fix: add userauditable to ttl setting

2026-05-11 12:40:36 +01:00 · 2026-05-11 10:28:38 +05:30
32 changed files with 212 additions and 1338 deletions
--- a/cmd/enterprise/server.go
+++ b/cmd/enterprise/server.go
@@ -8,7 +8,6 @@ import (
 	"github.com/spf13/cobra"

 	"github.com/SigNoz/signoz/cmd"
-	"github.com/SigNoz/signoz/ee/auditor/fileauditor"
 	"github.com/SigNoz/signoz/ee/auditor/otlphttpauditor"
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/oidccallbackauthn"
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/samlcallbackauthn"
@@ -156,9 +155,6 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 			if err := factories.Add(otlphttpauditor.NewFactory(licensing, version.Info)); err != nil {
 				panic(err)
 			}
-			if err := factories.Add(fileauditor.NewFactory(licensing, version.Info)); err != nil {
-				panic(err)
-			}
 			return factories
 		},
 		func(ps factory.ProviderSettings, q querier.Querier, a analytics.Analytics) querier.Handler {
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
@@ -2599,54 +2599,6 @@ components:
      - requiredMetricsCheck
      - endTimeBeforeRetention
      type: object
-    InframonitoringtypesNamespaceRecord:
-      properties:
-        meta:
-          additionalProperties:
-            type: string
-          nullable: true
-          type: object
-        namespaceCPU:
-          format: double
-          type: number
-        namespaceMemory:
-          format: double
-          type: number
-        namespaceName:
-          type: string
-        podCountsByPhase:
-          $ref: '#/components/schemas/InframonitoringtypesPodCountsByPhase'
-      required:
-      - namespaceName
-      - namespaceCPU
-      - namespaceMemory
-      - podCountsByPhase
-      - meta
-      type: object
-    InframonitoringtypesNamespaces:
-      properties:
-        endTimeBeforeRetention:
-          type: boolean
-        records:
-          items:
-            $ref: '#/components/schemas/InframonitoringtypesNamespaceRecord'
-          nullable: true
-          type: array
-        requiredMetricsCheck:
-          $ref: '#/components/schemas/InframonitoringtypesRequiredMetricsCheck'
-        total:
-          type: integer
-        type:
-          $ref: '#/components/schemas/InframonitoringtypesResponseType'
-        warning:
-          $ref: '#/components/schemas/Querybuildertypesv5QueryWarnData'
-      required:
-      - type
-      - records
-      - total
-      - requiredMetricsCheck
-      - endTimeBeforeRetention
-      type: object
    InframonitoringtypesNodeCondition:
      enum:
      - ready
@@ -2850,32 +2802,6 @@ components:
      - end
      - limit
      type: object
-    InframonitoringtypesPostableNamespaces:
-      properties:
-        end:
-          format: int64
-          type: integer
-        filter:
-          $ref: '#/components/schemas/Querybuildertypesv5Filter'
-        groupBy:
-          items:
-            $ref: '#/components/schemas/Querybuildertypesv5GroupByKey'
-          nullable: true
-          type: array
-        limit:
-          type: integer
-        offset:
-          type: integer
-        orderBy:
-          $ref: '#/components/schemas/Querybuildertypesv5OrderBy'
-        start:
-          format: int64
-          type: integer
-      required:
-      - start
-      - end
-      - limit
-      type: object
    InframonitoringtypesPostableNodes:
      properties:
        end:
@@ -11814,74 +11740,6 @@ paths:
      summary: List Hosts for Infra Monitoring
      tags:
      - inframonitoring
-  /api/v2/infra_monitoring/namespaces:
-    post:
-      deprecated: false
-      description: 'Returns a paginated list of Kubernetes namespaces with key aggregated
-        pod metrics: CPU usage and memory working set (summed across pods in the group),
-        plus per-group podCountsByPhase ({ pending, running, succeeded, failed, unknown
-        } from each pod''s latest k8s.pod.phase value in the window). Each namespace
-        includes metadata attributes (k8s.namespace.name, k8s.cluster.name). The response
-        type is ''list'' for the default k8s.namespace.name grouping or ''grouped_list''
-        for custom groupBy keys; in both modes every row aggregates pods in the group.
-        Supports filtering via a filter expression, custom groupBy, ordering by cpu
-        / memory, and pagination via offset/limit. Also reports missing required metrics
-        and whether the requested time range falls before the data retention boundary.
-        Numeric metric fields (namespaceCPU, namespaceMemory) return -1 as a sentinel
-        when no data is available for that field.'
-      operationId: ListNamespaces
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/InframonitoringtypesPostableNamespaces'
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/InframonitoringtypesNamespaces'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - VIEWER
-      - tokenizer:
-        - VIEWER
-      summary: List Namespaces for Infra Monitoring
-      tags:
-      - inframonitoring
  /api/v2/infra_monitoring/nodes:
    post:
      deprecated: false
--- a/ee/auditor/fileauditor/export.go
+++ b/ee/auditor/fileauditor/export.go
@@ -1,33 +0,0 @@
-package fileauditor
-
-import (
-	"context"
-	"log/slog"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types/audittypes"
-)
-
-func (provider *provider) export(ctx context.Context, events []audittypes.AuditEvent) error {
-	logs := audittypes.NewPLogsFromAuditEvents(events, "signoz", provider.build.Version(), "signoz.audit")
-
-	payload, err := provider.marshaler.MarshalLogs(logs)
-	if err != nil {
-		return err
-	}
-
-	// Combine the payload and trailing newline into one Write call so the line
-	// is emitted in a single syscall — concurrent readers see either the full
-	// line or nothing, never a torn JSON object.
-	payload = append(payload, '\n')
-
-	provider.mu.Lock()
-	defer provider.mu.Unlock()
-
-	if _, err := provider.file.Write(payload); err != nil {
-		provider.settings.Logger().ErrorContext(ctx, "audit export failed", errors.Attr(err), slog.Int("dropped_log_records", len(events)))
-		return err
-	}
-
-	return provider.file.Sync()
-}
--- a/ee/auditor/fileauditor/provider.go
+++ b/ee/auditor/fileauditor/provider.go
@@ -1,100 +0,0 @@
-package fileauditor
-
-import (
-	"context"
-	"os"
-	"sync"
-
-	"github.com/SigNoz/signoz/pkg/auditor"
-	"github.com/SigNoz/signoz/pkg/auditor/auditorserver"
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/licensing"
-	"github.com/SigNoz/signoz/pkg/types/audittypes"
-	"github.com/SigNoz/signoz/pkg/version"
-	"go.opentelemetry.io/collector/pdata/plog"
-)
-
-var _ auditor.Auditor = (*provider)(nil)
-
-type provider struct {
-	settings  factory.ScopedProviderSettings
-	config    auditor.Config
-	licensing licensing.Licensing
-	build     version.Build
-	server    *auditorserver.Server
-	marshaler plog.JSONMarshaler
-	file      *os.File
-	mu        sync.Mutex
-}
-
-func NewFactory(licensing licensing.Licensing, build version.Build) factory.ProviderFactory[auditor.Auditor, auditor.Config] {
-	return factory.NewProviderFactory(factory.MustNewName("file"), func(ctx context.Context, providerSettings factory.ProviderSettings, config auditor.Config) (auditor.Auditor, error) {
-		return newProvider(ctx, providerSettings, config, licensing, build)
-	})
-}
-
-func newProvider(_ context.Context, providerSettings factory.ProviderSettings, config auditor.Config, licensing licensing.Licensing, build version.Build) (auditor.Auditor, error) {
-	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/ee/auditor/fileauditor")
-
-	file, err := os.OpenFile(config.File.Path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInvalidInput, auditor.ErrCodeAuditExportFailed, "failed to open audit file %q", config.File.Path)
-	}
-
-	provider := &provider{
-		settings:  settings,
-		config:    config,
-		licensing: licensing,
-		build:     build,
-		marshaler: plog.JSONMarshaler{},
-		file:      file,
-	}
-
-	server, err := auditorserver.New(settings,
-		auditorserver.Config{
-			BufferSize:    config.BufferSize,
-			BatchSize:     config.BatchSize,
-			FlushInterval: config.FlushInterval,
-		},
-		provider.export,
-	)
-	if err != nil {
-		_ = file.Close()
-		return nil, err
-	}
-
-	provider.server = server
-	return provider, nil
-}
-
-func (provider *provider) Start(ctx context.Context) error {
-	return provider.server.Start(ctx)
-}
-
-func (provider *provider) Audit(ctx context.Context, event audittypes.AuditEvent) {
-	if event.PrincipalAttributes.PrincipalOrgID.IsZero() {
-		provider.settings.Logger().WarnContext(ctx, "audit event dropped as org_id is zero")
-		return
-	}
-
-	if _, err := provider.licensing.GetActive(ctx, event.PrincipalAttributes.PrincipalOrgID); err != nil {
-		return
-	}
-
-	provider.server.Add(ctx, event)
-}
-
-func (provider *provider) Healthy() <-chan struct{} {
-	return provider.server.Healthy()
-}
-
-func (provider *provider) Stop(ctx context.Context) error {
-	serverErr := provider.server.Stop(ctx)
-	fileErr := provider.file.Close()
-	if serverErr != nil {
-		return serverErr
-	}
-
-	return fileErr
-}
--- a/frontend/src/api/generated/services/inframonitoring/index.ts
+++ b/frontend/src/api/generated/services/inframonitoring/index.ts
@@ -13,11 +13,9 @@ import type {

