });
-
-		expect(csvRadio).toBeChecked();
-		fireEvent.click(jsonlRadio);
-		expect(jsonlRadio).toBeChecked();
-		expect(csvRadio).not.toBeChecked();
-	});
-
-	it('allows changing row limit', () => {
-		const props = createTestProps();
-		testRenderContent(props);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-
-		const tenKRadio = screen.getByRole('radio', { name: '10k' });
-		const fiftyKRadio = screen.getByRole('radio', { name: '50k' });
-
-		expect(tenKRadio).toBeChecked();
-		fireEvent.click(fiftyKRadio);
-		expect(fiftyKRadio).toBeChecked();
-		expect(tenKRadio).not.toBeChecked();
-	});
-
-	it('allows changing columns scope', () => {
-		const props = createTestProps();
-		testRenderContent(props);
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-
-		const allColumnsRadio = screen.getByRole('radio', { name: 'All' });
-		const selectedColumnsRadio = screen.getByRole('radio', { name: 'Selected' });
-
-		expect(allColumnsRadio).toBeChecked();
-		fireEvent.click(selectedColumnsRadio);
-		expect(selectedColumnsRadio).toBeChecked();
-		expect(allColumnsRadio).not.toBeChecked();
-	});
-
-	it('calls downloadExportData with correct parameters when export button is clicked (Selected columns)', async () => {
-		const props = createTestProps();
-		testRenderContent(props);
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		fireEvent.click(screen.getByRole('radio', { name: 'Selected' }));
-		fireEvent.click(screen.getByText('Export'));
-
-		await waitFor(() => {
-			expect(requestSpy).toHaveBeenCalledWith(
-				expect.objectContaining({
-					start: props.startTime,
-					end: props.endTime,
-					columns: ['attribute.http.status:int64'],
-					filter: props.filter,
-					order_by: props.orderBy,
-					format: DownloadFormats.CSV,
-					limit: DownloadRowCounts.TEN_K,
-				}),
-			);
-		});
-	});
-
-	it('calls downloadExportData with correct parameters when export button is clicked', async () => {
-		const props = createTestProps();
-		testRenderContent(props);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		fireEvent.click(screen.getByRole('radio', { name: 'All' }));
-		fireEvent.click(screen.getByText('Export'));
-
-		await waitFor(() => {
-			expect(requestSpy).toHaveBeenCalledWith(
-				expect.objectContaining({
-					start: props.startTime,
-					end: props.endTime,
-					columns: [],
-					filter: props.filter,
-					order_by: props.orderBy,
-					format: DownloadFormats.CSV,
-					limit: DownloadRowCounts.TEN_K,
-				}),
-			);
-		});
-	});
-
-	it('handles successful export with success message', async () => {
-		const props = createTestProps();
-		testRenderContent(props);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		fireEvent.click(screen.getByText('Export'));
-
-		await waitFor(() => {
-			expect(message.success).toHaveBeenCalledWith(
-				'Export completed successfully',
-			);
-		});
-	});
-
-	it('handles export failure with error message', async () => {
-		// Override handler to return 500 for this test
-		server.use(rest.get(EXPORT_URL, (_req, res, ctx) => res(ctx.status(500))));
-		const props = createTestProps();
-		testRenderContent(props);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		fireEvent.click(screen.getByText('Export'));
-
-		await waitFor(() => {
-			expect(message.error).toHaveBeenCalledWith(
-				'Failed to export logs. Please try again.',
-			);
-		});
-	});
-
-	it('handles UI state correctly during export process', async () => {
-		server.use(
-			rest.get(EXPORT_URL, (_req, res, ctx) => testSuccessResponse(res, ctx)),
-		);
-		const props = createTestProps();
-		testRenderContent(props);
-
-		// Open popover
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		expect(screen.getByRole('dialog')).toBeInTheDocument();
-
-		// Start export
-		fireEvent.click(screen.getByText('Export'));
-
-		// Check button is disabled during export
-		expect(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON)).toBeDisabled();
-
-		// Check popover is closed immediately after export starts
-		expect(screen.queryByRole('dialog')).not.toBeInTheDocument();
-
-		// Wait for export to complete and verify button is enabled again
-		await waitFor(() => {
-			expect(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON)).not.toBeDisabled();
-		});
-	});
-
-	it('uses filename from Content-Disposition and triggers download click', async () => {
-		server.use(
-			rest.get(EXPORT_URL, (_req, res, ctx) =>
-				res(
-					ctx.status(200),
-					ctx.set('Content-Type', 'application/octet-stream'),
-					ctx.set('Content-Disposition', 'attachment; filename="report.jsonl"'),
-					ctx.body('row\n'),
-				),
-			),
-		);
-
-		const originalCreateElement = document.createElement.bind(document);
-		const anchorEl = originalCreateElement('a') as HTMLAnchorElement;
-		const setAttrSpy = jest.spyOn(anchorEl, 'setAttribute');
-		const clickSpy = jest.spyOn(anchorEl, 'click');
-		const removeSpy = jest.spyOn(anchorEl, 'remove');
-		const createElSpy = jest
-			.spyOn(document, 'createElement')
-			.mockImplementation((tagName: any): any =>
-				tagName === 'a' ? anchorEl : originalCreateElement(tagName),
-			);
-		const appendSpy = jest.spyOn(document.body, 'appendChild');
-
-		const props = createTestProps();
-		testRenderContent(props);
-
-		fireEvent.click(screen.getByTestId(TEST_IDS.DOWNLOAD_BUTTON));
-		fireEvent.click(screen.getByText('Export'));
-
-		await waitFor(() => {
-			expect(appendSpy).toHaveBeenCalledWith(anchorEl);
-			expect(setAttrSpy).toHaveBeenCalledWith('download', 'report.jsonl');
-			expect(clickSpy).toHaveBeenCalled();
-			expect(removeSpy).toHaveBeenCalled();
-		});
-		expect(anchorEl.getAttribute('download')).toBe('report.jsonl');
-
-		createElSpy.mockRestore();
-		appendSpy.mockRestore();
-	});
-});
--- a/frontend/src/container/LogsExplorerViews/LogsActionsContainer.tsx
+++ b/frontend/src/container/LogsExplorerViews/LogsActionsContainer.tsx
@@ -1,5 +1,5 @@
 import { Switch, Typography } from 'antd';
-import LogsDownloadOptionsMenu from 'components/LogsDownloadOptionsMenu/LogsDownloadOptionsMenu';
+import DownloadOptionsMenu from 'components/DownloadOptionsMenu/DownloadOptionsMenu';
 import LogsFormatOptionsMenu from 'components/LogsFormatOptionsMenu/LogsFormatOptionsMenu';
 import ListViewOrderBy from 'components/OrderBy/ListViewOrderBy';
 import { LOCALSTORAGE } from 'constants/localStorage';
@@ -21,8 +21,6 @@ function LogsActionsContainer({
 	isLoading,
 	isError,
 	isSuccess,
-	minTime,
-	maxTime,
 }: {
 	listQuery: any;
 	selectedPanelType: PANEL_TYPES;
@@ -34,8 +32,6 @@ function LogsActionsContainer({
 	isLoading: boolean;
 	isError: boolean;
 	isSuccess: boolean;
-	minTime: number;
-	maxTime: number;
 }): JSX.Element {
 	const { options, config } = useOptionsMenu({
 		storageKey: LOCALSTORAGE.LOGS_LIST_OPTIONS,
@@ -96,13 +92,7 @@ function LogsActionsContainer({
 								/>
 							</div>
 							<div className="download-options-container">
-								<LogsDownloadOptionsMenu
-									startTime={minTime}
-									endTime={maxTime}
-									filter={listQuery?.filter?.expression || ''}
-									columns={config.addColumn?.value || []}
-									orderBy={orderBy}
-								/>
+								<DownloadOptionsMenu dataSource={DataSource.LOGS} />
 							</div>
 							<div className="format-options-container">
 								<LogsFormatOptionsMenu
--- a/frontend/src/container/LogsExplorerViews/index.tsx
+++ b/frontend/src/container/LogsExplorerViews/index.tsx
@@ -444,8 +444,6 @@ function LogsExplorerViewsContainer({
 						isLoading={isLoading}
 						isError={isError}
 						isSuccess={isSuccess}
-						minTime={minTime}
-						maxTime={maxTime}
 					/>
 				)}

--- a/frontend/src/container/LogsExplorerViews/tests/LogsExplorerViews.test.tsx
+++ b/frontend/src/container/LogsExplorerViews/tests/LogsExplorerViews.test.tsx
@@ -168,7 +168,7 @@ describe('LogsExplorerViews -', () => {
 		lodsQueryServerRequest();
 		const { queryByTestId } = renderer();

-		const periscopeDownloadButtonTestId = 'periscope-btn-download-options';
+		const periscopeDownloadButtonTestId = 'periscope-btn-download-logs';
 		const periscopeFormatButtonTestId = 'periscope-btn-format-options';

 		// Test that the periscope button is present
--- a/frontend/src/container/TracesExplorer/ListView/ListView.styles.scss
+++ b/frontend/src/container/TracesExplorer/ListView/ListView.styles.scss
@@ -1,6 +1,7 @@
 .trace-explorer-controls {
 	display: flex;
 	justify-content: flex-end;
+	align-items: center;
 	gap: 8px;

 	.order-by-container {
--- a/frontend/src/container/TracesExplorer/ListView/index.tsx
+++ b/frontend/src/container/TracesExplorer/ListView/index.tsx
@@ -11,6 +11,7 @@ import {
 // eslint-disable-next-line no-restricted-imports
 import { useSelector } from 'react-redux';
 import logEvent from 'api/common/logEvent';
+import DownloadOptionsMenu from 'components/DownloadOptionsMenu/DownloadOptionsMenu';
 import ErrorInPlace from 'components/ErrorInPlace/ErrorInPlace';
 import ListViewOrderBy from 'components/OrderBy/ListViewOrderBy';
 import { ResizeTable } from 'components/ResizeTable';
@@ -238,6 +239,8 @@ function ListView({
 					/>
 				</div>

+				<DownloadOptionsMenu dataSource={DataSource.TRACES} />
+
 				<TraceExplorerControls
 					isLoading={isFetching}
 					totalCount={totalCount}
--- a/frontend/src/hooks/useDownloadOptionsMenu/useDownloadOptionsMenu.ts
+++ b/frontend/src/hooks/useDownloadOptionsMenu/useDownloadOptionsMenu.ts
@@ -0,0 +1,95 @@
+import { useCallback, useState } from 'react';
+// eslint-disable-next-line no-restricted-imports
+import { useSelector } from 'react-redux';
+import { message } from 'antd';
+import { downloadExportData } from 'api/v1/download/downloadExportData';
+import { prepareQueryRangePayloadV5 } from 'api/v5/v5';
+import { PANEL_TYPES } from 'constants/queryBuilder';
+import { useQueryBuilder } from 'hooks/queryBuilder/useQueryBuilder';
+import { AppState } from 'store/reducers';
+import { DataSource } from 'types/common/queryBuilder';
+import { GlobalReducer } from 'types/reducer/globalTime';
+
+interface ExportOptions {
+	format: string;
+	rowLimit: number;
+	clearSelectColumns: boolean;
+}
+
+interface UseExportRawDataProps {
+	dataSource: DataSource;
+}
+
+interface UseExportRawDataReturn {
+	isDownloading: boolean;
+	handleExportRawData: (options: ExportOptions) => Promise<void>;
+}
+
+export function useExportRawData({
+	dataSource,
+}: UseExportRawDataProps): UseExportRawDataReturn {
+	const [isDownloading, setIsDownloading] = useState<boolean>(false);
+
+	const { stagedQuery } = useQueryBuilder();
+
+	const { selectedTime: globalSelectedInterval } = useSelector<
+		AppState,
+		GlobalReducer
+	>((state) => state.globalTime);
+
+	const handleExportRawData = useCallback(
+		async ({
+			format,
+			rowLimit,
+			clearSelectColumns,
+		}: ExportOptions): Promise<void> => {
+			if (!stagedQuery) {
+				return;
+			}
+
+			try {
+				setIsDownloading(true);
+
+				const exportQuery = {
+					...stagedQuery,
+					builder: {
+						...stagedQuery.builder,
+						queryData: stagedQuery.builder.queryData.map((qd) => ({
+							...qd,
+							groupBy: [],
+							having: { expression: '' },
+							limit: rowLimit,
+							...(clearSelectColumns && { selectColumns: [] }),
+						})),
+						queryTraceOperator: (stagedQuery.builder.queryTraceOperator || []).map(
+							(traceOp) => ({
+								...traceOp,
+								groupBy: [],
+								having: { expression: '' },
+								limit: rowLimit,
+								...(clearSelectColumns && { selectColumns: [] }),
+							}),
+						),
+					},
+				};
+
+				const { queryPayload } = prepareQueryRangePayloadV5({
+					query: exportQuery,
+					graphType: PANEL_TYPES.LIST,
+					selectedTime: 'GLOBAL_TIME',
+					globalSelectedInterval,
+				});
+
+				await downloadExportData({ format, body: queryPayload });
+				message.success('Export completed successfully');
+			} catch (error) {
+				message.error(`Failed to export ${dataSource}. Please try again.`);
+			} finally {
+				setIsDownloading(false);
+			}
+		},
+		[stagedQuery, globalSelectedInterval, dataSource],
+	);
+
+	return { isDownloading, handleExportRawData };
+}
--- a/frontend/src/types/api/exportRawData/getExportRawData.ts
+++ b/frontend/src/types/api/exportRawData/getExportRawData.ts
@@ -1,10 +1,6 @@
+import { QueryRangePayloadV5 } from 'types/api/v5/queryRange';
+
 export interface ExportRawDataProps {
-	source: string;
 	format: string;
-	start: number;
-	end: number;
-	columns: string[];
-	filter: string;
-	orderBy: string;
-	limit: number;
+	body: QueryRangePayloadV5;
 }
--- a/pkg/apiserver/signozapiserver/cloudintegration.go
+++ b/pkg/apiserver/signozapiserver/cloudintegration.go
@@ -0,0 +1,216 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types"
+	citypes "github.com/SigNoz/signoz/pkg/types/cloudintegrationtypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addCloudIntegrationRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts/connection_artifact", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.GetConnectionArtifact),
+		handler.OpenAPIDef{
+			ID:                  "GetConnectionArtifact",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Get connection artifact",
+			Description:         "This endpoint returns a connection artifact for the specified cloud provider and creates new cloud integration account",
+			Request:             new(citypes.PostableConnectionArtifact),
+			RequestContentType:  "application/json",
+			Response:            new(citypes.GettableConnectionArtifact),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.ListAccounts),
+		handler.OpenAPIDef{
+			ID:                  "ListAccounts",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "List accounts",
+			Description:         "This endpoint lists the accounts for the specified cloud provider",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(citypes.GettableAccounts),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts/{id}", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.GetAccount),
+		handler.OpenAPIDef{
+			ID:                  "GetAccount",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Get account",
+			Description:         "This endpoint gets an account for the specified cloud provider",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(citypes.GettableAccount),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts/{id}", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.UpdateAccount),
+		handler.OpenAPIDef{
+			ID:                  "UpdateAccount",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Update account",
+			Description:         "This endpoint updates an account for the specified cloud provider",
+			Request:             new(citypes.UpdatableAccount),
+			RequestContentType:  "application/json",
+			Response:            nil,
+			ResponseContentType: "",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts/{id}", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.DisconnectAccount),
+		handler.OpenAPIDef{
+			ID:                  "DisconnectAccount",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Disconnect account",
+			Description:         "This endpoint disconnects an account for the specified cloud provider",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/services", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.ListServicesMetadata),
+		handler.OpenAPIDef{
+			ID:                  "ListServicesMetadata",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "List services metadata",
+			Description:         "This endpoint lists the services metadata for the specified cloud provider",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(citypes.GettableServicesMetadata),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/services/{service_id}", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.GetService),
+		handler.OpenAPIDef{
+			ID:                  "GetService",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Get service",
+			Description:         "This endpoint gets a service for the specified cloud provider",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            new(citypes.GettableService),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/services/{service_id}", handler.New(
+		provider.authZ.AdminAccess(provider.cloudIntegrationHandler.UpdateService),
+		handler.OpenAPIDef{
+			ID:                  "UpdateService",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Update service",
+			Description:         "This endpoint updates a service for the specified cloud provider",
+			Request:             new(citypes.UpdatableService),
+			RequestContentType:  "application/json",
+			Response:            nil,
+			ResponseContentType: "",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		},
+	)).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	// Agent check-in endpoint is kept same as older one to maintain backward compatibility with already deployed agents.
+	// In the future, this endpoint will be deprecated and a new endpoint will be introduced for consistency with above endpoints.
+	if err := router.Handle("/api/v1/cloud-integrations/{cloud_provider}/agent-check-in", handler.New(
+		provider.authZ.ViewAccess(provider.cloudIntegrationHandler.AgentCheckIn),
+		handler.OpenAPIDef{
+			ID:                  "AgentCheckInDeprecated",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Agent check-in",
+			Description:         "[Deprecated] This endpoint is called by the deployed agent to check in",
+			Request:             new(citypes.PostableAgentCheckInRequest),
+			RequestContentType:  "application/json",
+			Response:            new(citypes.GettableAgentCheckInResponse),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          true,                                 // this endpoint will be deprecated in future
+			SecuritySchemes:     newSecuritySchemes(types.RoleViewer), // agent role is viewer
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/cloud_integrations/{cloud_provider}/accounts/check_in", handler.New(
+		provider.authZ.ViewAccess(provider.cloudIntegrationHandler.AgentCheckIn),
+		handler.OpenAPIDef{
+			ID:                  "AgentCheckIn",
+			Tags:                []string{"cloudintegration"},
+			Summary:             "Agent check-in",
+			Description:         "This endpoint is called by the deployed agent to check in",
+			Request:             new(citypes.PostableAgentCheckInRequest),
+			RequestContentType:  "application/json",
+			Response:            new(citypes.GettableAgentCheckInResponse),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleViewer), // agent role is viewer
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/apiserver/signozapiserver/provider.go
+++ b/pkg/apiserver/signozapiserver/provider.go
@@ -12,6 +12,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
+	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/fields"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
@@ -50,6 +51,8 @@ type provider struct {
 	zeusHandler            zeus.Handler
 	querierHandler         querier.Handler
 	serviceAccountHandler  serviceaccount.Handler
+	// TODO: wire up later
+	cloudIntegrationHandler cloudintegration.Handler //nolint:unused
 }

