feat: toggle foreign key constraint

conf/example.yaml

@@ -309,3 +309,14 @@ user:
       allow_self: true
       # The duration within which a user can reset their password.
       max_token_lifetime: 6h
+  root:
+    # Whether to enable the root user. When enabled, a root user is provisioned
+    # on startup using the email and password below. The root user cannot be
+    # deleted, updated, or have their password changed through the UI.
+    enabled: false
+    # The email address of the root user.
+    email: ""
+    # The password of the root user. Must meet password requirements.
+    password: ""
+    # The name of the organization to create or look up for the root user.
+    org_name: default

docs/api/openapi.yml

@@ -4678,6 +4678,8 @@ components:
           type: string
         id:
           type: string
+        isRoot:
+          type: boolean
         orgId:
           type: string
         role:

ee/query-service/app/api/api.go

@@ -45,7 +45,7 @@ type APIHandler struct {
 }
 
 // NewAPIHandler returns an APIHandler
-func NewAPIHandler(opts APIHandlerOptions, signoz *signoz.SigNoz) (*APIHandler, error) {
+func NewAPIHandler(opts APIHandlerOptions, signoz *signoz.SigNoz, config signoz.Config) (*APIHandler, error) {
 	baseHandler, err := baseapp.NewAPIHandler(baseapp.APIHandlerOpts{
 		Reader:                        opts.DataConnector,
 		RuleManager:                   opts.RulesManager,
@@ -58,7 +58,7 @@ func NewAPIHandler(opts APIHandlerOptions, signoz *signoz.SigNoz) (*APIHandler,
 		Signoz:                        signoz,
 		QuerierAPI:                    querierAPI.NewAPI(signoz.Instrumentation.ToProviderSettings(), signoz.Querier, signoz.Analytics),
 		QueryParserAPI:                queryparser.NewAPI(signoz.Instrumentation.ToProviderSettings(), signoz.QueryParser),
-	})
+	}, config)
 
 	if err != nil {
 		return nil, err

ee/query-service/app/server.go

@@ -175,7 +175,7 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 		GlobalConfig:                  config.Global,
 	}
 
-	apiHandler, err := api.NewAPIHandler(apiOpts, signoz)
+	apiHandler, err := api.NewAPIHandler(apiOpts, signoz, config)
 	if err != nil {
 		return nil, err
 	}

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -1542,6 +1542,10 @@ export interface TypesUserDTO {
 	 * @type string
 	 */
 	id?: string;
+	/**
+	 * @type boolean
+	 */
+	isRoot?: boolean;
 	/**
 	 * @type string
 	 */

frontend/src/container/DashboardContainer/visualization/panels/types.ts

@@ -14,6 +14,11 @@ export interface GraphVisibilityState {
 	dataIndex: SeriesVisibilityItem[];
 }
 
+export interface SeriesVisibilityState {
+	labels: string[];
+	visibility: boolean[];
+}
+
 /**
  * Context in which a panel is rendered. Used to vary behavior (e.g. persistence,
  * interactions) per context.

frontend/src/container/DashboardContainer/visualization/panels/utils/__tests__/legendVisibilityUtils.test.ts

@@ -62,10 +62,10 @@ describe('legendVisibilityUtils', () => {
 			const result = getStoredSeriesVisibility('widget-1');
 
 			expect(result).not.toBeNull();
-			expect(result).toEqual([
-				{ label: 'CPU', show: true },
-				{ label: 'Memory', show: false },
-			]);
+			expect(result).toEqual({
+				labels: ['CPU', 'Memory'],
+				visibility: [true, false],
+			});
 		});
 
 		it('returns visibility by index including duplicate labels', () => {
@@ -85,11 +85,10 @@ describe('legendVisibilityUtils', () => {
 			const result = getStoredSeriesVisibility('widget-1');
 
 			expect(result).not.toBeNull();
-			expect(result).toEqual([
-				{ label: 'CPU', show: true },
-				{ label: 'CPU', show: false },
-				{ label: 'Memory', show: false },
-			]);
+			expect(result).toEqual({
+				labels: ['CPU', 'CPU', 'Memory'],
+				visibility: [true, false, false],
+			});
 		});
 
 		it('returns null on malformed JSON in localStorage', () => {
@@ -128,10 +127,10 @@ describe('legendVisibilityUtils', () => {
 			const stored = getStoredSeriesVisibility('widget-1');
 
 			expect(stored).not.toBeNull();
-			expect(stored).toEqual([
-				{ label: 'CPU', show: true },
-				{ label: 'Memory', show: false },
-			]);
+			expect(stored).toEqual({
+				labels: ['CPU', 'Memory'],
+				visibility: [true, false],
+			});
 		});
 
 		it('adds a new widget entry when other widgets already exist', () => {
@@ -150,7 +149,7 @@ describe('legendVisibilityUtils', () => {
 			const stored = getStoredSeriesVisibility('widget-new');
 
 			expect(stored).not.toBeNull();
-			expect(stored).toEqual([{ label: 'CPU', show: false }]);
+			expect(stored).toEqual({ labels: ['CPU'], visibility: [false] });
 		});
 
 		it('updates existing widget visibility when entry already exists', () => {
@@ -176,10 +175,10 @@ describe('legendVisibilityUtils', () => {
 			const stored = getStoredSeriesVisibility('widget-1');
 
 			expect(stored).not.toBeNull();
-			expect(stored).toEqual([
-				{ label: 'CPU', show: false },
-				{ label: 'Memory', show: true },
-			]);
+			expect(stored).toEqual({
+				labels: ['CPU', 'Memory'],
+				visibility: [false, true],
+			});
 		});
 
 		it('silently handles malformed existing JSON without throwing', () => {
@@ -202,10 +201,10 @@ describe('legendVisibilityUtils', () => {
 
 			const stored = getStoredSeriesVisibility('widget-1');
 			expect(stored).not.toBeNull();
-			expect(stored).toEqual([
-				{ label: 'x-axis', show: true },
-				{ label: 'CPU', show: false },
-			]);
+			expect(stored).toEqual({
+				labels: ['x-axis', 'CPU'],
+				visibility: [true, false],
+			});
 			const expected = [
 				{
 					name: 'widget-1',
@@ -232,12 +231,14 @@ describe('legendVisibilityUtils', () => {
 				{ label: 'B', show: true },
 			]);
 
