fix: handle url.full and http.url in third-party API endpoint count

Use two queries combined via formula to count distinct endpoints
across both semconv versions (url.full and http.url).
This avoids missing count for endpoint if only url.full is used.

Alternative a simple coalesce in count_distinct would have fixed
this but it would require substantial query builder refactoring
since it's not supported currently.

.github/workflows/build-enterprise.yaml

@@ -70,7 +70,6 @@ jobs:
           echo 'PYLON_APP_ID="${{ secrets.PYLON_APP_ID }}"' >> frontend/.env
           echo 'APPCUES_APP_ID="${{ secrets.APPCUES_APP_ID }}"' >> frontend/.env
           echo 'PYLON_IDENTITY_SECRET="${{ secrets.PYLON_IDENTITY_SECRET }}"' >> frontend/.env
-          echo 'DOCS_BASE_URL="https://signoz.io"' >> frontend/.env
       - name: cache-dotenv
         uses: actions/cache@v4
         with:

.github/workflows/build-staging.yaml

@@ -69,7 +69,6 @@ jobs:
           echo 'PYLON_APP_ID="${{ secrets.NP_PYLON_APP_ID }}"' >> frontend/.env
           echo 'APPCUES_APP_ID="${{ secrets.NP_APPCUES_APP_ID }}"' >> frontend/.env
           echo 'PYLON_IDENTITY_SECRET="${{ secrets.NP_PYLON_IDENTITY_SECRET }}"' >> frontend/.env
-          echo 'DOCS_BASE_URL="https://staging.signoz.io"' >> frontend/.env
       - name: cache-dotenv
         uses: actions/cache@v4
         with:

.github/workflows/gor-signoz.yaml

@@ -3,8 +3,8 @@ name: gor-signoz
 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
-      - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+'
 
 permissions:
   contents: write
@@ -36,9 +36,8 @@ jobs:
           echo 'PYLON_APP_ID="${{ secrets.PYLON_APP_ID }}"' >> .env
           echo 'APPCUES_APP_ID="${{ secrets.APPCUES_APP_ID }}"' >> .env
           echo 'PYLON_IDENTITY_SECRET="${{ secrets.PYLON_IDENTITY_SECRET }}"' >> .env
-          echo 'DOCS_BASE_URL="https://signoz.io"' >> .env
       - name: build-frontend
-        run: make js-build
+        run:  make js-build
       - name: upload-frontend-artifact
         uses: actions/upload-artifact@v4
         with:
@@ -105,7 +104,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: "~> v2"
+          version: '~> v2'
           args: release --config ${{ env.CONFIG_PATH }} --clean --split
           workdir: .
         env:
@@ -162,7 +161,7 @@ jobs:
         if: steps.cache-linux.outputs.cache-hit == 'true' && steps.cache-darwin.outputs.cache-hit == 'true' # only run if caches hit
         with:
           distribution: goreleaser-pro
-          version: "~> v2"
+          version: '~> v2'
           args: continue --merge
           workdir: .
         env:

.vscode/settings.json

@@ -1,7 +1,5 @@
 {
-	"eslint.workingDirectories": [
-		"./frontend"
-	],
+	"eslint.workingDirectories": ["./frontend"],
 	"editor.formatOnSave": true,
 	"editor.defaultFormatter": "esbenp.prettier-vscode",
 	"editor.codeActionsOnSave": {

cmd/community/server.go

@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/modules/role/implrole"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/query-service/app"
 	"github.com/SigNoz/signoz/pkg/queryparser"
@@ -81,15 +80,12 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, sqlstore sqlstore.SQLStore) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx))
 		},
-		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, _ role.Setter, _ role.Granter, queryParser queryparser.QueryParser, _ querier.Querier, _ licensing.Licensing) dashboard.Module {
+		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, _ role.Module, queryParser queryparser.QueryParser, _ querier.Querier, _ licensing.Licensing) dashboard.Module {
 			return impldashboard.NewModule(impldashboard.NewStore(store), settings, analytics, orgGetter, queryParser)
 		},
 		func(_ licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config] {
 			return noopgateway.NewProviderFactory()
 		},
-		func(store sqlstore.SQLStore, authz authz.AuthZ, licensing licensing.Licensing, _ []role.RegisterTypeable) role.Setter {
-			return implrole.NewSetter(implrole.NewStore(store), authz)
-		},
 	)
 	if err != nil {
 		logger.ErrorContext(ctx, "failed to create signoz", "error", err)

cmd/enterprise/server.go

@@ -14,7 +14,6 @@ import (
 	enterpriselicensing "github.com/SigNoz/signoz/ee/licensing"
 	"github.com/SigNoz/signoz/ee/licensing/httplicensing"
 	"github.com/SigNoz/signoz/ee/modules/dashboard/impldashboard"
-	"github.com/SigNoz/signoz/ee/modules/role/implrole"
 	enterpriseapp "github.com/SigNoz/signoz/ee/query-service/app"
 	"github.com/SigNoz/signoz/ee/sqlschema/postgressqlschema"
 	"github.com/SigNoz/signoz/ee/sqlstore/postgressqlstore"
@@ -30,7 +29,6 @@ import (
 	pkgimpldashboard "github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/role"
-	pkgimplrole "github.com/SigNoz/signoz/pkg/modules/role/implrole"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/signoz"
@@ -121,17 +119,13 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, sqlstore sqlstore.SQLStore) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx))
 		},
-		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, roleSetter role.Setter, granter role.Granter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
-			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, roleSetter, granter, queryParser, querier, licensing)
+		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, role role.Module, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
+			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, role, queryParser, querier, licensing)
 		},
 		func(licensing licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config] {
 			return httpgateway.NewProviderFactory(licensing)
 		},
-		func(store sqlstore.SQLStore, authz authz.AuthZ, licensing licensing.Licensing, registry []role.RegisterTypeable) role.Setter {
-			return implrole.NewSetter(pkgimplrole.NewStore(store), authz, licensing, registry)
-		},
 	)
-
 	if err != nil {
 		logger.ErrorContext(ctx, "failed to create signoz", "error", err)
 		return err

conf/example.yaml

@@ -291,12 +291,3 @@ flagger:
     float:
     integer:
     object:
-
-##################### User #####################
-user:
-  password:
-    reset:
-      # Whether to allow users to reset their password themselves.
-      allow_self: true
-      # The duration within which a user can reset their password.
-      max_token_lifetime: 6h

docs/api/openapi.yml

@@ -209,7 +209,7 @@ paths:
   /api/v1/dashboards/{id}/public:
     delete:
       deprecated: false
-      description: This endpoint deletes the public sharing config and disables the
+      description: This endpoints deletes the public sharing config and disables the
         public sharing of a dashboard
       operationId: DeletePublicDashboard
       parameters:
@@ -253,7 +253,7 @@ paths:
       - dashboard
     get:
       deprecated: false
-      description: This endpoint returns public sharing config for a dashboard
+      description: This endpoints returns public sharing config for a dashboard
       operationId: GetPublicDashboard
       parameters:
       - in: path
@@ -301,7 +301,7 @@ paths:
       - dashboard
     post:
       deprecated: false
-      description: This endpoint creates public sharing config and enables public
+      description: This endpoints creates public sharing config and enables public
         sharing of the dashboard
       operationId: CreatePublicDashboard
       parameters:
@@ -355,7 +355,7 @@ paths:
       - dashboard
     put:
       deprecated: false
-      description: This endpoint updates the public sharing config for a dashboard
+      description: This endpoints updates the public sharing config for a dashboard
       operationId: UpdatePublicDashboard
       parameters:
       - in: path
@@ -671,7 +671,7 @@ paths:
   /api/v1/global/config:
     get:
       deprecated: false
-      description: This endpoint returns global config
+      description: This endpoints returns global config
       operationId: GetGlobalConfig
       responses:
         "200":
@@ -1447,7 +1447,8 @@ paths:
   /api/v1/public/dashboards/{id}:
     get:
       deprecated: false
-      description: This endpoint returns the sanitized dashboard data for public access
+      description: This endpoints returns the sanitized dashboard data for public
+        access
       operationId: GetPublicDashboardData
       parameters:
       - in: path
@@ -1578,228 +1579,6 @@ paths:
       summary: Reset password
       tags:
       - users
-  /api/v1/roles:
-    get:
-      deprecated: false
-      description: This endpoint lists all roles
-      operationId: ListRoles
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    items:
-                      $ref: '#/components/schemas/RoletypesRole'
-                    type: array
-                  status:
-                    type: string
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: List roles
-      tags:
-      - role
-    post:
-      deprecated: false
-      description: This endpoint creates a role
-      operationId: CreateRole
-      responses:
-        "201":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesIdentifiable'
-                  status:
-                    type: string
-                type: object
-          description: Created
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create role
-      tags:
-      - role
-  /api/v1/roles/{id}:
-    delete:
-      deprecated: false
-      description: This endpoint deletes a role
-      operationId: DeleteRole
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Delete role
-      tags:
-      - role
-    get:
-      deprecated: false
-      description: This endpoint gets a role
-      operationId: GetRole
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/RoletypesRole'
-                  status:
-                    type: string
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Get role
-      tags:
-      - role
-    patch:
-      deprecated: false
-      description: This endpoint patches a role
-      operationId: PatchRole
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Patch role
-      tags:
-      - role
   /api/v1/user:
     get:
       deprecated: false
@@ -2206,35 +1985,6 @@ paths:
       summary: Update user preference
       tags:
       - preferences
-  /api/v2/factor_password/forgot:
-    post:
-      deprecated: false
-      description: This endpoint initiates the forgot password flow by sending a reset
-        password email
-      operationId: ForgotPassword
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/TypesPostableForgotPassword'
-      responses:
-        "204":
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      summary: Forgot password
-      tags:
-      - users
   /api/v2/features:
     get:
       deprecated: false
@@ -4109,25 +3859,6 @@ components:
         status:
           type: string
       type: object
-    RoletypesRole:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        description:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgId:
-          type: string
-        type:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      type: object
     TypesChangePasswordRequest:
       properties:
         newPassword:
@@ -4248,15 +3979,6 @@ components:
         token:
           type: string
       type: object
-    TypesPostableForgotPassword:
-      properties:
-        email:
-          type: string
-        frontendBaseURL:
-          type: string
-        orgId:
-          type: string
-      type: object
     TypesPostableInvite:
       properties:
         email:
@@ -4277,9 +3999,6 @@ components:
       type: object
     TypesResetPasswordToken:
       properties:
-        expiresAt:
-          format: date-time
-          type: string
         id:
           type: string
         passwordId:

ee/authz/openfgaauthz/provider.go

@@ -47,7 +47,7 @@ func (provider *provider) Check(ctx context.Context, tuple *openfgav1.TupleKey)
 	return provider.pkgAuthzService.Check(ctx, tuple)
 }
 
-func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
+func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, _ authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		return err
@@ -66,7 +66,7 @@ func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims aut
 	return nil
 }
 