 func NewFactory(
@@ -72,6 +75,7 @@ func NewFactory(
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
 	serviceAccountHandler serviceaccount.Handler,
+	cloudIntegrationHandler cloudintegration.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
 		return newProvider(
@@ -97,6 +101,7 @@ func NewFactory(
 			zeusHandler,
 			querierHandler,
 			serviceAccountHandler,
+			cloudIntegrationHandler,
 		)
 	})
 }
@@ -124,31 +129,33 @@ func newProvider(
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
 	serviceAccountHandler serviceaccount.Handler,
+	cloudIntegrationHandler cloudintegration.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()

 	provider := &provider{
-		config:                 config,
-		settings:               settings,
-		router:                 router,
-		orgHandler:             orgHandler,
-		userHandler:            userHandler,
-		sessionHandler:         sessionHandler,
-		authDomainHandler:      authDomainHandler,
-		preferenceHandler:      preferenceHandler,
-		globalHandler:          globalHandler,
-		promoteHandler:         promoteHandler,
-		flaggerHandler:         flaggerHandler,
-		dashboardModule:        dashboardModule,
-		dashboardHandler:       dashboardHandler,
-		metricsExplorerHandler: metricsExplorerHandler,
-		gatewayHandler:         gatewayHandler,
-		fieldsHandler:          fieldsHandler,
-		authzHandler:           authzHandler,
-		zeusHandler:            zeusHandler,
-		querierHandler:         querierHandler,
-		serviceAccountHandler:  serviceAccountHandler,
+		config:                  config,
+		settings:                settings,
+		router:                  router,
+		orgHandler:              orgHandler,
+		userHandler:             userHandler,
+		sessionHandler:          sessionHandler,
+		authDomainHandler:       authDomainHandler,
+		preferenceHandler:       preferenceHandler,
+		globalHandler:           globalHandler,
+		promoteHandler:          promoteHandler,
+		flaggerHandler:          flaggerHandler,
+		dashboardModule:         dashboardModule,
+		dashboardHandler:        dashboardHandler,
+		metricsExplorerHandler:  metricsExplorerHandler,
+		gatewayHandler:          gatewayHandler,
+		fieldsHandler:           fieldsHandler,
+		authzHandler:            authzHandler,
+		zeusHandler:             zeusHandler,
+		querierHandler:          querierHandler,
+		serviceAccountHandler:   serviceAccountHandler,
+		cloudIntegrationHandler: cloudIntegrationHandler,
 	}

 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -233,6 +240,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}

+	if err := provider.addCloudIntegrationRoutes(router); err != nil {
+		return err
+	}
+
 	return nil
 }

--- a/pkg/apiserver/signozapiserver/user.go
+++ b/pkg/apiserver/signozapiserver/user.go
@@ -118,7 +118,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.GettableUser, 0),
+		Response:            make([]*types.DeprecatedUser, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -135,7 +135,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.DeprecatedUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -152,7 +152,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.DeprecatedUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -167,9 +167,9 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Tags:                []string{"users"},
 		Summary:             "Update user",
 		Description:         "This endpoint updates the user by id",
-		Request:             new(types.User),
+		Request:             new(types.DeprecatedUser),
 		RequestContentType:  "application/json",
-		Response:            new(types.GettableUser),
+		Response:            new(types.DeprecatedUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
--- a/pkg/authn/authnstore/sqlauthnstore/store.go
+++ b/pkg/authn/authnstore/sqlauthnstore/store.go
@@ -3,6 +3,7 @@ package sqlauthnstore
 import (
 	"context"

+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
@@ -17,7 +18,7 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }

-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, []*authtypes.UserRole, error) {
 	user := new(types.User)
 	factorPassword := new(types.FactorPassword)

@@ -31,7 +32,7 @@ func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Co
 		Where("status = ?", types.UserStatusActive.StringValue()).
 		Scan(ctx)
 	if err != nil {
-		return nil, nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with email %s in org %s not found", email, orgID)
+		return nil, nil, nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with email %s in org %s not found", email, orgID)
 	}

 	err = store.
@@ -42,10 +43,22 @@ func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Co
 		Where("user_id = ?", user.ID).
 		Scan(ctx)
 	if err != nil {
-		return nil, nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodePasswordNotFound, "user with email %s in org %s does not have password", email, orgID)
+		return nil, nil, nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodePasswordNotFound, "user with email %s in org %s does not have password", email, orgID)
 	}

-	return user, factorPassword, nil
+	userRoles := make([]*authtypes.UserRole, 0)
+	err = store.sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&userRoles).
+		Where("user_id = ?", user.ID).
+		Relation("Role").
+		Scan(ctx)
+	if err != nil {
+		return nil, nil, nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "failed to get user roles for user %s in org %s", email, orgID)
+	}
+
+	return user, factorPassword, userRoles, nil
 }

 func (store *store) GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*authtypes.AuthDomain, error) {
--- a/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
+++ b/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
@@ -21,7 +21,7 @@ func New(store authtypes.AuthNStore) *AuthN {
 }

 func (a *AuthN) Authenticate(ctx context.Context, email string, password string, orgID valuer.UUID) (*authtypes.Identity, error) {
-	user, factorPassword, err := a.store.GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
+	user, factorPassword, userRoles, err := a.store.GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}
@@ -30,5 +30,11 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}

-	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), nil
+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, role, authtypes.IdentNProviderTokenizer), nil
 }
--- a/pkg/identn/impersonationidentn/provider.go
+++ b/pkg/identn/impersonationidentn/provider.go
@@ -79,16 +79,22 @@ func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, e
 		return nil, err
 	}

-	rootUser, err := provider.userGetter.GetRootUserByOrgID(ctx, org.ID)
+	rootUser, userRoles, err := provider.userGetter.GetRootUserByOrgID(ctx, org.ID)
 	if err != nil {
 		return nil, err
 	}

+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
 	provider.identity = authtypes.NewIdentity(
 		rootUser.ID,
 		rootUser.OrgID,
 		rootUser.Email,
-		rootUser.Role,
+		role,
 		authtypes.IdentNProviderImpersonation,
 	)

--- a/pkg/modules/cloudintegration/cloudintegration.go
+++ b/pkg/modules/cloudintegration/cloudintegration.go
@@ -53,6 +53,7 @@ type Module interface {
 }

 type Handler interface {
+	// GetConnectionArtifact creates a new cloud integration account and returns the connection artifact
 	GetConnectionArtifact(http.ResponseWriter, *http.Request)
 	ListAccounts(http.ResponseWriter, *http.Request)
 	GetAccount(http.ResponseWriter, *http.Request)
--- a/pkg/modules/cloudintegration/implcloudintegration/handler.go
+++ b/pkg/modules/cloudintegration/implcloudintegration/handler.go
@@ -0,0 +1,58 @@
+package implcloudintegration
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
+)
+
+type handler struct{}
+
+func NewHandler() cloudintegration.Handler {
+	return &handler{}
+}
+
+func (h handler) GetConnectionArtifact(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) ListAccounts(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) GetAccount(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) UpdateAccount(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) DisconnectAccount(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) ListServicesMetadata(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) GetService(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) UpdateService(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
+
+func (h handler) AgentCheckIn(writer http.ResponseWriter, request *http.Request) {
+	// TODO implement me
+	panic("implement me")
+}
--- a/pkg/modules/cloudintegration/implcloudintegration/store.go
+++ b/pkg/modules/cloudintegration/implcloudintegration/store.go
@@ -0,0 +1,174 @@
+package implcloudintegration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/cloudintegrationtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type store struct {
+	store sqlstore.SQLStore
+}
+
+func NewStore(sqlStore sqlstore.SQLStore) cloudintegrationtypes.Store {
+	return &store{store: sqlStore}
+}
+
+func (store *store) GetAccountByID(ctx context.Context, orgID, id valuer.UUID, provider cloudintegrationtypes.CloudProviderType) (*cloudintegrationtypes.StorableCloudIntegration, error) {
+	account := new(cloudintegrationtypes.StorableCloudIntegration)
+	err := store.
+		store.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(account).
+		Where("id = ?", id).
+		Where("org_id = ?", orgID).
+		Where("provider = ?", provider).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.store.WrapNotFoundErrf(err, cloudintegrationtypes.ErrCodeCloudIntegrationNotFound, "cloud integration account with id %s not found", id)
+	}
+	return account, nil
+}
+
+func (store *store) ListConnectedAccounts(ctx context.Context, orgID valuer.UUID, provider cloudintegrationtypes.CloudProviderType) ([]*cloudintegrationtypes.StorableCloudIntegration, error) {
+	var accounts []*cloudintegrationtypes.StorableCloudIntegration
+	err := store.
+		store.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&accounts).
+		Where("org_id = ?", orgID).
+		Where("provider = ?", provider).
+		Where("removed_at IS NULL").
+		Where("account_id IS NOT NULL").
+		Where("last_agent_report IS NOT NULL").
+		Order("created_at ASC").
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return accounts, nil
+}
+
+func (store *store) CreateAccount(ctx context.Context, account *cloudintegrationtypes.StorableCloudIntegration) error {
+	_, err := store.
+		store.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(account).
+		Exec(ctx)
+	if err != nil {
+		return store.store.WrapAlreadyExistsErrf(err, cloudintegrationtypes.ErrCodeCloudIntegrationAlreadyExists, "cloud integration account with id %s already exists", account.ID)
+	}
+
+	return nil
+}
+
+func (store *store) UpdateAccount(ctx context.Context, account *cloudintegrationtypes.StorableCloudIntegration) error {
+	_, err := store.
+		store.
+		BunDBCtx(ctx).
+		NewUpdate().
+		Model(account).
+		WherePK().
+		Where("org_id = ?", account.OrgID).
+		Where("provider = ?", account.Provider).
+		Exec(ctx)
+
+	return err
+}
+
+func (store *store) RemoveAccount(ctx context.Context, orgID, id valuer.UUID, provider cloudintegrationtypes.CloudProviderType) error {
+	_, err := store.
+		store.
+		BunDBCtx(ctx).
+		NewUpdate().
+		Model(new(cloudintegrationtypes.StorableCloudIntegration)).
+		Set("removed_at = ?", time.Now()).
+		Where("id = ?", id).
+		Where("org_id = ?", orgID).
+		Where("provider = ?", provider).
+		Exec(ctx)
+	return err
+}
+
+func (store *store) GetConnectedAccount(ctx context.Context, orgID valuer.UUID, provider cloudintegrationtypes.CloudProviderType, providerAccountID string) (*cloudintegrationtypes.StorableCloudIntegration, error) {
+	account := new(cloudintegrationtypes.StorableCloudIntegration)
+	err := store.
+		store.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(account).
+		Where("org_id = ?", orgID).
+		Where("provider = ?", provider).
+		Where("account_id = ?", providerAccountID).
+		Where("last_agent_report IS NOT NULL").
+		Where("removed_at IS NULL").
+		Scan(ctx)
+	if err != nil {
+		return nil, store.store.WrapNotFoundErrf(err, cloudintegrationtypes.ErrCodeCloudIntegrationNotFound, "connected account with provider account id %s not found", providerAccountID)
+	}
+	return account, nil
+}
+
+func (store *store) GetServiceByServiceID(ctx context.Context, cloudIntegrationID valuer.UUID, serviceID cloudintegrationtypes.ServiceID) (*cloudintegrationtypes.StorableCloudIntegrationService, error) {
+	service := new(cloudintegrationtypes.StorableCloudIntegrationService)
+	err := store.
+		store.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(service).
+		Where("cloud_integration_id = ?", cloudIntegrationID).
+		Where("type = ?", serviceID).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.store.WrapNotFoundErrf(err, cloudintegrationtypes.ErrCodeCloudIntegrationServiceNotFound, "cloud integration service with id %s not found", serviceID)
+	}
+	return service, nil
+}
+
+func (store *store) ListServices(ctx context.Context, cloudIntegrationID valuer.UUID) ([]*cloudintegrationtypes.StorableCloudIntegrationService, error) {
+	var services []*cloudintegrationtypes.StorableCloudIntegrationService
+	err := store.
+		store.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&services).
+		Where("cloud_integration_id = ?", cloudIntegrationID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return services, nil
+}
+
+func (store *store) CreateService(ctx context.Context, service *cloudintegrationtypes.StorableCloudIntegrationService) error {
+	_, err := store.
+		store.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(service).
+		Exec(ctx)
+	if err != nil {
+		return store.store.WrapAlreadyExistsErrf(err, cloudintegrationtypes.ErrCodeCloudIntegrationServiceAlreadyExists, "cloud integration service with id %s already exists for integration account", service.Type)
+	}
+
+	return nil
+}
+
+func (store *store) UpdateService(ctx context.Context, service *cloudintegrationtypes.StorableCloudIntegrationService) error {
+	_, err := store.
+		store.
+		BunDBCtx(ctx).
+		NewUpdate().
+		Model(service).
+		WherePK().
+		Where("cloud_integration_id = ?", service.CloudIntegrationID).
+		Where("type = ?", service.Type).
+		Exec(ctx)
+	return err
+}
--- a/pkg/modules/session/implsession/module.go
+++ b/pkg/modules/session/implsession/module.go
@@ -24,18 +24,18 @@ import (
 type module struct {
 	settings   factory.ScopedProviderSettings
 	authNs     map[authtypes.AuthNProvider]authn.AuthN
-	user       user.Module
+	userSetter user.Setter
 	userGetter user.Getter
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
 }

-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, userSetter user.Setter, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
-		user:       user,
+		userSetter: userSetter,
 		userGetter: userGetter,
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
@@ -144,22 +144,34 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi

 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
 	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
+	signozManagedRole := authtypes.MustGetSigNozManagedRoleFromExistingRole(role)