-			expect(getStoredSeriesVisibility('widget-a')).toEqual([
-				{ label: 'A', show: true },
-			]);
-			expect(getStoredSeriesVisibility('widget-b')).toEqual([
-				{ label: 'B', show: true },
-			]);
+			expect(getStoredSeriesVisibility('widget-a')).toEqual({
+				labels: ['A'],
+				visibility: [true],
+			});
+			expect(getStoredSeriesVisibility('widget-b')).toEqual({
+				labels: ['B'],
+				visibility: [true],
+			});
 		});
 
 		it('calls setItem with storage key and stringified visibility states', () => {

frontend/src/container/DashboardContainer/visualization/panels/utils/legendVisibilityUtils.ts

@@ -1,6 +1,10 @@
 import { LOCALSTORAGE } from 'constants/localStorage';
 
-import { GraphVisibilityState, SeriesVisibilityItem } from '../types';
+import {
+	GraphVisibilityState,
+	SeriesVisibilityItem,
+	SeriesVisibilityState,
+} from '../types';
 
 /**
  * Retrieves the stored series visibility for a specific widget from localStorage by index.
@@ -10,7 +14,7 @@ import { GraphVisibilityState, SeriesVisibilityItem } from '../types';
  */
 export function getStoredSeriesVisibility(
 	widgetId: string,
-): SeriesVisibilityItem[] | null {
+): SeriesVisibilityState | null {
 	try {
 		const storedData = localStorage.getItem(LOCALSTORAGE.GRAPH_VISIBILITY_STATES);
 
@@ -25,7 +29,10 @@ export function getStoredSeriesVisibility(
 			return null;
 		}
 
-		return widgetState.dataIndex;
+		return {
+			labels: widgetState.dataIndex.map((item) => item.label),
+			visibility: widgetState.dataIndex.map((item) => item.show),
+		};
 	} catch (error) {
 		if (error instanceof SyntaxError) {
 			// If the stored data is malformed, remove it

frontend/src/container/PanelWrapper/constants.ts

@@ -1,11 +1,11 @@
 import { PANEL_TYPES } from 'constants/queryBuilder';
-import BarPanel from 'container/DashboardContainer/visualization/panels/BarPanel/BarPanel';
 
 import TimeSeriesPanel from '../DashboardContainer/visualization/panels/TimeSeriesPanel/TimeSeriesPanel';
 import HistogramPanelWrapper from './HistogramPanelWrapper';
 import ListPanelWrapper from './ListPanelWrapper';
 import PiePanelWrapper from './PiePanelWrapper';
 import TablePanelWrapper from './TablePanelWrapper';
+import UplotPanelWrapper from './UplotPanelWrapper';
 import ValuePanelWrapper from './ValuePanelWrapper';
 
 export const PanelTypeVsPanelWrapper = {
@@ -16,7 +16,7 @@ export const PanelTypeVsPanelWrapper = {
 	[PANEL_TYPES.TRACE]: null,
 	[PANEL_TYPES.EMPTY_WIDGET]: null,
 	[PANEL_TYPES.PIE]: PiePanelWrapper,
-	[PANEL_TYPES.BAR]: BarPanel,
+	[PANEL_TYPES.BAR]: UplotPanelWrapper,
 	[PANEL_TYPES.HISTOGRAM]: HistogramPanelWrapper,
 };
 

frontend/src/lib/uPlotV2/config/UPlotConfigBuilder.ts

@@ -1,4 +1,4 @@
-import { SeriesVisibilityItem } from 'container/DashboardContainer/visualization/panels/types';
+import { SeriesVisibilityState } from 'container/DashboardContainer/visualization/panels/types';
 import { getStoredSeriesVisibility } from 'container/DashboardContainer/visualization/panels/utils/legendVisibilityUtils';
 import { ThresholdsDrawHookOptions } from 'lib/uPlotV2/hooks/types';
 import { thresholdsDrawHook } from 'lib/uPlotV2/hooks/useThresholdsDrawHook';
@@ -238,7 +238,7 @@ export class UPlotConfigBuilder extends ConfigBuilder<
 	/**
 	 * Returns stored series visibility by index from localStorage when preferences source is LOCAL_STORAGE, otherwise null.
 	 */
-	private getStoredVisibility(): SeriesVisibilityItem[] | null {
+	private getStoredVisibility(): SeriesVisibilityState | null {
 		if (
 			this.widgetId &&
 			this.selectionPreferencesSource === SelectionPreferencesSource.LOCAL_STORAGE
@@ -248,98 +248,14 @@ export class UPlotConfigBuilder extends ConfigBuilder<
 		return null;
 	}
 