-func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
+func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, _ authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
 	if err != nil {
 		return err

ee/modules/dashboard/impldashboard/module.go

@@ -26,13 +26,12 @@ type module struct {
 	pkgDashboardModule dashboard.Module
 	store              dashboardtypes.Store
 	settings           factory.ScopedProviderSettings
-	roleSetter         role.Setter
-	granter            role.Granter
+	role               role.Module
 	querier            querier.Querier
 	licensing          licensing.Licensing
 }
 
-func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, roleSetter role.Setter, granter role.Granter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
+func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, role role.Module, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
 	scopedProviderSettings := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/ee/modules/dashboard/impldashboard")
 	pkgDashboardModule := pkgimpldashboard.NewModule(store, settings, analytics, orgGetter, queryParser)
 
@@ -40,8 +39,7 @@ func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, an
 		pkgDashboardModule: pkgDashboardModule,
 		store:              store,
 		settings:           scopedProviderSettings,
-		roleSetter:         roleSetter,
-		granter:            granter,
+		role:               role,
 		querier:            querier,
 		licensing:          licensing,
 	}
@@ -61,12 +59,12 @@ func (module *module) CreatePublic(ctx context.Context, orgID valuer.UUID, publi
 		return errors.Newf(errors.TypeAlreadyExists, dashboardtypes.ErrCodePublicDashboardAlreadyExists, "dashboard with id %s is already public", storablePublicDashboard.DashboardID)
 	}
 
-	role, err := module.roleSetter.GetOrCreate(ctx, orgID, roletypes.NewRole(roletypes.SigNozAnonymousRoleName, roletypes.SigNozAnonymousRoleDescription, roletypes.RoleTypeManaged, orgID))
+	role, err := module.role.GetOrCreate(ctx, roletypes.NewRole(roletypes.AnonymousUserRoleName, roletypes.AnonymousUserRoleDescription, roletypes.RoleTypeManaged.StringValue(), orgID))
 	if err != nil {
 		return err
 	}
 
-	err = module.granter.Grant(ctx, orgID, roletypes.SigNozAnonymousRoleName, authtypes.MustNewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.StringValue(), orgID, nil))
+	err = module.role.Assign(ctx, role.ID, orgID, authtypes.MustNewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.StringValue(), orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -79,7 +77,7 @@ func (module *module) CreatePublic(ctx context.Context, orgID valuer.UUID, publi
 		authtypes.MustNewSelector(authtypes.TypeMetaResource, publicDashboard.ID.String()),
 	)
 
-	err = module.roleSetter.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, []*authtypes.Object{additionObject}, nil)
+	err = module.role.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, []*authtypes.Object{additionObject}, nil)
 	if err != nil {
 		return err
 	}
@@ -195,7 +193,7 @@ func (module *module) DeletePublic(ctx context.Context, orgID valuer.UUID, dashb
 		return err
 	}
 
-	role, err := module.roleSetter.GetOrCreate(ctx, orgID, roletypes.NewRole(roletypes.SigNozAnonymousRoleName, roletypes.SigNozAnonymousRoleDescription, roletypes.RoleTypeManaged, orgID))
+	role, err := module.role.GetOrCreate(ctx, roletypes.NewRole(roletypes.AnonymousUserRoleName, roletypes.AnonymousUserRoleDescription, roletypes.RoleTypeManaged.StringValue(), orgID))
 	if err != nil {
 		return err
 	}
@@ -208,7 +206,7 @@ func (module *module) DeletePublic(ctx context.Context, orgID valuer.UUID, dashb
 		authtypes.MustNewSelector(authtypes.TypeMetaResource, publicDashboard.ID.String()),
 	)
 
-	err = module.roleSetter.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, nil, []*authtypes.Object{deletionObject})
+	err = module.role.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, nil, []*authtypes.Object{deletionObject})
 	if err != nil {
 		return err
 	}
@@ -272,7 +270,7 @@ func (module *module) deletePublic(ctx context.Context, orgID valuer.UUID, dashb
 		return err
 	}
 
-	role, err := module.roleSetter.GetOrCreate(ctx, orgID, roletypes.NewRole(roletypes.SigNozAnonymousRoleName, roletypes.SigNozAnonymousRoleDescription, roletypes.RoleTypeManaged, orgID))
+	role, err := module.role.GetOrCreate(ctx, roletypes.NewRole(roletypes.AnonymousUserRoleName, roletypes.AnonymousUserRoleDescription, roletypes.RoleTypeManaged.StringValue(), orgID))
 	if err != nil {
 		return err
 	}
@@ -285,7 +283,7 @@ func (module *module) deletePublic(ctx context.Context, orgID valuer.UUID, dashb
 		authtypes.MustNewSelector(authtypes.TypeMetaResource, publicDashboard.ID.String()),
 	)
 
-	err = module.roleSetter.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, nil, []*authtypes.Object{deletionObject})
+	err = module.role.PatchObjects(ctx, orgID, role.ID, authtypes.RelationRead, nil, []*authtypes.Object{deletionObject})
 	if err != nil {
 		return err
 	}

ee/modules/role/implrole/setter.go

@@ -1,165 +0,0 @@
-package implrole
-
-import (
-	"context"
-	"slices"
-
-	"github.com/SigNoz/signoz/pkg/authz"
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/licensing"
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type setter struct {
-	store     roletypes.Store
-	authz     authz.AuthZ
-	licensing licensing.Licensing
-	registry  []role.RegisterTypeable
-}
-
-func NewSetter(store roletypes.Store, authz authz.AuthZ, licensing licensing.Licensing, registry []role.RegisterTypeable) role.Setter {
-	return &setter{
-		store:     store,
-		authz:     authz,
-		licensing: licensing,
-		registry:  registry,
-	}
-}
-
-func (setter *setter) Create(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) error {
-	_, err := setter.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	return setter.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
-}
-
-func (setter *setter) GetOrCreate(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) (*roletypes.Role, error) {
-	_, err := setter.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	existingRole, err := setter.store.GetByOrgIDAndName(ctx, role.OrgID, role.Name)
-	if err != nil {
-		if !errors.Ast(err, errors.TypeNotFound) {
-			return nil, err
-		}
-	}
-
-	if existingRole != nil {
-		return roletypes.NewRoleFromStorableRole(existingRole), nil
-	}
-
-	err = setter.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
-	if err != nil {
-		return nil, err
-	}
-
-	return role, nil
-}
-
-func (setter *setter) GetResources(_ context.Context) []*authtypes.Resource {
-	typeables := make([]authtypes.Typeable, 0)
-	for _, register := range setter.registry {
-		typeables = append(typeables, register.MustGetTypeables()...)
-	}
-	// role module cannot self register itself!
-	typeables = append(typeables, setter.MustGetTypeables()...)
-
-	resources := make([]*authtypes.Resource, 0)
-	for _, typeable := range typeables {
-		resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
-	}
-
-	return resources
-}
-
-func (setter *setter) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
-	storableRole, err := setter.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	objects := make([]*authtypes.Object, 0)
-	for _, resource := range setter.GetResources(ctx) {
-		if slices.Contains(authtypes.TypeableRelations[resource.Type], relation) {
-			resourceObjects, err := setter.
-				authz.
-				ListObjects(
-					ctx,
-					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.ID.String(), orgID, &authtypes.RelationAssignee),
-					relation,
-					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
-				)
-			if err != nil {
-				return nil, err
-			}
-
-			objects = append(objects, resourceObjects...)
-		}
-	}
-
-	return objects, nil
-}
-
-func (setter *setter) Patch(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) error {
-	_, err := setter.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	return setter.store.Update(ctx, orgID, roletypes.NewStorableRoleFromRole(role))
-}
-
-func (setter *setter) PatchObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation, additions, deletions []*authtypes.Object) error {
-	_, err := setter.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	additionTuples, err := roletypes.GetAdditionTuples(id, orgID, relation, additions)
-	if err != nil {
-		return err
-	}
-
-	deletionTuples, err := roletypes.GetDeletionTuples(id, orgID, relation, deletions)
-	if err != nil {
-		return err
-	}
-
-	err = setter.authz.Write(ctx, additionTuples, deletionTuples)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (setter *setter) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
-	_, err := setter.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	storableRole, err := setter.store.Get(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	role := roletypes.NewRoleFromStorableRole(storableRole)
-	err = role.CanEditDelete()
-	if err != nil {
-		return err
-	}
-
-	return setter.store.Delete(ctx, orgID, id)
-}
-
-func (setter *setter) MustGetTypeables() []authtypes.Typeable {
-	return []authtypes.Typeable{authtypes.TypeableRole, roletypes.TypeableResourcesRoles}
-}

ee/query-service/app/server.go

@@ -211,7 +211,7 @@ func (s Server) HealthCheckStatus() chan healthcheck.Status {
 
 func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*http.Server, error) {
 	r := baseapp.NewRouter()
-	am := middleware.NewAuthZ(s.signoz.Instrumentation.Logger(), s.signoz.Modules.OrgGetter, s.signoz.Authz, s.signoz.Modules.RoleGetter)
+	am := middleware.NewAuthZ(s.signoz.Instrumentation.Logger(), s.signoz.Modules.OrgGetter, s.signoz.Authz)
 
 	r.Use(otelmux.Middleware(
 		"apiserver",

frontend/src/container/ApiMonitoring/Explorer/Domains/DomainList.tsx

@@ -26,7 +26,6 @@ import { ApiMonitoringHardcodedAttributeKeys } from '../../constants';
 import { DEFAULT_PARAMS, useApiMonitoringParams } from '../../queryParams';
 import { columnsConfig, formatDataForTable } from '../../utils';
 import DomainDetails from './DomainDetails/DomainDetails';
-import DOCLINKS from 'utils/docLinks';
 
 function DomainList(): JSX.Element {
 	const [params, setParams] = useApiMonitoringParams();
@@ -146,17 +145,7 @@ function DomainList(): JSX.Element {
 									/>
 