 import type {
 	InframonitoringtypesPostableHostsDTO,
-	InframonitoringtypesPostableNamespacesDTO,
 	InframonitoringtypesPostableNodesDTO,
 	InframonitoringtypesPostablePodsDTO,
 	ListHosts200,
-	ListNamespaces200,
 	ListNodes200,
 	ListPods200,
 	RenderErrorResponseDTO,
@@ -110,90 +108,6 @@ export const useListHosts = <

 	return useMutation(mutationOptions);
 };
-/**
- * Returns a paginated list of Kubernetes namespaces with key aggregated pod metrics: CPU usage and memory working set (summed across pods in the group), plus per-group podCountsByPhase ({ pending, running, succeeded, failed, unknown } from each pod's latest k8s.pod.phase value in the window). Each namespace includes metadata attributes (k8s.namespace.name, k8s.cluster.name). The response type is 'list' for the default k8s.namespace.name grouping or 'grouped_list' for custom groupBy keys; in both modes every row aggregates pods in the group. Supports filtering via a filter expression, custom groupBy, ordering by cpu / memory, and pagination via offset/limit. Also reports missing required metrics and whether the requested time range falls before the data retention boundary. Numeric metric fields (namespaceCPU, namespaceMemory) return -1 as a sentinel when no data is available for that field.
- * @summary List Namespaces for Infra Monitoring
- */
-export const listNamespaces = (
-	inframonitoringtypesPostableNamespacesDTO: BodyType<InframonitoringtypesPostableNamespacesDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<ListNamespaces200>({
-		url: `/api/v2/infra_monitoring/namespaces`,
-		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
-		data: inframonitoringtypesPostableNamespacesDTO,
-		signal,
-	});
-};
-
-export const getListNamespacesMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof listNamespaces>>,
-		TError,
-		{ data: BodyType<InframonitoringtypesPostableNamespacesDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof listNamespaces>>,
-	TError,
-	{ data: BodyType<InframonitoringtypesPostableNamespacesDTO> },
-	TContext
-> => {
-	const mutationKey = ['listNamespaces'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-			'mutationKey' in options.mutation &&
-			options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof listNamespaces>>,
-		{ data: BodyType<InframonitoringtypesPostableNamespacesDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return listNamespaces(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type ListNamespacesMutationResult = NonNullable<
-	Awaited<ReturnType<typeof listNamespaces>>
->;
-export type ListNamespacesMutationBody =
-	BodyType<InframonitoringtypesPostableNamespacesDTO>;
-export type ListNamespacesMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary List Namespaces for Infra Monitoring
- */
-export const useListNamespaces = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof listNamespaces>>,
-		TError,
-		{ data: BodyType<InframonitoringtypesPostableNamespacesDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof listNamespaces>>,
-	TError,
-	{ data: BodyType<InframonitoringtypesPostableNamespacesDTO> },
-	TContext
-> => {
-	const mutationOptions = getListNamespacesMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
 /**
 * Returns a paginated list of Kubernetes nodes with key metrics: CPU usage, CPU allocatable, memory working set, memory allocatable, per-group nodeCountsByReadiness ({ ready, notReady } from each node's latest k8s.node.condition_ready in the window) and per-group podCountsByPhase ({ pending, running, succeeded, failed, unknown } for pods scheduled on the listed nodes). Each node includes metadata attributes (k8s.node.uid, k8s.cluster.name). The response type is 'list' for the default k8s.node.name grouping (each row is one node with its current condition string: ready / not_ready / no_data) or 'grouped_list' for custom groupBy keys (each row aggregates nodes in the group; condition stays no_data). Supports filtering via a filter expression, custom groupBy, ordering by cpu / cpu_allocatable / memory / memory_allocatable, and pagination via offset/limit. Also reports missing required metrics and whether the requested time range falls before the data retention boundary. Numeric metric fields (nodeCPU, nodeCPUAllocatable, nodeMemory, nodeMemoryAllocatable) return -1 as a sentinel when no data is available for that field.
 * @summary List Nodes for Infra Monitoring
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -4653,55 +4653,6 @@ export interface InframonitoringtypesHostsDTO {
 	warning?: Querybuildertypesv5QueryWarnDataDTO;
 }

-/**
- * @nullable
- */
-export type InframonitoringtypesNamespaceRecordDTOMeta = {
-	[key: string]: string;
-} | null;
-
-export interface InframonitoringtypesNamespaceRecordDTO {
-	/**
-	 * @type object
-	 * @nullable true
-	 */
-	meta: InframonitoringtypesNamespaceRecordDTOMeta;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	namespaceCPU: number;
-	/**
-	 * @type number
-	 * @format double
-	 */
-	namespaceMemory: number;
-	/**
-	 * @type string
-	 */
-	namespaceName: string;
-	podCountsByPhase: InframonitoringtypesPodCountsByPhaseDTO;
-}
-
-export interface InframonitoringtypesNamespacesDTO {
-	/**
-	 * @type boolean
-	 */
-	endTimeBeforeRetention: boolean;
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	records: InframonitoringtypesNamespaceRecordDTO[] | null;
-	requiredMetricsCheck: InframonitoringtypesRequiredMetricsCheckDTO;
-	/**
-	 * @type integer
-	 */
-	total: number;
-	type: InframonitoringtypesResponseTypeDTO;
-	warning?: Querybuildertypesv5QueryWarnDataDTO;
-}
-
 export enum InframonitoringtypesNodeConditionDTO {
 	ready = 'ready',
 	not_ready = 'not_ready',
@@ -4913,34 +4864,6 @@ export interface InframonitoringtypesPostableHostsDTO {
 	start: number;
 }

-export interface InframonitoringtypesPostableNamespacesDTO {
-	/**
-	 * @type integer
-	 * @format int64
-	 */
-	end: number;
-	filter?: Querybuildertypesv5FilterDTO;
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	groupBy?: Querybuildertypesv5GroupByKeyDTO[] | null;
-	/**
-	 * @type integer
-	 */
-	limit: number;
-	/**
-	 * @type integer
-	 */
-	offset?: number;
-	orderBy?: Querybuildertypesv5OrderByDTO;
-	/**
-	 * @type integer
-	 * @format int64
-	 */
-	start: number;
-}
-
 export interface InframonitoringtypesPostableNodesDTO {
 	/**
 	 * @type integer
@@ -9332,14 +9255,6 @@ export type ListHosts200 = {
 	status: string;
 };

-export type ListNamespaces200 = {
-	data: InframonitoringtypesNamespacesDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
 export type ListNodes200 = {
 	data: InframonitoringtypesNodesDTO;
 	/**
--- a/frontend/src/components/ServiceAccountDrawer/OverviewTab.tsx
+++ b/frontend/src/components/ServiceAccountDrawer/OverviewTab.tsx
@@ -16,8 +16,8 @@ interface OverviewTabProps {
 	account: ServiceAccountRow;
 	localName: string;
 	onNameChange: (v: string) => void;
-	localRoles: string[];
-	onRolesChange: (v: string[]) => void;
+	localRole: string;
+	onRoleChange: (v: string | undefined) => void;
 	isDisabled: boolean;
 	availableRoles: AuthtypesRoleDTO[];
 	rolesLoading?: boolean;
@@ -31,8 +31,8 @@ function OverviewTab({
 	account,
 	localName,
 	onNameChange,
-	localRoles,
-	onRolesChange,
+	localRole,
+	onRoleChange,
 	isDisabled,
 	availableRoles,
 	rolesLoading,
@@ -95,15 +95,10 @@ function OverviewTab({
 				{isDisabled ? (
 					<div className="sa-drawer__input-wrapper sa-drawer__input-wrapper--disabled">
 						<div className="sa-drawer__disabled-roles">
-							{localRoles.length > 0 ? (
-								localRoles.map((roleId) => {
-									const role = availableRoles.find((r) => r.id === roleId);
-									return (
-										<Badge key={roleId} color="vanilla">
-											{role?.name ?? roleId}
-										</Badge>
-									);
-								})
+							{localRole ? (
+								<Badge color="vanilla">
+									{availableRoles.find((r) => r.id === localRole)?.name ?? localRole}
+								</Badge>
 							) : (
 								<span className="sa-drawer__input-text">—</span>
 							)}
@@ -113,15 +108,14 @@ function OverviewTab({
 				) : (
 					<RolesSelect
 						id="sa-roles"
-						mode="multiple"
 						roles={availableRoles}
 						loading={rolesLoading}
 						isError={rolesError}
 						error={rolesErrorObj}
 						onRefetch={onRefetchRoles}
-						value={localRoles}
-						onChange={onRolesChange}
-						placeholder="Select roles"
+						value={localRole}
+						onChange={onRoleChange}
+						placeholder="Select role"
 					/>
 				)}
 			</div>
--- a/frontend/src/components/ServiceAccountDrawer/ServiceAccountDrawer.tsx
+++ b/frontend/src/components/ServiceAccountDrawer/ServiceAccountDrawer.tsx
@@ -8,7 +8,9 @@ import { ToggleGroup, ToggleGroupItem } from '@signozhq/ui/toggle-group';
 import { Pagination, Skeleton } from 'antd';
 import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import {
+	getGetServiceAccountRolesQueryKey,
 	getListServiceAccountsQueryKey,
+	useDeleteServiceAccountRole,
 	useGetServiceAccount,
 	useListServiceAccountKeys,
 	useUpdateServiceAccount,
@@ -35,7 +37,7 @@ import {
 	useQueryState,
 } from 'nuqs';
 import APIError from 'types/api/error';
-import { toAPIError } from 'utils/errorUtils';
+import { retryOn429, toAPIError } from 'utils/errorUtils';

 import AddKeyModal from './AddKeyModal';
 import DeleteAccountModal from './DeleteAccountModal';
@@ -90,7 +92,7 @@ function ServiceAccountDrawer({
 		parseAsBoolean.withDefault(false),
 	);
 	const [localName, setLocalName] = useState('');
-	const [localRoles, setLocalRoles] = useState<string[]>([]);
+	const [localRole, setLocalRole] = useState('');
 	const [isSaving, setIsSaving] = useState(false);
 	const [saveErrors, setSaveErrors] = useState<SaveError[]>([]);