-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
+	newUser, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}

-	user, err = module.user.GetOrCreateUser(ctx, user)
+	newUser, err = module.userSetter.GetOrCreateUser(ctx, newUser, user.WithRoleNames([]string{signozManagedRole}))
 	if err != nil {
 		return "", err
 	}

-	if err := user.ErrIfRoot(); err != nil {
+	if err := newUser.ErrIfRoot(); err != nil {
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}

-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), map[string]string{})
+	userRoles, err := module.userGetter.GetUserRoles(ctx, newUser.ID)
+	if err != nil {
+		return "", err
+	}
+
+	if len(userRoles) == 0 {
+		return "", errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	finalRole := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(newUser.ID, newUser.OrgID, newUser.Email, finalRole, authtypes.IdentNProviderTokenizer), map[string]string{})
 	if err != nil {
 		return "", err
 	}
--- a/pkg/modules/user/impluser/getter.go
+++ b/pkg/modules/user/impluser/getter.go
@@ -4,27 +4,40 @@ import (
 	"context"
 	"slices"

+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

 type getter struct {
-	store   types.UserStore
-	flagger flagger.Flagger
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	flagger       flagger.Flagger
 }

-func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
-	return &getter{store: store, flagger: flagger}
+func NewGetter(store types.UserStore, userRoleStore authtypes.UserRoleStore, flagger flagger.Flagger) user.Getter {
+	return &getter{store: store, userRoleStore: userRoleStore, flagger: flagger}
 }

-func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	return module.store.GetRootUserByOrgID(ctx, orgID)
+func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, []*authtypes.UserRole, error) {
+	rootUser, err := module.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	userRoles, err := module.userRoleStore.GetUserRolesByUserID(ctx, rootUser.ID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return rootUser, userRoles, nil
 }

-func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.DeprecatedUser, error) {
 	users, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
@@ -38,43 +51,81 @@ func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*ty
 		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
 	}

-	return users, nil
-}
+	userIDs := make([]valuer.UUID, len(users))
+	for idx, user := range users {
+		userIDs[idx] = user.ID
+	}

-func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	users, err := module.store.GetUsersByEmail(ctx, email)
+	userRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
 	if err != nil {
 		return nil, err
 	}

-	return users, nil
+	// Build userID → role name mapping directly from the joined Role
+	userIDToRoleNames := make(map[valuer.UUID][]string)
+	for _, ur := range userRoles {
+		if ur.Role != nil {
+			userIDToRoleNames[ur.UserID] = append(userIDToRoleNames[ur.UserID], ur.Role.Name)
+		}
+	}
+
+	deprecatedUsers := make([]*types.DeprecatedUser, 0, len(users))
+	for _, user := range users {
+		roleNames := userIDToRoleNames[user.ID]
+
+		if len(roleNames) == 0 {
+			return nil, errors.Newf(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found for user: %s", user.ID.String())
+		}
+
+		role := authtypes.SigNozManagedRoleToExistingLegacyRole[roleNames[0]]
+		deprecatedUsers = append(deprecatedUsers, types.NewDeprecatedUserFromUserAndRole(user, role))
+	}
+
+	return deprecatedUsers, nil
 }

-func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
+func (module *getter) GetDeprecatedUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
 	if err != nil {
 		return nil, err
 	}

-	return user, nil
+	userRoles, err := module.GetUserRoles(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
 }

-func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
+func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetUser(ctx, id)
 	if err != nil {
 		return nil, err
 	}

-	return user, nil
-}
-
-func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	userRoles, err := module.GetUserRoles(ctx, id)
 	if err != nil {
 		return nil, err
 	}

-	return users, nil
+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
+}
+
+func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
+	return module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 }

 func (module *getter) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
@@ -103,3 +154,31 @@ func (module *getter) GetFactorPasswordByUserID(ctx context.Context, userID valu

 	return factorPassword, nil
 }
+
+// this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
+func (module *getter) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
+	existingUsers, err := module.store.GetNonDeletedUsersByEmailAndOrgID(ctx, email, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(existingUsers) > 1 {
+		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
+	}
+
+	if len(existingUsers) == 1 {
+		return existingUsers[0], nil
+	}
+
+	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
+
+}
+
+func (module *getter) GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*authtypes.UserRole, error) {
+	userRoles, err := module.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	return userRoles, nil
+}
--- a/pkg/modules/user/impluser/handler.go
+++ b/pkg/modules/user/impluser/handler.go
@@ -19,12 +19,12 @@ import (
 )

 type handler struct {
-	module root.Module
+	setter root.Setter
 	getter root.Getter
 }

-func NewHandler(module root.Module, getter root.Getter) root.Handler {
-	return &handler{module: module, getter: getter}
+func NewHandler(setter root.Setter, getter root.Getter) root.Handler {
+	return &handler{setter: setter, getter: getter}
 }

 func (h *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
@@ -43,7 +43,7 @@ func (h *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	invites, err := h.module.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &types.PostableBulkInviteRequest{
+	invites, err := h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &types.PostableBulkInviteRequest{
 		Invites: []types.PostableInvite{req},
 	})
 	if err != nil {
@@ -76,7 +76,7 @@ func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	_, err = h.module.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &req)
+	_, err = h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &req)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -97,7 +97,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -116,7 +116,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -156,13 +156,13 @@ func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	var user types.User
+	user := types.DeprecatedUser{User: &types.User{}}
 	if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
 		render.Error(w, err)
 		return
 	}

-	updatedUser, err := h.module.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
+	updatedUser, err := h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -183,7 +183,7 @@ func (h *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.module.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.UserID); err != nil {
+	if err := h.setter.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.UserID); err != nil {
 		render.Error(w, err)
 		return
 	}
@@ -203,13 +203,13 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}

-	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := handler.getter.GetDeprecatedUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
 	}

-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := handler.setter.GetOrCreateResetPasswordToken(ctx, user.ID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -228,7 +228,7 @@ func (handler *handler) ResetPassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err := handler.module.UpdatePasswordByResetPasswordToken(ctx, req.Token, req.Password)
+	err := handler.setter.UpdatePasswordByResetPasswordToken(ctx, req.Token, req.Password)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -247,7 +247,7 @@ func (handler *handler) ChangePassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err := handler.module.UpdatePassword(ctx, req.UserID, req.OldPassword, req.NewPassword)
+	err := handler.setter.UpdatePassword(ctx, req.UserID, req.OldPassword, req.NewPassword)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -266,7 +266,7 @@ func (h *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err := h.module.ForgotPassword(ctx, req.OrgID, req.Email, req.FrontendBaseURL)
+	err := h.setter.ForgotPassword(ctx, req.OrgID, req.Email, req.FrontendBaseURL)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -302,13 +302,13 @@ func (h *handler) CreateAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err = h.module.CreateAPIKey(ctx, apiKey)
+	err = h.setter.CreateAPIKey(ctx, apiKey)
 	if err != nil {
 		render.Error(w, err)
 		return
 	}

-	createdApiKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), apiKey.ID)
+	createdApiKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), apiKey.ID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -328,7 +328,7 @@ func (h *handler) ListAPIKeys(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	apiKeys, err := h.module.ListAPIKeys(ctx, valuer.MustNewUUID(claims.OrgID))
+	apiKeys, err := h.setter.ListAPIKeys(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -373,7 +373,7 @@ func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
 	}

 	//get the API Key
-	existingAPIKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	existingAPIKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -391,7 +391,7 @@ func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err = h.module.UpdateAPIKey(ctx, id, &req, valuer.MustNewUUID(claims.UserID))
+	err = h.setter.UpdateAPIKey(ctx, id, &req, valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -418,7 +418,7 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
 	}

 	//get the API Key
-	existingAPIKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	existingAPIKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -436,7 +436,7 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.module.RevokeAPIKey(ctx, id, valuer.MustNewUUID(claims.UserID)); err != nil {
+	if err := h.setter.RevokeAPIKey(ctx, id, valuer.MustNewUUID(claims.UserID)); err != nil {
 		render.Error(w, err)
 		return
 	}
--- a/pkg/modules/user/impluser/service.go
+++ b/pkg/modules/user/impluser/service.go
@@ -17,7 +17,8 @@ import (
 type service struct {
 	settings  factory.ScopedProviderSettings
 	store     types.UserStore
-	module    user.Module
+	getter    user.Getter
+	setter    user.Setter
 	orgGetter organization.Getter
 	authz     authz.AuthZ
 	config    user.RootConfig
@@ -27,7 +28,8 @@ type service struct {
 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
-	module user.Module,
+	getter user.Getter,
+	setter user.Setter,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
@@ -35,7 +37,8 @@ func NewService(
 	return &service{
 		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
 		store:     store,
-		module:    module,
+		getter:    getter,
+		setter:    setter,
 		orgGetter: orgGetter,
 		authz:     authz,
 		config:    config,
@@ -85,12 +88,12 @@ func (s *service) reconcile(ctx context.Context) error {

 		if s.config.Org.ID.IsZero() {
 			newOrg := types.NewOrganization(s.config.Org.Name, s.config.Org.Name)
-			_, err := s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
+			_, err := s.setter.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
 			return err
 		}

 		newOrg := types.NewOrganizationWithID(s.config.Org.ID, s.config.Org.Name, s.config.Org.Name)
-		_, err = s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
+		_, err = s.setter.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
 		return err
 	}

@@ -103,44 +106,72 @@ func (s *service) reconcile(ctx context.Context) error {
 }

 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	existingStorableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}

-	if existingRoot == nil {
+	if existingStorableRoot == nil {
 		return s.createOrPromoteRootUser(ctx, orgID)
 	}

-	return s.updateExistingRootUser(ctx, orgID, existingRoot)
+	return s.updateExistingRootUser(ctx, orgID, existingStorableRoot)
 }

 func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingUser, err := s.module.GetNonDeletedUserByEmailAndOrgID(ctx, s.config.Email, orgID)
+	existingUser, err := s.getter.GetNonDeletedUserByEmailAndOrgID(ctx, s.config.Email, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}

 	if existingUser != nil {
-		oldRole := existingUser.Role
-
-		existingUser.PromoteToRoot()
-		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+		userRoles, err := s.getter.GetUserRoles(ctx, existingUser.ID)
+		if err != nil {
 			return err
 		}

-		if oldRole != types.RoleAdmin {
-			if err := s.authz.ModifyGrant(ctx,
-				orgID,
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
-				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		existingUserRoleNames := make([]string, len(userRoles))
+		for idx, userRole := range userRoles {
+			existingUserRoleNames[idx] = userRole.Role.Name
+		}
+
+		// idempotent - safe to retry can't put this in a txn
+		if err := s.authz.ModifyGrant(ctx,
+			orgID,
+			existingUserRoleNames,
+			[]string{authtypes.SigNozAdminRoleName},
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		); err != nil {
+			return err
+		}
+
+		existingUser.PromoteToRoot()
+
+		err = s.store.RunInTx(ctx, func(ctx context.Context) error {
+			// update users table
+			deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingUser, types.RoleAdmin)
+			if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
+				return err
+			}
+
+			// update user_role entries
+			if err := s.setter.UpdateUserRoles(
+				ctx,
+				existingUser.OrgID,
+				existingUser.ID,
+				[]string{authtypes.SigNozAdminRoleName},
 			); err != nil {
 				return err
 			}
+
+			// set password
+			return s.setPassword(ctx, existingUser.ID)
+		})
+		if err != nil {
+			return err
 		}

-		return s.setPassword(ctx, existingUser.ID)
+		return nil
 	}

 	// Create new root user
@@ -154,7 +185,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}

-	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
+	return s.setter.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword), user.WithRoleNames([]string{authtypes.SigNozAdminRoleName}))
 }

 func (s *service) updateExistingRootUser(ctx context.Context, orgID valuer.UUID, existingRoot *types.User) error {
@@ -162,7 +193,8 @@ func (s *service) updateExistingRootUser(ctx context.Context, orgID valuer.UUID,

 	if existingRoot.Email != s.config.Email {
 		existingRoot.UpdateEmail(s.config.Email)
-		if err := s.module.UpdateAnyUser(ctx, orgID, existingRoot); err != nil {
+		deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingRoot, types.RoleAdmin)
+		if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
 			return err
 		}
 	}
--- a/pkg/modules/user/impluser/setter.go
+++ b/pkg/modules/user/impluser/setter.go
@@ -25,35 +25,39 @@ import (
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

-type Module struct {
-	store     types.UserStore
-	tokenizer tokenizer.Tokenizer
-	emailing  emailing.Emailing
-	settings  factory.ScopedProviderSettings
-	orgSetter organization.Setter
-	authz     authz.AuthZ
-	analytics analytics.Analytics
-	config    user.Config
+type setter struct {
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	tokenizer     tokenizer.Tokenizer
+	emailing      emailing.Emailing
+	settings      factory.ScopedProviderSettings
+	orgSetter     organization.Setter
+	authz         authz.AuthZ
+	analytics     analytics.Analytics
+	config        user.Config
+	getter        root.Getter
 }

 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
+func NewSetter(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config, userRoleStore authtypes.UserRoleStore, getter root.Getter) root.Setter {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
-	return &Module{
-		store:     store,
-		tokenizer: tokenizer,
-		emailing:  emailing,
-		settings:  settings,
-		orgSetter: orgSetter,
-		analytics: analytics,
-		authz:     authz,
-		config:    config,
+	return &setter{
+		store:         store,
+		userRoleStore: userRoleStore,
+		tokenizer:     tokenizer,
+		emailing:      emailing,
+		settings:      settings,
+		orgSetter:     orgSetter,
+		analytics:     analytics,
+		authz:         authz,
+		config:        config,
+		getter:        getter,
 	}
 }

 // CreateBulk implements invite.Module.
-func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error) {
-	creator, err := m.store.GetUser(ctx, userID)
+func (module *setter) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error) {
+	creator, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -63,7 +67,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, invite := range bulkInvites.Invites {
 		emails[idx] = invite.Email.StringValue()
 	}
-	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+	users, err := module.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}
@@ -83,39 +87,36 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	type userWithResetToken struct {
 		User               *types.User
 		ResetPasswordToken *types.ResetPasswordToken
+		Role               types.Role
 	}

 	newUsersWithResetToken := make([]*userWithResetToken, len(bulkInvites.Invites))

-	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
+	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			role, err := types.NewRole(invite.Role.String())
-			if err != nil {
-				return err
-			}
-
 			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			newUser, err := types.NewUser(invite.Name, invite.Email, orgID, types.UserStatusPendingInvite)
 			if err != nil {
 				return err
 			}

 			// store the user and password in db
-			err = m.createUserWithoutGrant(ctx, newUser)
+			err = module.createUserWithoutGrant(ctx, newUser, root.WithRoleNames([]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(invite.Role)}))
 			if err != nil {
 				return err
 			}

 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			resetPasswordToken, err := module.GetOrCreateResetPasswordToken(ctx, newUser.ID)
 			if err != nil {
-				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", errors.Attr(err))
+				module.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", errors.Attr(err))
 				return err
 			}

 			newUsersWithResetToken[idx] = &userWithResetToken{
 				User:               newUser,
 				ResetPasswordToken: resetPasswordToken,
+				Role:               invite.Role,
 			}
 		}
 		return nil
@@ -127,9 +128,9 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 	// send password reset emails to all the invited users
 	for idx, userWithToken := range newUsersWithResetToken {
-		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
+		module.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_role":  userWithToken.User.Role,
+			"invitee_role":  userWithToken.Role,
 		})

 		invite := &types.Invite{
@@ -139,7 +140,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Name:  userWithToken.User.DisplayName,
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
-			Role:  userWithToken.User.Role,
+			Role:  userWithToken.Role,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -151,38 +152,45 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 		frontendBaseUrl := bulkInvites.Invites[idx].FrontendBaseUrl
 		if frontendBaseUrl == "" {
-			m.settings.Logger().InfoContext(ctx, "frontend base url is not provided, skipping email", slog.Any("invitee_email", userWithToken.User.Email))
+			module.settings.Logger().InfoContext(ctx, "frontend base url is not provided, skipping email", slog.Any("invitee_email", userWithToken.User.Email))
 			continue
 		}

 		resetLink := userWithToken.ResetPasswordToken.FactorPasswordResetLink(frontendBaseUrl)