 									<Typography.Text className="no-filtered-domains-message">
-										No External API calls detected. To automatically detect them, ensure
-										Client spans are being sent with required attributes.
-										<br />
-										Read more about <span> </span>
-										<a
-											href={DOCLINKS.EXTERNAL_API_MONITORING}
-											target="_blank"
-											rel="noreferrer"
-										>
-											configuring External API monitoring.
-										</a>
+										This query had no results. Edit your query and try again!
 									</Typography.Text>
 								</div>
 							</div>

frontend/src/utils/docLinks.ts

@@ -6,8 +6,6 @@ const DOCLINKS = {
 		'https://signoz.io/docs/product-features/trace-explorer/?utm_source=product&utm_medium=traces-explorer-trace-tab#traces-view',
 	METRICS_EXPLORER_EMPTY_STATE:
 		'https://signoz.io/docs/userguide/send-metrics-cloud/',
-	EXTERNAL_API_MONITORING:
-		'https://signoz.io/docs/external-api-monitoring/overview/',
 };
 
 export default DOCLINKS;

pkg/apiserver/signozapiserver/dashboard.go

@@ -17,7 +17,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		ID:                  "CreatePublicDashboard",
 		Tags:                []string{"dashboard"},
 		Summary:             "Create public dashboard",
-		Description:         "This endpoint creates public sharing config and enables public sharing of the dashboard",
+		Description:         "This endpoints creates public sharing config and enables public sharing of the dashboard",
 		Request:             new(dashboardtypes.PostablePublicDashboard),
 		RequestContentType:  "",
 		Response:            new(types.Identifiable),
@@ -34,7 +34,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		ID:                  "GetPublicDashboard",
 		Tags:                []string{"dashboard"},
 		Summary:             "Get public dashboard",
-		Description:         "This endpoint returns public sharing config for a dashboard",
+		Description:         "This endpoints returns public sharing config for a dashboard",
 		Request:             nil,
 		RequestContentType:  "",
 		Response:            new(dashboardtypes.GettablePublicDasbhboard),
@@ -51,7 +51,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		ID:                  "UpdatePublicDashboard",
 		Tags:                []string{"dashboard"},
 		Summary:             "Update public dashboard",
-		Description:         "This endpoint updates the public sharing config for a dashboard",
+		Description:         "This endpoints updates the public sharing config for a dashboard",
 		Request:             new(dashboardtypes.UpdatablePublicDashboard),
 		RequestContentType:  "",
 		Response:            nil,
@@ -68,7 +68,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 		ID:                  "DeletePublicDashboard",
 		Tags:                []string{"dashboard"},
 		Summary:             "Delete public dashboard",
-		Description:         "This endpoint deletes the public sharing config and disables the public sharing of a dashboard",
+		Description:         "This endpoints deletes the public sharing config and disables the public sharing of a dashboard",
 		Request:             nil,
 		RequestContentType:  "",
 		Response:            nil,
@@ -83,7 +83,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 
 	if err := router.Handle("/api/v1/public/dashboards/{id}", handler.New(provider.authZ.CheckWithoutClaims(
 		provider.dashboardHandler.GetPublicData,
-		authtypes.RelationRead,
+		authtypes.RelationRead, authtypes.RelationRead,
 		dashboardtypes.TypeableMetaResourcePublicDashboard,
 		func(req *http.Request, orgs []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 			id, err := valuer.NewUUID(mux.Vars(req)["id"])
@@ -92,11 +92,11 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 			}
 
 			return provider.dashboardModule.GetPublicDashboardSelectorsAndOrg(req.Context(), id, orgs)
-		}, []string{}), handler.OpenAPIDef{
+		}), handler.OpenAPIDef{
 		ID:                  "GetPublicDashboardData",
 		Tags:                []string{"dashboard"},
 		Summary:             "Get public dashboard data",
-		Description:         "This endpoint returns the sanitized dashboard data for public access",
+		Description:         "This endpoints returns the sanitized dashboard data for public access",
 		Request:             nil,
 		RequestContentType:  "",
 		Response:            new(dashboardtypes.GettablePublicDashboardData),
@@ -111,7 +111,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 
 	if err := router.Handle("/api/v1/public/dashboards/{id}/widgets/{idx}/query_range", handler.New(provider.authZ.CheckWithoutClaims(
 		provider.dashboardHandler.GetPublicWidgetQueryRange,
-		authtypes.RelationRead,
+		authtypes.RelationRead, authtypes.RelationRead,
 		dashboardtypes.TypeableMetaResourcePublicDashboard,
 		func(req *http.Request, orgs []*types.Organization) ([]authtypes.Selector, valuer.UUID, error) {
 			id, err := valuer.NewUUID(mux.Vars(req)["id"])
@@ -120,7 +120,7 @@ func (provider *provider) addDashboardRoutes(router *mux.Router) error {
 			}
 
 			return provider.dashboardModule.GetPublicDashboardSelectorsAndOrg(req.Context(), id, orgs)
-		}, []string{}), handler.OpenAPIDef{
+		}), handler.OpenAPIDef{
 		ID:                  "GetPublicDashboardWidgetQueryRange",
 		Tags:                []string{"dashboard"},
 		Summary:             "Get query range result",

pkg/apiserver/signozapiserver/global.go

@@ -13,7 +13,7 @@ func (provider *provider) addGlobalRoutes(router *mux.Router) error {
 		ID:                  "GetGlobalConfig",
 		Tags:                []string{"global"},
 		Summary:             "Get global config",
-		Description:         "This endpoint returns global config",
+		Description:         "This endpoints returns global config",
 		Request:             nil,
 		RequestContentType:  "",
 		Response:            new(types.GettableGlobalConfig),

pkg/apiserver/signozapiserver/provider.go

@@ -17,7 +17,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
-	"github.com/SigNoz/signoz/pkg/modules/role"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -42,8 +41,6 @@ type provider struct {
 	dashboardHandler       dashboard.Handler
 	metricsExplorerHandler metricsexplorer.Handler
 	gatewayHandler         gateway.Handler
-	roleGetter             role.Getter
-	roleHandler            role.Handler
 }
 
 func NewFactory(
@@ -61,11 +58,9 @@ func NewFactory(
 	dashboardHandler dashboard.Handler,
 	metricsExplorerHandler metricsexplorer.Handler,
 	gatewayHandler gateway.Handler,
-	roleGetter role.Getter,
-	roleHandler role.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
-		return newProvider(ctx, providerSettings, config, orgGetter, authz, orgHandler, userHandler, sessionHandler, authDomainHandler, preferenceHandler, globalHandler, promoteHandler, flaggerHandler, dashboardModule, dashboardHandler, metricsExplorerHandler, gatewayHandler, roleGetter, roleHandler)
+		return newProvider(ctx, providerSettings, config, orgGetter, authz, orgHandler, userHandler, sessionHandler, authDomainHandler, preferenceHandler, globalHandler, promoteHandler, flaggerHandler, dashboardModule, dashboardHandler, metricsExplorerHandler, gatewayHandler)
 	})
 }
 
@@ -87,8 +82,6 @@ func newProvider(
 	dashboardHandler dashboard.Handler,
 	metricsExplorerHandler metricsexplorer.Handler,
 	gatewayHandler gateway.Handler,
-	roleGetter role.Getter,
-	roleHandler role.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()
@@ -109,11 +102,9 @@ func newProvider(
 		dashboardHandler:       dashboardHandler,
 		metricsExplorerHandler: metricsExplorerHandler,
 		gatewayHandler:         gatewayHandler,
-		roleGetter:             roleGetter,
-		roleHandler:            roleHandler,
 	}
 
-	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz, roleGetter)
+	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
 
 	if err := provider.AddToRouter(router); err != nil {
 		return nil, err
@@ -171,10 +162,6 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
-	if err := provider.addRoleRoutes(router); err != nil {
-		return err
-	}
-
 	return nil
 }
 

pkg/apiserver/signozapiserver/role.go

@@ -1,99 +0,0 @@
-package signozapiserver
-
-import (
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/gorilla/mux"
-)
-
-func (provider *provider) addRoleRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authZ.AdminAccess(provider.roleHandler.Create), handler.OpenAPIDef{
-		ID:                  "CreateRole",
-		Tags:                []string{"role"},
-		Summary:             "Create role",
-		Description:         "This endpoint creates a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles", handler.New(provider.authZ.AdminAccess(provider.roleHandler.List), handler.OpenAPIDef{
-		ID:                  "ListRoles",
-		Tags:                []string{"role"},
-		Summary:             "List roles",
-		Description:         "This endpoint lists all roles",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*roletypes.Role, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.roleHandler.Get), handler.OpenAPIDef{
-		ID:                  "GetRole",
-		Tags:                []string{"role"},
-		Summary:             "Get role",
-		Description:         "This endpoint gets a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(roletypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.roleHandler.Patch), handler.OpenAPIDef{
-		ID:                  "PatchRole",
-		Tags:                []string{"role"},
-		Summary:             "Patch role",
-		Description:         "This endpoint patches a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPatch).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authZ.AdminAccess(provider.roleHandler.Delete), handler.OpenAPIDef{
-		ID:                  "DeleteRole",
-		Tags:                []string{"role"},
-		Summary:             "Delete role",
-		Description:         "This endpoint deletes a role",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
-	return nil
-}

pkg/apiserver/signozapiserver/user.go

@@ -315,22 +315,5 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v2/factor_password/forgot", handler.New(provider.authZ.OpenAccess(provider.userHandler.ForgotPassword), handler.OpenAPIDef{
-		ID:                  "ForgotPassword",
-		Tags:                []string{"users"},
-		Summary:             "Forgot password",
-		Description:         "This endpoint initiates the forgot password flow by sending a reset password email",
-		Request:             new(types.PostableForgotPassword),
-		RequestContentType:  "application/json",
-		Response:            nil,
-		ResponseContentType: "",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     []handler.OpenAPISecurityScheme{},
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
 	return nil
 }

pkg/authz/authz.go

@@ -16,10 +16,9 @@ type AuthZ interface {
 	Check(context.Context, *openfgav1.TupleKey) error
 
 	// CheckWithTupleCreation takes upon the responsibility for generating the tuples alongside everything Check does.
-	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
+	CheckWithTupleCreation(context.Context, authtypes.Claims, valuer.UUID, authtypes.Relation, authtypes.Relation, authtypes.Typeable, []authtypes.Selector) error
 
-	// CheckWithTupleCreationWithoutClaims checks permissions for anonymous users.
-	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Typeable, []authtypes.Selector, []authtypes.Selector) error
+	CheckWithTupleCreationWithoutClaims(context.Context, valuer.UUID, authtypes.Relation, authtypes.Relation, authtypes.Typeable, []authtypes.Selector) error
 
 	// Batch Check returns error when the upstream authorization server is unavailable or for all the tuples of subject (s) doesn't have relation (r) on object (o).
 	BatchCheck(context.Context, []*openfgav1.TupleKey) error

pkg/authz/openfgaauthz/provider.go

@@ -152,17 +152,17 @@ func (provider *provider) BatchCheck(ctx context.Context, tupleReq []*openfgav1.
 		}
 	}
 
-	return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "none of the subjects are allowed for requested access")
+	return errors.New(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "")
 
 }
 
-func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
+func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, translation authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
 	if err != nil {
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tuples, err := authtypes.TypeableOrganization.Tuples(subject, translation, []authtypes.Selector{authtypes.MustNewSelector(authtypes.TypeOrganization, orgID.StringValue())}, orgID)
 	if err != nil {
 		return err
 	}
@@ -175,13 +175,13 @@ func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims aut
 	return nil
 }
 
-func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
+func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, _ authtypes.Relation, translation authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector) error {
 	subject, err := authtypes.NewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
 	if err != nil {
 		return err
 	}
 