-	/**
-	 * Derive visibility resolution state from stored preferences and current series:
-	 * - visibleStoredLabels: labels that should always be visible
-	 * - hiddenStoredLabels: labels that should always be hidden
-	 * - hasActivePreference: whether a "mix" preference applies to new labels
-	 */
-	// eslint-disable-next-line sonarjs/cognitive-complexity
-	private getVisibilityResolutionState(): {
-		visibleStoredLabels: Set<string>;
-		hiddenStoredLabels: Set<string>;
-		hasActivePreference: boolean;
-	} {
-		const seriesVisibilityState = this.getStoredVisibility();
-		if (!seriesVisibilityState || seriesVisibilityState.length === 0) {
-			return {
-				visibleStoredLabels: new Set<string>(),
-				hiddenStoredLabels: new Set<string>(),
-				hasActivePreference: false,
-			};
-		}
-
-		// Single pass over stored items to derive:
-		// - visibleStoredLabels: any label that is ever stored as visible
-		// - hiddenStoredLabels: labels that are only ever stored as hidden
-		// - hasMixPreference: there is at least one visible and one hidden entry
-		const visibleStoredLabels = new Set<string>();
-		const hiddenStoredLabels = new Set<string>();
-		let hasAnyVisible = false;
-		let hasAnyHidden = false;
-
-		for (const { label, show } of seriesVisibilityState) {
-			if (show) {
-				hasAnyVisible = true;
-				visibleStoredLabels.add(label);
-				// If a label is ever visible, it should not be treated as "only hidden"
-				if (hiddenStoredLabels.has(label)) {
-					hiddenStoredLabels.delete(label);
-				}
-			} else {
-				hasAnyHidden = true;
-				// Only track as hidden if we have not already seen it as visible
-				if (!visibleStoredLabels.has(label)) {
-					hiddenStoredLabels.add(label);
-				}
-			}
-		}
-
-		const hasMixPreference = hasAnyVisible && hasAnyHidden;
-
-		// Current series labels in this chart.
-		const currentSeriesLabels = this.series.map(
-			(s: UPlotSeriesBuilder) => s.getConfig().label ?? '',
-		);
-
-		// Check if any stored "visible" label exists in the current series list.
-		const hasVisibleIntersection =
-			visibleStoredLabels.size > 0 &&
-			currentSeriesLabels.some((label) => visibleStoredLabels.has(label));
-
-		// Active preference only when there is a mix AND at least one visible
-		// stored label is present in the current series list.
-		const hasActivePreference = hasMixPreference && hasVisibleIntersection;
-
-		// We apply stored visibility in two cases:
-		// - There is an active preference (mix + intersection), OR
-		// - There is no mix (all true or all false) – preserve legacy behavior.
-		const shouldApplyStoredVisibility = !hasMixPreference || hasActivePreference;
-
-		if (!shouldApplyStoredVisibility) {
-			return {
-				visibleStoredLabels: new Set<string>(),
-				hiddenStoredLabels: new Set<string>(),
-				hasActivePreference,
-			};
-		}
-
-		return {
-			visibleStoredLabels,
-			hiddenStoredLabels,
-			hasActivePreference,
-		};
-	}
-
 	/**
 	 * Get legend items with visibility state restored from localStorage if available
 	 */
 	getLegendItems(): Record<number, LegendItem> {
-		const {
-			visibleStoredLabels,
-			hiddenStoredLabels,
-			hasActivePreference,
-		} = this.getVisibilityResolutionState();
+		const seriesVisibilityState = this.getStoredVisibility();
+		const isAnySeriesHidden = !!seriesVisibilityState?.visibility?.some(
+			(show) => !show,
+		);
 
 		return this.series.reduce((acc, s: UPlotSeriesBuilder, index: number) => {
 			const seriesConfig = s.getConfig();
@@ -347,11 +263,11 @@ export class UPlotConfigBuilder extends ConfigBuilder<
 			// +1 because uPlot series 0 is x-axis/time; data series are at 1, 2, ... (also matches stored visibility[0]=time, visibility[1]=first data, ...)
 			const seriesIndex = index + 1;
 			const show = resolveSeriesVisibility({
+				seriesIndex,
 				seriesShow: seriesConfig.show,
 				seriesLabel: label,
-				visibleStoredLabels,
-				hiddenStoredLabels,
-				hasActivePreference,
+				seriesVisibilityState,
+				isAnySeriesHidden,
 			});
 
 			acc[seriesIndex] = {
@@ -380,23 +296,22 @@ export class UPlotConfigBuilder extends ConfigBuilder<
 			...DEFAULT_PLOT_CONFIG,
 		};
 
-		const {
-			visibleStoredLabels,
-			hiddenStoredLabels,
-			hasActivePreference,
-		} = this.getVisibilityResolutionState();
+		const seriesVisibilityState = this.getStoredVisibility();
+		const isAnySeriesHidden = !!seriesVisibilityState?.visibility?.some(
+			(show) => !show,
+		);
 
 		config.series = [
 			{ value: (): string => '' }, // Base series for timestamp
-			...this.series.map((s) => {
+			...this.series.map((s, index) => {
 				const series = s.getConfig();
 				// Stored visibility[0] is x-axis/time; data series start at visibility[1]
 				const visible = resolveSeriesVisibility({
+					seriesIndex: index + 1,
 					seriesShow: series.show,
 					seriesLabel: series.label ?? '',
-					visibleStoredLabels,
-					hiddenStoredLabels,
-					hasActivePreference,
+					seriesVisibilityState,
+					isAnySeriesHidden,
 				});
 				return {
 					...series,

frontend/src/lib/uPlotV2/config/__tests__/UPlotConfigBuilder.test.ts

@@ -186,10 +186,11 @@ describe('UPlotConfigBuilder', () => {
 	});
 
 	it('restores visibility state from localStorage when selectionPreferencesSource is LOCAL_STORAGE', () => {
-		getStoredSeriesVisibilityMock.getStoredSeriesVisibility.mockReturnValue([
-			{ label: 'Requests', show: true },
-			{ label: 'Errors', show: false },
-		]);
+		// Index 0 = x-axis/time; indices 1,2 = data series (Requests, Errors). resolveSeriesVisibility matches by seriesIndex + seriesLabel.
+		getStoredSeriesVisibilityMock.getStoredSeriesVisibility.mockReturnValue({
+			labels: ['x-axis', 'Requests', 'Errors'],
+			visibility: [true, true, false],
+		});
 
 		const builder = new UPlotConfigBuilder({
 			widgetId: 'widget-1',
@@ -201,7 +202,7 @@ describe('UPlotConfigBuilder', () => {
 
 		const legendItems = builder.getLegendItems();
 
-		// When any series is hidden, visibility is driven by stored label-based preferences
+		// When any series is hidden, legend visibility is driven by the stored map
 		expect(legendItems[1].show).toBe(true);
 		expect(legendItems[2].show).toBe(false);
 
@@ -212,109 +213,6 @@ describe('UPlotConfigBuilder', () => {
 		expect(secondSeries?.show).toBe(false);
 	});
 