-		tokenLifetime := m.config.Password.Invite.MaxTokenLifetime
+		tokenLifetime := module.config.Password.Invite.MaxTokenLifetime
 		humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))

-		if err := m.emailing.SendHTML(ctx, userWithToken.User.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
+		if err := module.emailing.SendHTML(ctx, userWithToken.User.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
 			"inviter_email": creator.Email,
 			"link":          resetLink,
 			"Expiry":        humanizedTokenLifetime,
 		}); err != nil {
-			m.settings.Logger().ErrorContext(ctx, "failed to send invite email", errors.Attr(err))
+			module.settings.Logger().ErrorContext(ctx, "failed to send invite email", errors.Attr(err))
 		}
 	}

 	return invites, nil
 }

-func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
+func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)

 	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
-	if err != nil {
-		return err
+	if len(createUserOpts.RoleNames) > 0 {
+		err := module.authz.Grant(
+			ctx,
+			user.OrgID,
+			createUserOpts.RoleNames,
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
+		)
+		if err != nil {
+			return err
+		}
 	}

 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, user); err != nil {
 			return err
 		}

@@ -192,20 +200,28 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 			}
 		}

+		// create user_role entries
+		if len(createUserOpts.RoleNames) > 0 {
+			err := module.createUserRoleEntries(ctx, user.OrgID, user.ID, createUserOpts.RoleNames)
+			if err != nil {
+				return err
+			}
+		}
+
 		return nil
 	}); err != nil {
 		return err
 	}

-	traitsOrProperties := types.NewTraitsFromUser(input)
-	module.analytics.IdentifyUser(ctx, input.OrgID.String(), input.ID.String(), traitsOrProperties)
-	module.analytics.TrackUser(ctx, input.OrgID.String(), input.ID.String(), "User Created", traitsOrProperties)
+	traitsOrProperties := types.NewTraitsFromUser(user)
+	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traitsOrProperties)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Created", traitsOrProperties)

 	return nil
 }

-func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
+func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
+	existingUser, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -218,29 +234,24 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
 	}

-	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
+	requestor, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}

-	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	roleChange := user.Role != "" && user.Role != existingUser.Role
+
+	if roleChange && requestor.Role != types.RoleAdmin {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}

-	// Make sure that the request is not demoting the last admin user.
-	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
-		if err != nil {
-			return nil, err
-		}
-
-		if len(adminUsers) == 1 {
-			return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot demote the last admin")
-		}
+	// make sure the user is not demoting self from admin
+	if roleChange && existingUser.ID == requestor.ID && existingUser.Role == types.RoleAdmin && user.Role != types.RoleAdmin {
+		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot change self role")
 	}

-	if user.Role != "" && user.Role != existingUser.Role {
-		err = m.authz.ModifyGrant(ctx,
+	if roleChange {
+		err = module.authz.ModifyGrant(ctx,
 			orgID,
 			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
 			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
@@ -252,19 +263,41 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 	}

 	existingUser.Update(user.DisplayName, user.Role)
-	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+
+	// update the user - idempotent (this does analytics too so keeping it outside txn)
+	if err := module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+		return nil, err
+	}
+
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if roleChange {
+			// delete old role entries and create new ones
+			if err := module.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			// create new ones
+			if err := module.createUserRoleEntries(ctx, existingUser.OrgID, existingUser.ID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
 		return nil, err
 	}

 	return existingUser, nil
 }

-func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+func (module *setter) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error {
+	user := types.NewUserFromDeprecatedUser(deprecateUser)
 	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
 		return err
 	}

-	traits := types.NewTraitsFromUser(user)
+	traits := types.NewTraitsFromDeprecatedUser(deprecateUser)
 	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traits)
 	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Updated", traits)

@@ -275,7 +308,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 	return nil
 }

-func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
+func (module *setter) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
 	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
@@ -293,18 +326,29 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "integration user cannot be deleted")
 	}

-	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	deleter, err := module.store.GetUser(ctx, valuer.MustNewUUID(deletedBy))
 	if err != nil {
 		return err
 	}

-	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
-		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
+	if deleter.ID == user.ID {
+		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot self delete")
 	}

+	userRoles, err := module.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		return err
+	}
+
+	roleNames := roleNamesFromUserRoles(userRoles)
+
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(
+		ctx,
+		orgID,
+		roleNames,
+		authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
+	)
 	if err != nil {
 		return err
 	}
@@ -321,7 +365,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }

-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+func (module *setter) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
 	user, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return nil, err
@@ -388,12 +432,12 @@ func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID
 	return resetPasswordToken, nil
 }

-func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error {
+func (module *setter) ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error {
 	if !module.config.Password.Reset.AllowSelf {
 		return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "Users are not allowed to reset their password themselves, please contact an admin to reset your password.")
 	}

-	user, err := module.GetNonDeletedUserByEmailAndOrgID(ctx, email, orgID)
+	user, err := module.getter.GetNonDeletedUserByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		if errors.Ast(err, errors.TypeNotFound) {
 			return nil // for security reasons
@@ -436,7 +480,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 	return nil
 }

-func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, token string, passwd string) error {
+func (module *setter) UpdatePasswordByResetPasswordToken(ctx context.Context, token string, passwd string) error {
 	resetPasswordToken, err := module.store.GetResetPasswordToken(ctx, token)
 	if err != nil {
 		return err
@@ -469,16 +513,26 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}

+	userRoles, err := module.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		return err
+	}
+
+	roleNames := roleNamesFromUserRoles(userRoles)
+
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			roleNames,
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
 		}
+
+		traitsOrProperties := types.NewTraitsFromUser(user)
+		module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Activated", traitsOrProperties)
 	}

 	return module.store.RunInTx(ctx, func(ctx context.Context) error {
@@ -503,7 +557,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 	})
 }

-func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
+func (module *setter) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
 	user, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
@@ -547,8 +601,10 @@ func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, ol
 	return module.tokenizer.DeleteTokensByUserID(ctx, userID)
 }

-func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opts ...root.CreateUserOption) (*types.User, error) {
-	existingUser, err := module.GetNonDeletedUserByEmailAndOrgID(ctx, user.Email, user.OrgID)
+func (module *setter) GetOrCreateUser(ctx context.Context, user *types.User, opts ...root.CreateUserOption) (*types.User, error) {
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
+	existingUser, err := module.getter.GetNonDeletedUserByEmailAndOrgID(ctx, user.Email, user.OrgID)
 	if err != nil {
 		if !errors.Ast(err, errors.TypeNotFound) {
 			return nil, err
@@ -556,12 +612,8 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	}

 	if existingUser != nil {
-		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
-			// respect the role coming from the SSO
-			existingUser.Update("", user.Role)
-			// activate the user
-			if err = module.activatePendingUser(ctx, existingUser); err != nil {
+			if err = module.activatePendingUser(ctx, existingUser, root.WithRoleNames(createUserOpts.RoleNames)); err != nil {
 				return nil, err
 			}
 		}
@@ -569,35 +621,34 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 		return existingUser, nil
 	}

-	err = module.CreateUser(ctx, user, opts...)
-	if err != nil {
+	if err := module.CreateUser(ctx, user, opts...); err != nil {
 		return nil, err
 	}

 	return user, nil
 }

-func (m *Module) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
-	return m.store.CreateAPIKey(ctx, apiKey)
+func (module *setter) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
+	return module.store.CreateAPIKey(ctx, apiKey)
 }

-func (m *Module) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
-	return m.store.UpdateAPIKey(ctx, id, apiKey, updaterID)
+func (module *setter) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
+	return module.store.UpdateAPIKey(ctx, id, apiKey, updaterID)
 }

-func (m *Module) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
-	return m.store.ListAPIKeys(ctx, orgID)
+func (module *setter) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
+	return module.store.ListAPIKeys(ctx, orgID)
 }

-func (m *Module) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
-	return m.store.GetAPIKey(ctx, orgID, id)
+func (module *setter) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
+	return module.store.GetAPIKey(ctx, orgID, id)
 }

-func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error {
-	return m.store.RevokeAPIKey(ctx, id, removedByUserID)
+func (module *setter) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error {
+	return module.store.RevokeAPIKey(ctx, id, removedByUserID)
 }

-func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
+func (module *setter) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
 	user, err := types.NewRootUser(name, email, organization.ID)
 	if err != nil {
 		return nil, err
@@ -614,6 +665,8 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 		return nil, err
 	}

+	roleNames := []string{authtypes.SigNozAdminRoleName}
+
 	if err = module.store.RunInTx(ctx, func(ctx context.Context) error {
 		err = module.orgSetter.Create(ctx, organization, func(ctx context.Context, orgID valuer.UUID) error {
 			err = module.authz.CreateManagedRoles(ctx, orgID, managedRoles)
@@ -627,7 +680,7 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 			return err
 		}

-		err = module.createUserWithoutGrant(ctx, user, root.WithFactorPassword(password))
+		err = module.CreateUser(ctx, user, root.WithFactorPassword(password), root.WithRoleNames(roleNames))
 		if err != nil {
 			return err
 		}
@@ -640,7 +693,7 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 	return user, nil
 }

-func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
+func (module *setter) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
 	stats := make(map[string]any)
 	counts, err := module.store.CountByOrgIDAndStatuses(ctx, orgID, []string{types.UserStatusActive.StringValue(), types.UserStatusDeleted.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err == nil {
@@ -658,32 +711,10 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 	return stats, nil
 }

-// this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
-func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	// filter out the deleted users
-	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
-
-	if len(existingUsers) > 1 {
-		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
-	}
-
-	if len(existingUsers) == 1 {
-		return existingUsers[0], nil
-	}
-
-	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
-
-}
-
-func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
+func (module *setter) createUserWithoutGrant(ctx context.Context, user *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, user); err != nil {
 			return err
 		}

@@ -693,36 +724,99 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 			}
 		}

+		// create user_role entries
+		if len(createUserOpts.RoleNames) > 0 {
+			err := module.createUserRoleEntries(ctx, user.OrgID, user.ID, createUserOpts.RoleNames)
+			if err != nil {
+				return err
+			}
+		}
+
 		return nil
 	}); err != nil {
 		return err
 	}

-	traitsOrProperties := types.NewTraitsFromUser(input)
-	module.analytics.IdentifyUser(ctx, input.OrgID.String(), input.ID.String(), traitsOrProperties)
-	module.analytics.TrackUser(ctx, input.OrgID.String(), input.ID.String(), "User Created", traitsOrProperties)
+	traitsOrProperties := types.NewTraitsFromUser(user)
+	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traitsOrProperties)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Created", traitsOrProperties)

 	return nil
 }

-func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
-	err := module.authz.Grant(
-		ctx,
-		user.OrgID,
-		[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
-	)
+func (module *setter) createUserRoleEntries(ctx context.Context, orgID, userId valuer.UUID, roleNames []string) error {
+	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, roleNames)
 	if err != nil {
 		return err
 	}

+	userRoles := authtypes.NewUserRoles(userId, roles)
+	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
+}
+
+func (module *setter) activatePendingUser(ctx context.Context, user *types.User, opts ...root.CreateUserOption) error {
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
+	if len(createUserOpts.RoleNames) > 0 {
+		err := module.authz.Grant(
+			ctx,
+			user.OrgID,
+			createUserOpts.RoleNames,
+			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
+		)
+		if err != nil {
+			return err
+		}
+	}
+
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, user)
+
+	err := module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+			return err
+		}
+
+		if len(createUserOpts.RoleNames) > 0 {
+			// delete old user_role entries and create new ones from SSO
+			if err := module.userRoleStore.DeleteUserRoles(ctx, user.ID); err != nil {
+				return err
+			}
+
+			return module.createUserRoleEntries(ctx, user.OrgID, user.ID, createUserOpts.RoleNames)
+		}
+
+		return nil
+	})
 	if err != nil {
 		return err
 	}

+	traitsOrProperties := types.NewTraitsFromUser(user)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Activated", traitsOrProperties)
+
 	return nil
 }
+
+func (module *setter) UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error {
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		// delete old user_role entries and create new ones from SSO
+		if err := module.userRoleStore.DeleteUserRoles(ctx, userID); err != nil {
+			return err
+		}
+
+		// create fresh ones
+		return module.createUserRoleEntries(ctx, orgID, userID, finalRoleNames)
+	})
+}
+
+func roleNamesFromUserRoles(userRoles []*authtypes.UserRole) []string {
+	names := make([]string, 0, len(userRoles))
+	for _, ur := range userRoles {
+		if ur.Role != nil {
+			names = append(names, ur.Role.Name)
+		}
+	}
+	return names
+}
--- a/pkg/modules/user/impluser/store.go
+++ b/pkg/modules/user/impluser/store.go
@@ -52,23 +52,6 @@ func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	return nil
 }

-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("email = ?", email).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
 func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
 	user := new(types.User)

@@ -104,7 +87,7 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }

-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
+func (store *store) GetNonDeletedUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
 	var users []*types.User

 	err := store.
@@ -114,25 +97,7 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 		Model(&users).
 		Where("org_id = ?", orgID).
 		Where("email = ?", email).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("org_id = ?", orgID).
-		Where("role = ?", role).
-		Where("status = ?", types.UserStatusActive.StringValue()).
+		Where("status != ?", types.UserStatusDeleted).
 		Scan(ctx)
 	if err != nil {
 		return nil, err
@@ -149,7 +114,6 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 		Model(user).
 		Column("display_name").
 		Column("email").
-		Column("role").
 		Column("is_root").
 		Column("updated_at").
 		Column("status").
@@ -162,7 +126,7 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }

-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
 	users := []*types.User{}

 	err := store.
--- a/pkg/modules/user/impluser/user_role_store.go
+++ b/pkg/modules/user/impluser/user_role_store.go
@@ -0,0 +1,83 @@
+package impluser
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type userRoleStore struct {
+	sqlstore sqlstore.SQLStore
+	settings factory.ProviderSettings
+}
+
+func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
+	return &userRoleStore{sqlstore: sqlstore, settings: settings}
+}
+
+func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.UserRole, error) {
+	userRoles := make([]*authtypes.UserRole, 0)
+
+	err := store.sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&userRoles).
+		Join("JOIN users").
+		JoinOn("users.id = user_role.user_id").
+		Where("users.org_id = ?", orgID).
+		Where("users.id IN (?)", bun.In(userIDs)).
+		Relation("Role").
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return userRoles, nil
+}
+
+func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.UserRole) error {
+	_, err := store.sqlstore.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(&userRoles).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for user")
+	}
+	return nil
+}
+
+func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(authtypes.UserRole)).
+		Where("user_id = ?", userID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.UserRole, error) {
+	userRoles := make([]*authtypes.UserRole, 0)
+
+	err := store.sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&userRoles).
+		Where("user_id = ?", userID).
+		Relation("Role").
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return userRoles, nil
+}
--- a/pkg/modules/user/option.go
+++ b/pkg/modules/user/option.go
@@ -7,6 +7,7 @@ import (

 type createUserOptions struct {
 	FactorPassword *types.FactorPassword
+	RoleNames      []string
 }

 type CreateUserOption func(*createUserOptions)
@@ -17,9 +18,16 @@ func WithFactorPassword(factorPassword *types.FactorPassword) CreateUserOption {
 	}
 }

+func WithRoleNames(roleNames []string) CreateUserOption {
+	return func(o *createUserOptions) {
+		o.RoleNames = roleNames
+	}
+}
+
 func NewCreateUserOptions(opts ...CreateUserOption) *createUserOptions {
 	o := &createUserOptions{
 		FactorPassword: nil,
+		RoleNames:      nil,
 	}

 	for _, opt := range opts {
--- a/pkg/modules/user/user.go
+++ b/pkg/modules/user/user.go
@@ -6,10 +6,11 @@ import (

 	"github.com/SigNoz/signoz/pkg/statsreporter"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

-type Module interface {
+type Setter interface {
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)

@@ -33,10 +34,10 @@ type Module interface {
 	// Initiate forgot password flow for a user
 	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error

-	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error)
+	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)