@@ -138,7 +140,7 @@ function ServiceAccountDrawer({
 		if (!account?.id) {
 			roleSessionRef.current = null;
 		} else if (account.id !== roleSessionRef.current && !isRolesLoading) {
-			setLocalRoles(currentRoles.map((r) => r.id).filter(Boolean) as string[]);
+			setLocalRole(currentRoles[0]?.id ?? '');
 			roleSessionRef.current = account.id;
 		}
 	}, [account?.id, currentRoles, isRolesLoading]);
@@ -149,13 +151,7 @@ function ServiceAccountDrawer({
 	const isDirty =
 		account !== null &&
 		(localName !== (account.name ?? '') ||
-			JSON.stringify([...localRoles].sort()) !==
-				JSON.stringify(
-					currentRoles
-						.map((r) => r.id)
-						.filter(Boolean)
-						.sort(),
-				));
+			localRole !== (currentRoles[0]?.id ?? ''));

 	const {
 		roles: availableRoles,
@@ -183,6 +179,27 @@ function ServiceAccountDrawer({

 	// the retry for this mutation is safe due to the api being idempotent on backend
 	const { mutateAsync: updateMutateAsync } = useUpdateServiceAccount();
+	const { mutateAsync: deleteRole } = useDeleteServiceAccountRole({
+		mutation: {
+			retry: retryOn429,
+		},
+	});
+
+	const executeRolesOperation = useCallback(
+		async (accountId: string): Promise<RoleUpdateFailure[]> => {
+			if (localRole === '' && currentRoles[0]?.id) {
+				await deleteRole({
+					pathParams: { id: accountId, rid: currentRoles[0].id },
+				});
+				await queryClient.invalidateQueries(
+					getGetServiceAccountRolesQueryKey({ id: accountId }),
+				);
+				return [];
+			}
+			return applyDiff([localRole].filter(Boolean), availableRoles);
+		},
+		[localRole, currentRoles, availableRoles, applyDiff, deleteRole, queryClient],
+	);

 	const retryNameUpdate = useCallback(async (): Promise<void> => {
 		if (!account) {
@@ -250,7 +267,7 @@ function ServiceAccountDrawer({

 	const retryRolesUpdate = useCallback(async (): Promise<void> => {
 		try {
-			const failures = await applyDiff([...localRoles], availableRoles);
+			const failures = await executeRolesOperation(selectedAccountId ?? '');
 			if (failures.length === 0) {
 				setSaveErrors((prev) => prev.filter((e) => e.context !== 'Roles update'));
 			} else {
@@ -266,7 +283,7 @@ function ServiceAccountDrawer({
 				),
 			);
 		}
-	}, [localRoles, availableRoles, applyDiff, failuresToSaveErrors]);
+	}, [selectedAccountId, executeRolesOperation, failuresToSaveErrors]);

 	const handleSave = useCallback(async (): Promise<void> => {
 		if (!account || !isDirty) {
@@ -285,7 +302,7 @@ function ServiceAccountDrawer({

 			const [nameResult, rolesResult] = await Promise.allSettled([
 				namePromise,
-				applyDiff([...localRoles], availableRoles),
+				executeRolesOperation(account.id),
 			]);

 			const errors: SaveError[] = [];
@@ -326,10 +343,8 @@ function ServiceAccountDrawer({
 		account,
 		isDirty,
 		localName,
-		localRoles,
-		availableRoles,
 		updateMutateAsync,
-		applyDiff,
+		executeRolesOperation,
 		refetchAccount,
 		onSuccess,
 		queryClient,
@@ -428,9 +443,9 @@ function ServiceAccountDrawer({
 								account={account}
 								localName={localName}
 								onNameChange={handleNameChange}
-								localRoles={localRoles}
-								onRolesChange={(roles): void => {
-									setLocalRoles(roles);
+								localRole={localRole}
+								onRoleChange={(role): void => {
+									setLocalRole(role ?? '');
 									clearRoleErrors();
 								}}
 								isDisabled={isDeleted}
--- a/frontend/src/components/ServiceAccountDrawer/tests/ServiceAccountDrawer.test.tsx
+++ b/frontend/src/components/ServiceAccountDrawer/tests/ServiceAccountDrawer.test.tsx
@@ -151,7 +151,7 @@ describe('ServiceAccountDrawer', () => {
 		});
 	});

-	it('adding a role fires POST for the new role and no DELETE for existing roles', async () => {
+	it('changing roles enables Save; clicking Save sends role add request without delete', async () => {
 		const roleSpy = jest.fn();
 		const deleteSpy = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
@@ -171,7 +171,6 @@ describe('ServiceAccountDrawer', () => {

 		await screen.findByDisplayValue('CI Bot');

-		// Add signoz-viewer while keeping signoz-admin selected
 		await user.click(screen.getByLabelText('Roles'));
 		await user.click(await screen.findByTitle('signoz-viewer'));

@@ -189,43 +188,6 @@ describe('ServiceAccountDrawer', () => {
 		});
 	});

-	it('removing a role fires DELETE for the removed role and no POST', async () => {
-		const roleSpy = jest.fn();
-		const deleteSpy = jest.fn();
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		server.use(
-			rest.post(SA_ROLES_ENDPOINT, async (req, res, ctx) => {
-				roleSpy(await req.json());
-				return res(ctx.status(200), ctx.json({ status: 'success', data: {} }));
-			}),
-			rest.delete(SA_ROLE_DELETE_ENDPOINT, (_, res, ctx) => {
-				deleteSpy();
-				return res(ctx.status(200), ctx.json({ status: 'success', data: {} }));
-			}),
-		);
-
-		renderDrawer();
-
-		await screen.findByDisplayValue('CI Bot');
-
-		// Remove the signoz-admin tag from the multi-select
-		const adminTag = await screen.findByTitle('signoz-admin');
-		const removeBtn = adminTag.querySelector(
-			'.ant-select-selection-item-remove',
-		) as Element;
-		await user.click(removeBtn);
-
-		const saveBtn = screen.getByRole('button', { name: /Save Changes/i });
-		await waitFor(() => expect(saveBtn).not.toBeDisabled());
-		await user.click(saveBtn);
-
-		await waitFor(() => {
-			expect(deleteSpy).toHaveBeenCalled();
-			expect(roleSpy).not.toHaveBeenCalled();
-		});
-	});
-
 	it('"Delete Service Account" opens confirm dialog; confirming sends delete request', async () => {
 		const deleteSpy = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
--- a/frontend/src/components/TanStackTableView/tests/useTableParams.test.tsx
+++ b/frontend/src/components/TanStackTableView/tests/useTableParams.test.tsx
@@ -398,7 +398,7 @@ describe('useTableParams (selective URL mode — partial config object)', () =>
 			.filter(Boolean)
 			.pop();
 		expect(lastExpanded).toBeDefined();
-		expect(JSON.parse(lastExpanded!)).toStrictEqual(
+		expect(JSON.parse(lastExpanded!)).toEqual(
 			expect.arrayContaining(['row-1', 'row-2']),
 		);

--- a/frontend/src/hooks/serviceAccount/useServiceAccountRoleManager.ts
+++ b/frontend/src/hooks/serviceAccount/useServiceAccountRoleManager.ts
@@ -3,7 +3,6 @@ import { useQueryClient } from 'react-query';
 import {
 	getGetServiceAccountRolesQueryKey,
 	useCreateServiceAccountRole,
-	useDeleteServiceAccountRole,
 	useGetServiceAccountRoles,
 } from 'api/generated/services/serviceaccount';
 import type { AuthtypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
@@ -45,9 +44,6 @@ export function useServiceAccountRoleManager(
 	const { mutateAsync: createRole } = useCreateServiceAccountRole({
 		mutation: { retry: retryOn429 },
 	});
-	const { mutateAsync: deleteRole } = useDeleteServiceAccountRole({
-		mutation: { retry: retryOn429 },
-	});

 	const invalidateRoles = useCallback(
 		() =>
@@ -72,21 +68,14 @@ export function useServiceAccountRoleManager(
 			const addedRoles = availableRoles.filter(
 				(r) => r.id && desiredRoleIds.has(r.id) && !currentRoleIds.has(r.id),
 			);
-			const removedRoles = currentRoles.filter(
-				(r) => r.id && !desiredRoleIds.has(r.id),
-			);