-	it('hides new series by default when there is a mixed preference and a visible label matches current series', () => {
-		getStoredSeriesVisibilityMock.getStoredSeriesVisibility.mockReturnValue([
-			{ label: 'Requests', show: true },
-			{ label: 'Errors', show: false },
-		]);
-
-		const builder = new UPlotConfigBuilder({
-			widgetId: 'widget-1',
-			selectionPreferencesSource: SelectionPreferencesSource.LOCAL_STORAGE,
-		});
-
-		builder.addSeries(createSeriesProps({ label: 'Requests' }));
-		builder.addSeries(createSeriesProps({ label: 'Errors' }));
-		builder.addSeries(createSeriesProps({ label: 'Latency' }));
-
-		const legendItems = builder.getLegendItems();
-
-		// Stored labels: Requests (visible), Errors (hidden).
-		// New label "Latency" should be hidden because there is a mixed preference
-		// and "Requests" (a visible stored label) is present in the current series.
-		expect(legendItems[1].label).toBe('Requests');
-		expect(legendItems[1].show).toBe(true);
-		expect(legendItems[2].label).toBe('Errors');
-		expect(legendItems[2].show).toBe(false);
-		expect(legendItems[3].label).toBe('Latency');
-		expect(legendItems[3].show).toBe(false);
-
-		const config = builder.getConfig();
-		const [, firstSeries, secondSeries, thirdSeries] = config.series ?? [];
-
-		expect(firstSeries?.label).toBe('Requests');
-		expect(firstSeries?.show).toBe(true);
-		expect(secondSeries?.label).toBe('Errors');
-		expect(secondSeries?.show).toBe(false);
-		expect(thirdSeries?.label).toBe('Latency');
-		expect(thirdSeries?.show).toBe(false);
-	});
-
-	it('shows all series when there is a mixed preference but no visible stored labels match current series', () => {
-		getStoredSeriesVisibilityMock.getStoredSeriesVisibility.mockReturnValue([
-			{ label: 'StoredVisible', show: true },
-			{ label: 'StoredHidden', show: false },
-		]);
-
-		const builder = new UPlotConfigBuilder({
-			widgetId: 'widget-1',
-			selectionPreferencesSource: SelectionPreferencesSource.LOCAL_STORAGE,
-		});
-
-		// None of these labels intersect with the stored visible label "StoredVisible"
-		builder.addSeries(createSeriesProps({ label: 'CPU' }));
-		builder.addSeries(createSeriesProps({ label: 'Memory' }));
-
-		const legendItems = builder.getLegendItems();
-
-		// Mixed preference exists in storage, but since no visible labels intersect
-		// with current series, stored preferences are ignored and all are visible.
-		expect(legendItems[1].label).toBe('CPU');
-		expect(legendItems[1].show).toBe(true);
-		expect(legendItems[2].label).toBe('Memory');
-		expect(legendItems[2].show).toBe(true);
-
-		const config = builder.getConfig();
-		const [, firstSeries, secondSeries] = config.series ?? [];
-
-		expect(firstSeries?.label).toBe('CPU');
-		expect(firstSeries?.show).toBe(true);
-		expect(secondSeries?.label).toBe('Memory');
-		expect(secondSeries?.show).toBe(true);
-	});
-
-	it('treats duplicate labels as visible when any stored entry for that label is visible', () => {
-		getStoredSeriesVisibilityMock.getStoredSeriesVisibility.mockReturnValue([
-			{ label: 'CPU', show: true },
-			{ label: 'CPU', show: false },
-		]);
-
-		const builder = new UPlotConfigBuilder({
-			widgetId: 'widget-dup',
-			selectionPreferencesSource: SelectionPreferencesSource.LOCAL_STORAGE,
-		});
-
-		// Two series with the same label; both should be visible because at least
-		// one stored entry for "CPU" is visible.
-		builder.addSeries(createSeriesProps({ label: 'CPU' }));
-		builder.addSeries(createSeriesProps({ label: 'CPU' }));
-
-		const legendItems = builder.getLegendItems();
-
-		expect(legendItems[1].label).toBe('CPU');
-		expect(legendItems[1].show).toBe(true);
-		expect(legendItems[2].label).toBe('CPU');
-		expect(legendItems[2].show).toBe(true);
-
-		const config = builder.getConfig();
-		const [, firstSeries, secondSeries] = config.series ?? [];
-
-		expect(firstSeries?.label).toBe('CPU');
-		expect(firstSeries?.show).toBe(true);
-		expect(secondSeries?.label).toBe('CPU');
-		expect(secondSeries?.show).toBe(true);
-	});
-
 	it('does not attempt to read stored visibility when using in-memory preferences', () => {
 		const builder = new UPlotConfigBuilder({
 			widgetId: 'widget-1',

frontend/src/lib/uPlotV2/utils/seriesVisibility.ts

@@ -1,44 +1,25 @@
-/**
- * Resolve the visibility of a single series based on:
- * - Stored per-series visibility (when applicable)
- * - Whether there is an "active preference" (mix of visible/hidden that matches current series)
- * - The series' own default show flag
- */
+import { SeriesVisibilityState } from 'container/DashboardContainer/visualization/panels/types';
+
 export function resolveSeriesVisibility({
+	seriesIndex,
 	seriesShow,
 	seriesLabel,
-	visibleStoredLabels,
-	hiddenStoredLabels,
-	hasActivePreference,
+	seriesVisibilityState,
+	isAnySeriesHidden,
 }: {
+	seriesIndex: number;
 	seriesShow: boolean | undefined | null;
 	seriesLabel: string;
-	visibleStoredLabels: Set<string> | null;
-	hiddenStoredLabels: Set<string> | null;
-	hasActivePreference: boolean;
+	seriesVisibilityState: SeriesVisibilityState | null;
+	isAnySeriesHidden: boolean;
 }): boolean {
-	const isStoredVisible = !!visibleStoredLabels?.has(seriesLabel);
-	const isStoredHidden = !!hiddenStoredLabels?.has(seriesLabel);
-
-	// If the label is explicitly stored as visible, always show it.
-	if (isStoredVisible) {
-		return true;
+	if (
+		isAnySeriesHidden &&
+		seriesVisibilityState?.visibility &&
+		seriesVisibilityState.labels.length > seriesIndex &&
+		seriesVisibilityState.labels[seriesIndex] === seriesLabel
+	) {
+		return seriesVisibilityState.visibility[seriesIndex] ?? false;
 	}
-
-	// If the label is explicitly stored as hidden (and never stored as visible),
-	// always hide it.
-	if (isStoredHidden) {
-		return false;
-	}
-
-	// "Active preference" means:
-	// - There is a mix of visible/hidden in storage, AND
-	// - At least one stored *visible* label exists in the current series list.
-	// For such a preference, any new/unknown series should be hidden by default.
-	if (hasActivePreference) {
-		return false;
-	}
-
-	// Otherwise fall back to the series' own config or show by default.
 	return seriesShow ?? true;
 }

frontend/src/providers/Dashboard/store/dashboardVariables/__tests__/dashboardVariablesStore.test.ts

@@ -204,78 +204,6 @@ describe('dashboardVariablesStore', () => {
 			expect(doAllVariablesHaveValuesSelected).toBe(true);
 		});
 