-	tuples, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)
+	tuples, err := authtypes.TypeableOrganization.Tuples(subject, translation, []authtypes.Selector{authtypes.MustNewSelector(authtypes.TypeOrganization, orgID.StringValue())}, orgID)
 	if err != nil {
 		return err
 	}
@@ -195,10 +195,6 @@ func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Contex
 }
 
 func (provider *provider) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
-	if len(additions) == 0 && len(deletions) == 0 {
-		return nil
-	}
-
 	storeID, modelID := provider.getStoreIDandModelID()
 	deletionTuplesWithoutCondition := make([]*openfgav1.TupleKeyWithoutCondition, len(deletions))
 	for idx, tuple := range deletions {

pkg/authz/openfgaauthz/provider_test.go

@@ -34,11 +34,11 @@ func TestProviderStartStop(t *testing.T) {
 	sqlstore.Mock().ExpectQuery("SELECT authorization_model_id, schema_version, type, type_definition, serialized_protobuf FROM authorization_model WHERE authorization_model_id = (.+)  AND store = (.+)").WithArgs("01K44QQKXR6F729W160NFCJT58", "01K3V0NTN47MPTMEV1PD5ST6ZC").WillReturnRows(modelRows)
 
 	sqlstore.Mock().ExpectExec("INSERT INTO authorization_model (.+) VALUES (.+)").WillReturnResult(sqlmock.NewResult(1, 1))
-
 	go func() {
 		err := provider.Start(context.Background())
 		require.NoError(t, err)
 	}()
+
 	// wait for the service to start
 	time.Sleep(time.Second * 2)
 

pkg/http/middleware/authz.go

@@ -7,7 +7,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/role"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
@@ -21,15 +20,14 @@ type AuthZ struct {
 	logger       *slog.Logger
 	orgGetter    organization.Getter
 	authzService authz.AuthZ
-	roleGetter   role.Getter
 }
 
-func NewAuthZ(logger *slog.Logger, orgGetter organization.Getter, authzService authz.AuthZ, roleGetter role.Getter) *AuthZ {
+func NewAuthZ(logger *slog.Logger, orgGetter organization.Getter, authzService authz.AuthZ) *AuthZ {
 	if logger == nil {
 		panic("cannot build authz middleware, logger is empty")
 	}
 
-	return &AuthZ{logger: logger, orgGetter: orgGetter, authzService: authzService, roleGetter: roleGetter}
+	return &AuthZ{logger: logger, orgGetter: orgGetter, authzService: authzService}
 }
 
 func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
@@ -111,10 +109,9 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
 	})
 }
 
-func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
+func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, translation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithClaimsFn) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		ctx := req.Context()
-		claims, err := authtypes.ClaimsFromContext(ctx)
+		claims, err := authtypes.ClaimsFromContext(req.Context())
 		if err != nil {
 			render.Error(rw, err)
 			return
@@ -132,18 +129,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 			return
 		}
 
-		roles, err := middleware.roleGetter.ListByOrgIDAndNames(req.Context(), orgId, roles)
-		if err != nil {
-			render.Error(rw, err)
-			return
-		}
-
-		roleSelectors := []authtypes.Selector{}
-		for _, role := range roles {
-			selectors = append(selectors, authtypes.MustNewSelector(authtypes.TypeRole, role.ID.String()))
-		}
-
-		err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgId, relation, typeable, selectors, roleSelectors)
+		err = middleware.authzService.CheckWithTupleCreation(req.Context(), claims, orgId, relation, translation, typeable, selectors)
 		if err != nil {
 			render.Error(rw, err)
 			return
@@ -153,7 +139,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 	})
 }
 
-func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
+func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, translation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackWithoutClaimsFn) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		orgs, err := middleware.orgGetter.ListByOwnedKeyRange(ctx)
@@ -168,7 +154,7 @@ func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation auth
 			return
 		}
 
-		err = middleware.authzService.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, typeable, selectors, selectors)
+		err = middleware.authzService.CheckWithTupleCreationWithoutClaims(ctx, orgID, relation, translation, typeable, selectors)
 		if err != nil {
 			render.Error(rw, err)
 			return

pkg/modules/role/implrole/getter.go

@@ -1,63 +0,0 @@
-package implrole
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type getter struct {
-	store roletypes.Store
-}
-
-func NewGetter(store roletypes.Store) role.Getter {
-	return &getter{store: store}
-}
-
-func (getter *getter) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*roletypes.Role, error) {
-	storableRole, err := getter.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return roletypes.NewRoleFromStorableRole(storableRole), nil
-}
-
-func (getter *getter) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*roletypes.Role, error) {
-	storableRole, err := getter.store.GetByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return nil, err
-	}
-
-	return roletypes.NewRoleFromStorableRole(storableRole), nil
-}
-
-func (getter *getter) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.Role, error) {
-	storableRoles, err := getter.store.List(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*roletypes.Role, len(storableRoles))
-	for idx, storableRole := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storableRole)
-	}
-
-	return roles, nil
-}
-
-func (getter *getter) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*roletypes.Role, error) {
-	storableRoles, err := getter.store.ListByOrgIDAndNames(ctx, orgID, names)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*roletypes.Role, len(storableRoles))
-	for idx, storable := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storable)
-	}
-
-	return roles, nil
-}

pkg/modules/role/implrole/granter.go

@@ -1,108 +0,0 @@
-package implrole
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/authz"
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type granter struct {
-	store roletypes.Store
-	authz authz.AuthZ
-}
-
-func NewGranter(store roletypes.Store, authz authz.AuthZ) role.Granter {
-	return &granter{store: store, authz: authz}
-}
-
-func (granter *granter) Grant(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
-	role, err := granter.store.GetByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return err
-	}
-
-	tuples, err := authtypes.TypeableRole.Tuples(
-		subject,
-		authtypes.RelationAssignee,
-		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, role.ID.StringValue()),
-		},
-		orgID,
-	)
-	if err != nil {
-		return err
-	}
-	return granter.authz.Write(ctx, tuples, nil)
-}
-
-func (granter *granter) GrantByID(ctx context.Context, orgID valuer.UUID, id valuer.UUID, subject string) error {
-	tuples, err := authtypes.TypeableRole.Tuples(
-		subject,
-		authtypes.RelationAssignee,
-		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, id.StringValue()),
-		},
-		orgID,
-	)
-	if err != nil {
-		return err
-	}
-	return granter.authz.Write(ctx, tuples, nil)
-}
-
-func (granter *granter) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleName string, updatedRoleName string, subject string) error {
-	err := granter.Revoke(ctx, orgID, existingRoleName, subject)
-	if err != nil {
-		return err
-	}
-
-	err = granter.Grant(ctx, orgID, updatedRoleName, subject)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (granter *granter) Revoke(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
-	role, err := granter.store.GetByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return err
-	}
-
-	tuples, err := authtypes.TypeableRole.Tuples(
-		subject,
-		authtypes.RelationAssignee,
-		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, role.ID.StringValue()),
-		},
-		orgID,
-	)
-	if err != nil {
-		return err
-	}
-	return granter.authz.Write(ctx, nil, tuples)
-}
-
-func (granter *granter) CreateManagedRoles(ctx context.Context, _ valuer.UUID, managedRoles []*roletypes.Role) error {
-	err := granter.store.RunInTx(ctx, func(ctx context.Context) error {
-		for _, role := range managedRoles {
-			err := granter.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}

pkg/modules/role/implrole/handler.go

@@ -14,12 +14,11 @@ import (
 )
 
 type handler struct {
-	setter role.Setter
-	getter role.Getter
+	module role.Module
 }
 
-func NewHandler(setter role.Setter, getter role.Getter) role.Handler {
-	return &handler{setter: setter, getter: getter}
+func NewHandler(module role.Module) role.Handler {
+	return &handler{module: module}
 }
 
 func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
@@ -36,7 +35,7 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.setter.Create(ctx, valuer.MustNewUUID(claims.OrgID), roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID)))
+	err = handler.module.Create(ctx, roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom.StringValue(), valuer.MustNewUUID(claims.OrgID)))
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -64,7 +63,7 @@ func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	role, err := handler.getter.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
+	role, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -103,7 +102,7 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	objects, err := handler.setter.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, relation)
+	objects, err := handler.module.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, relation)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -114,7 +113,7 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 
 func (handler *handler) GetResources(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	resources := handler.setter.GetResources(ctx)
+	resources := handler.module.GetResources(ctx)
 
 	var resourceRelations = struct {
 		Resources []*authtypes.Resource                   `json:"resources"`
@@ -134,7 +133,7 @@ func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	roles, err := handler.getter.List(ctx, valuer.MustNewUUID(claims.OrgID))
+	roles, err := handler.module.List(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -163,19 +162,14 @@ func (handler *handler) Patch(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	role, err := handler.getter.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	role, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	err = role.PatchMetadata(req.Name, req.Description)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.setter.Patch(ctx, valuer.MustNewUUID(claims.OrgID), role)
+	role.PatchMetadata(req.Name, req.Description)
+	err = handler.module.Patch(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -210,19 +204,13 @@ func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	role, err := handler.getter.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	patchableObjects, err := roletypes.NewPatchableObjects(req.Additions, req.Deletions, relation)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	patchableObjects, err := role.NewPatchableObjects(req.Additions, req.Deletions, relation)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.setter.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), id, relation, patchableObjects.Additions, patchableObjects.Deletions)
+	err = handler.module.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), id, relation, patchableObjects.Additions, patchableObjects.Deletions)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -245,7 +233,7 @@ func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.setter.Delete(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	err = handler.module.Delete(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/role/implrole/module.go