+			// TODO: re-enable deletes once BE for this is streamlined
 			const allOperations = [
 				...addedRoles.map((role) => ({
 					role,
 					run: (): ReturnType<typeof createRole> =>
 						createRole({ pathParams: { id: accountId }, data: { id: role.id } }),
 				})),
-				...removedRoles.map((role) => ({
-					role,
-					run: (): ReturnType<typeof deleteRole> =>
-						deleteRole({ pathParams: { id: accountId, rid: role.id ?? '' } }),
-				})),
 			];

 			const results = await Promise.allSettled(
@@ -117,7 +106,7 @@ export function useServiceAccountRoleManager(

 			return failures;
 		},
-		[accountId, currentRoles, createRole, deleteRole, invalidateRoles],
+		[accountId, currentRoles, createRole, invalidateRoles],
 	);

 	return {
--- a/pkg/apiserver/signozapiserver/inframonitoring.go
+++ b/pkg/apiserver/signozapiserver/inframonitoring.go
@@ -67,24 +67,5 @@ func (provider *provider) addInfraMonitoringRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v2/infra_monitoring/namespaces", handler.New(
-		provider.authzMiddleware.ViewAccess(provider.infraMonitoringHandler.ListNamespaces),
-		handler.OpenAPIDef{
-			ID:                  "ListNamespaces",
-			Tags:                []string{"inframonitoring"},
-			Summary:             "List Namespaces for Infra Monitoring",
-			Description:         "Returns a paginated list of Kubernetes namespaces with key aggregated pod metrics: CPU usage and memory working set (summed across pods in the group), plus per-group podCountsByPhase ({ pending, running, succeeded, failed, unknown } from each pod's latest k8s.pod.phase value in the window). Each namespace includes metadata attributes (k8s.namespace.name, k8s.cluster.name). The response type is 'list' for the default k8s.namespace.name grouping or 'grouped_list' for custom groupBy keys; in both modes every row aggregates pods in the group. Supports filtering via a filter expression, custom groupBy, ordering by cpu / memory, and pagination via offset/limit. Also reports missing required metrics and whether the requested time range falls before the data retention boundary. Numeric metric fields (namespaceCPU, namespaceMemory) return -1 as a sentinel when no data is available for that field.",
-			Request:             new(inframonitoringtypes.PostableNamespaces),
-			RequestContentType:  "application/json",
-			Response:            new(inframonitoringtypes.Namespaces),
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusOK,
-			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusUnauthorized},
-			Deprecated:          false,
-			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
-		})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
 	return nil
 }
--- a/pkg/auditor/config.go
+++ b/pkg/auditor/config.go
@@ -25,8 +25,6 @@ type Config struct {
 	FlushInterval time.Duration `mapstructure:"flush_interval"`

 	OTLPHTTP OTLPHTTPConfig `mapstructure:"otlphttp"`
-
-	File FileConfig `mapstructure:"file"`
 }

 // OTLPHTTPConfig holds configuration for the OTLP HTTP exporter provider.
@@ -48,12 +46,6 @@ type OTLPHTTPConfig struct {
 	Retry RetryConfig `mapstructure:"retry"`
 }

-type FileConfig struct {
-	// Path is the absolute path to the audit log file. The file is opened with
-	// O_APPEND|O_CREATE|O_WRONLY; existing contents are preserved across runs.
-	Path string `mapstructure:"path"`
-}
-
 // RetryConfig configures exponential backoff for the OTLP HTTP exporter.
 type RetryConfig struct {
 	// Enabled controls whether retries are attempted on transient failures.
@@ -119,11 +111,5 @@ func (c Config) Validate() error {
 		}
 	}

-	if c.Provider == "file" {
-		if c.File.Path == "" {
-			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "auditor::file::path must be set when provider is file")
-		}
-	}
-
 	return nil
 }
--- a/pkg/modules/inframonitoring/implinframonitoring/handler.go
+++ b/pkg/modules/inframonitoring/implinframonitoring/handler.go
@@ -93,27 +93,3 @@ func (h *handler) ListNodes(rw http.ResponseWriter, req *http.Request) {

 	render.Success(rw, http.StatusOK, result)
 }
-
-func (h *handler) ListNamespaces(rw http.ResponseWriter, req *http.Request) {
-	claims, err := authtypes.ClaimsFromContext(req.Context())
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	orgID := valuer.MustNewUUID(claims.OrgID)
-
-	var parsedReq inframonitoringtypes.PostableNamespaces
-	if err := binding.JSON.BindBody(req.Body, &parsedReq); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	result, err := h.module.ListNamespaces(req.Context(), orgID, &parsedReq)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, result)
-}
--- a/pkg/modules/inframonitoring/implinframonitoring/module.go
+++ b/pkg/modules/inframonitoring/implinframonitoring/module.go
@@ -337,92 +337,3 @@ func (m *module) ListNodes(ctx context.Context, orgID valuer.UUID, req *inframon