-		it('should treat DYNAMIC variable with allSelected=true and selectedValue=undefined as having a value', () => {
-			setDashboardVariablesStore({
-				dashboardId: 'dash-1',
-				variables: {
-					dyn1: createVariable({
-						name: 'dyn1',
-						type: 'DYNAMIC',
-						order: 0,
-						selectedValue: undefined,
-						allSelected: true,
-					}),
-					env: createVariable({
-						name: 'env',
-						type: 'QUERY',
-						order: 1,
-						selectedValue: 'prod',
-					}),
-				},
-			});
-
-			const { doAllVariablesHaveValuesSelected } = getVariableDependencyContext();
-			expect(doAllVariablesHaveValuesSelected).toBe(true);
-		});
-
-		it('should treat DYNAMIC variable with allSelected=true and empty string selectedValue as having a value', () => {
-			setDashboardVariablesStore({
-				dashboardId: 'dash-1',
-				variables: {
-					dyn1: createVariable({
-						name: 'dyn1',
-						type: 'DYNAMIC',
-						order: 0,
-						selectedValue: '',
-						allSelected: true,
-					}),
-					env: createVariable({
-						name: 'env',
-						type: 'QUERY',
-						order: 1,
-						selectedValue: 'prod',
-					}),
-				},
-			});
-
-			const { doAllVariablesHaveValuesSelected } = getVariableDependencyContext();
-			expect(doAllVariablesHaveValuesSelected).toBe(true);
-		});
-
-		it('should treat DYNAMIC variable with allSelected=true and empty array selectedValue as having a value', () => {
-			setDashboardVariablesStore({
-				dashboardId: 'dash-1',
-				variables: {
-					dyn1: createVariable({
-						name: 'dyn1',
-						type: 'DYNAMIC',
-						order: 0,
-						selectedValue: [] as any,
-						allSelected: true,
-					}),
-					env: createVariable({
-						name: 'env',
-						type: 'QUERY',
-						order: 1,
-						selectedValue: 'prod',
-					}),
-				},
-			});
-
-			const { doAllVariablesHaveValuesSelected } = getVariableDependencyContext();
-			expect(doAllVariablesHaveValuesSelected).toBe(true);
-		});
-
 		it('should report false when a DYNAMIC variable has empty selectedValue and allSelected is not true', () => {
 			setDashboardVariablesStore({
 				dashboardId: 'dash-1',

frontend/src/providers/Dashboard/store/dashboardVariables/dashboardVariablesStore.ts

@@ -76,7 +76,7 @@ export function getVariableDependencyContext(): VariableFetchContext {
 		(variable) => {
 			if (
 				variable.type === 'DYNAMIC' &&
-				(variable.selectedValue === null || isEmpty(variable.selectedValue)) &&
+				variable.selectedValue === null &&
 				variable.allSelected === true
 			) {
 				return true;

pkg/modules/organization/implorganization/getter.go

@@ -30,3 +30,7 @@ func (module *getter) ListByOwnedKeyRange(ctx context.Context) ([]*types.Organiz
 
 	return module.store.ListByKeyRange(ctx, start, end)
 }
+
+func (module *getter) GetByName(ctx context.Context, name string) (*types.Organization, error) {
+	return module.store.GetByName(ctx, name)
+}

pkg/modules/organization/implorganization/store.go

@@ -47,6 +47,22 @@ func (store *store) Get(ctx context.Context, id valuer.UUID) (*types.Organizatio
 	return organization, nil
 }
 
+func (store *store) GetByName(ctx context.Context, name string) (*types.Organization, error) {
+	organization := new(types.Organization)
+	err := store.
+		sqlstore.
+		BunDB().
+		NewSelect().
+		Model(organization).
+		Where("name = ?", name).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrOrganizationNotFound, "organization with name %s does not exist", name)
+	}
+
+	return organization, nil
+}
+
 func (store *store) GetAll(ctx context.Context) ([]*types.Organization, error) {
 	organizations := make([]*types.Organization, 0)
 	err := store.

pkg/modules/organization/organization.go

@@ -14,6 +14,9 @@ type Getter interface {
 
 	// ListByOwnedKeyRange gets all the organizations owned by the instance
 	ListByOwnedKeyRange(context.Context) ([]*types.Organization, error)
+
+	// Gets the organization by name
+	GetByName(context.Context, string) (*types.Organization, error)
 }
 
 type Setter interface {

pkg/modules/session/implsession/module.go

@@ -151,6 +151,10 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", err
 	}
 
+	if err := user.ErrIfRoot(); err != nil {
+		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
+	}
+
 	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role), map[string]string{})
 	if err != nil {
 		return "", err

pkg/modules/user/config.go

@@ -5,11 +5,22 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type Config struct {
 	Password PasswordConfig `mapstructure:"password"`
+	Root     RootConfig     `mapstructure:"root"`
 }
+
+type RootConfig struct {
+	Enabled  bool         `mapstructure:"enabled"`
+	Email    valuer.Email `mapstructure:"email"`
+	Password string       `mapstructure:"password"`
+	OrgName  string       `mapstructure:"org_name"`
+}
+
 type PasswordConfig struct {
 	Reset ResetConfig `mapstructure:"reset"`
 }
@@ -31,6 +42,10 @@ func newConfig() factory.Config {
 				MaxTokenLifetime: 6 * time.Hour,
 			},
 		},
+		Root: RootConfig{
+			Enabled: false,
+			OrgName: "default",
+		},
 	}
 }
 
@@ -39,5 +54,17 @@ func (c Config) Validate() error {
 		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::password::reset::max_token_lifetime must be positive")
 	}
 
+	if c.Root.Enabled {
+		if c.Root.Email.IsZero() {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::root::email is required when root user is enabled")
+		}
+		if c.Root.Password == "" {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::root::password is required when root user is enabled")
+		}
+		if !types.IsPasswordValid(c.Root.Password) {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::root::password does not meet password requirements")
+		}
+	}
+
 	return nil
 }

pkg/modules/user/impluser/getter.go

@@ -16,6 +16,10 @@ func NewGetter(store types.UserStore) user.Getter {
 	return &getter{store: store}
 }
 
+func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	return module.store.GetRootUserByOrgID(ctx, orgID)
+}
+
 func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
 	users, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {

pkg/modules/user/impluser/module.go

@@ -103,6 +103,12 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			return nil, err
 		}
 