 	// UpdateAnyUser updates a user and persists the changes to the database along with the analytics and identity deletion.
-	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error
+	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.DeprecatedUser) error
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error

 	// invite
@@ -49,26 +50,24 @@ type Module interface {
 	RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error
 	GetAPIKey(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableAPIKeyUser, error)

-	GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error)
+	// Roles
+	UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error

 	statsreporter.StatsCollector
 }

 type Getter interface {
 	// Get root user by org id.
-	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
+	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, []*authtypes.UserRole, error)

 	// Get gets the users based on the given id
-	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)
+	ListByOrgID(context.Context, valuer.UUID) ([]*types.DeprecatedUser, error)

-	// Get users by email.
-	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
-
-	// Get user by orgID and id.
-	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
+	// Get deprecated user object by orgID and id.
+	GetDeprecatedUserByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.DeprecatedUser, error)

 	// Get user by id.
-	Get(context.Context, valuer.UUID) (*types.User, error)
+	Get(context.Context, valuer.UUID) (*types.DeprecatedUser, error)

 	// List users by email and org ids.
 	ListUsersByEmailAndOrgIDs(context.Context, valuer.Email, []valuer.UUID) ([]*types.User, error)
@@ -81,6 +80,12 @@ type Getter interface {

 	// Get factor password by user id.
 	GetFactorPasswordByUserID(context.Context, valuer.UUID) (*types.FactorPassword, error)
+
+	// Gets single Non-Deleted user by email and org id
+	GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error)
+
+	// Gets user_role with roles entries from db
+	GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*authtypes.UserRole, error)
 }

 type Handler interface {
--- a/pkg/query-service/app/http_handler.go
+++ b/pkg/query-service/app/http_handler.go
@@ -2042,7 +2042,7 @@ func (aH *APIHandler) registerUser(w http.ResponseWriter, r *http.Request) {
 	}

 	organization := types.NewOrganization(req.OrgDisplayName, req.OrgName)
-	user, errv2 := aH.Signoz.Modules.User.CreateFirstUser(r.Context(), organization, req.Name, req.Email, req.Password)
+	user, errv2 := aH.Signoz.Modules.UserSetter.CreateFirstUser(r.Context(), organization, req.Name, req.Email, req.Password)
 	if errv2 != nil {
 		render.Error(w, errv2)
 		return
--- a/pkg/query-service/app/logparsingpipeline/controller.go
+++ b/pkg/query-service/app/logparsingpipeline/controller.go
@@ -132,38 +132,32 @@ func (ic *LogParsingPipelineController) ValidatePipelines(ctx context.Context,
 	return err
 }

-func (ic *LogParsingPipelineController) getDefaultPipelines() ([]pipelinetypes.GettablePipeline, error) {
-	defaultPipelines := []pipelinetypes.GettablePipeline{}
-	if querybuilder.BodyJSONQueryEnabled {
-		preprocessingPipeline := pipelinetypes.GettablePipeline{
-			StoreablePipeline: pipelinetypes.StoreablePipeline{
-				Name:    "Default Pipeline - PreProcessing Body",
-				Alias:   "NormalizeBodyDefault",
-				Enabled: true,
-			},
-			Filter: &v3.FilterSet{
-				Items: []v3.FilterItem{
-					{
-						Key: v3.AttributeKey{
-							Key: "body",
-						},
-						Operator: v3.FilterOperatorExists,
-					},
-				},
-			},
-			Config: []pipelinetypes.PipelineOperator{
+func (ic *LogParsingPipelineController) getNormalizePipeline() pipelinetypes.GettablePipeline {
+	return pipelinetypes.GettablePipeline{
+		StoreablePipeline: pipelinetypes.StoreablePipeline{
+			Name:    "Default Pipeline - PreProcessing Body",
+			Alias:   "NormalizeBodyDefault",
+			Enabled: true,
+		},
+		Filter: &v3.FilterSet{
+			Items: []v3.FilterItem{
 				{
-					ID:      uuid.NewString(),
-					Type:    "normalize",
-					Enabled: true,
-					If:      "body != nil",
+					Key: v3.AttributeKey{
+						Key: "body",
+					},
+					Operator: v3.FilterOperatorExists,
 				},
 			},
-		}
-
-		defaultPipelines = append(defaultPipelines, preprocessingPipeline)
+		},
+		Config: []pipelinetypes.PipelineOperator{
+			{
+				ID:      uuid.NewString(),
+				Type:    "normalize",
+				Enabled: true,
+				If:      "body != nil",
+			},
+		},
 	}
-	return defaultPipelines, nil
 }

 // Returns effective list of pipelines including user created
@@ -279,6 +273,17 @@ func (pc *LogParsingPipelineController) AgentFeatureType() agentConf.AgentFeatur
 }

 // Implements agentConf.AgentFeature interface.
+// RecommendAgentConfig generates the collector config to be sent to agents.
+// The normalize pipeline (when BodyJSONQueryEnabled) is injected here, after
+// rawPipelineData is serialized. So it is only present in the config sent to
+// the collector and never persisted to the database as part of the user's pipeline list.
+//
+// NOTE: The configId sent to agents is derived from the pipeline version number
+// (e.g. "LogPipelines:5"), not the YAML content. If server-side logic changes
+// the generated YAML without bumping the version (e.g. toggling BodyJSONQueryEnabled
+// or updating operator IfExpressions), agents that already applied that version will
+// not re-apply the new config. In such cases, users must save a new pipeline version
+// via the API to force agents to pick up the change.
 func (pc *LogParsingPipelineController) RecommendAgentConfig(
 	orgId valuer.UUID,
 	currentConfYaml []byte,
@@ -296,22 +301,20 @@ func (pc *LogParsingPipelineController) RecommendAgentConfig(
 		return nil, "", err
 	}

-	// recommend default pipelines along with user created pipelines
-	defaultPipelines, err := pc.getDefaultPipelines()
+	rawPipelineData, err := json.Marshal(pipelinesResp.Pipelines)
 	if err != nil {
-		return nil, "", model.InternalError(fmt.Errorf("failed to get default pipelines: %w", err))
+		return nil, "", errors.WrapInternalf(err, CodeRawPipelinesMarshalFailed, "could not serialize pipelines to JSON")
+	}
+
+	if querybuilder.BodyJSONQueryEnabled {
+		// add default normalize pipeline at the beginning, only for sending to collector
+		pipelinesResp.Pipelines = append([]pipelinetypes.GettablePipeline{pc.getNormalizePipeline()}, pipelinesResp.Pipelines...)
 	}
-	pipelinesResp.Pipelines = append(pipelinesResp.Pipelines, defaultPipelines...)

 	updatedConf, err := GenerateCollectorConfigWithPipelines(currentConfYaml, pipelinesResp.Pipelines)
 	if err != nil {
 		return nil, "", err
 	}

-	rawPipelineData, err := json.Marshal(pipelinesResp.Pipelines)
-	if err != nil {
-		return nil, "", errors.WrapInternalf(err, CodeRawPipelinesMarshalFailed, "could not serialize pipelines to JSON")
-	}
-
 	return updatedConf, string(rawPipelineData), nil
 }
--- a/pkg/signoz/handler.go
+++ b/pkg/signoz/handler.go
@@ -12,6 +12,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/licensing"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
+	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
+	"github.com/SigNoz/signoz/pkg/modules/cloudintegration/implcloudintegration"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/fields"
@@ -38,23 +40,24 @@ import (
 )

 type Handlers struct {
-	SavedView             savedview.Handler
-	Apdex                 apdex.Handler
-	Dashboard             dashboard.Handler
-	QuickFilter           quickfilter.Handler
-	TraceFunnel           tracefunnel.Handler
-	RawDataExport         rawdataexport.Handler
-	SpanPercentile        spanpercentile.Handler
-	Services              services.Handler
-	MetricsExplorer       metricsexplorer.Handler
-	Global                global.Handler
-	FlaggerHandler        flagger.Handler
-	GatewayHandler        gateway.Handler
-	Fields                fields.Handler
-	AuthzHandler          authz.Handler
-	ZeusHandler           zeus.Handler
-	QuerierHandler        querier.Handler
-	ServiceAccountHandler serviceaccount.Handler
+	SavedView               savedview.Handler
+	Apdex                   apdex.Handler
+	Dashboard               dashboard.Handler
+	QuickFilter             quickfilter.Handler
+	TraceFunnel             tracefunnel.Handler
+	RawDataExport           rawdataexport.Handler
+	SpanPercentile          spanpercentile.Handler
+	Services                services.Handler
+	MetricsExplorer         metricsexplorer.Handler
+	Global                  global.Handler
+	FlaggerHandler          flagger.Handler
+	GatewayHandler          gateway.Handler
+	Fields                  fields.Handler
+	AuthzHandler            authz.Handler
+	ZeusHandler             zeus.Handler
+	QuerierHandler          querier.Handler
+	ServiceAccountHandler   serviceaccount.Handler
+	CloudIntegrationHandler cloudintegration.Handler
 }

 func NewHandlers(
@@ -71,22 +74,23 @@ func NewHandlers(
 	zeusService zeus.Zeus,
 ) Handlers {
 	return Handlers{
-		SavedView:             implsavedview.NewHandler(modules.SavedView),
-		Apdex:                 implapdex.NewHandler(modules.Apdex),
-		Dashboard:             impldashboard.NewHandler(modules.Dashboard, providerSettings),
-		QuickFilter:           implquickfilter.NewHandler(modules.QuickFilter),
-		TraceFunnel:           impltracefunnel.NewHandler(modules.TraceFunnel),
-		RawDataExport:         implrawdataexport.NewHandler(modules.RawDataExport),
-		Services:              implservices.NewHandler(modules.Services),
-		MetricsExplorer:       implmetricsexplorer.NewHandler(modules.MetricsExplorer),
-		SpanPercentile:        implspanpercentile.NewHandler(modules.SpanPercentile),
-		Global:                signozglobal.NewHandler(global),
-		FlaggerHandler:        flagger.NewHandler(flaggerService),
-		GatewayHandler:        gateway.NewHandler(gatewayService),
-		Fields:                implfields.NewHandler(providerSettings, telemetryMetadataStore),
-		AuthzHandler:          signozauthzapi.NewHandler(authz),
-		ZeusHandler:           zeus.NewHandler(zeusService, licensing),
-		QuerierHandler:        querierHandler,
-		ServiceAccountHandler: implserviceaccount.NewHandler(modules.ServiceAccount),
+		SavedView:               implsavedview.NewHandler(modules.SavedView),
+		Apdex:                   implapdex.NewHandler(modules.Apdex),
+		Dashboard:               impldashboard.NewHandler(modules.Dashboard, providerSettings),
+		QuickFilter:             implquickfilter.NewHandler(modules.QuickFilter),
+		TraceFunnel:             impltracefunnel.NewHandler(modules.TraceFunnel),
+		RawDataExport:           implrawdataexport.NewHandler(modules.RawDataExport),
+		Services:                implservices.NewHandler(modules.Services),
+		MetricsExplorer:         implmetricsexplorer.NewHandler(modules.MetricsExplorer),
+		SpanPercentile:          implspanpercentile.NewHandler(modules.SpanPercentile),
+		Global:                  signozglobal.NewHandler(global),
+		FlaggerHandler:          flagger.NewHandler(flaggerService),
+		GatewayHandler:          gateway.NewHandler(gatewayService),
+		Fields:                  implfields.NewHandler(providerSettings, telemetryMetadataStore),
+		AuthzHandler:            signozauthzapi.NewHandler(authz),
+		ZeusHandler:             zeus.NewHandler(zeusService, licensing),
+		QuerierHandler:          querierHandler,
+		ServiceAccountHandler:   implserviceaccount.NewHandler(modules.ServiceAccount),
+		CloudIntegrationHandler: implcloudintegration.NewHandler(),
 	}
 }
--- a/pkg/signoz/handler_test.go
+++ b/pkg/signoz/handler_test.go
@@ -48,9 +48,11 @@ func TestNewHandlers(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)

-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)

-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), userRoleStore, flagger)
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore)

 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)
--- a/pkg/signoz/module.go
+++ b/pkg/signoz/module.go
@@ -54,7 +54,7 @@ type Modules struct {
 	OrgGetter       organization.Getter
 	OrgSetter       organization.Setter
 	Preference      preference.Module
-	User            user.Module
+	UserSetter      user.Setter
 	UserGetter      user.Getter
 	SavedView       savedview.Module
 	Apdex           apdex.Module
@@ -89,10 +89,11 @@ func NewModules(
 	config Config,
 	dashboard dashboard.Module,
 	userGetter user.Getter,
+	userRoleStore authtypes.UserRoleStore,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User)
+	userSetter := impluser.NewSetter(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, userRoleStore, userGetter)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)

 	return Modules{
@@ -102,13 +103,13 @@ func NewModules(
 		SavedView:       implsavedview.NewModule(sqlstore),
 		Apdex:           implapdex.NewModule(sqlstore),
 		Dashboard:       dashboard,
-		User:            user,
+		UserSetter:      userSetter,
 		UserGetter:      userGetter,
 		QuickFilter:     quickfilter,
 		TraceFunnel:     impltracefunnel.NewModule(impltracefunnel.NewStore(sqlstore)),
 		RawDataExport:   implrawdataexport.NewModule(querier),
 		AuthDomain:      implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs),
-		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
+		Session:         implsession.NewModule(providerSettings, authNs, userSetter, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
--- a/pkg/signoz/module_test.go
+++ b/pkg/signoz/module_test.go
@@ -47,9 +47,11 @@ func TestNewModules(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)

-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)

-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), userRoleStore, flagger)
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore)

 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {
--- a/pkg/signoz/openapi.go
+++ b/pkg/signoz/openapi.go
@@ -16,6 +16,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
+	"github.com/SigNoz/signoz/pkg/modules/cloudintegration"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/fields"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
@@ -61,6 +62,7 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ zeus.Handler }{},
 		struct{ querier.Handler }{},
 		struct{ serviceaccount.Handler }{},
+		struct{ cloudintegration.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err
--- a/pkg/signoz/provider.go
+++ b/pkg/signoz/provider.go
@@ -188,6 +188,8 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
 		sqlmigration.NewUpdateCloudIntegrationUniqueIndexFactory(sqlstore, sqlschema),
 		sqlmigration.NewUpdatePlannedMaintenanceRuleFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
+		sqlmigration.NewDropUserRoleColumnFactory(sqlstore, sqlschema),
 	)
 }

@@ -259,7 +261,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			orgGetter,
 			authz,
 			implorganization.NewHandler(modules.OrgGetter, modules.OrgSetter),
-			impluser.NewHandler(modules.User, modules.UserGetter),
+			impluser.NewHandler(modules.UserSetter, modules.UserGetter),
 			implsession.NewHandler(modules.Session),
 			implauthdomain.NewHandler(modules.AuthDomain),
 			implpreference.NewHandler(modules.Preference),
@@ -275,6 +277,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.ZeusHandler,
 			handlers.QuerierHandler,
 			handlers.ServiceAccountHandler,
+			handlers.CloudIntegrationHandler,
 		),
 	)
 }
--- a/pkg/signoz/provider_test.go
+++ b/pkg/signoz/provider_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/tokenizer/tokenizertest"
 	"github.com/SigNoz/signoz/pkg/version"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 // This is a test to ensure that provider factories can be created without panicking since
@@ -77,12 +78,13 @@ func TestNewProviderFactories(t *testing.T) {
 	})

 	assert.NotPanics(t, func() {
-		flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
-		if err != nil {
-			panic(err)
-		}
+		providerSettings := instrumentationtest.New().ToProviderSettings()
+		ss := sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)
+		userRoleStore := impluser.NewUserRoleStore(ss, providerSettings)
+		flagger, err := flagger.New(context.Background(), providerSettings, flagger.Config{}, flagger.MustNewRegistry())
+		require.NoError(t, err)