 	return resp, nil
 }
-
-func (m *module) ListNamespaces(ctx context.Context, orgID valuer.UUID, req *inframonitoringtypes.PostableNamespaces) (*inframonitoringtypes.Namespaces, error) {
-	if err := req.Validate(); err != nil {
-		return nil, err
-	}
-
-	resp := &inframonitoringtypes.Namespaces{}
-
-	if req.OrderBy == nil {
-		req.OrderBy = &qbtypes.OrderBy{
-			Key: qbtypes.OrderByKey{
-				TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-					Name: inframonitoringtypes.NamespacesOrderByCPU,
-				},
-			},
-			Direction: qbtypes.OrderDirectionDesc,
-		}
-	}
-
-	if len(req.GroupBy) == 0 {
-		req.GroupBy = []qbtypes.GroupByKey{namespaceNameGroupByKey}
-		resp.Type = inframonitoringtypes.ResponseTypeList
-	} else {
-		resp.Type = inframonitoringtypes.ResponseTypeGroupedList
-	}
-
-	missingMetrics, minFirstReportedUnixMilli, err := m.getMetricsExistenceAndEarliestTime(ctx, namespacesTableMetricNamesList)
-	if err != nil {
-		return nil, err
-	}
-	if len(missingMetrics) > 0 {
-		resp.RequiredMetricsCheck = inframonitoringtypes.RequiredMetricsCheck{MissingMetrics: missingMetrics}
-		resp.Records = []inframonitoringtypes.NamespaceRecord{}
-		resp.Total = 0
-		return resp, nil
-	}
-	if req.End < int64(minFirstReportedUnixMilli) {
-		resp.EndTimeBeforeRetention = true
-		resp.Records = []inframonitoringtypes.NamespaceRecord{}
-		resp.Total = 0
-		return resp, nil
-	}
-	resp.RequiredMetricsCheck = inframonitoringtypes.RequiredMetricsCheck{MissingMetrics: []string{}}
-
-	metadataMap, err := m.getNamespacesTableMetadata(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-
-	resp.Total = len(metadataMap)
-
-	pageGroups, err := m.getTopNamespaceGroups(ctx, orgID, req, metadataMap)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(pageGroups) == 0 {
-		resp.Records = []inframonitoringtypes.NamespaceRecord{}
-		return resp, nil
-	}
-
-	filterExpr := ""
-	if req.Filter != nil {
-		filterExpr = req.Filter.Expression
-	}
-
-	fullQueryReq := buildFullQueryRequest(req.Start, req.End, filterExpr, req.GroupBy, pageGroups, m.newNamespacesTableListQuery())
-	queryResp, err := m.querier.QueryRange(ctx, orgID, fullQueryReq)
-	if err != nil {
-		return nil, err
-	}
-
-	// Reuse the pods phase-counts CTE function via a temp struct — it reads only
-	// Start/End/Filter/GroupBy from PostablePods.
-	phaseCounts, err := m.getPerGroupPodPhaseCounts(ctx, &inframonitoringtypes.PostablePods{
-		Start:   req.Start,
-		End:     req.End,
-		Filter:  req.Filter,
-		GroupBy: req.GroupBy,
-	}, pageGroups)
-	if err != nil {
-		return nil, err
-	}
-
-	resp.Records = buildNamespaceRecords(queryResp, pageGroups, req.GroupBy, metadataMap, phaseCounts)
-	resp.Warning = queryResp.Warning
-
-	return resp, nil
-}
--- a/pkg/modules/inframonitoring/implinframonitoring/namespaces.go
+++ b/pkg/modules/inframonitoring/implinframonitoring/namespaces.go
@@ -1,123 +0,0 @@
-package implinframonitoring
-
-import (
-	"context"
-	"slices"
-
-	"github.com/SigNoz/signoz/pkg/types/inframonitoringtypes"
-	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-// buildNamespaceRecords assembles the page records. Pod phase counts come from
-// phaseCounts in both modes; every row is a group of pods, so there's no
-// per-row "current phase" concept (unlike pods/nodes list mode).
-func buildNamespaceRecords(
-	resp *qbtypes.QueryRangeResponse,
-	pageGroups []map[string]string,
-	groupBy []qbtypes.GroupByKey,
-	metadataMap map[string]map[string]string,
-	phaseCounts map[string]podPhaseCounts,
-) []inframonitoringtypes.NamespaceRecord {
-	metricsMap := parseFullQueryResponse(resp, groupBy)
-
-	records := make([]inframonitoringtypes.NamespaceRecord, 0, len(pageGroups))
-	for _, labels := range pageGroups {
-		compositeKey := compositeKeyFromLabels(labels, groupBy)
-		namespaceName := labels[namespaceNameAttrKey]
-
-		record := inframonitoringtypes.NamespaceRecord{ // initialize with default values
-			NamespaceName:   namespaceName,
-			NamespaceCPU:    -1,
-			NamespaceMemory: -1,
-			Meta:            map[string]string{},
-		}
-
-		if metrics, ok := metricsMap[compositeKey]; ok {
-			if v, exists := metrics["A"]; exists {
-				record.NamespaceCPU = v
-			}
-			if v, exists := metrics["D"]; exists {
-				record.NamespaceMemory = v
-			}
-		}
-
-		if phaseCountsForGroup, ok := phaseCounts[compositeKey]; ok {
-			record.PodCountsByPhase = inframonitoringtypes.PodCountsByPhase{
-				Pending:   phaseCountsForGroup.Pending,
-				Running:   phaseCountsForGroup.Running,
-				Succeeded: phaseCountsForGroup.Succeeded,
-				Failed:    phaseCountsForGroup.Failed,
-				Unknown:   phaseCountsForGroup.Unknown,
-			}
-		}
-
-		if attrs, ok := metadataMap[compositeKey]; ok {
-			for k, v := range attrs {
-				record.Meta[k] = v
-			}
-		}
-
-		records = append(records, record)
-	}
-	return records
-}
-
-func (m *module) getTopNamespaceGroups(
-	ctx context.Context,
-	orgID valuer.UUID,
-	req *inframonitoringtypes.PostableNamespaces,
-	metadataMap map[string]map[string]string,
-) ([]map[string]string, error) {
-	orderByKey := req.OrderBy.Key.Name
-	queryNamesForOrderBy := orderByToNamespacesQueryNames[orderByKey]
-	rankingQueryName := queryNamesForOrderBy[len(queryNamesForOrderBy)-1]
-
-	topReq := &qbtypes.QueryRangeRequest{
-		Start:       uint64(req.Start),
-		End:         uint64(req.End),
-		RequestType: qbtypes.RequestTypeScalar,
-		CompositeQuery: qbtypes.CompositeQuery{
-			Queries: make([]qbtypes.QueryEnvelope, 0, len(queryNamesForOrderBy)),
-		},
-	}
-
-	for _, envelope := range m.newNamespacesTableListQuery().CompositeQuery.Queries {
-		if !slices.Contains(queryNamesForOrderBy, envelope.GetQueryName()) {
-			continue
-		}
-		copied := envelope
-		if copied.Type == qbtypes.QueryTypeBuilder {
-			existingExpr := ""
-			if f := copied.GetFilter(); f != nil {
-				existingExpr = f.Expression
-			}
-			reqFilterExpr := ""
-			if req.Filter != nil {
-				reqFilterExpr = req.Filter.Expression
-			}
-			merged := mergeFilterExpressions(existingExpr, reqFilterExpr)
-			copied.SetFilter(&qbtypes.Filter{Expression: merged})
-			copied.SetGroupBy(req.GroupBy)
-		}
-		topReq.CompositeQuery.Queries = append(topReq.CompositeQuery.Queries, copied)
-	}
-
-	resp, err := m.querier.QueryRange(ctx, orgID, topReq)
-	if err != nil {
-		return nil, err
-	}
-
-	allMetricGroups := parseAndSortGroups(resp, rankingQueryName, req.GroupBy, req.OrderBy.Direction)
-	return paginateWithBackfill(allMetricGroups, metadataMap, req.GroupBy, req.Offset, req.Limit), nil
-}
-
-func (m *module) getNamespacesTableMetadata(ctx context.Context, req *inframonitoringtypes.PostableNamespaces) (map[string]map[string]string, error) {
-	var nonGroupByAttrs []string
-	for _, key := range namespaceAttrKeysForMetadata {
-		if !isKeyInGroupByAttrs(req.GroupBy, key) {
-			nonGroupByAttrs = append(nonGroupByAttrs, key)
-		}
-	}
-	return m.getMetadata(ctx, namespacesTableMetricNamesList, req.GroupBy, nonGroupByAttrs, req.Filter, req.Start, req.End)
-}
--- a/pkg/modules/inframonitoring/implinframonitoring/namespaces_constants.go
+++ b/pkg/modules/inframonitoring/implinframonitoring/namespaces_constants.go
@@ -1,92 +0,0 @@
-package implinframonitoring
-
-import (
-	"github.com/SigNoz/signoz/pkg/types/inframonitoringtypes"
-	"github.com/SigNoz/signoz/pkg/types/metrictypes"
-	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
-	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-)
-
-const (
-	namespaceNameAttrKey = "k8s.namespace.name"
-)
-
-var namespaceNameGroupByKey = qbtypes.GroupByKey{
-	TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-		Name:          namespaceNameAttrKey,
-		FieldContext:  telemetrytypes.FieldContextResource,
-		FieldDataType: telemetrytypes.FieldDataTypeString,
-	},
-}
-
-// namespacesTableMetricNamesList drives the existence/retention check.
-// Includes k8s.pod.phase so the response short-circuits cleanly when a
-// cluster doesn't ship the metric — even though phase isn't part of the
-// QB composite query (it's queried separately via getPerGroupPodPhaseCounts).
-var namespacesTableMetricNamesList = []string{
-	"k8s.pod.cpu.usage",
-	"k8s.pod.memory.working_set",
-	"k8s.pod.phase",
-}
-
-var namespaceAttrKeysForMetadata = []string{
-	"k8s.namespace.name",
-	"k8s.cluster.name",
-}
-
-var orderByToNamespacesQueryNames = map[string][]string{
-	inframonitoringtypes.NamespacesOrderByCPU:    {"A"},
-	inframonitoringtypes.NamespacesOrderByMemory: {"D"},
-}
-
-// newNamespacesTableListQuery builds the composite QB v5 request for the namespaces list.
-// Pod phase counts are derived separately via getPerGroupPodPhaseCounts (works for both
-// list and grouped_list modes), so no phase query is included here.
-// Query letters A and D are kept aligned with the v1 implementation.
-func (m *module) newNamespacesTableListQuery() *qbtypes.QueryRangeRequest {
-	queries := []qbtypes.QueryEnvelope{
-		// Query A: CPU usage — sum of pod CPU within the group.
-		{
-			Type: qbtypes.QueryTypeBuilder,
-			Spec: qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]{
-				Name:   "A",
-				Signal: telemetrytypes.SignalMetrics,
-				Aggregations: []qbtypes.MetricAggregation{
-					{
-						MetricName:       "k8s.pod.cpu.usage",
-						TimeAggregation:  metrictypes.TimeAggregationAvg,
-						SpaceAggregation: metrictypes.SpaceAggregationSum,
-						ReduceTo:         qbtypes.ReduceToAvg,
-					},
-				},
-				GroupBy:  []qbtypes.GroupByKey{namespaceNameGroupByKey},
-				Disabled: false,
-			},
-		},
-		// Query D: Memory working set — sum of pod memory within the group.
-		{
-			Type: qbtypes.QueryTypeBuilder,
-			Spec: qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]{
-				Name:   "D",
-				Signal: telemetrytypes.SignalMetrics,
-				Aggregations: []qbtypes.MetricAggregation{
-					{
-						MetricName:       "k8s.pod.memory.working_set",
-						TimeAggregation:  metrictypes.TimeAggregationAvg,
-						SpaceAggregation: metrictypes.SpaceAggregationSum,
-						ReduceTo:         qbtypes.ReduceToAvg,
-					},
-				},
-				GroupBy:  []qbtypes.GroupByKey{namespaceNameGroupByKey},
-				Disabled: false,
-			},
-		},
-	}
-
-	return &qbtypes.QueryRangeRequest{
-		RequestType: qbtypes.RequestTypeScalar,
-		CompositeQuery: qbtypes.CompositeQuery{
-			Queries: queries,
-		},
-	}
-}
--- a/pkg/modules/inframonitoring/inframonitoring.go
+++ b/pkg/modules/inframonitoring/inframonitoring.go
@@ -12,12 +12,10 @@ type Handler interface {
 	ListHosts(http.ResponseWriter, *http.Request)
 	ListPods(http.ResponseWriter, *http.Request)
 	ListNodes(http.ResponseWriter, *http.Request)
-	ListNamespaces(http.ResponseWriter, *http.Request)
 }

 type Module interface {
 	ListHosts(ctx context.Context, orgID valuer.UUID, req *inframonitoringtypes.PostableHosts) (*inframonitoringtypes.Hosts, error)
 	ListPods(ctx context.Context, orgID valuer.UUID, req *inframonitoringtypes.PostablePods) (*inframonitoringtypes.Pods, error)
 	ListNodes(ctx context.Context, orgID valuer.UUID, req *inframonitoringtypes.PostableNodes) (*inframonitoringtypes.Nodes, error)
-	ListNamespaces(ctx context.Context, orgID valuer.UUID, req *inframonitoringtypes.PostableNamespaces) (*inframonitoringtypes.Namespaces, error)
 }
--- a/pkg/modules/serviceaccount/implserviceaccount/module.go
+++ b/pkg/modules/serviceaccount/implserviceaccount/module.go
@@ -377,7 +377,7 @@ func (module *module) getOrGetSetIdentity(ctx context.Context, serviceAccountID
 }

 func (module *module) setRole(ctx context.Context, orgID valuer.UUID, id valuer.UUID, role *authtypes.Role) error {
-	serviceAccount, err := module.Get(ctx, orgID, id)
+	serviceAccount, err := module.GetWithRoles(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
@@ -387,12 +387,24 @@ func (module *module) setRole(ctx context.Context, orgID valuer.UUID, id valuer.
 		return err
 	}