@@ -0,0 +1,164 @@
+package implrole
+
+import (
+	"context"
+	"slices"
+
+	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/modules/role"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type module struct {
+	store    roletypes.Store
+	registry []role.RegisterTypeable
+	authz    authz.AuthZ
+}
+
+func NewModule(store roletypes.Store, authz authz.AuthZ, registry []role.RegisterTypeable) role.Module {
+	return &module{
+		store:    store,
+		authz:    authz,
+		registry: registry,
+	}
+}
+
+func (module *module) Create(ctx context.Context, role *roletypes.Role) error {
+	return module.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
+}
+
+func (module *module) GetOrCreate(ctx context.Context, role *roletypes.Role) (*roletypes.Role, error) {
+	existingRole, err := module.store.GetByNameAndOrgID(ctx, role.Name, role.OrgID)
+	if err != nil {
+		if !errors.Ast(err, errors.TypeNotFound) {
+			return nil, err
+		}
+	}
+
+	if existingRole != nil {
+		return roletypes.NewRoleFromStorableRole(existingRole), nil
+	}
+
+	err = module.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
+	if err != nil {
+		return nil, err
+	}
+
+	return role, nil
+}
+
+func (module *module) GetResources(_ context.Context) []*authtypes.Resource {
+	typeables := make([]authtypes.Typeable, 0)
+	for _, register := range module.registry {
+		typeables = append(typeables, register.MustGetTypeables()...)
+	}
+	// role module cannot self register itself!
+	typeables = append(typeables, module.MustGetTypeables()...)
+
+	resources := make([]*authtypes.Resource, 0)
+	for _, typeable := range typeables {
+		resources = append(resources, &authtypes.Resource{Name: typeable.Name(), Type: typeable.Type()})
+	}
+
+	return resources
+}
+
+func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*roletypes.Role, error) {
+	storableRole, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	return roletypes.NewRoleFromStorableRole(storableRole), nil
+}
+
+func (module *module) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
+	storableRole, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	objects := make([]*authtypes.Object, 0)
+	for _, resource := range module.GetResources(ctx) {
+		if slices.Contains(authtypes.TypeableRelations[resource.Type], relation) {
+			resourceObjects, err := module.
+				authz.
+				ListObjects(
+					ctx,
+					authtypes.MustNewSubject(authtypes.TypeableRole, storableRole.ID.String(), orgID, &authtypes.RelationAssignee),
+					relation,
+					authtypes.MustNewTypeableFromType(resource.Type, resource.Name),
+				)
+			if err != nil {
+				return nil, err
+			}
+
+			objects = append(objects, resourceObjects...)
+		}
+	}
+
+	return objects, nil
+}
+
+func (module *module) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.Role, error) {
+	storableRoles, err := module.store.List(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	roles := make([]*roletypes.Role, len(storableRoles))
+	for idx, storableRole := range storableRoles {
+		roles[idx] = roletypes.NewRoleFromStorableRole(storableRole)
+	}
+
+	return roles, nil
+}
+
+func (module *module) Patch(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) error {
+	return module.store.Update(ctx, orgID, roletypes.NewStorableRoleFromRole(role))
+}
+
+func (module *module) PatchObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation, additions, deletions []*authtypes.Object) error {
+	additionTuples, err := roletypes.GetAdditionTuples(id, orgID, relation, additions)
+	if err != nil {
+		return err
+	}
+
+	deletionTuples, err := roletypes.GetDeletionTuples(id, orgID, relation, deletions)
+	if err != nil {
+		return err
+	}
+
+	err = module.authz.Write(ctx, additionTuples, deletionTuples)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) Assign(ctx context.Context, id valuer.UUID, orgID valuer.UUID, subject string) error {
+	tuples, err := authtypes.TypeableRole.Tuples(
+		subject,
+		authtypes.RelationAssignee,
+		[]authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, id.StringValue()),
+		},
+		orgID,
+	)
+	if err != nil {
+		return err
+	}
+	return module.authz.Write(ctx, tuples, nil)
+}
+
+func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	return module.store.Delete(ctx, orgID, id)
+}
+
+func (module *module) MustGetTypeables() []authtypes.Typeable {
+	return []authtypes.Typeable{authtypes.TypeableRole, roletypes.TypeableResourcesRoles}
+}

pkg/modules/role/implrole/setter.go

@@ -1,53 +0,0 @@
-package implrole
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/authz"
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type setter struct {
-	store roletypes.Store
-	authz authz.AuthZ
-}
-
-func NewSetter(store roletypes.Store, authz authz.AuthZ) role.Setter {
-	return &setter{store: store, authz: authz}
-}
-
-func (setter *setter) Create(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) GetOrCreate(_ context.Context, _ valuer.UUID, _ *roletypes.Role) (*roletypes.Role, error) {
-	return nil, errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) GetResources(_ context.Context) []*authtypes.Resource {
-	return nil
-}
-
-func (setter *setter) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
-	return nil, errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) Patch(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) PatchObjects(_ context.Context, _ valuer.UUID, _ valuer.UUID, _ authtypes.Relation, _, _ []*authtypes.Object) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) Delete(_ context.Context, _ valuer.UUID, _ valuer.UUID) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (setter *setter) MustGetTypeables() []authtypes.Typeable {
-	return nil
-}

pkg/modules/role/implrole/store.go

@@ -7,7 +7,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
 )
 
 type store struct {
@@ -21,7 +20,7 @@ func NewStore(sqlstore sqlstore.SQLStore) roletypes.Store {
 func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) error {
 	_, err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewInsert().
 		Model(role).
 		Exec(ctx)
@@ -36,7 +35,7 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 	role := new(roletypes.StorableRole)
 	err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewSelect().
 		Model(role).
 		Where("org_id = ?", orgID).
@@ -49,11 +48,11 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 	return role, nil
 }
 
-func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*roletypes.StorableRole, error) {
+func (store *store) GetByNameAndOrgID(ctx context.Context, name string, orgID valuer.UUID) (*roletypes.StorableRole, error) {
 	role := new(roletypes.StorableRole)
 	err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewSelect().
 		Model(role).
 		Where("org_id = ?", orgID).
@@ -70,30 +69,13 @@ func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.S
 	roles := make([]*roletypes.StorableRole, 0)
 	err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewSelect().
 		Model(&roles).
 		Where("org_id = ?", orgID).
 		Scan(ctx)
 	if err != nil {
-		return nil, err
-	}
-
-	return roles, nil
-}
-
-func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*roletypes.StorableRole, error) {
-	roles := make([]*roletypes.StorableRole, 0)
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&roles).
-		Where("org_id = ?", orgID).
-		Where("name IN (?)", bun.In(names)).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
+		return nil, store.sqlstore.WrapNotFoundErrf(err, roletypes.ErrCodeRoleNotFound, "no roles found in org_id: %s", orgID)
 	}
 
 	return roles, nil
@@ -102,7 +84,7 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *roletypes.StorableRole) error {
 	_, err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewUpdate().
 		Model(role).
 		WherePK().
@@ -118,7 +100,7 @@ func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *roletyp
 func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
 	_, err := store.
 		sqlstore.
-		BunDBCtx(ctx).
+		BunDB().
 		NewDelete().
 		Model(new(roletypes.StorableRole)).
 		Where("org_id = ?", orgID).

pkg/modules/role/role.go

@@ -9,16 +9,22 @@ import (
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
-type Setter interface {
+type Module interface {
 	// Creates the role.
-	Create(context.Context, valuer.UUID, *roletypes.Role) error
+	Create(context.Context, *roletypes.Role) error
 
 	// Gets the role if it exists or creates one.
-	GetOrCreate(context.Context, valuer.UUID, *roletypes.Role) (*roletypes.Role, error)
+	GetOrCreate(context.Context, *roletypes.Role) (*roletypes.Role, error)
+
+	// Gets the role
+	Get(context.Context, valuer.UUID, valuer.UUID) (*roletypes.Role, error)
 
 	// Gets the objects associated with the given role and relation.
 	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*authtypes.Object, error)
 
+	// Lists all the roles for the organization.
+	List(context.Context, valuer.UUID) ([]*roletypes.Role, error)
+
 	// Gets all the typeable resources registered from role registry.
 	GetResources(context.Context) []*authtypes.Resource
 
@@ -31,40 +37,12 @@ type Setter interface {
 	// Deletes the role and tuples in authorization server.
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
 
+	// Assigns role to the given subject.
+	Assign(context.Context, valuer.UUID, valuer.UUID, string) error
+
 	RegisterTypeable
 }
 
-type Getter interface {
-	// Gets the role
-	Get(context.Context, valuer.UUID, valuer.UUID) (*roletypes.Role, error)
-
-	// Gets the role by org_id and name
-	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*roletypes.Role, error)
-
-	// Lists all the roles for the organization.
-	List(context.Context, valuer.UUID) ([]*roletypes.Role, error)
-
-	//  Lists all the roles for the organization filtered by name
-	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*roletypes.Role, error)
-}
-
-type Granter interface {
-	// Grants a role to the subject based on role name.
-	Grant(context.Context, valuer.UUID, string, string) error
-
-	// Grants a role to the subject based on role id.
-	GrantByID(context.Context, valuer.UUID, valuer.UUID, string) error
-
-	// Revokes a granted role from the subject based on role name.
-	Revoke(context.Context, valuer.UUID, string, string) error
-
-	// Changes the granted role for the subject based on role name.
-	ModifyGrant(context.Context, valuer.UUID, string, string, string) error
-
-	// Bootstrap the managed roles.
-	CreateManagedRoles(context.Context, valuer.UUID, []*roletypes.Role) error
-}
-
 type RegisterTypeable interface {
 	MustGetTypeables() []authtypes.Typeable
 }

pkg/modules/thirdpartyapi/translator.go

@@ -81,8 +81,10 @@ func FilterIntermediateColumns(result *qbtypes.QueryRangeResponse) *qbtypes.Quer
 		// Filter out columns for intermediate queries used only in formulas
 		filteredColumns := make([]*qbtypes.ColumnDescriptor, 0)
 		intermediateQueryNames := map[string]bool{
-			"error":      true,
-			"total_span": true,
+			"error":             true,
+			"total_span":        true,
+			"endpoints_current": true,
+			"endpoints_legacy":  true,
 		}
 
 		columnIndices := make([]int, 0)
@@ -296,15 +298,15 @@ func BuildDomainList(req *thirdpartyapitypes.ThirdPartyApiRequest) (*qbtypes.Que
 		return nil, err
 	}
 
-	queries := []qbtypes.QueryEnvelope{
-		buildEndpointsQuery(req),
+	queries := buildEndpointsQueries(req)
+	queries = append(queries,
 		buildLastSeenQuery(req),
 		buildRpsQuery(req),
 		buildErrorQuery(req),
 		buildTotalSpanQuery(req),
 		buildP99Query(req),
 		buildErrorRateFormula(),
-	}
+	)
 
 	return &qbtypes.QueryRangeRequest{
 		SchemaVersion: "v5",
@@ -346,20 +348,58 @@ func BuildDomainInfo(req *thirdpartyapitypes.ThirdPartyApiRequest) (*qbtypes.Que
 	}, nil
 }
 
-func buildEndpointsQuery(req *thirdpartyapitypes.ThirdPartyApiRequest) qbtypes.QueryEnvelope {
-	return qbtypes.QueryEnvelope{
+// buildEndpointsQueries returns queries for counting distinct URLs with semconv fallback.
+// It uses two queries with mutually exclusive filters:
+// - endpoints_current: count_distinct(url.full) WHERE url.full EXISTS
+// - endpoints_legacy: count_distinct(http.url) WHERE url.full NOT EXISTS
+// And a formula to combine them: endpoints_current + endpoints_legacy
+func buildEndpointsQueries(req *thirdpartyapitypes.ThirdPartyApiRequest) []qbtypes.QueryEnvelope {
+	// Query for current semconv (url.full)
+	currentFilter := buildBaseFilter(req.Filter)
+	currentFilter.Expression = fmt.Sprintf("(%s) AND %s EXISTS", currentFilter.Expression, urlPathKey)
+
+	endpointsCurrent := qbtypes.QueryEnvelope{
 		Type: qbtypes.QueryTypeBuilder,
 		Spec: qbtypes.QueryBuilderQuery[qbtypes.TraceAggregation]{
-			Name:         "endpoints",
+			Name:         "endpoints_current",
 			Signal:       telemetrytypes.SignalTraces,
 			StepInterval: qbtypes.Step{Duration: defaultStepInterval},
 			Aggregations: []qbtypes.TraceAggregation{
-				{Expression: "count_distinct(http.url)"},
+				{Expression: fmt.Sprintf("count_distinct(%s)", urlPathKey)},
 			},
-			Filter:  buildBaseFilter(req.Filter),
+			Filter:  currentFilter,
 			GroupBy: mergeGroupBy(dualSemconvGroupByKeys["server"], req.GroupBy),
 		},
 	}
+
+	// Query for legacy semconv (http.url) - only when url.full doesn't exist
+	legacyFilter := buildBaseFilter(req.Filter)
+	legacyFilter.Expression = fmt.Sprintf("(%s) AND %s NOT EXISTS", legacyFilter.Expression, urlPathKey)
+
+	endpointsLegacy := qbtypes.QueryEnvelope{
+		Type: qbtypes.QueryTypeBuilder,
+		Spec: qbtypes.QueryBuilderQuery[qbtypes.TraceAggregation]{
+			Name:         "endpoints_legacy",
+			Signal:       telemetrytypes.SignalTraces,
+			StepInterval: qbtypes.Step{Duration: defaultStepInterval},
+			Aggregations: []qbtypes.TraceAggregation{
+				{Expression: fmt.Sprintf("count_distinct(%s)", urlPathKeyLegacy)},
+			},
+			Filter:  legacyFilter,
+			GroupBy: mergeGroupBy(dualSemconvGroupByKeys["server"], req.GroupBy),
+		},
+	}
+
+	// Formula to combine both counts
+	endpointsFormula := qbtypes.QueryEnvelope{
+		Type: qbtypes.QueryTypeFormula,
+		Spec: qbtypes.QueryBuilderFormula{
+			Name:       "endpoints",
+			Expression: "endpoints_current + endpoints_legacy",
+		},
+	}
+
+	return []qbtypes.QueryEnvelope{endpointsCurrent, endpointsLegacy, endpointsFormula}
 }
 