-		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), flagger)
+		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), userRoleStore, flagger)
 		orgGetter := implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil)
 		telemetryStore := telemetrystoretest.New(telemetrystore.Config{Provider: "clickhouse"}, sqlmock.QueryMatcherEqual)
 		NewStatsReporterProviderFactories(telemetryStore, []statsreporter.StatsCollector{}, orgGetter, userGetter, tokenizertest.NewMockTokenizer(t), version.Build{}, analytics.Config{Enabled: true})
--- a/pkg/signoz/signoz.go
+++ b/pkg/signoz/signoz.go
@@ -293,8 +293,11 @@ func New(
 		return nil, err
 	}

-	// Initialize user getter
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	// Initialize user store
+	userStore := impluser.NewStore(sqlstore, providerSettings)
+
+	// Initialize user role store
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)

 	licensingProviderFactory := licenseProviderFactory(sqlstore, zeus, orgGetter, analytics)
 	licensing, err := licensingProviderFactory.New(
@@ -319,6 +322,9 @@ func New(
 		return nil, err
 	}

+	// Initialize user getter
+	userGetter := impluser.NewGetter(userStore, userRoleStore, flagger)
+
 	// Initialize notification manager from the available notification manager provider factories
 	nfManager, err := factory.NewProviderFromNamedMap(
 		ctx,
@@ -402,7 +408,7 @@ func New(
 	}

 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter, userRoleStore)

 	// Initialize identN resolver
 	identNFactories := NewIdentNProviderFactories(sqlstore, tokenizer, orgGetter, userGetter, config.User)
@@ -411,7 +417,7 @@ func New(
 		return nil, err
 	}

-	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
+	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.UserGetter, modules.UserSetter, orgGetter, authz, config.User.Root)

 	// Initialize the querier handler via callback (allows EE to decorate with anomaly detection)
 	querierHandler := querierHandlerCallback(providerSettings, querier, analytics)
@@ -437,7 +443,7 @@ func New(
 		ruler,
 		modules.Dashboard,
 		modules.SavedView,
-		modules.User,
+		modules.UserSetter,
 		licensing,
 		tokenizer,
 		config,
--- a/pkg/sqlmigration/071_add_user_role.go
+++ b/pkg/sqlmigration/071_add_user_role.go
@@ -0,0 +1,195 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+var (
+	userRoleToSigNozManagedRoleMap = map[string]string{
+		"ADMIN":  "signoz-admin",
+		"EDITOR": "signoz-editor",
+		"VIEWER": "signoz-viewer",
+	}
+)
+
+type userRow struct {
+	ID    string `bun:"id"`
+	Role  string `bun:"role"`
+	OrgID string `bun:"org_id"`
+}
+
+type roleRow struct {
+	ID    string `bun:"id"`
+	Name  string `bun:"name"`
+	OrgID string `bun:"org_id"`
+}
+
+type orgRoleKey struct {
+	OrgID    string
+	RoleName string
+}
+
+type addUserRole struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type userRoleRow struct {
+	bun.BaseModel `bun:"table:user_role"`
+
+	types.Identifiable
+	UserID string `bun:"user_id"`
+	RoleID string `bun:"role_id"`
+	types.TimeAuditable
+}
+
+func NewAddUserRoleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRole{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addUserRole) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "user_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("user_id"),
+				ReferencedTableName:   sqlschema.TableName("users"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(
+		&sqlschema.UniqueIndex{
+			TableName:   "user_role",
+			ColumnNames: []sqlschema.ColumnName{"user_id", "role_id"},
+		},
+	)
+
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// fill the new user_role table for existing users
+	var users []userRow
+	err = tx.NewSelect().TableExpr("users").ColumnExpr("id, role, org_id").Scan(ctx, &users)
+	if err != nil {
+		return err
+	}
+
+	if len(users) == 0 {
+		return tx.Commit()
+	}
+
+	orgIDs := make(map[string]struct{})
+	for _, u := range users {
+		orgIDs[u.OrgID] = struct{}{}
+	}
+
+	orgIDList := make([]string, 0, len(orgIDs))
+	for oid := range orgIDs {
+		orgIDList = append(orgIDList, oid)
+	}
+
+	var roles []roleRow
+	err = tx.NewSelect().TableExpr("role").ColumnExpr("id, name, org_id").Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx, &roles)
+	if err != nil {
+		return err
+	}
+
+	roleMap := make(map[orgRoleKey]string)
+	for _, r := range roles {
+		roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID
+	}
+
+	now := time.Now()
+	userRoles := make([]*userRoleRow, 0, len(users))
+	for _, u := range users {
+		managedRoleName, ok := userRoleToSigNozManagedRoleMap[u.Role]
+		if !ok {
+			managedRoleName = "signoz-viewer" // fallback
+		}
+
+		roleID := roleMap[orgRoleKey{OrgID: u.OrgID, RoleName: managedRoleName}]
+
+		userRoles = append(userRoles, &userRoleRow{
+			Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
+			UserID:       u.ID,
+			RoleID:       roleID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: now,
+				UpdatedAt: now,
+			},
+		})
+	}
+
+	if len(userRoles) > 0 {
+		if _, err := tx.NewInsert().Model(&userRoles).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}
--- a/pkg/sqlmigration/072_drop_user_role_column.go
+++ b/pkg/sqlmigration/072_drop_user_role_column.go
@@ -0,0 +1,73 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type dropUserRoleColumn struct {
+	sqlStore  sqlstore.SQLStore
+	sqlSchema sqlschema.SQLSchema
+}
+
+func NewDropUserRoleColumnFactory(sqlStore sqlstore.SQLStore, sqlSchema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("drop_user_role_column"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &dropUserRoleColumn{
+			sqlStore:  sqlStore,
+			sqlSchema: sqlSchema,
+		}, nil
+	})
+}
+
+func (migration *dropUserRoleColumn) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *dropUserRoleColumn) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	table, _, err := migration.sqlSchema.GetTable(ctx, sqlschema.TableName("users"))
+	if err != nil {
+		return err
+	}
+
+	roleColumn := &sqlschema.Column{
+		Name:     sqlschema.ColumnName("role"),
+		DataType: sqlschema.DataTypeText,
+		Nullable: false,
+	}
+
+	sqls := migration.sqlSchema.Operator().DropColumn(table, roleColumn)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *dropUserRoleColumn) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}
--- a/pkg/statsreporter/analyticsstatsreporter/provider.go
+++ b/pkg/statsreporter/analyticsstatsreporter/provider.go
@@ -178,7 +178,7 @@ func (provider *provider) Report(ctx context.Context) error {
 		}

 		for _, user := range users {
-			traits := types.NewTraitsFromUser(user)
+			traits := types.NewTraitsFromDeprecatedUser(user)
 			if maxLastObservedAt, ok := maxLastObservedAtPerUserID[user.ID]; ok {
 				traits["auth_token.last_observed_at.max.time"] = maxLastObservedAt.UTC()
 				traits["auth_token.last_observed_at.max.time_unix"] = maxLastObservedAt.Unix()
--- a/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
+++ b/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
@@ -3,6 +3,7 @@ package sqltokenizerstore
 import (
 	"context"

+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
@@ -35,7 +36,6 @@ func (store *store) Create(ctx context.Context, token *authtypes.StorableToken)

 func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID) (*authtypes.Identity, error) {
 	user := new(types.User)
-
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -47,7 +47,25 @@ func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID)
 		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with id: %s does not exist", userID)
 	}

-	return authtypes.NewIdentity(userID, user.OrgID, user.Email, types.Role(user.Role), authtypes.IdentNProviderTokenizer), nil
+	userRoles := make([]*authtypes.UserRole, 0)
+	err = store.sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&userRoles).
+		Where("user_id = ?", userID).
+		Relation("Role").
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(userRoles) == 0 {
+		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "no roles found for user with id: %s", userID)
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	return authtypes.NewIdentity(userID, user.OrgID, user.Email, role, authtypes.IdentNProviderTokenizer), nil
 }

 func (store *store) GetByAccessToken(ctx context.Context, accessToken string) (*authtypes.StorableToken, error) {
--- a/pkg/types/authtypes/authn.go
+++ b/pkg/types/authtypes/authn.go
@@ -128,7 +128,7 @@ func (typ *Identity) ToClaims() Claims {

 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, []*UserRole, error)

 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)
--- a/pkg/types/authtypes/role.go
+++ b/pkg/types/authtypes/role.go
@@ -48,6 +48,12 @@ var (
 		types.RoleEditor: SigNozEditorRoleName,
 		types.RoleViewer: SigNozViewerRoleName,
 	}
+
+	SigNozManagedRoleToExistingLegacyRole = map[string]types.Role{
+		SigNozAdminRoleName:  types.RoleAdmin,
+		SigNozEditorRoleName: types.RoleEditor,
+		SigNozViewerRoleName: types.RoleViewer,
+	}
 )

 var (
--- a/pkg/types/authtypes/user_role.go
+++ b/pkg/types/authtypes/user_role.go
@@ -0,0 +1,62 @@
+package authtypes
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
+	ErrCodeUserRolesNotFound      = errors.MustNewCode("user_roles_not_found")
+)
+
+type UserRole struct {
+	bun.BaseModel `bun:"table:user_role,alias:user_role"`
+
+	ID        valuer.UUID `bun:"id,pk,type:text" json:"id" required:"true"`
+	UserID    valuer.UUID `bun:"user_id" json:"user_id"`
+	RoleID    valuer.UUID `bun:"role_id" json:"role_id"`
+	CreatedAt time.Time   `bun:"created_at" json:"createdAt"`
+	UpdatedAt time.Time   `bun:"updated_at" json:"updatedAt"`
+
+	// read only fields
+	Role *StorableRole `bun:"rel:belongs-to,join:role_id=id" json:"role"`
+}
+
+func newUserRole(userID valuer.UUID, roleID valuer.UUID) *UserRole {
+	return &UserRole{
+		ID:        valuer.GenerateUUID(),
+		UserID:    userID,
+		RoleID:    roleID,
+		CreatedAt: time.Now(),
+		UpdatedAt: time.Now(),
+	}
+}
+
+func NewUserRoles(userID valuer.UUID, roles []*Role) []*UserRole {
+	userRoles := make([]*UserRole, len(roles))
+
+	for idx, role := range roles {
+		userRoles[idx] = newUserRole(userID, role.ID)
+	}
+
+	return userRoles
+}
+
+type UserRoleStore interface {
+	// create user roles in bulk
+	CreateUserRoles(ctx context.Context, userRoles []*UserRole) error
+
+	// get user roles by user id
+	GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*UserRole, error)
+
+	// list all user_role entries for
+	ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*UserRole, error)
+
+	// delete user role entries by user id
+	DeleteUserRoles(ctx context.Context, userID valuer.UUID) error
+}
--- a/pkg/types/cloudintegrationtypes/account.go
+++ b/pkg/types/cloudintegrationtypes/account.go
@@ -10,34 +10,35 @@ import (
 type Account struct {
 	types.Identifiable
 	types.TimeAuditable
-	ProviderAccountId *string           `json:"providerAccountID,omitempty"`
-	Provider          CloudProviderType `json:"provider"`
-	RemovedAt         *time.Time        `json:"removedAt,omitempty"`
-	AgentReport       *AgentReport      `json:"agentReport,omitempty"`
-	OrgID             valuer.UUID       `json:"orgID"`
-	Config            *AccountConfig    `json:"config,omitempty"`
+	ProviderAccountID *string           `json:"providerAccountId" required:"true" nullable:"true"`
+	Provider          CloudProviderType `json:"provider" required:"true"`
+	RemovedAt         *time.Time        `json:"removedAt,omitempty" required:"true" nullable:"true"`
+	AgentReport       *AgentReport      `json:"agentReport,omitempty" required:"true" nullable:"true"`
+	OrgID             valuer.UUID       `json:"orgId" required:"true"`
+	Config            *AccountConfig    `json:"config,omitempty" required:"true" nullable:"false"`
 }

 // AgentReport represents heartbeats sent by the agent.
 type AgentReport struct {
-	TimestampMillis int64          `json:"timestampMillis"`
-	Data            map[string]any `json:"data"`
+	TimestampMillis int64          `json:"timestampMillis" required:"true"`
+	Data            map[string]any `json:"data" required:"true" nullable:"true"`
+}
+
+type AccountConfig struct {
+	// required till new providers are added
+	AWS *AWSAccountConfig `json:"aws,omitempty" required:"true" nullable:"false"`
 }

 type GettableAccounts struct {
-	Accounts []*Account `json:"accounts"`
+	Accounts []*Account `json:"accounts" required:"true" nullable:"false"`
 }

 type GettableAccount = Account

 type UpdatableAccount struct {
-	Config *AccountConfig `json:"config"`
-}
-
-type AccountConfig struct {
-	AWS *AWSAccountConfig `json:"aws,omitempty"`
+	Config *AccountConfig `json:"config" required:"true" nullable:"false"`
 }

 type AWSAccountConfig struct {
-	Regions []string `json:"regions"`
+	Regions []string `json:"regions" required:"true" nullable:"false"`
 }
--- a/pkg/types/cloudintegrationtypes/cloudintegration.go
+++ b/pkg/types/cloudintegrationtypes/cloudintegration.go
@@ -13,7 +13,10 @@ import (
 )

 var (
-	ErrCodeCloudIntegrationNotFound = errors.MustNewCode("cloud_integration_not_found")
+	ErrCodeCloudIntegrationNotFound             = errors.MustNewCode("cloud_integration_not_found")
+	ErrCodeCloudIntegrationAlreadyExists        = errors.MustNewCode("cloud_integration_already_exists")
+	ErrCodeCloudIntegrationServiceNotFound      = errors.MustNewCode("cloud_integration_service_not_found")
+	ErrCodeCloudIntegrationServiceAlreadyExists = errors.MustNewCode("cloud_integration_service_already_exists")
 )

 // StorableCloudIntegration represents a cloud integration stored in the database.
--- a/pkg/types/cloudintegrationtypes/connection.go
+++ b/pkg/types/cloudintegrationtypes/connection.go
@@ -1,88 +1,74 @@
 package cloudintegrationtypes

-import "github.com/SigNoz/signoz/pkg/types/integrationtypes"
+import "time"

 type ConnectionArtifactRequest struct {
-	Aws *AWSConnectionArtifactRequest `json:"aws"`
+	// required till new providers are added
+	Aws *AWSConnectionArtifactRequest `json:"aws" required:"true" nullable:"false"`
 }

 type AWSConnectionArtifactRequest struct {
-	DeploymentRegion string   `json:"deploymentRegion"`
-	Regions          []string `json:"regions"`
+	DeploymentRegion string   `json:"deploymentRegion" required:"true"`
+	Regions          []string `json:"regions" required:"true" nullable:"false"`
 }

 type PostableConnectionArtifact = ConnectionArtifactRequest

 type ConnectionArtifact struct {
-	Aws *AWSConnectionArtifact `json:"aws"`
+	// required till new providers are added
+	Aws *AWSConnectionArtifact `json:"aws" required:"true" nullable:"false"`
 }

 type AWSConnectionArtifact struct {
-	ConnectionUrl string `json:"connectionURL"`
+	ConnectionURL string `json:"connectionURL" required:"true"`
 }

 type GettableConnectionArtifact = ConnectionArtifact

-type AccountStatus struct {
-	Id                string                         `json:"id"`
-	ProviderAccountId *string                        `json:"providerAccountID,omitempty"`
-	Status            integrationtypes.AccountStatus `json:"status"`
-}
-
-type GettableAccountStatus = AccountStatus
-
 type AgentCheckInRequest struct {
-	// older backward compatible fields are mapped to new fields
-	// CloudIntegrationId string `json:"cloudIntegrationId"`
-	// AccountId          string `json:"accountId"`
+	ProviderAccountID  string `json:"providerAccountId" required:"false"`
+	CloudIntegrationID string `json:"cloudIntegrationId" required:"false"`