-	err = module.authz.Grant(ctx, orgID, []string{role.Name}, authtypes.MustNewSubject(coretypes.NewResourceServiceAccount(), id.String(), orgID, nil))
+	err = module.authz.ModifyGrant(ctx, orgID, serviceAccount.RoleNames(), []string{role.Name}, authtypes.MustNewSubject(coretypes.NewResourceServiceAccount(), id.String(), orgID, nil))
 	if err != nil {
 		return err
 	}

-	err = module.store.CreateServiceAccountRole(ctx, serviceAccountRole)
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err = module.store.DeleteServiceAccountRoles(ctx, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.CreateServiceAccountRole(ctx, serviceAccountRole)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
 	if err != nil {
 		return err
 	}
--- a/pkg/modules/serviceaccount/implserviceaccount/store.go
+++ b/pkg/modules/serviceaccount/implserviceaccount/store.go
@@ -207,6 +207,21 @@ func (store *store) CreateServiceAccountRole(ctx context.Context, serviceAccount
 	return nil
 }

+func (store *store) DeleteServiceAccountRoles(ctx context.Context, serviceAccountID valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.ServiceAccountRole)).
+		Where("service_account_id = ?", serviceAccountID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (store *store) DeleteServiceAccountRole(ctx context.Context, serviceAccountID valuer.UUID, roleID valuer.UUID) error {
 	_, err := store.
 		sqlstore.
--- a/pkg/query-service/app/clickhouseReader/reader.go
+++ b/pkg/query-service/app/clickhouseReader/reader.go
@@ -1343,7 +1343,7 @@ func getLocalTableName(tableName string) string {

 }

-func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
+func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, userID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.TelemetrySignal:  telemetrytypes.SignalLogs.StringValue(),
 		instrumentationtypes.CodeNamespace:    "clickhouse-reader",
@@ -1434,6 +1434,10 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 					CreatedAt: time.Now(),
 					UpdatedAt: time.Now(),
 				},
+				UserAuditable: types.UserAuditable{
+					CreatedBy: userID,
+					UpdatedBy: userID,
+				},
 				TransactionID:  uuid,
 				TableName:      tableName,
 				TTL:            int(params.DelDuration),
@@ -1511,7 +1515,7 @@ func (r *ClickHouseReader) setTTLLogs(ctx context.Context, orgID string, params
 	return &model.SetTTLResponseItem{Message: "move ttl has been successfully set up"}, nil
 }

-func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
+func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, userID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.TelemetrySignal:  telemetrytypes.SignalTraces.StringValue(),
 		instrumentationtypes.CodeNamespace:    "clickhouse-reader",
@@ -1572,6 +1576,10 @@ func (r *ClickHouseReader) setTTLTraces(ctx context.Context, orgID string, param
 					CreatedAt: time.Now(),
 					UpdatedAt: time.Now(),
 				},
+				UserAuditable: types.UserAuditable{
+					CreatedBy: userID,
+					UpdatedBy: userID,
+				},
 				TransactionID:  uuid,
 				TableName:      tableName,
 				TTL:            int(params.DelDuration),
@@ -1687,7 +1695,7 @@ func (r *ClickHouseReader) hasCustomRetentionColumn(ctx context.Context) (bool,
 	return true, nil
 }

-func (r *ClickHouseReader) SetTTLV2(ctx context.Context, orgID string, params *model.CustomRetentionTTLParams) (*model.CustomRetentionTTLResponse, error) {
+func (r *ClickHouseReader) SetTTLV2(ctx context.Context, orgID string, userID string, params *model.CustomRetentionTTLParams) (*model.CustomRetentionTTLResponse, error) {

 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.TelemetrySignal:  telemetrytypes.SignalLogs.StringValue(),
@@ -1718,7 +1726,7 @@ func (r *ClickHouseReader) SetTTLV2(ctx context.Context, orgID string, params *m
 			ttlParams.ToColdStorageDuration = 0
 		}

-		ttlResult, apiErr := r.SetTTL(ctx, orgID, ttlParams)
+		ttlResult, apiErr := r.SetTTL(ctx, orgID, userID, ttlParams)
 		if apiErr != nil {
 			return nil, errorsV2.Wrapf(apiErr.Err, errorsV2.TypeInternal, errorsV2.CodeInternal, "failed to set standard TTL")
 		}
@@ -1847,6 +1855,10 @@ func (r *ClickHouseReader) SetTTLV2(ctx context.Context, orgID string, params *m
 				CreatedAt: time.Now(),
 				UpdatedAt: time.Now(),
 			},
+			UserAuditable: types.UserAuditable{
+				CreatedBy: userID,
+				UpdatedBy: userID,
+			},
 			TransactionID:  uuid,
 			TableName:      tableName,
 			TTL:            params.DefaultTTLDays,
@@ -2185,24 +2197,24 @@ func (r *ClickHouseReader) validateTTLConditions(ctx context.Context, ttlConditi
 // SetTTL sets the TTL for traces or metrics or logs tables.
 // This is an async API which creates goroutines to set TTL.
 // Status of TTL update is tracked with ttl_status table in sqlite db.
-func (r *ClickHouseReader) SetTTL(ctx context.Context, orgID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
+func (r *ClickHouseReader) SetTTL(ctx context.Context, orgID string, userID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
 	// Keep only latest 100 transactions/requests
 	r.deleteTtlTransactions(ctx, orgID, 100)

 	switch params.Type {
 	case constants.TraceTTL:
-		return r.setTTLTraces(ctx, orgID, params)
+		return r.setTTLTraces(ctx, orgID, userID, params)
 	case constants.MetricsTTL:
-		return r.setTTLMetrics(ctx, orgID, params)
+		return r.setTTLMetrics(ctx, orgID, userID, params)
 	case constants.LogsTTL:
-		return r.setTTLLogs(ctx, orgID, params)
+		return r.setTTLLogs(ctx, orgID, userID, params)
 	default:
 		return nil, &model.ApiError{Typ: model.ErrorExec, Err: fmt.Errorf("error while setting ttl. ttl type should be <metrics|traces>, got %v", params.Type)}
 	}

 }

-func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
+func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, userID string, params *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.TelemetrySignal:  telemetrytypes.SignalMetrics.StringValue(),
 		instrumentationtypes.CodeNamespace:    "clickhouse-reader",
@@ -2244,6 +2256,10 @@ func (r *ClickHouseReader) setTTLMetrics(ctx context.Context, orgID string, para
 				CreatedAt: time.Now(),
 				UpdatedAt: time.Now(),
 			},
+			UserAuditable: types.UserAuditable{
+				CreatedBy: userID,
+				UpdatedBy: userID,
+			},
 			TransactionID:  uuid,
 			TableName:      tableName,
 			TTL:            int(params.DelDuration),
--- a/pkg/query-service/app/http_handler.go
+++ b/pkg/query-service/app/http_handler.go
@@ -1655,7 +1655,7 @@ func (aH *APIHandler) setTTL(w http.ResponseWriter, r *http.Request) {
 	}

 	// Context is not used here as TTL is long duration DB operation
-	result, apiErr := aH.reader.SetTTL(context.Background(), claims.OrgID, ttlParams)
+	result, apiErr := aH.reader.SetTTL(context.Background(), claims.OrgID, claims.UserID, ttlParams)
 	if apiErr != nil {
 		if apiErr.Typ == model.ErrorConflict {
 			aH.HandleError(w, apiErr.Err, http.StatusConflict)
@@ -1684,7 +1684,7 @@ func (aH *APIHandler) setCustomRetentionTTL(w http.ResponseWriter, r *http.Reque
 	}

 	// Context is not used here as TTL is long duration DB operation
-	result, apiErr := aH.reader.SetTTLV2(context.Background(), claims.OrgID, &params)
+	result, apiErr := aH.reader.SetTTLV2(context.Background(), claims.OrgID, claims.UserID, &params)
 	if apiErr != nil {
 		render.Error(w, errorsV2.New(errorsV2.TypeInvalidInput, errorsV2.CodeInternal, apiErr.Error()))
 		return
--- a/pkg/query-service/interfaces/interface.go
+++ b/pkg/query-service/interfaces/interface.go
@@ -46,8 +46,8 @@ type Reader interface {
 	GetFlamegraphSpansForTrace(ctx context.Context, orgID valuer.UUID, traceID string, req *model.GetFlamegraphSpansForTraceParams) (*model.GetFlamegraphSpansForTraceResponse, error)

 	// Setter Interfaces
-	SetTTL(ctx context.Context, orgID string, ttlParams *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError)
-	SetTTLV2(ctx context.Context, orgID string, params *model.CustomRetentionTTLParams) (*model.CustomRetentionTTLResponse, error)
+	SetTTL(ctx context.Context, orgID string, userID string, ttlParams *model.TTLParams) (*model.SetTTLResponseItem, *model.ApiError)
+	SetTTLV2(ctx context.Context, orgID string, userID string, params *model.CustomRetentionTTLParams) (*model.CustomRetentionTTLResponse, error)