+		if existingUser != nil {
+			if err := existingUser.ErrIfRoot(); err != nil {
+				return nil, errors.WithAdditionalf(err, "cannot send invite to root user")
+			}
+		}
+
 		if existingUser != nil {
 			return nil, errors.New(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with the same email")
 		}
@@ -202,27 +208,21 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, err
 	}
 
+	if err := existingUser.ErrIfRoot(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update root user")
+	}
+
 	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}
 
-	// only displayName, role can be updated
-	if user.DisplayName == "" {
-		user.DisplayName = existingUser.DisplayName
-	}
-
-	if user.Role == "" {
-		user.Role = existingUser.Role
-	}
-
-	if user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}
 
-	// Make sure that th e request is not demoting the last admin user.
-	// also an admin user can only change role of their own or other user
-	if user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
+	// Make sure that the request is not demoting the last admin user.
+	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
 		adminUsers, err := m.store.GetUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 		if err != nil {
 			return nil, err
@@ -233,7 +233,7 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}
 
-	if user.Role != existingUser.Role {
+	if user.Role != "" && user.Role != existingUser.Role {
 		err = m.authz.ModifyGrant(ctx,
 			orgID,
 			roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role),
@@ -245,23 +245,28 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}
 
-	user.UpdatedAt = time.Now()
-	updatedUser, err := m.store.UpdateUser(ctx, orgID, id, user)
-	if err != nil {
+	existingUser.Update(user.DisplayName, user.Role)
+	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 		return nil, err
 	}
 
-	traits := types.NewTraitsFromUser(updatedUser)
-	m.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traits)
+	return existingUser, nil
+}
 
-	traits["updated_by"] = updatedBy
-	m.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Updated", traits)
-
-	if err := m.tokenizer.DeleteIdentity(ctx, valuer.MustNewUUID(id)); err != nil {
-		return nil, err
+func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+		return err
 	}
 
-	return updatedUser, nil
+	traits := types.NewTraitsFromUser(user)
+	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traits)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Updated", traits)
+
+	if err := module.tokenizer.DeleteIdentity(ctx, user.ID); err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
@@ -270,6 +275,10 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return err
 	}
 
+	if err := user.ErrIfRoot(); err != nil {
+		return errors.WithAdditionalf(err, "cannot delete root user")
+	}
+
 	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(user.Email.String())) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "integration user cannot be deleted")
 	}
@@ -364,6 +373,10 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return err
 	}
 
+	if err := user.ErrIfRoot(); err != nil {
+		return errors.WithAdditionalf(err, "cannot reset password for root user")
+	}
+
 	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
@@ -407,6 +420,15 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
+	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	if err != nil {
+		return err
+	}
+
+	if err := user.ErrIfRoot(); err != nil {
+		return errors.WithAdditionalf(err, "cannot reset password for root user")
+	}
+
 	if err := password.Update(passwd); err != nil {
 		return err
 	}
@@ -415,6 +437,15 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }
 
 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
+	user, err := module.store.GetUser(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	if err := user.ErrIfRoot(); err != nil {
+		return errors.WithAdditionalf(err, "cannot change password for root user")
+	}
+
 	password, err := module.store.GetPasswordByUserID(ctx, userID)
 	if err != nil {
 		return err
@@ -476,7 +507,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }
 
 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewUser(name, email, types.RoleAdmin, organization.ID)
+	user, err := types.NewRootUser(name, email, organization.ID)
 	if err != nil {
 		return nil, err
 	}

pkg/modules/user/impluser/service.go

@@ -0,0 +1,187 @@
+package impluser
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/modules/organization"
+	"github.com/SigNoz/signoz/pkg/modules/user"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type service struct {
+	settings  factory.ScopedProviderSettings
+	store     types.UserStore
+	module    user.Module
+	orgGetter organization.Getter
+	authz     authz.AuthZ
+	config    user.RootConfig
+	stopC     chan struct{}
+}
+
+func NewService(
+	providerSettings factory.ProviderSettings,
+	store types.UserStore,
+	module user.Module,
+	orgGetter organization.Getter,
+	authz authz.AuthZ,
+	config user.RootConfig,
+) user.Service {
+	return &service{
+		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:     store,
+		module:    module,
+		orgGetter: orgGetter,
+		authz:     authz,
+		config:    config,
+		stopC:     make(chan struct{}),
+	}
+}
+
+func (s *service) Start(ctx context.Context) error {
+	if !s.config.Enabled {
+		<-s.stopC
+		return nil
+	}
+
+	ticker := time.NewTicker(10 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		err := s.reconcile(ctx)
+		if err == nil {
+			s.settings.Logger().InfoContext(ctx, "root user reconciliation completed successfully")
+			<-s.stopC
+			return nil
+		}
+
+		s.settings.Logger().WarnContext(ctx, "root user reconciliation failed, retrying", "error", err)
+
+		select {
+		case <-s.stopC:
+			return nil
+		case <-ticker.C:
+			continue
+		}
+	}
+}
+
+func (s *service) Stop(ctx context.Context) error {
+	close(s.stopC)
+	return nil
+}
+
+func (s *service) reconcile(ctx context.Context) error {
+	org, err := s.orgGetter.GetByName(ctx, s.config.OrgName)
+	if err != nil {
+		if errors.Ast(err, errors.TypeNotFound) {
+			newOrg := types.NewOrganizationWithName(s.config.OrgName)
+			_, err := s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
+			return err
+		}
+
+		return err
+	}
+
+	return s.reconcileRootUser(ctx, org.ID)
+}
+
+func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
+	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
+		return err
+	}
+
+	if existingRoot == nil {
+		return s.createOrPromoteRootUser(ctx, orgID)
+	}
+
+	return s.updateExistingRootUser(ctx, orgID, existingRoot)
+}
+
+func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
+	existingUser, err := s.store.GetUserByEmailAndOrgID(ctx, s.config.Email, orgID)
+	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
+		return err
+	}
+
+	if existingUser != nil {
+		oldRole := existingUser.Role
+
+		existingUser.PromoteToRoot()
+		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+			return err
+		}
+
+		if oldRole != types.RoleAdmin {
+			if err := s.authz.ModifyGrant(ctx,
+				orgID,
+				roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole),
+				roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin),
+				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+			); err != nil {
+				return err
+			}
+		}
+
+		return s.setPassword(ctx, existingUser.ID)
+	}
+
+	// Create new root user
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
+	if err != nil {
+		return err
+	}
+
+	factorPassword, err := types.NewFactorPassword(s.config.Password, newUser.ID.StringValue())
+	if err != nil {
+		return err
+	}
+
+	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
+}
+
+func (s *service) updateExistingRootUser(ctx context.Context, orgID valuer.UUID, existingRoot *types.User) error {
+	existingRoot.PromoteToRoot()
+
+	if existingRoot.Email != s.config.Email {
+		existingRoot.UpdateEmail(s.config.Email)
+		if err := s.module.UpdateAnyUser(ctx, orgID, existingRoot); err != nil {
+			return err
+		}
+	}
+
+	return s.setPassword(ctx, existingRoot.ID)
+}
+
+func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {
+	password, err := s.store.GetPasswordByUserID(ctx, userID)
+	if err != nil {
+		if !errors.Ast(err, errors.TypeNotFound) {
+			return err
+		}
+
+		factorPassword, err := types.NewFactorPassword(s.config.Password, userID.StringValue())
+		if err != nil {
+			return err
+		}
+
+		return s.store.CreatePassword(ctx, factorPassword)
+	}
+
+	if !password.Equals(s.config.Password) {
+		if err := password.Update(s.config.Password); err != nil {
+			return err
+		}
+
+		return s.store.UpdatePassword(ctx, password)
+	}
+
+	return nil
+}