 func buildLastSeenQuery(req *thirdpartyapitypes.ThirdPartyApiRequest) qbtypes.QueryEnvelope {

pkg/modules/user/config.go

@@ -1,43 +0,0 @@
-package user
-
-import (
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/factory"
-)
-
-type Config struct {
-	Password PasswordConfig `mapstructure:"password"`
-}
-type PasswordConfig struct {
-	Reset ResetConfig `mapstructure:"reset"`
-}
-
-type ResetConfig struct {
-	AllowSelf        bool          `mapstructure:"allow_self"`
-	MaxTokenLifetime time.Duration `mapstructure:"max_token_lifetime"`
-}
-
-func NewConfigFactory() factory.ConfigFactory {
-	return factory.NewConfigFactory(factory.MustNewName("user"), newConfig)
-}
-
-func newConfig() factory.Config {
-	return &Config{
-		Password: PasswordConfig{
-			Reset: ResetConfig{
-				AllowSelf:        false,
-				MaxTokenLifetime: 6 * time.Hour,
-			},
-		},
-	}
-}
-
-func (c Config) Validate() error {
-	if c.Password.Reset.MaxTokenLifetime <= 0 {
-		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::password::reset::max_token_lifetime must be positive")
-	}
-
-	return nil
-}

pkg/modules/user/impluser/handler.go

@@ -332,25 +332,6 @@ func (handler *handler) ChangePassword(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
-func (h *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	req := new(types.PostableForgotPassword)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	err := h.module.ForgotPassword(ctx, req.OrgID, req.Email, req.FrontendBaseURL)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	render.Success(w, http.StatusNoContent, nil)
-}
-
 func (h *handler) CreateAPIKey(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

pkg/modules/user/impluser/module.go

@@ -12,14 +12,11 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/dustin/go-humanize"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 )
@@ -30,13 +27,11 @@ type Module struct {
 	emailing  emailing.Emailing
 	settings  factory.ScopedProviderSettings
 	orgSetter organization.Setter
-	granter   role.Granter
 	analytics analytics.Analytics
-	config    user.Config
 }
 
 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, granter role.Granter, analytics analytics.Analytics, config user.Config) root.Module {
+func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, analytics analytics.Analytics) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
 		store:     store,
@@ -45,8 +40,6 @@ func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing em
 		settings:  settings,
 		orgSetter: orgSetter,
 		analytics: analytics,
-		granter:   granter,
-		config:    config,
 	}
 }
 
@@ -230,6 +223,7 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 	}
 
 	user.UpdatedAt = time.Now()
+
 	updatedUser, err := m.store.UpdateUser(ctx, orgID, id, user)
 	if err != nil {
 		return nil, err
@@ -260,8 +254,8 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 	return updatedUser, nil
 }
 
-func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
+func (m *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
+	user, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -271,7 +265,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := m.store.GetUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 	if err != nil {
 		return err
 	}
@@ -280,11 +274,11 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}
 
-	if err := module.store.DeleteUser(ctx, orgID.String(), user.ID.StringValue()); err != nil {
+	if err := m.store.DeleteUser(ctx, orgID.String(), user.ID.StringValue()); err != nil {
 		return err
 	}
 
-	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Deleted", map[string]any{
+	m.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Deleted", map[string]any{
 		"deleted_by": deletedBy,
 	})
 
@@ -308,91 +302,33 @@ func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID
 		}
 	}
 
-	// check if a token already exists for this password id
-	existingResetPasswordToken, err := module.store.GetResetPasswordTokenByPasswordID(ctx, password.ID)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err // return the error if it is not a not found error
+	resetPasswordToken, err := types.NewResetPasswordToken(password.ID)
+	if err != nil {
+		return nil, err
 	}
 
-	// return the existing token if it is not expired
-	if existingResetPasswordToken != nil && !existingResetPasswordToken.IsExpired() {
-		return existingResetPasswordToken, nil // return the existing token if it is not expired
-	}
+	err = module.store.CreateResetPasswordToken(ctx, resetPasswordToken)
+	if err != nil {
+		if !errors.Ast(err, errors.TypeAlreadyExists) {
+			return nil, err
+		}
 
-	// delete the existing token entry
-	if existingResetPasswordToken != nil {
-		if err := module.store.DeleteResetPasswordTokenByPasswordID(ctx, password.ID); err != nil {
+		// if the token already exists, we return the existing token
+		resetPasswordToken, err = module.store.GetResetPasswordTokenByPasswordID(ctx, password.ID)
+		if err != nil {
 			return nil, err
 		}
 	}
 
-	// create a new token
-	resetPasswordToken, err := types.NewResetPasswordToken(password.ID, time.Now().Add(module.config.Password.Reset.MaxTokenLifetime))
-	if err != nil {
-		return nil, err
-	}
-
-	// create a new token
-	err = module.store.CreateResetPasswordToken(ctx, resetPasswordToken)
-	if err != nil {
-		return nil, err
-	}
-
 	return resetPasswordToken, nil
 }
 
-func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error {
-	if !module.config.Password.Reset.AllowSelf {
-		return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "users are not allowed to reset their password themselves, please contact an admin to reset your password")
-	}
-
-	user, err := module.store.GetUserByEmailAndOrgID(ctx, email, orgID)
-	if err != nil {
-		if errors.Ast(err, errors.TypeNotFound) {
-			return nil // for security reasons
-		}
-		return err
-	}
-
-	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
-	if err != nil {
-		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
-		return err
-	}
-
-	resetLink := fmt.Sprintf("%s/password-reset?token=%s", frontendBaseURL, token.Token)
-
-	tokenLifetime := module.config.Password.Reset.MaxTokenLifetime
-	humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
-
-	if err := module.emailing.SendHTML(
-		ctx,
-		user.Email.String(),
-		"Reset your SigNoz password",
-		emailtypes.TemplateNameResetPassword,
-		map[string]any{
-			"Name":   user.DisplayName,
-			"Link":   resetLink,
-			"Expiry": humanizedTokenLifetime,
-		},
-	); err != nil {
-		module.settings.Logger().ErrorContext(ctx, "failed to send reset password email", "error", err)
-		return nil
-	}
-
-	return nil
-}
-
 func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, token string, passwd string) error {
 	resetPasswordToken, err := module.store.GetResetPasswordToken(ctx, token)
 	if err != nil {
 		return err
 	}
 
-	if resetPasswordToken.IsExpired() {
-		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "reset password token has expired")
-	}
-
 	password, err := module.store.GetPassword(ctx, resetPasswordToken.PasswordID)
 	if err != nil {
 		return err
@@ -478,7 +414,7 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 	}
 
 	if err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		err = module.orgSetter.Create(ctx, organization)
+		err := module.orgSetter.Create(ctx, organization)
 		if err != nil {
 			return err
 		}

pkg/modules/user/impluser/store.go

@@ -391,18 +391,6 @@ func (store *store) GetResetPasswordTokenByPasswordID(ctx context.Context, passw
 	return resetPasswordToken, nil
 }
 
-func (store *store) DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error {
-	_, err := store.sqlstore.BunDB().NewDelete().
-		Model(&types.ResetPasswordToken{}).
-		Where("password_id = ?", passwordID).
-		Exec(ctx)
-	if err != nil {
-		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete reset password token")
-	}
-
-	return nil
-}
-
 func (store *store) GetResetPasswordToken(ctx context.Context, token string) (*types.ResetPasswordToken, error) {
 	resetPasswordRequest := new(types.ResetPasswordToken)
 

pkg/modules/user/user.go

@@ -30,9 +30,6 @@ type Module interface {
 	// Updates password of user to the new password. It also deletes all reset password tokens for the user.
 	UpdatePassword(ctx context.Context, userID valuer.UUID, oldPassword string, password string) error
 
-	// Initiate forgot password flow for a user
-	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error
-
 	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error)
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error
 
@@ -95,7 +92,6 @@ type Handler interface {
 	GetResetPasswordToken(http.ResponseWriter, *http.Request)
 	ResetPassword(http.ResponseWriter, *http.Request)
 	ChangePassword(http.ResponseWriter, *http.Request)
-	ForgotPassword(http.ResponseWriter, *http.Request)
 
 	// API KEY
 	CreateAPIKey(http.ResponseWriter, *http.Request)

pkg/query-service/app/server.go

@@ -209,7 +209,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 	r.Use(middleware.NewLogging(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 
-	am := middleware.NewAuthZ(s.signoz.Instrumentation.Logger(), s.signoz.Modules.OrgGetter, s.signoz.Authz, s.signoz.Modules.RoleGetter)
+	am := middleware.NewAuthZ(s.signoz.Instrumentation.Logger(), s.signoz.Modules.OrgGetter, s.signoz.Authz)
 
 	api.RegisterRoutes(r, am)
 	api.RegisterLogsRoutes(r, am)

pkg/signoz/config.go

@@ -22,7 +22,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/prometheus"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/ruler"
@@ -110,9 +109,6 @@ type Config struct {
 
 	// Flagger config
 	Flagger flagger.Config `mapstructure:"flagger"`
-
-	// User config
-	User user.Config `mapstructure:"user"`
 }
 