 	FetchTemporality(ctx context.Context, orgID valuer.UUID, metricNames []string) (map[string]map[v3.Temporality]bool, error)
 	GetMetricAggregateAttributes(ctx context.Context, orgID valuer.UUID, req *v3.AggregateAttributeRequest, skipSignozMetrics bool) (*v3.AggregateAttributeResponse, error)
--- a/pkg/signoz/provider.go
+++ b/pkg/signoz/provider.go
@@ -196,6 +196,7 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewDropUserDeletedAtFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateAWSAllRegionsFactory(sqlstore),
 		sqlmigration.NewAddServiceAccountManagedRoleTransactionsFactory(sqlstore),
+		sqlmigration.NewUpdateTTLSettingUserAuditFactory(sqlstore, sqlschema),
 	)
 }

--- a/pkg/sqlmigration/079_update_ttl_setting_user_audit.go
+++ b/pkg/sqlmigration/079_update_ttl_setting_user_audit.go
@@ -0,0 +1,84 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type updateTTLSettingUserAudit struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewUpdateTTLSettingUserAuditFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("update_ttl_setting_user_audit"), func(ctx context.Context, providerSettings factory.ProviderSettings, config Config) (SQLMigration, error) {
+		return newUpdateTTLSettingUserAudit(ctx, providerSettings, config, sqlstore, sqlschema)
+	})
+}
+
+func newUpdateTTLSettingUserAudit(_ context.Context, _ factory.ProviderSettings, _ Config, sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) (SQLMigration, error) {
+	return &updateTTLSettingUserAudit{
+		sqlstore:  sqlstore,
+		sqlschema: sqlschema,
+	}, nil
+}
+
+func (migration *updateTTLSettingUserAudit) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (migration *updateTTLSettingUserAudit) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	table, uniqueConstraints, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("ttl_setting"))
+	if err != nil {
+		return err
+	}
+
+	columns := []*sqlschema.Column{
+		{
+			Name:     sqlschema.ColumnName("created_by"),
+			DataType: sqlschema.DataTypeText,
+			Nullable: true,
+		},
+		{
+			Name:     sqlschema.ColumnName("updated_by"),
+			DataType: sqlschema.DataTypeText,
+			Nullable: true,
+		},
+	}
+
+	for _, column := range columns {
+		sqls := migration.sqlschema.Operator().AddColumn(table, uniqueConstraints, column, nil)
+		for _, sql := range sqls {
+			if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+				return err
+			}
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *updateTTLSettingUserAudit) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}
--- a/pkg/types/inframonitoringtypes/namespaces.go
+++ b/pkg/types/inframonitoringtypes/namespaces.go
@@ -1,99 +0,0 @@
-package inframonitoringtypes
-
-import (
-	"encoding/json"
-	"slices"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
-)
-
-type Namespaces struct {
-	Type                   ResponseType           `json:"type" required:"true"`
-	Records                []NamespaceRecord      `json:"records" required:"true"`
-	Total                  int                    `json:"total" required:"true"`
-	RequiredMetricsCheck   RequiredMetricsCheck   `json:"requiredMetricsCheck" required:"true"`
-	EndTimeBeforeRetention bool                   `json:"endTimeBeforeRetention" required:"true"`
-	Warning                *qbtypes.QueryWarnData `json:"warning,omitempty"`
-}
-
-type NamespaceRecord struct {
-	NamespaceName    string            `json:"namespaceName" required:"true"`
-	NamespaceCPU     float64           `json:"namespaceCPU" required:"true"`
-	NamespaceMemory  float64           `json:"namespaceMemory" required:"true"`
-	PodCountsByPhase PodCountsByPhase  `json:"podCountsByPhase" required:"true"`
-	Meta             map[string]string `json:"meta" required:"true"`
-}
-
-// PostableNamespaces is the request body for the v2 namespaces list API.
-type PostableNamespaces struct {
-	Start   int64                `json:"start" required:"true"`
-	End     int64                `json:"end" required:"true"`
-	Filter  *qbtypes.Filter      `json:"filter"`
-	GroupBy []qbtypes.GroupByKey `json:"groupBy"`
-	OrderBy *qbtypes.OrderBy     `json:"orderBy"`
-	Offset  int                  `json:"offset"`
-	Limit   int                  `json:"limit" required:"true"`
-}
-
-// Validate ensures PostableNamespaces contains acceptable values.
-func (req *PostableNamespaces) Validate() error {
-	if req == nil {
-		return errors.NewInvalidInputf(errors.CodeInvalidInput, "request is nil")
-	}
-
-	if req.Start <= 0 {
-		return errors.NewInvalidInputf(
-			errors.CodeInvalidInput,
-			"invalid start time %d: start must be greater than 0",
-			req.Start,
-		)
-	}
-
-	if req.End <= 0 {
-		return errors.NewInvalidInputf(
-			errors.CodeInvalidInput,
-			"invalid end time %d: end must be greater than 0",
-			req.End,
-		)
-	}
-
-	if req.Start >= req.End {
-		return errors.NewInvalidInputf(
-			errors.CodeInvalidInput,
-			"invalid time range: start (%d) must be less than end (%d)",
-			req.Start,
-			req.End,
-		)
-	}
-
-	if req.Limit < 1 || req.Limit > 5000 {
-		return errors.NewInvalidInputf(errors.CodeInvalidInput, "limit must be between 1 and 5000")
-	}
-
-	if req.Offset < 0 {
-		return errors.NewInvalidInputf(errors.CodeInvalidInput, "offset cannot be negative")
-	}
-
-	if req.OrderBy != nil {
-		if !slices.Contains(NamespacesValidOrderByKeys, req.OrderBy.Key.Name) {
-			return errors.NewInvalidInputf(errors.CodeInvalidInput, "invalid order by key: %s", req.OrderBy.Key.Name)
-		}
-		if req.OrderBy.Direction != qbtypes.OrderDirectionAsc && req.OrderBy.Direction != qbtypes.OrderDirectionDesc {
-			return errors.NewInvalidInputf(errors.CodeInvalidInput, "invalid order by direction: %s", req.OrderBy.Direction)
-		}
-	}
-
-	return nil
-}
-
-// UnmarshalJSON validates input immediately after decoding.
-func (req *PostableNamespaces) UnmarshalJSON(data []byte) error {
-	type raw PostableNamespaces
-	var decoded raw
-	if err := json.Unmarshal(data, &decoded); err != nil {
-		return err
-	}
-	*req = PostableNamespaces(decoded)
-	return req.Validate()
-}
--- a/pkg/types/inframonitoringtypes/namespaces_constants.go
+++ b/pkg/types/inframonitoringtypes/namespaces_constants.go
@@ -1,11 +0,0 @@
-package inframonitoringtypes
-
-const (
-	NamespacesOrderByCPU    = "cpu"
-	NamespacesOrderByMemory = "memory"
-)
-
-var NamespacesValidOrderByKeys = []string{
-	NamespacesOrderByCPU,
-	NamespacesOrderByMemory,
-}
--- a/pkg/types/inframonitoringtypes/namespaces_test.go
+++ b/pkg/types/inframonitoringtypes/namespaces_test.go
@@ -1,237 +0,0 @@
-package inframonitoringtypes
-
-import (
-	"testing"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
-	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/stretchr/testify/require"
-)
-
-func TestPostableNamespaces_Validate(t *testing.T) {
-	tests := []struct {
-		name    string
-		req     *PostableNamespaces
-		wantErr bool
-	}{
-		{
-			name: "valid request",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: false,
-		},
-		{
-			name:    "nil request",
-			req:     nil,
-			wantErr: true,
-		},
-		{
-			name: "start time zero",
-			req: &PostableNamespaces{
-				Start:  0,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "start time negative",
-			req: &PostableNamespaces{
-				Start:  -1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "end time zero",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    0,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "start time greater than end time",
-			req: &PostableNamespaces{
-				Start:  2000,
-				End:    1000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "start time equal to end time",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    1000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "limit zero",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  0,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "limit negative",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  -10,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "limit exceeds max",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  5001,
-				Offset: 0,
-			},
-			wantErr: true,
-		},
-		{
-			name: "offset negative",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: -5,
-			},
-			wantErr: true,
-		},
-		{
-			name: "orderBy nil is valid",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-			},
-			wantErr: false,
-		},
-		{
-			name: "orderBy with valid key cpu and direction asc",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-				OrderBy: &qbtypes.OrderBy{
-					Key: qbtypes.OrderByKey{
-						TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-							Name: NamespacesOrderByCPU,
-						},
-					},
-					Direction: qbtypes.OrderDirectionAsc,
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "orderBy with valid key memory and direction desc",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-				OrderBy: &qbtypes.OrderBy{
-					Key: qbtypes.OrderByKey{
-						TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-							Name: NamespacesOrderByMemory,
-						},
-					},
-					Direction: qbtypes.OrderDirectionDesc,
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "orderBy with pod_phase key is rejected",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-				OrderBy: &qbtypes.OrderBy{
-					Key: qbtypes.OrderByKey{
-						TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-							Name: "pod_phase",
-						},
-					},
-					Direction: qbtypes.OrderDirectionDesc,
-				},
-			},
-			wantErr: true,
-		},
-		{
-			name: "orderBy with invalid key",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-				OrderBy: &qbtypes.OrderBy{
-					Key: qbtypes.OrderByKey{
-						TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-							Name: "unknown",
-						},
-					},
-					Direction: qbtypes.OrderDirectionDesc,
-				},
-			},
-			wantErr: true,
-		},
-		{
-			name: "orderBy with valid key but invalid direction",
-			req: &PostableNamespaces{
-				Start:  1000,
-				End:    2000,
-				Limit:  100,
-				Offset: 0,
-				OrderBy: &qbtypes.OrderBy{
-					Key: qbtypes.OrderByKey{
-						TelemetryFieldKey: telemetrytypes.TelemetryFieldKey{
-							Name: NamespacesOrderByMemory,
-						},
-					},
-					Direction: qbtypes.OrderDirection{String: valuer.NewString("invalid")},
-				},
-			},
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := tt.req.Validate()
-			if tt.wantErr {
-				require.Error(t, err)
-				require.True(t, errors.Ast(err, errors.TypeInvalidInput), "expected error to be of type InvalidInput")
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
--- a/pkg/types/retentiontypes/ttl.go
+++ b/pkg/types/retentiontypes/ttl.go
@@ -9,6 +9,7 @@ type TTLSetting struct {
 	bun.BaseModel `bun:"table:ttl_setting"`
 	types.Identifiable
 	types.TimeAuditable
+	types.UserAuditable
 	TransactionID  string `bun:"transaction_id,type:text,notnull"`
 	TableName      string `bun:"table_name,type:text,notnull"`
 	TTL            int    `bun:"ttl,notnull,default:0"`
--- a/pkg/types/serviceaccounttypes/service_acccount.go
+++ b/pkg/types/serviceaccounttypes/service_acccount.go
@@ -245,6 +245,7 @@ type Store interface {