pkg/modules/user/impluser/store.go

@@ -210,20 +210,24 @@ func (store *store) GetUsersByRoleAndOrgID(ctx context.Context, role types.Role,
 	return users, nil
 }
 
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User) (*types.User, error) {
-	user.UpdatedAt = time.Now()
-	_, err := store.sqlstore.BunDB().NewUpdate().
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewUpdate().
 		Model(user).
 		Column("display_name").
+		Column("email").
 		Column("role").
+		Column("is_root").
 		Column("updated_at").
-		Where("id = ?", id).
 		Where("org_id = ?", orgID).
+		Where("id = ?", user.ID).
 		Exec(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with id: %s does not exist in org: %s", id, orgID)
+		return store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user does not exist in org: %s", orgID)
 	}
-	return user, nil
+	return nil
 }
 
 func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
@@ -602,6 +606,22 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }
 
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	user := new(types.User)
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(user).
+		Where("org_id = ?", orgID).
+		Where("is_root = ?", true).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "root user for org %s not found", orgID)
+	}
+	return user, nil
+}
+
 func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
 	users := []*types.User{}
 	err := store.

pkg/modules/user/service.go

@@ -0,0 +1,7 @@
+package user
+
+import "github.com/SigNoz/signoz/pkg/factory"
+
+type Service interface {
+	factory.Service
+}

pkg/modules/user/user.go

@@ -34,6 +34,9 @@ type Module interface {
 	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error
 
 	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error)
+
+	// UpdateAnyUser updates a user and persists the changes to the database along with the analytics and identity deletion.
+	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error
 
 	// invite
@@ -54,6 +57,9 @@ type Module interface {
 }
 
 type Getter interface {
+	// Get root user by org id.
+	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
+
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)
 

pkg/query-service/app/http_handler.go

@@ -183,7 +183,7 @@ type APIHandlerOpts struct {
 }
 
 // NewAPIHandler returns an APIHandler
-func NewAPIHandler(opts APIHandlerOpts) (*APIHandler, error) {
+func NewAPIHandler(opts APIHandlerOpts, config signoz.Config) (*APIHandler, error) {
 	querierOpts := querier.QuerierOptions{
 		Reader:       opts.Reader,
 		Cache:        opts.Signoz.Cache,
@@ -270,6 +270,11 @@ func NewAPIHandler(opts APIHandlerOpts) (*APIHandler, error) {
 		}
 	}
 
+	// If the root user is enabled, the setup is complete
+	if config.User.Root.Enabled {
+		aH.SetupCompleted = true
+	}
+
 	aH.Upgrader = &websocket.Upgrader{
 		CheckOrigin: func(r *http.Request) bool {
 			return true

pkg/query-service/app/server.go

@@ -135,7 +135,7 @@ func NewServer(config signoz.Config, signoz *signoz.SigNoz) (*Server, error) {
 		Signoz:                        signoz,
 		QuerierAPI:                    querierAPI.NewAPI(signoz.Instrumentation.ToProviderSettings(), signoz.Querier, signoz.Analytics),
 		QueryParserAPI:                queryparser.NewAPI(signoz.Instrumentation.ToProviderSettings(), signoz.QueryParser),
-	})
+	}, config)
 	if err != nil {
 		return nil, err
 	}

pkg/signoz/provider.go

@@ -167,6 +167,7 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRbacToAuthzFactory(sqlstore),
 		sqlmigration.NewMigratePublicDashboardsFactory(sqlstore),
 		sqlmigration.NewAddAnonymousPublicDashboardTransactionFactory(sqlstore),
+		sqlmigration.NewAddRootUserFactory(sqlstore, sqlschema),
 	)
 }
 

pkg/signoz/signoz.go

@@ -389,6 +389,8 @@ func New(
 	// Initialize all modules
 	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard)
 
+	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
+
 	// Initialize all handlers for the modules
 	handlers := NewHandlers(modules, providerSettings, querier, licensing, global, flagger, gateway, telemetryMetadataStore, authz)
 
@@ -438,6 +440,7 @@ func New(
 		factory.NewNamedService(factory.MustNewName("statsreporter"), statsReporter),
 		factory.NewNamedService(factory.MustNewName("tokenizer"), tokenizer),
 		factory.NewNamedService(factory.MustNewName("authz"), authz),
+		factory.NewNamedService(factory.MustNewName("user"), userService),
 	)
 	if err != nil {
 		return nil, err

pkg/sqlmigration/064_add_root_user.go

@@ -0,0 +1,80 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addRootUser struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewAddRootUserFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_root_user"), func(ctx context.Context, providerSettings factory.ProviderSettings, config Config) (SQLMigration, error) {
+		return &addRootUser{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addRootUser) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addRootUser) Up(ctx context.Context, db *bun.DB) error {
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, false); err != nil {
+		return err
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	table, uniqueConstraints, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("users"))
+	if err != nil {
+		return err
+	}
+
+	column := &sqlschema.Column{
+		Name:     sqlschema.ColumnName("is_root"),
+		DataType: sqlschema.DataTypeBoolean,
+		Nullable: false,
+	}
+
+	sqls := migration.sqlschema.Operator().AddColumn(table, uniqueConstraints, column, false)
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, true); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addRootUser) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/types/organization.go