 // DeprecatedFlags are the flags that are deprecated and scheduled for removal.
@@ -175,7 +171,6 @@ func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.R
 		tokenizer.NewConfigFactory(),
 		metricsexplorer.NewConfigFactory(),
 		flagger.NewConfigFactory(),
-		user.NewConfigFactory(),
 	}
 
 	conf, err := config.New(ctx, resolverConfig, configFactories)

pkg/signoz/handler.go

@@ -17,8 +17,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/quickfilter/implquickfilter"
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
-	"github.com/SigNoz/signoz/pkg/modules/role"
-	"github.com/SigNoz/signoz/pkg/modules/role/implrole"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
 	"github.com/SigNoz/signoz/pkg/modules/services"
@@ -43,7 +41,6 @@ type Handlers struct {
 	Global          global.Handler
 	FlaggerHandler  flagger.Handler
 	GatewayHandler  gateway.Handler
-	Role            role.Handler
 }
 
 func NewHandlers(modules Modules, providerSettings factory.ProviderSettings, querier querier.Querier, licensing licensing.Licensing, global global.Global, flaggerService flagger.Flagger, gatewayService gateway.Gateway) Handlers {
@@ -60,6 +57,5 @@ func NewHandlers(modules Modules, providerSettings factory.ProviderSettings, que
 		Global:          signozglobal.NewHandler(global),
 		FlaggerHandler:  flagger.NewHandler(flaggerService),
 		GatewayHandler:  gateway.NewHandler(gatewayService),
-		Role:            implrole.NewHandler(modules.RoleSetter, modules.RoleGetter),
 	}
 }

pkg/signoz/handler_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory/factorytest"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
-	"github.com/SigNoz/signoz/pkg/modules/role/implrole"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/sharder"
 	"github.com/SigNoz/signoz/pkg/sharder/noopsharder"
@@ -41,10 +40,7 @@ func TestNewHandlers(t *testing.T) {
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
 	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
-	roleSetter := implrole.NewSetter(implrole.NewStore(sqlstore), nil)
-	roleGetter := implrole.NewGetter(implrole.NewStore(sqlstore))
-	grantModule := implrole.NewGranter(implrole.NewStore(sqlstore), nil)
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, roleSetter, roleGetter, grantModule)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule)
 
 	handlers := NewHandlers(modules, providerSettings, nil, nil, nil, nil, nil)
 

pkg/signoz/module.go

@@ -25,7 +25,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/quickfilter/implquickfilter"
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
-	"github.com/SigNoz/signoz/pkg/modules/role"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
 	"github.com/SigNoz/signoz/pkg/modules/services"
@@ -67,9 +66,6 @@ type Modules struct {
 	SpanPercentile  spanpercentile.Module
 	MetricsExplorer metricsexplorer.Module
 	Promote         promote.Module
-	RoleSetter      role.Setter
-	RoleGetter      role.Getter
-	Granter         role.Granter
 }
 
 func NewModules(
@@ -89,13 +85,10 @@ func NewModules(
 	queryParser queryparser.QueryParser,
 	config Config,
 	dashboard dashboard.Module,
-	roleSetter role.Setter,
-	roleGetter role.Getter,
-	granter role.Granter,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, granter, analytics, config.User)
+	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, analytics)
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 
@@ -117,8 +110,5 @@ func NewModules(
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:         implpromote.NewModule(telemetryMetadataStore, telemetryStore),
-		RoleSetter:      roleSetter,
-		RoleGetter:      roleGetter,
-		Granter:         granter,
 	}
 }

pkg/signoz/module_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory/factorytest"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
-	"github.com/SigNoz/signoz/pkg/modules/role/implrole"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/sharder"
 	"github.com/SigNoz/signoz/pkg/sharder/noopsharder"
@@ -41,10 +40,7 @@ func TestNewModules(t *testing.T) {
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
 	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
-	roleSetter := implrole.NewSetter(implrole.NewStore(sqlstore), nil)
-	roleGetter := implrole.NewGetter(implrole.NewStore(sqlstore))
-	grantModule := implrole.NewGranter(implrole.NewStore(sqlstore), nil)
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, roleSetter, roleGetter, grantModule)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/openapi.go

@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
-	"github.com/SigNoz/signoz/pkg/modules/role"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
@@ -50,8 +49,6 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ dashboard.Handler }{},
 		struct{ metricsexplorer.Handler }{},
 		struct{ gateway.Handler }{},
-		struct{ role.Getter }{},
-		struct{ role.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err

pkg/signoz/provider.go

@@ -161,7 +161,6 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewUpdateUserPreferenceFactory(sqlstore, sqlschema),
 		sqlmigration.NewUpdateOrgPreferenceFactory(sqlstore, sqlschema),
 		sqlmigration.NewRenameOrgDomainsFactory(sqlstore, sqlschema),
-		sqlmigration.NewAddResetPasswordTokenExpiryFactory(sqlstore, sqlschema),
 	)
 }
 
@@ -243,8 +242,6 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.Dashboard,
 			handlers.MetricsExplorer,
 			handlers.GatewayHandler,
-			modules.RoleGetter,
-			handlers.Role,
 		),
 	)
 }

pkg/signoz/signoz.go

@@ -90,9 +90,8 @@ func New(
 	telemetrystoreProviderFactories factory.NamedMap[factory.ProviderFactory[telemetrystore.TelemetryStore, telemetrystore.Config]],
 	authNsCallback func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error),
 	authzCallback func(context.Context, sqlstore.SQLStore) factory.ProviderFactory[authz.AuthZ, authz.Config],
-	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, role.Setter, role.Granter, queryparser.QueryParser, querier.Querier, licensing.Licensing) dashboard.Module,
+	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, role.Module, queryparser.QueryParser, querier.Querier, licensing.Licensing) dashboard.Module,
 	gatewayProviderFactory func(licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config],
-	roleSetterCallback func(sqlstore.SQLStore, authz.AuthZ, licensing.Licensing, []role.RegisterTypeable) role.Setter,
 ) (*SigNoz, error) {
 	// Initialize instrumentation
 	instrumentation, err := instrumentation.New(ctx, config.Instrumentation, version.Info, "signoz")
@@ -281,12 +280,6 @@ func New(
 		return nil, err
 	}
 
-	// Initialize user getter
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
-
-	// Initialize the role getter
-	roleGetter := implrole.NewGetter(implrole.NewStore(sqlstore))
-
 	// Initialize authz
 	authzProviderFactory := authzCallback(ctx, sqlstore)
 	authz, err := authzProviderFactory.New(ctx, providerSettings, authz.Config{})
@@ -294,6 +287,9 @@ func New(
 		return nil, err
 	}
 
+	// Initialize user getter
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
 	// Initialize notification manager from the available notification manager provider factories
 	nfManager, err := factory.NewProviderFromNamedMap(
 		ctx,
@@ -390,10 +386,9 @@ func New(
 	}
 
 	// Initialize all modules
-	roleSetter := roleSetterCallback(sqlstore, authz, licensing, nil)
-	granter := implrole.NewGranter(implrole.NewStore(sqlstore), authz)
-	dashboard := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, roleSetter, granter, queryParser, querier, licensing)
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, roleSetter, roleGetter, granter)
+	roleModule := implrole.NewModule(implrole.NewStore(sqlstore), authz, nil)
+	dashboardModule := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, roleModule, queryParser, querier, licensing)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboardModule)
 
 	// Initialize all handlers for the modules
 	handlers := NewHandlers(modules, providerSettings, querier, licensing, global, flagger, gateway)

pkg/sqlmigration/058_add_reset_password_token_expiry.go

@@ -1,83 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlschema"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-type addResetPasswordTokenExpiry struct {
-	sqlstore  sqlstore.SQLStore
-	sqlschema sqlschema.SQLSchema
-}
-
-func NewAddResetPasswordTokenExpiryFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("add_reset_password_token_expiry"), func(ctx context.Context, providerSettings factory.ProviderSettings, config Config) (SQLMigration, error) {
-		return newAddResetPasswordTokenExpiry(ctx, providerSettings, config, sqlstore, sqlschema)
-	})
-}
-
-func newAddResetPasswordTokenExpiry(_ context.Context, _ factory.ProviderSettings, _ Config, sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) (SQLMigration, error) {
-	return &addResetPasswordTokenExpiry{
-		sqlstore:  sqlstore,
-		sqlschema: sqlschema,
-	}, nil
-}
-
-func (migration *addResetPasswordTokenExpiry) Register(migrations *migrate.Migrations) error {
-	if err := migrations.Register(migration.Up, migration.Down); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addResetPasswordTokenExpiry) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	// get the reset_password_token table
-	table, uniqueConstraints, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("reset_password_token"))
-	if err != nil {
-		return err
-	}
-
-	// add a new column `expires_at`
-	column := &sqlschema.Column{
-		Name:     sqlschema.ColumnName("expires_at"),
-		DataType: sqlschema.DataTypeTimestamp,
-		Nullable: true,
-	}
-
-	// for existing rows set
-	defaultValueForExistingRows := time.Now()
-
-	sqls := migration.sqlschema.Operator().AddColumn(table, uniqueConstraints, column, defaultValueForExistingRows)
-
-	for _, sql := range sqls {
-		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
-			return err
-		}
-	}
-
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addResetPasswordTokenExpiry) Down(ctx context.Context, db *bun.DB) error {
-	return nil
-}

pkg/types/authtypes/selector.go

@@ -24,7 +24,7 @@ var (
 	typeRoleSelectorRegex         = regexp.MustCompile(`^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)
 	typeAnonymousSelectorRegex    = regexp.MustCompile(`^\*$`)
 	typeOrganizationSelectorRegex = regexp.MustCompile(`^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)
-	typeMetaResourceSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeMetaResourceSelectorRegex = regexp.MustCompile(`^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)
 	// metaresources selectors are used to select either all or none
 	typeMetaResourcesSelectorRegex = regexp.MustCompile(`^\*$`)
 )

pkg/types/emailtypes/template.go

@@ -12,13 +12,12 @@ import (
 var (
 	// Templates is a list of all the templates that are supported by the emailing service.
 	// This list should be updated whenever a new template is added.
-	Templates = []TemplateName{TemplateNameInvitationEmail, TemplateNameUpdateRole, TemplateNameResetPassword}
+	Templates = []TemplateName{TemplateNameInvitationEmail, TemplateNameUpdateRole}
 )
 
 var (
 	TemplateNameInvitationEmail = TemplateName{valuer.NewString("invitation_email")}
 	TemplateNameUpdateRole      = TemplateName{valuer.NewString("update_role")}
-	TemplateNameResetPassword   = TemplateName{valuer.NewString("reset_password_email")}
 )
 
 type TemplateName struct{ valuer.String }
@@ -29,8 +28,6 @@ func NewTemplateName(name string) (TemplateName, error) {
 		return TemplateNameInvitationEmail, nil
 	case TemplateNameUpdateRole.StringValue():
 		return TemplateNameUpdateRole, nil
-	case TemplateNameResetPassword.StringValue():
-		return TemplateNameResetPassword, nil
 	default:
 		return TemplateName{}, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "invalid template name: %s", name)
 	}

pkg/types/factor_password.go

@@ -35,19 +35,12 @@ type ChangePasswordRequest struct {
 	NewPassword string      `json:"newPassword"`
 }
 
-type PostableForgotPassword struct {
-	OrgID           valuer.UUID  `json:"orgId"`
-	Email           valuer.Email `json:"email"`
-	FrontendBaseURL string       `json:"frontendBaseURL"`
-}
-
 type ResetPasswordToken struct {
 	bun.BaseModel `bun:"table:reset_password_token"`
 