 	// Service Account Role
 	CreateServiceAccountRole(context.Context, *ServiceAccountRole) error
+	DeleteServiceAccountRoles(context.Context, valuer.UUID) error
 	DeleteServiceAccountRole(context.Context, valuer.UUID, valuer.UUID) error

 	// Service Account Factor API Key
--- a/tests/fixtures/serviceaccount.py
+++ b/tests/fixtures/serviceaccount.py
@@ -73,30 +73,6 @@ def get_first_key_id(signoz: types.SigNoz, token: str, service_account_id: str)
    return resp.json()["data"][0]["id"]


-def create_service_account_with_roles(signoz: types.SigNoz, token: str, name: str, roles: list[str]) -> str:
-    """Create a service account and assign multiple roles."""
-    resp = requests.post(
-        signoz.self.host_configs["8080"].get(SERVICE_ACCOUNT_BASE),
-        json={"name": name},
-        headers={"Authorization": f"Bearer {token}"},
-        timeout=5,
-    )
-    assert resp.status_code == HTTPStatus.CREATED, resp.text
-    service_account_id = resp.json()["data"]["id"]
-
-    for role in roles:
-        role_id = find_role_by_name(signoz, token, role)
-        role_resp = requests.post(
-            signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
-            json={"id": role_id},
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=5,
-        )
-        assert role_resp.status_code == HTTPStatus.NO_CONTENT, role_resp.text
-
-    return service_account_id
-
-
 def find_service_account_by_name(signoz: types.SigNoz, token: str, name: str) -> dict:
    """Find a service account by name from the list endpoint."""
    list_resp = requests.get(
--- a/tests/integration/tests/serviceaccount/04_roles.py
+++ b/tests/integration/tests/serviceaccount/04_roles.py
@@ -44,13 +44,13 @@ def test_assign_role_to_service_account(
    create_user_admin: types.Operation,  # pylint: disable=unused-argument
    get_token: Callable[[str, str], str],
 ):
-    """POST /{id}/roles adds a role alongside existing ones."""
+    """POST /{id}/roles replaces existing role, verify via GET."""
    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

    # create service account with viewer role
    service_account_id = create_service_account(signoz, token, "sa-assign-role", role="signoz-viewer")

-    # assign editor role (additive — viewer stays)
+    # assign editor role (replaces viewer)
    editor_role_id = find_role_by_name(signoz, token, "signoz-editor")
    assign_resp = requests.post(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
@@ -60,7 +60,7 @@ def test_assign_role_to_service_account(
    )
    assert assign_resp.status_code == HTTPStatus.NO_CONTENT, assign_resp.text

-    # verify both viewer and editor roles are present
+    # verify only editor role is present (viewer was replaced)
    roles_resp = requests.get(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
        headers={"Authorization": f"Bearer {token}"},
@@ -68,31 +68,9 @@ def test_assign_role_to_service_account(
    )
    assert roles_resp.status_code == HTTPStatus.OK, roles_resp.text
    role_names = [r["name"] for r in roles_resp.json()["data"]]
-    assert len(role_names) == 2
-    assert "signoz-viewer" in role_names
+    assert len(role_names) == 1
    assert "signoz-editor" in role_names
-
-    # assign admin role — all three should be present
-    admin_role_id = find_role_by_name(signoz, token, "signoz-admin")
-    assign_resp = requests.post(
-        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
-        json={"id": admin_role_id},
-        headers={"Authorization": f"Bearer {token}"},
-        timeout=5,
-    )
-    assert assign_resp.status_code == HTTPStatus.NO_CONTENT, assign_resp.text
-
-    roles_resp = requests.get(
-        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
-        headers={"Authorization": f"Bearer {token}"},
-        timeout=5,
-    )
-    assert roles_resp.status_code == HTTPStatus.OK, roles_resp.text
-    role_names = [r["name"] for r in roles_resp.json()["data"]]
-    assert len(role_names) == 3
-    assert "signoz-viewer" in role_names
-    assert "signoz-editor" in role_names
-    assert "signoz-admin" in role_names
+    assert "signoz-viewer" not in role_names


 def test_assign_role_idempotent(
@@ -125,16 +103,16 @@ def test_assign_role_idempotent(
    assert role_names.count("signoz-viewer") == 1


-def test_assign_role_expands_access(
+def test_assign_role_replaces_access(
    signoz: types.SigNoz,
    create_user_admin: types.Operation,  # pylint: disable=unused-argument
    get_token: Callable[[str, str], str],
 ):
-    """Adding a higher-privilege role expands the SA's access."""
+    """After role replacement, SA loses old permissions and gains new ones."""
    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

    # create SA with viewer role and an API key
-    service_account_id, api_key = create_service_account_with_key(signoz, token, "sa-role-expand-access", role="signoz-viewer")
+    service_account_id, api_key = create_service_account_with_key(signoz, token, "sa-role-replace-access", role="signoz-viewer")

    # viewer should get 403 on admin-only endpoint
    resp = requests.get(
@@ -144,7 +122,7 @@ def test_assign_role_expands_access(
    )
    assert resp.status_code == HTTPStatus.FORBIDDEN, f"Expected 403 for viewer on admin endpoint, got {resp.status_code}: {resp.text}"

-    # assign admin role (additive — viewer stays)
+    # assign admin role (replaces viewer)
    admin_role_id = find_role_by_name(signoz, token, "signoz-admin")
    assign_resp = requests.post(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
@@ -160,9 +138,9 @@ def test_assign_role_expands_access(
        headers={"SIGNOZ-API-KEY": api_key},
        timeout=5,
    )
-    assert resp.status_code == HTTPStatus.OK, f"Expected 200 after adding admin role, got {resp.status_code}: {resp.text}"
+    assert resp.status_code == HTTPStatus.OK, f"Expected 200 for admin on admin endpoint, got {resp.status_code}: {resp.text}"

-    # verify both roles are present
+    # verify only admin role is present
    roles_resp = requests.get(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
        headers={"Authorization": f"Bearer {token}"},
@@ -170,9 +148,9 @@ def test_assign_role_expands_access(
    )
    assert roles_resp.status_code == HTTPStatus.OK, roles_resp.text
    role_names = [r["name"] for r in roles_resp.json()["data"]]
-    assert len(role_names) == 2
+    assert len(role_names) == 1
    assert "signoz-admin" in role_names
-    assert "signoz-viewer" in role_names
+    assert "signoz-viewer" not in role_names


 def test_remove_role_from_service_account(
@@ -180,22 +158,13 @@ def test_remove_role_from_service_account(
    create_user_admin: types.Operation,  # pylint: disable=unused-argument
    get_token: Callable[[str, str], str],
 ):
-    """DELETE /{id}/roles/{rid} revokes one role while keeping others."""
+    """DELETE /{id}/roles/{rid} revokes a role."""
    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
    service_account_id = create_service_account(signoz, token, "sa-remove-role", role="signoz-editor")

-    # add admin role (now has editor + admin)
-    admin_role_id = find_role_by_name(signoz, token, "signoz-admin")
-    assign_resp = requests.post(
-        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
-        json={"id": admin_role_id},
-        headers={"Authorization": f"Bearer {token}"},
-        timeout=5,
-    )
-    assert assign_resp.status_code == HTTPStatus.NO_CONTENT, assign_resp.text
-
-    # remove editor role
    editor_role_id = find_role_by_name(signoz, token, "signoz-editor")
+
+    # remove the role
    resp = requests.delete(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles/{editor_role_id}"),
        headers={"Authorization": f"Bearer {token}"},
@@ -203,7 +172,7 @@ def test_remove_role_from_service_account(
    )
    assert resp.status_code == HTTPStatus.NO_CONTENT, resp.text

-    # verify editor is gone but admin remains
+    # verify role is gone
    roles_resp = requests.get(
        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/roles"),
        headers={"Authorization": f"Bearer {token}"},
@@ -212,7 +181,6 @@ def test_remove_role_from_service_account(
    assert roles_resp.status_code == HTTPStatus.OK, roles_resp.text
    role_names = [r["name"] for r in roles_resp.json()["data"]]
    assert "signoz-editor" not in role_names
-    assert "signoz-admin" in role_names


 def test_remove_role_verify_access_lost(