@@ -41,6 +41,22 @@ func NewOrganization(displayName string) *Organization {
 	}
 }
 
+func NewOrganizationWithName(name string) *Organization {
+	id := valuer.GenerateUUID()
+	return &Organization{
+		Identifiable: Identifiable{
+			ID: id,
+		},
+		TimeAuditable: TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+		Name:        name,
+		DisplayName: name,
+		Key:         NewOrganizationKey(id),
+	}
+}
+
 func NewOrganizationKey(orgID valuer.UUID) uint32 {
 	hasher := fnv.New32a()
 
@@ -74,6 +90,7 @@ type TTLSetting struct {
 type OrganizationStore interface {
 	Create(context.Context, *Organization) error
 	Get(context.Context, valuer.UUID) (*Organization, error)
+	GetByName(context.Context, string) (*Organization, error)
 	GetAll(context.Context) ([]*Organization, error)
 	ListByKeyRange(context.Context, uint32, uint32) ([]*Organization, error)
 	Update(context.Context, *Organization) error

pkg/types/user.go

@@ -11,15 +11,16 @@ import (
 )
 
 var (
-	ErrCodeUserNotFound                = errors.MustNewCode("user_not_found")
-	ErrCodeAmbiguousUser               = errors.MustNewCode("ambiguous_user")
-	ErrUserAlreadyExists               = errors.MustNewCode("user_already_exists")
-	ErrPasswordAlreadyExists           = errors.MustNewCode("password_already_exists")
-	ErrResetPasswordTokenAlreadyExists = errors.MustNewCode("reset_password_token_already_exists")
-	ErrPasswordNotFound                = errors.MustNewCode("password_not_found")
-	ErrResetPasswordTokenNotFound      = errors.MustNewCode("reset_password_token_not_found")
-	ErrAPIKeyAlreadyExists             = errors.MustNewCode("api_key_already_exists")
-	ErrAPIKeyNotFound                  = errors.MustNewCode("api_key_not_found")
+	ErrCodeUserNotFound                 = errors.MustNewCode("user_not_found")
+	ErrCodeAmbiguousUser                = errors.MustNewCode("ambiguous_user")
+	ErrUserAlreadyExists                = errors.MustNewCode("user_already_exists")
+	ErrPasswordAlreadyExists            = errors.MustNewCode("password_already_exists")
+	ErrResetPasswordTokenAlreadyExists  = errors.MustNewCode("reset_password_token_already_exists")
+	ErrPasswordNotFound                 = errors.MustNewCode("password_not_found")
+	ErrResetPasswordTokenNotFound       = errors.MustNewCode("reset_password_token_not_found")
+	ErrAPIKeyAlreadyExists              = errors.MustNewCode("api_key_already_exists")
+	ErrAPIKeyNotFound                   = errors.MustNewCode("api_key_not_found")
+	ErrCodeRootUserOperationUnsupported = errors.MustNewCode("root_user_operation_unsupported")
 )
 
 type GettableUser = User
@@ -29,9 +30,10 @@ type User struct {
 
 	Identifiable
 	DisplayName string       `bun:"display_name" json:"displayName"`
-	Email       valuer.Email `bun:"email,type:text" json:"email"`
-	Role        Role         `bun:"role,type:text" json:"role"`
-	OrgID       valuer.UUID  `bun:"org_id,type:text" json:"orgId"`
+	Email       valuer.Email `bun:"email" json:"email"`
+	Role        Role         `bun:"role" json:"role"`
+	OrgID       valuer.UUID  `bun:"org_id" json:"orgId"`
+	IsRoot      bool         `bun:"is_root" json:"isRoot"`
 	TimeAuditable
 }
 
@@ -64,6 +66,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		Email:       email,
 		Role:        role,
 		OrgID:       orgID,
+		IsRoot:      false,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),
 			UpdatedAt: time.Now(),
@@ -71,6 +74,65 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 	}, nil
 }
 
+func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*User, error) {
+	if email.IsZero() {
+		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
+	}
+
+	if orgID.IsZero() {
+		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgID is required")
+	}
+
+	return &User{
+		Identifiable: Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		DisplayName: displayName,
+		Email:       email,
+		Role:        RoleAdmin,
+		OrgID:       orgID,
+		IsRoot:      true,
+		TimeAuditable: TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+	}, nil
+}
+
+// Update applies mutable fields from the input to the user. Immutable fields
+// (email, is_root, org_id, id) are preserved. Only non-zero input fields are applied.
+func (u *User) Update(displayName string, role Role) {
+	if displayName != "" {
+		u.DisplayName = displayName
+	}
+	if role != "" {
+		u.Role = role
+	}
+	u.UpdatedAt = time.Now()
+}
+
+// PromoteToRoot promotes the user to a root user with admin role.
+func (u *User) PromoteToRoot() {
+	u.IsRoot = true
+	u.Role = RoleAdmin
+	u.UpdatedAt = time.Now()
+}
+
+// UpdateEmail updates the email of the user.
+func (u *User) UpdateEmail(email valuer.Email) {
+	u.Email = email
+	u.UpdatedAt = time.Now()
+}
+
+// ErrIfRoot returns an error if the user is a root user. The caller should
+// enrich the error with the specific operation using errors.WithAdditionalf.
+func (u *User) ErrIfRoot() error {
+	if u.IsRoot {
+		return errors.New(errors.TypeUnsupported, ErrCodeRootUserOperationUnsupported, "this operation is not supported for the root user")
+	}
+	return nil
+}
+
 func NewTraitsFromUser(user *User) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
@@ -133,7 +195,7 @@ type UserStore interface {
 	// List users by email and org ids.
 	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*User, error)
 
-	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *User) (*User, error)
+	UpdateUser(ctx context.Context, orgID valuer.UUID, user *User) error
 	DeleteUser(ctx context.Context, orgID string, id string) error
 
 	// Creates a password.
@@ -156,6 +218,9 @@ type UserStore interface {
 
 	CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error)
 
+	// Get root user by org.
+	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*User, error)
+
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error
 }