-	// New fields
-	ProviderAccountId string `json:"providerAccountId"`
-	CloudAccountId    string `json:"cloudAccountId"`
-
-	Data map[string]any `json:"data,omitempty"`
+	Data map[string]any `json:"data,omitempty" required:"true" nullable:"true"`
 }

 type PostableAgentCheckInRequest struct {
 	AgentCheckInRequest
 	// following are backward compatible fields for older running agents
 	// which gets mapped to new fields in AgentCheckInRequest
-	CloudIntegrationId string `json:"cloud_integration_id"`
-	CloudAccountId     string `json:"cloud_account_id"`
-}
-
-type GettableAgentCheckInResponse struct {
-	AgentCheckInResponse
-
-	// For backward compatibility
-	CloudIntegrationId string `json:"cloud_integration_id"`
-	AccountId          string `json:"account_id"`
+	ID        string `json:"account_id" required:"false"`       // => CloudIntegrationID
+	AccountID string `json:"cloud_account_id" required:"false"` // => ProviderAccountID
 }

 type AgentCheckInResponse struct {
-	// Older fields for backward compatibility are mapped to new fields below
-	// CloudIntegrationId string `json:"cloud_integration_id"`
-	// AccountId          string `json:"account_id"`
-
-	// New fields
-	ProviderAccountId string `json:"providerAccountId"`
-	CloudAccountId    string `json:"cloudAccountId"`
-
-	// IntegrationConfig populates data related to integration that is required for an agent
-	// to start collecting telemetry data
-	// keeping JSON key snake_case for backward compatibility
-	IntegrationConfig *IntegrationConfig `json:"integration_config,omitempty"`
+	CloudIntegrationID string                     `json:"cloudIntegrationId" required:"true"`
+	ProviderAccountID  string                     `json:"providerAccountId" required:"true"`
+	IntegrationConfig  *ProviderIntegrationConfig `json:"integrationConfig" required:"true"`
+	RemovedAt          *time.Time                 `json:"removedAt" required:"true" nullable:"true"`
 }

-type IntegrationConfig struct {
-	EnabledRegions []string               `json:"enabledRegions"`      // backward compatible
-	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty"` // backward compatible
+type GettableAgentCheckInResponse struct {
+	// Older fields for backward compatibility with existing AWS agents
+	AccountID              string             `json:"account_id" required:"true"`
+	CloudAccountID         string             `json:"cloud_account_id" required:"true"`
+	OlderIntegrationConfig *IntegrationConfig `json:"integration_config" required:"true" nullable:"true"`
+	OlderRemovedAt         *time.Time         `json:"removed_at" required:"true" nullable:"true"`

-	// new fields
-	AWS *AWSIntegrationConfig `json:"aws,omitempty"`
+	AgentCheckInResponse
+}
+
+// IntegrationConfig older integration config struct for backward compatibility,
+// this will be eventually removed once agents are updated to use new struct.
+type IntegrationConfig struct {
+	EnabledRegions []string               `json:"enabledRegions" required:"true" nullable:"false"`      // backward compatible
+	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty" required:"true" nullable:"false"` // backward compatible
+}
+
+type ProviderIntegrationConfig struct {
+	AWS *AWSIntegrationConfig `json:"aws,omitempty" required:"true" nullable:"false"`
 }

 type AWSIntegrationConfig struct {
-	EnabledRegions []string               `json:"enabledRegions"`
-	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty"`
+	EnabledRegions []string               `json:"enabledRegions" required:"true" nullable:"false"`
+	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty" required:"true" nullable:"false"`
 }
--- a/pkg/types/cloudintegrationtypes/service.go
+++ b/pkg/types/cloudintegrationtypes/service.go
@@ -11,19 +11,20 @@ import (
 )

 var (
-	S3Sync = valuer.NewString("s3sync")
-	// ErrCodeInvalidServiceID is the error code for invalid service id.
 	ErrCodeInvalidServiceID = errors.MustNewCode("invalid_service_id")
 )

-type ServiceID struct{ valuer.String }
-
 type CloudIntegrationService struct {
 	types.Identifiable
 	types.TimeAuditable
 	Type               ServiceID      `json:"type"`
 	Config             *ServiceConfig `json:"config"`
-	CloudIntegrationID valuer.UUID    `json:"cloudIntegrationID"`
+	CloudIntegrationID valuer.UUID    `json:"cloudIntegrationId"`
+}
+
+type ServiceConfig struct {
+	// required till new providers are added
+	AWS *AWSServiceConfig `json:"aws,omitempty" required:"true" nullable:"false"`
 }

 // ServiceMetadata helps to quickly list available services and whether it is enabled or not.
@@ -32,26 +33,56 @@ type CloudIntegrationService struct {
 type ServiceMetadata struct {
 	ServiceDefinitionMetadata
 	// if the service is enabled for the account
-	Enabled bool `json:"enabled"`
+	Enabled bool `json:"enabled" required:"true"`
+}
+
+// ServiceDefinitionMetadata represents service definition metadata. This is useful for showing service tab in frontend.
+type ServiceDefinitionMetadata struct {
+	Id    string `json:"id" required:"true"`
+	Title string `json:"title" required:"true"`
+	Icon  string `json:"icon" required:"true"`
 }

 type GettableServicesMetadata struct {
-	Services []*ServiceMetadata `json:"services"`
+	Services []*ServiceMetadata `json:"services" required:"true" nullable:"false"`
 }

 type Service struct {
 	ServiceDefinition
-	ServiceConfig *ServiceConfig `json:"serviceConfig"`
+	ServiceConfig *ServiceConfig `json:"serviceConfig" required:"false" nullable:"false"`
 }

 type GettableService = Service

 type UpdatableService struct {
-	Config *ServiceConfig `json:"config"`
+	Config *ServiceConfig `json:"config" required:"true" nullable:"false"`
 }

-type ServiceConfig struct {
-	AWS *AWSServiceConfig `json:"aws,omitempty"`
+type ServiceDefinition struct {
+	ServiceDefinitionMetadata
+	Overview         string              `json:"overview" required:"true"` // markdown
+	Assets           Assets              `json:"assets" required:"true"`
+	SupportedSignals SupportedSignals    `json:"supported_signals" required:"true"`
+	DataCollected    DataCollected       `json:"dataCollected" required:"true"`
+	Strategy         *CollectionStrategy `json:"telemetryCollectionStrategy" required:"true" nullable:"false"`
+}
+
+// SupportedSignals for cloud provider's service.
+type SupportedSignals struct {
+	Logs    bool `json:"logs"`
+	Metrics bool `json:"metrics"`
+}
+
+// DataCollected is curated static list of metrics and logs, this is shown as part of service overview.
+type DataCollected struct {
+	Logs    []CollectedLogAttribute `json:"logs"`
+	Metrics []CollectedMetric       `json:"metrics"`
+}
+
+// CollectionStrategy is cloud provider specific configuration for signal collection,
+// this is used by agent to understand the nitty-gritty for collecting telemetry for the cloud provider.
+type CollectionStrategy struct {
+	AWS *AWSCollectionStrategy `json:"aws,omitempty"`
 }

 type AWSServiceConfig struct {
@@ -70,45 +101,11 @@ type AWSServiceMetricsConfig struct {
 	Enabled bool `json:"enabled"`
 }

-// ServiceDefinitionMetadata represents service definition metadata. This is useful for showing service tab in frontend.
-type ServiceDefinitionMetadata struct {
-	Id    string `json:"id"`
-	Title string `json:"title"`
-	Icon  string `json:"icon"`
-}
-
-type ServiceDefinition struct {
-	ServiceDefinitionMetadata
-	Overview         string              `json:"overview"` // markdown
-	Assets           Assets              `json:"assets"`
-	SupportedSignals SupportedSignals    `json:"supported_signals"`
-	DataCollected    DataCollected       `json:"dataCollected"`
-	Strategy         *CollectionStrategy `json:"telemetryCollectionStrategy"`
-}
-
-// CollectionStrategy is cloud provider specific configuration for signal collection,
-// this is used by agent to understand the nitty-gritty for collecting telemetry for the cloud provider.
-type CollectionStrategy struct {
-	AWS *AWSCollectionStrategy `json:"aws,omitempty"`
-}
-
 // Assets represents the collection of dashboards.
 type Assets struct {
 	Dashboards []Dashboard `json:"dashboards"`
 }

-// SupportedSignals for cloud provider's service.
-type SupportedSignals struct {
-	Logs    bool `json:"logs"`
-	Metrics bool `json:"metrics"`
-}
-
-// DataCollected is curated static list of metrics and logs, this is shown as part of service overview.
-type DataCollected struct {
-	Logs    []CollectedLogAttribute `json:"logs"`
-	Metrics []CollectedMetric       `json:"metrics"`
-}
-
 // CollectedLogAttribute represents a log attribute that is present in all log entries for a service,
 // this is shown as part of service overview.
 type CollectedLogAttribute struct {
@@ -175,39 +172,6 @@ type Dashboard struct {
 	Definition  dashboardtypes.StorableDashboardData `json:"definition,omitempty"`
 }

-// SupportedServices is the map of supported services for each cloud provider.
-var SupportedServices = map[CloudProviderType][]ServiceID{
-	CloudProviderTypeAWS: {
-		{valuer.NewString("alb")},
-		{valuer.NewString("api-gateway")},
-		{valuer.NewString("dynamodb")},
-		{valuer.NewString("ec2")},
-		{valuer.NewString("ecs")},
-		{valuer.NewString("eks")},
-		{valuer.NewString("elasticache")},
-		{valuer.NewString("lambda")},
-		{valuer.NewString("msk")},
-		{valuer.NewString("rds")},
-		{valuer.NewString("s3sync")},
-		{valuer.NewString("sns")},
-		{valuer.NewString("sqs")},
-	},
-}
-
-// NewServiceID returns a new ServiceID from a string, validated against the supported services for the given cloud provider.
-func NewServiceID(provider CloudProviderType, service string) (ServiceID, error) {
-	services, ok := SupportedServices[provider]
-	if !ok {
-		return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "no services defined for cloud provider: %s", provider)
-	}
-	for _, s := range services {
-		if s.StringValue() == service {
-			return s, nil
-		}
-	}
-	return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "invalid service id %q for cloud provider %s", service, provider)
-}
-
 // UTILS

 // GetCloudIntegrationDashboardID returns the dashboard id for a cloud integration, given the cloud provider, service id, and dashboard id.
--- a/pkg/types/cloudintegrationtypes/serviceid.go
+++ b/pkg/types/cloudintegrationtypes/serviceid.go
@@ -0,0 +1,75 @@
+package cloudintegrationtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type ServiceID struct{ valuer.String }
+
+var (
+	AWSServiceALB         = ServiceID{valuer.NewString("alb")}
+	AWSServiceAPIGateway  = ServiceID{valuer.NewString("api-gateway")}
+	AWSServiceDynamoDB    = ServiceID{valuer.NewString("dynamodb")}
+	AWSServiceEC2         = ServiceID{valuer.NewString("ec2")}
+	AWSServiceECS         = ServiceID{valuer.NewString("ecs")}
+	AWSServiceEKS         = ServiceID{valuer.NewString("eks")}
+	AWSServiceElastiCache = ServiceID{valuer.NewString("elasticache")}
+	AWSServiceLambda      = ServiceID{valuer.NewString("lambda")}
+	AWSServiceMSK         = ServiceID{valuer.NewString("msk")}
+	AWSServiceRDS         = ServiceID{valuer.NewString("rds")}
+	AWSServiceS3Sync      = ServiceID{valuer.NewString("s3sync")}
+	AWSServiceSNS         = ServiceID{valuer.NewString("sns")}
+	AWSServiceSQS         = ServiceID{valuer.NewString("sqs")}
+)
+
+func (ServiceID) Enum() []any {
+	return []any{
+		AWSServiceALB,
+		AWSServiceAPIGateway,
+		AWSServiceDynamoDB,
+		AWSServiceEC2,
+		AWSServiceECS,
+		AWSServiceEKS,
+		AWSServiceElastiCache,
+		AWSServiceLambda,
+		AWSServiceMSK,
+		AWSServiceRDS,
+		AWSServiceS3Sync,
+		AWSServiceSNS,
+		AWSServiceSQS,
+	}
+}
+
+// SupportedServices is the map of supported services for each cloud provider.
+var SupportedServices = map[CloudProviderType][]ServiceID{
+	CloudProviderTypeAWS: {
+		AWSServiceALB,
+		AWSServiceAPIGateway,
+		AWSServiceDynamoDB,
+		AWSServiceEC2,
+		AWSServiceECS,
+		AWSServiceEKS,
+		AWSServiceElastiCache,
+		AWSServiceLambda,
+		AWSServiceMSK,
+		AWSServiceRDS,
+		AWSServiceS3Sync,
+		AWSServiceSNS,
+		AWSServiceSQS,
+	},
+}
+
+// NewServiceID returns a new ServiceID from a string, validated against the supported services for the given cloud provider.
+func NewServiceID(provider CloudProviderType, service string) (ServiceID, error) {
+	services, ok := SupportedServices[provider]
+	if !ok {
+		return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "no services defined for cloud provider: %s", provider)
+	}
+	for _, s := range services {
+		if s.StringValue() == service {
+			return s, nil
+		}
+	}
+	return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "invalid service id %q for cloud provider %s", service, provider)
+}
--- a/pkg/types/cloudintegrationtypes/store.go
+++ b/pkg/types/cloudintegrationtypes/store.go
@@ -10,8 +10,14 @@ type Store interface {
 	// GetAccountByID returns a cloud integration account by id
 	GetAccountByID(ctx context.Context, orgID, id valuer.UUID, provider CloudProviderType) (*StorableCloudIntegration, error)

+	// GetConnectedAccount for a given provider
+	GetConnectedAccount(ctx context.Context, orgID valuer.UUID, provider CloudProviderType, providerAccountID string) (*StorableCloudIntegration, error)
+
+	// ListConnectedAccounts returns all the cloud integration accounts for the org and cloud provider
+	ListConnectedAccounts(ctx context.Context, orgID valuer.UUID, provider CloudProviderType) ([]*StorableCloudIntegration, error)
+
 	// CreateAccount creates a new cloud integration account
-	CreateAccount(ctx context.Context, account *StorableCloudIntegration) (*StorableCloudIntegration, error)
+	CreateAccount(ctx context.Context, account *StorableCloudIntegration) error

 	// UpdateAccount updates an existing cloud integration account
 	UpdateAccount(ctx context.Context, account *StorableCloudIntegration) error
@@ -19,23 +25,17 @@ type Store interface {
 	// RemoveAccount marks a cloud integration account as removed by setting the RemovedAt field
 	RemoveAccount(ctx context.Context, orgID, id valuer.UUID, provider CloudProviderType) error

-	// ListConnectedAccounts returns all the cloud integration accounts for the org and cloud provider
-	ListConnectedAccounts(ctx context.Context, orgID valuer.UUID, provider CloudProviderType) ([]*StorableCloudIntegration, error)
-
-	// GetConnectedAccount for a given provider
-	GetConnectedAccount(ctx context.Context, orgID valuer.UUID, provider CloudProviderType, providerAccountID string) (*StorableCloudIntegration, error)
-
 	// cloud_integration_service related methods

 	// GetServiceByServiceID returns the cloud integration service for the given cloud integration id and service id
 	GetServiceByServiceID(ctx context.Context, cloudIntegrationID valuer.UUID, serviceID ServiceID) (*StorableCloudIntegrationService, error)

+	// ListServices returns all the cloud integration services for the given cloud integration id
+	ListServices(ctx context.Context, cloudIntegrationID valuer.UUID) ([]*StorableCloudIntegrationService, error)
+
 	// CreateService creates a new cloud integration service
-	CreateService(ctx context.Context, service *StorableCloudIntegrationService) (*StorableCloudIntegrationService, error)
+	CreateService(ctx context.Context, service *StorableCloudIntegrationService) error

 	// UpdateService updates an existing cloud integration service
 	UpdateService(ctx context.Context, service *StorableCloudIntegrationService) error
-
-	// ListServices returns all the cloud integration services for the given cloud integration id
-	ListServices(ctx context.Context, cloudIntegrationID valuer.UUID) ([]*StorableCloudIntegrationService, error)
 }
--- a/pkg/types/user.go
+++ b/pkg/types/user.go
@@ -33,15 +33,12 @@ var (
 	ValidUserStatus         = []valuer.String{UserStatusPendingInvite, UserStatusActive, UserStatusDeleted}
 )

-type GettableUser = User
-
 type User struct {
-	bun.BaseModel `bun:"table:users"`
+	bun.BaseModel `bun:"table:users,alias:users"`

 	Identifiable
 	DisplayName string        `bun:"display_name" json:"displayName"`
 	Email       valuer.Email  `bun:"email" json:"email"`
-	Role        Role          `bun:"role" json:"role"`
 	OrgID       valuer.UUID   `bun:"org_id" json:"orgId"`
 	IsRoot      bool          `bun:"is_root" json:"isRoot"`
 	Status      valuer.String `bun:"status" json:"status"`
@@ -49,6 +46,11 @@ type User struct {
 	TimeAuditable
 }

+type DeprecatedUser struct {
+	*User
+	Role Role `json:"role"`
+}
+
 type PostableRegisterOrgAndAdmin struct {
 	Name           string       `json:"name"`
 	Email          valuer.Email `json:"email"`
@@ -57,15 +59,11 @@ type PostableRegisterOrgAndAdmin struct {
 	OrgName        string       `json:"orgName"`
 }

-func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID, status valuer.String) (*User, error) {
+func NewUser(displayName string, email valuer.Email, orgID valuer.UUID, status valuer.String) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}

-	if role == "" {
-		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "role is required")
-	}
-
 	if orgID.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgID is required")
 	}
@@ -80,7 +78,6 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		},
 		DisplayName: displayName,
 		Email:       email,
-		Role:        role,
 		OrgID:       orgID,
 		IsRoot:      false,
 		Status:      status,
@@ -106,7 +103,6 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 		},
 		DisplayName: displayName,
 		Email:       email,
-		Role:        RoleAdmin,
 		OrgID:       orgID,
 		IsRoot:      true,
 		Status:      UserStatusActive,
@@ -117,9 +113,36 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 	}, nil
 }

+func NewDeprecatedUserFromUserAndRole(user *User, role Role) *DeprecatedUser {
+	return &DeprecatedUser{
+		user,
+		role,
+	}
+}
+
+func NewUserFromDeprecatedUser(deprecatedUser *DeprecatedUser) *User {
+	return &User{
+		Identifiable:  deprecatedUser.Identifiable,
+		DisplayName:   deprecatedUser.DisplayName,
+		Email:         deprecatedUser.Email,
+		OrgID:         deprecatedUser.OrgID,
+		IsRoot:        deprecatedUser.IsRoot,
+		Status:        deprecatedUser.Status,
+		DeletedAt:     deprecatedUser.DeletedAt,
+		TimeAuditable: deprecatedUser.TimeAuditable,
+	}
+}
+
 // Update applies mutable fields from the input to the user. Immutable fields
 // (email, is_root, org_id, id) are preserved. Only non-zero input fields are applied.
-func (u *User) Update(displayName string, role Role) {
+func (u *User) Update(displayName string) {
+	if displayName != "" {
+		u.DisplayName = displayName
+	}
+	u.UpdatedAt = time.Now()
+}
+
+func (u *DeprecatedUser) Update(displayName string, role Role) {
 	if displayName != "" {
 		u.DisplayName = displayName
 	}
@@ -149,7 +172,6 @@ func (u *User) UpdateStatus(status valuer.String) error {
 // PromoteToRoot promotes the user to a root user with admin role.
 func (u *User) PromoteToRoot() {
 	u.IsRoot = true
-	u.Role = RoleAdmin
 	u.UpdatedAt = time.Now()
 }

@@ -187,6 +209,16 @@ func (u *User) ErrIfPending() error {
 }

 func NewTraitsFromUser(user *User) map[string]any {
+	return map[string]any{
+		"name":         user.DisplayName,
+		"email":        user.Email.String(),
+		"display_name": user.DisplayName,
+		"status":       user.Status,
+		"created_at":   user.CreatedAt,
+	}
+}
+
+func NewTraitsFromDeprecatedUser(user *DeprecatedUser) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
 		"role":         user.Role,
@@ -224,13 +256,7 @@ type UserStore interface {
 	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*User, error)

 	// Get user by email and orgID.
-	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)
-
-	// Get users by email.
-	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*User, error)
-
-	// Get users by role and org.
-	GetActiveUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
+	GetNonDeletedUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)

 	// List users by org.
 	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*User, error)
--- a/tests/integration/src/passwordauthn/08_user_unique_index.py
+++ b/tests/integration/src/passwordauthn/08_user_unique_index.py
@@ -117,15 +117,14 @@ def test_unique_index_allows_multiple_deleted_rows(
        conn.execute(
            sql.text(
                "INSERT INTO users"
-                " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
-                " VALUES (:id, :display_name, :email, :role, :org_id,"
+                " (id, display_name, email, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                " VALUES (:id, :display_name, :email, :org_id,"
                "         false, 'active', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, :zero_time)"
            ),
            {
                "id": active_id,
                "display_name": "first active row",
                "email": UNIQUE_INDEX_USER_EMAIL,
-                "role": "EDITOR",
                "org_id": org_id,
                "zero_time": "0001-01-01 00:00:00",
            },
@@ -137,15 +136,14 @@ def test_unique_index_allows_multiple_deleted_rows(
            conn.execute(
                sql.text(
                    "INSERT INTO users"
-                    " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
-                    " VALUES (:id, :display_name, :email, :role, :org_id,"
+                    " (id, display_name, email, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                    " VALUES (:id, :display_name, :email, :org_id,"
                    "         false, 'active', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, :zero_time)"
                ),
                {
                    "id": str(uuid.uuid4()),
                    "display_name": "should violate index",
                    "email": UNIQUE_INDEX_USER_EMAIL,
-                    "role": "EDITOR",
                    "org_id": org_id,
                    "zero_time": "0001-01-01 00:00:00",
                },
@@ -156,15 +154,14 @@ def test_unique_index_allows_multiple_deleted_rows(
        conn.execute(
            sql.text(
                "INSERT INTO users"
-                " (id, display_name, email, role, org_id, is_root, status, created_at, updated_at, deleted_at)"
-                " VALUES (:id, :display_name, :email, :role, :org_id,"
+                " (id, display_name, email, org_id, is_root, status, created_at, updated_at, deleted_at)"
+                " VALUES (:id, :display_name, :email, :org_id,"
                "         false, 'deleted', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)"
            ),
            {
                "id": str(uuid.uuid4()),
                "display_name": "third deleted row",
                "email": UNIQUE_INDEX_USER_EMAIL,
-                "role": "EDITOR",
                "org_id": org_id,
            },
        )
Author	SHA1	Message	Date
swapnil-signoz	42300bd0a0	Merge branch 'main' into feat/cloudintegration-module	2026-03-23 20:57:18 +05:30
Tushar Vats	79b4c2e4b0	fix: added download button in trace page (#10613 ) * fix: added download button in trace page * fix: update unit tests * fix: revert prepareQueryRangePayloadV5.ts * fix: addressed comments * fix: address commnets from aditya * fix: update tests	2026-03-23 14:49:18 +00:00
swapnil-signoz	866e541e29	refactor: cloud integration store implementation (#10469 ) * feat: adding cloud integration type for refactor * refactor: store interfaces to use local types and error * feat: adding sql store implementation * refactor: removing interface check * feat: adding updated types for cloud integration * refactor: using struct for map * refactor: update cloud integration types and module interface * fix: correct GetService signature and remove shadowed Data field * feat: implement cloud integration store * refactor: adding comments and removed wrong code * refactor: streamlining types * refactor: add comments for backward compatibility in PostableAgentCheckInRequest * refactor: update Dashboard struct comments and remove unused fields * refactor: split upsert store method * feat: adding integration test * refactor: clean up types * refactor: renaming service type to service id * refactor: using serviceID type * feat: adding method for service id creation * refactor: updating store methods * refactor: clean up * refactor: clean up * refactor: review comments * refactor: clean up * fix: update error code for service not found * refactor: returning error only for create methods * refactor: method chaining formatting	2026-03-23 14:25:32 +00:00
Vinicius Lourenço	b1efb66197	chore(cursor): add rules & skills to help migration (#10405 )	2026-03-23 14:03:35 +00:00
Karan Balani	b0eec8132b	feat: introduce user_role table (#10664 ) * feat: introduce user_role table * fix: golint and register migrations * fix: user types and order of update user * feat: add migration to drop role column from users table * fix: raw queries pointing to role column in users table * chore: remove storable user struct and minor other changes * chore: remove refs of calling vars as storable users * chore: user 0th role instead of highest * chore: address pr comments * chore: rename userrolestore to user_role_store * chore: return userroles with user in getter where possible * chore: move user module as user setter * chore: arrange getter and setter methods * fix: nil pointer for update user in integration test due to half payload being passed * chore: update openapi specs * fix: nil errors without making frontend changes * fix: empty array check everywhere for user roles array and minor other changes * fix: imports * fix: rebase changes * chore: renaming functions * chore: simplified getorcreateuser user setter method and call sites * fix: golint * fix: remove redundant authz migration, remove fk enforcement for drop migration * fix: add new event for user activation	2026-03-23 13:36:20 +00:00
Piyush Singariya	efbeca23cf	chore: prepend normalize pipeline (#10627 ) * fix: prepend normalize pipeline * fix: don't save normalize pipeline in config	2026-03-23 12:50:27 +00:00
swapnil-signoz	6e52f2c8f0	Merge branch 'refactor/cloud-integration-impl-store' into refactor/cloud-integration-handlers	2026-03-22 17:13:53 +05:30
swapnil-signoz	d9f8a4ae5a	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-22 17:13:40 +05:30
swapnil-signoz	eefe3edffd	Merge branch 'main' into refactor/cloud-integration-handlers	2026-03-22 17:13:02 +05:30
swapnil-signoz	2051861a03	feat: adding handler skeleton	2026-03-22 17:12:35 +05:30
swapnil-signoz	4b01a40fb9	Merge branch 'refactor/cloud-integration-impl-store' into refactor/cloud-integration-handlers	2026-03-20 20:53:54 +05:30
swapnil-signoz	2d8a00bf18	fix: update error code for service not found	2026-03-20 20:53:33 +05:30
swapnil-signoz	f1b26b310f	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-20 20:51:44 +05:30
swapnil-signoz	2c438b6c32	Merge branch 'refactor/cloud-integration-impl-store' into refactor/cloud-integration-handlers	2026-03-20 20:48:34 +05:30
swapnil-signoz	1814c2d13c	Merge branch 'main' into refactor/cloud-integration-handlers	2026-03-20 17:52:31 +05:30
swapnil-signoz	e6cd771f11	Merge `origin/main` into `refactor/cloud-integration-handlers`	2026-03-20 16:46:36 +05:30
swapnil-signoz	6b94f87ca0	Merge branch 'main' into refactor/cloud-integration-handlers	2026-03-19 11:43:21 +05:30
swapnil-signoz	bf315253ae	fix: lint issues	2026-03-19 11:43:09 +05:30
swapnil-signoz	668ff7bc39	fix: lint and ci issues	2026-03-19 11:34:27 +05:30
swapnil-signoz	07f2aa52fd	feat: adding handlers	2026-03-19 01:35:01 +05:30
swapnil-signoz	3416b3ad55	Merge branch 'main' into refactor/cloud-integration-handlers	2026-03-18 21:50:40 +05:30
swapnil-signoz	d6caa4f2c7	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-18 14:08:14 +05:30
swapnil-signoz	f86371566d	refactor: clean up	2026-03-18 13:45:31 +05:30
swapnil-signoz	9115803084	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-18 13:42:43 +05:30
swapnil-signoz	0c14d8f966	refactor: review comments	2026-03-18 13:40:17 +05:30
swapnil-signoz	7afb461af8	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-18 11:14:33 +05:30
swapnil-signoz	a21fbb4ee0	refactor: clean up	2026-03-18 11:14:05 +05:30
swapnil-signoz	0369842f3d	refactor: clean up	2026-03-17 23:40:14 +05:30
swapnil-signoz	59cd96562a	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-17 23:10:54 +05:30
swapnil-signoz	cc4475cab7	refactor: updating store methods	2026-03-17 23:10:15 +05:30
swapnil-signoz	ac8c648420	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-17 21:09:47 +05:30
swapnil-signoz	bede6be4b8	feat: adding method for service id creation	2026-03-17 21:09:26 +05:30
swapnil-signoz	dd3d60e6df	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-17 20:49:31 +05:30
swapnil-signoz	538ab686d2	refactor: using serviceID type	2026-03-17 20:49:17 +05:30
swapnil-signoz	936a325cb9	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-17 17:25:58 +05:30
swapnil-signoz	c6cdcd0143	refactor: renaming service type to service id	2026-03-17 17:25:29 +05:30
swapnil-signoz	cd9211d718	refactor: clean up types	2026-03-17 17:04:27 +05:30
swapnil-signoz	0601c28782	feat: adding integration test	2026-03-17 11:02:46 +05:30
swapnil-signoz	580610dbfa	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-16 23:02:19 +05:30
swapnil-signoz	2d2aa02a81	refactor: split upsert store method	2026-03-16 18:27:42 +05:30
swapnil-signoz	dd9723ad13	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-16 17:42:03 +05:30
swapnil-signoz	3651469416	Merge branch 'main' of https://github.com/SigNoz/signoz into refactor/cloud-integration-types	2026-03-16 17:41:52 +05:30
swapnil-signoz	febce75734	refactor: update Dashboard struct comments and remove unused fields	2026-03-16 17:41:28 +05:30
swapnil-signoz	e1616f3487	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-16 17:36:15 +05:30
swapnil-signoz	4b94287ac7	refactor: add comments for backward compatibility in PostableAgentCheckInRequest	2026-03-16 15:48:20 +05:30
swapnil-signoz	1575c7c54c	refactor: streamlining types	2026-03-16 15:39:32 +05:30
swapnil-signoz	8def3f835b	refactor: adding comments and removed wrong code	2026-03-16 11:10:53 +05:30
swapnil-signoz	11ed15f4c5	feat: implement cloud integration store	2026-03-14 17:05:02 +05:30
swapnil-signoz	f47877cca9	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-14 17:01:51 +05:30
swapnil-signoz	bb2b9215ba	fix: correct GetService signature and remove shadowed Data field	2026-03-14 16:59:07 +05:30
swapnil-signoz	3111904223	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-14 16:36:35 +05:30
swapnil-signoz	003e2c30d8	Merge branch 'main' into refactor/cloud-integration-types	2026-03-14 16:25:35 +05:30
swapnil-signoz	00fe516d10	refactor: update cloud integration types and module interface	2026-03-14 16:25:16 +05:30
swapnil-signoz	0305f4f7db	refactor: using struct for map	2026-03-13 16:09:26 +05:30
swapnil-signoz	c60019a6dc	Merge branch 'main' into refactor/cloud-integration-types	2026-03-12 23:41:22 +05:30
swapnil-signoz	acde2a37fa	feat: adding updated types for cloud integration	2026-03-12 23:40:44 +05:30
swapnil-signoz	945241a52a	Merge branch 'main' into refactor/cloud-integration-types	2026-03-12 19:45:50 +05:30
swapnil-signoz	e967f80c86	Merge branch 'main' into refactor/cloud-integration-types	2026-03-02 16:39:42 +05:30
swapnil-signoz	a09dc325de	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-02 16:39:20 +05:30
swapnil-signoz	379b4f7fc4	refactor: removing interface check	2026-03-02 14:50:37 +05:30
swapnil-signoz	5e536ae077	Merge branch 'refactor/cloud-integration-types' into refactor/cloud-integration-impl-store	2026-03-02 14:49:35 +05:30
swapnil-signoz	234585e642	Merge branch 'main' into refactor/cloud-integration-types	2026-03-02 14:49:19 +05:30
swapnil-signoz	2cc14f1ad4	Merge branch 'main' into refactor/cloud-integration-impl-store	2026-03-02 14:49:00 +05:30
swapnil-signoz	dc4ed4d239	feat: adding sql store implementation	2026-03-02 14:44:56 +05:30
swapnil-signoz	7281c36873	refactor: store interfaces to use local types and error	2026-03-02 13:27:46 +05:30
swapnil-signoz	40288776e8	feat: adding cloud integration type for refactor	2026-02-28 16:59:14 +05:30