 	Identifiable
 	Token      string      `bun:"token,type:text,notnull" json:"token"`
 	PasswordID valuer.UUID `bun:"password_id,type:text,notnull,unique" json:"passwordId"`
-	ExpiresAt  time.Time   `bun:"expires_at,type:timestamptz,nullzero" json:"expiresAt"`
 }
 
 type FactorPassword struct {
@@ -143,14 +136,13 @@ func NewHashedPassword(password string) (string, error) {
 	return string(hashedPassword), nil
 }
 
-func NewResetPasswordToken(passwordID valuer.UUID, expiresAt time.Time) (*ResetPasswordToken, error) {
+func NewResetPasswordToken(passwordID valuer.UUID) (*ResetPasswordToken, error) {
 	return &ResetPasswordToken{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
 		},
 		Token:      valuer.GenerateUUID().String(),
 		PasswordID: passwordID,
-		ExpiresAt:  expiresAt,
 	}, nil
 }
 
@@ -216,7 +208,3 @@ func (f *FactorPassword) Equals(password string) bool {
 func comparePassword(hashedPassword string, password string) bool {
 	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password)) == nil
 }
-
-func (r *ResetPasswordToken) IsExpired() bool {
-	return r.ExpiresAt.Before(time.Now())
-}

pkg/types/querybuildertypes/querybuildertypesv5/builder_elements.go

@@ -553,18 +553,6 @@ func (f Function) Copy() Function {
 	return c
 }
 
-// Validate validates the name and args for the function
-func (f Function) Validate() error {
-	if err := f.Name.Validate(); err != nil {
-		return err
-	}
-	// Validate args for function
-	if err := f.ValidateArgs(); err != nil {
-		return err
-	}
-	return nil
-}
-
 type LimitBy struct {
 	// keys to limit by
 	Keys []string `json:"keys"`

pkg/types/querybuildertypes/querybuildertypesv5/formula.go

@@ -73,43 +73,6 @@ func (f *QueryBuilderFormula) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// Validate checks if the QueryBuilderFormula fields are valid
-func (f QueryBuilderFormula) Validate() error {
-	// Validate name is not blank
-	if strings.TrimSpace(f.Name) == "" {
-		return errors.NewInvalidInputf(
-			errors.CodeInvalidInput,
-			"formula name cannot be blank",
-		)
-	}
-
-	// Validate expression is not blank
-	if strings.TrimSpace(f.Expression) == "" {
-		return errors.NewInvalidInputf(
-			errors.CodeInvalidInput,
-			"formula expression cannot be blank",
-		)
-	}
-
-	// Validate functions if present
-	for i, fn := range f.Functions {
-		if err := fn.Validate(); err != nil {
-			fnId := fmt.Sprintf("function #%d", i+1)
-			if f.Name != "" {
-				fnId = fmt.Sprintf("function #%d in formula '%s'", i+1, f.Name)
-			}
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"invalid %s: %s",
-				fnId,
-				err.Error(),
-			)
-		}
-	}
-
-	return nil
-}
-
 // small container to store the query name and index or alias reference
 // for a variable in the formula expression
 // read below for more details on aggregation references

pkg/types/querybuildertypes/querybuildertypesv5/functions.go

@@ -1,13 +1,10 @@
 package querybuildertypesv5
 
 import (
-	"fmt"
 	"math"
 	"slices"
 	"strconv"
-	"strings"
 
-	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -36,46 +33,6 @@ var (
 	FunctionNameFillZero      = FunctionName{valuer.NewString("fillZero")}
 )
 
-// Validate checks if the FunctionName is valid and one of the known types
-func (fn FunctionName) Validate() error {
-	validFunctions := []FunctionName{
-		FunctionNameCutOffMin,
-		FunctionNameCutOffMax,
-		FunctionNameClampMin,
-		FunctionNameClampMax,
-		FunctionNameAbsolute,
-		FunctionNameRunningDiff,
-		FunctionNameLog2,
-		FunctionNameLog10,
-		FunctionNameCumulativeSum,
-		FunctionNameEWMA3,
-		FunctionNameEWMA5,
-		FunctionNameEWMA7,
-		FunctionNameMedian3,
-		FunctionNameMedian5,
-		FunctionNameMedian7,
-		FunctionNameTimeShift,
-		FunctionNameAnomaly,
-		FunctionNameFillZero,
-	}
-
-	if slices.Contains(validFunctions, fn) {
-		return nil
-	}
-
-	// Format valid functions as comma-separated string
-	var validFunctionNames []string
-	for _, fn := range validFunctions {
-		validFunctionNames = append(validFunctionNames, fn.StringValue())
-	}
-
-	return errors.NewInvalidInputf(
-		errors.CodeInvalidInput,
-		"invalid function name: %s",
-		fn.StringValue(),
-	).WithAdditional(fmt.Sprintf("valid functions are: %s", strings.Join(validFunctionNames, ", ")))
-}
-
 // ApplyFunction applies the given function to the result data
 func ApplyFunction(fn Function, result *TimeSeries) *TimeSeries {
 	// Extract the function name and arguments
@@ -155,61 +112,6 @@ func ApplyFunction(fn Function, result *TimeSeries) *TimeSeries {
 	return result
 }
 
-// ValidateArgs validates the arguments for the given function
-func (fn Function) ValidateArgs() error {
-	// Extract the function name and arguments
-	name := fn.Name
-	args := fn.Args
-
-	switch name {
-	case FunctionNameCutOffMin, FunctionNameCutOffMax, FunctionNameClampMin, FunctionNameClampMax:
-		if len(args) == 0 {
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"threshold value is required for function %s",
-				name.StringValue(),
-			)
-		}
-		_, err := parseFloat64Arg(args[0].Value)
-		if err != nil {
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"threshold value must be a floating value for function %s",
-				name.StringValue(),
-			)
-		}
-	case FunctionNameEWMA3, FunctionNameEWMA5, FunctionNameEWMA7:
-		if len(args) == 0 {
-			return nil // alpha is optional for EWMA functions
-		}
-		_, err := parseFloat64Arg(args[0].Value)
-		if err != nil {
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"alpha value must be a floating value for function %s",
-				name.StringValue(),
-			)
-		}
-	case FunctionNameTimeShift:
-		if len(args) == 0 {
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"time shift value is required for function %s",
-				name.StringValue(),
-			)
-		}
-		_, err := parseFloat64Arg(args[0].Value)
-		if err != nil {
-			return errors.NewInvalidInputf(
-				errors.CodeInvalidInput,
-				"time shift value must be a floating value for function %s",
-				name.StringValue(),
-			)
-		}
-	}
-	return nil
-}
-
 // parseFloat64Arg parses an argument to float64
 func parseFloat64Arg(value any) (float64, error) {
 	switch v := value.(type) {

pkg/types/querybuildertypes/querybuildertypesv5/validation.go

@@ -65,6 +65,46 @@ const (
 	MaxQueryLimit = 10000
 )
 
+// ValidateFunctionName checks if the function name is valid
+func ValidateFunctionName(name FunctionName) error {
+	validFunctions := []FunctionName{
+		FunctionNameCutOffMin,
+		FunctionNameCutOffMax,
+		FunctionNameClampMin,
+		FunctionNameClampMax,
+		FunctionNameAbsolute,
+		FunctionNameRunningDiff,
+		FunctionNameLog2,
+		FunctionNameLog10,
+		FunctionNameCumulativeSum,
+		FunctionNameEWMA3,
+		FunctionNameEWMA5,
+		FunctionNameEWMA7,
+		FunctionNameMedian3,
+		FunctionNameMedian5,
+		FunctionNameMedian7,
+		FunctionNameTimeShift,
+		FunctionNameAnomaly,
+		FunctionNameFillZero,
+	}
+
+	if slices.Contains(validFunctions, name) {
+		return nil
+	}
+
+	// Format valid functions as comma-separated string
+	var validFunctionNames []string
+	for _, fn := range validFunctions {
+		validFunctionNames = append(validFunctionNames, fn.StringValue())
+	}
+
+	return errors.NewInvalidInputf(
+		errors.CodeInvalidInput,
+		"invalid function name: %s",
+		name.StringValue(),
+	).WithAdditional(fmt.Sprintf("valid functions are: %s", strings.Join(validFunctionNames, ", ")))
+}
+
 // Validate performs preliminary validation on QueryBuilderQuery
 func (q *QueryBuilderQuery[T]) Validate(requestType RequestType) error {
 	// Validate signal
@@ -271,7 +311,7 @@ func (q *QueryBuilderQuery[T]) validateLimitAndPagination() error {
 
 func (q *QueryBuilderQuery[T]) validateFunctions() error {
 	for i, fn := range q.Functions {
-		if err := fn.Validate(); err != nil {
+		if err := ValidateFunctionName(fn.Name); err != nil {
 			fnId := fmt.Sprintf("function #%d", i+1)
 			if q.Name != "" {
 				fnId = fmt.Sprintf("function #%d in query '%s'", i+1, q.Name)

pkg/types/roletypes/role.go

@@ -20,7 +20,6 @@ var (
 	ErrCodeInvalidTypeRelation              = errors.MustNewCode("role_invalid_type_relation")
 	ErrCodeRoleNotFound                     = errors.MustNewCode("role_not_found")
 	ErrCodeRoleFailedTransactionsFromString = errors.MustNewCode("role_failed_transactions_from_string")
-	ErrCodeRoleUnsupported                  = errors.MustNewCode("role_unsupported")
 )
 
 var (
@@ -33,22 +32,8 @@ var (
 )
 
 var (
-	SigNozAnonymousRoleName        = "signoz-anonymous"
-	SigNozAnonymousRoleDescription = "Role assigned to anonymous users for access to public resources."
-	SigNozAdminRoleName            = "signoz-admin"
-	SigNozAdminRoleDescription     = "Role assigned to users who have full administrative access to SigNoz resources."
-	SigNozEditorRoleName           = "signoz-editor"
-	SigNozEditorRoleDescription    = "Role assigned to users who can create, edit, and manage SigNoz resources but do not have full administrative privileges."
-	SigNozViewerRoleName           = "signoz-viewer"
-	SigNozViewerRoleDescription    = "Role assigned to users who have read-only access to SigNoz resources."
-)
-
-var (
-	ExistingRoleToSigNozManagedRoleMap = map[types.Role]string{
-		types.RoleAdmin:  SigNozAdminRoleName,
-		types.RoleEditor: SigNozEditorRoleName,
-		types.RoleViewer: SigNozViewerRoleName,
-	}
+	AnonymousUserRoleName        = "signoz-anonymous"
+	AnonymousUserRoleDescription = "Role assigned to anonymous users for access to public resources."
 )
 
 var (
@@ -69,10 +54,10 @@ type StorableRole struct {
 type Role struct {
 	types.Identifiable
 	types.TimeAuditable
-	Name        string        `json:"name"`
-	Description string        `json:"description"`
-	Type        valuer.String `json:"type"`
-	OrgID       valuer.UUID   `json:"orgId"`
+	Name        string      `json:"name"`
+	Description string      `json:"description"`
+	Type        string      `json:"type"`
+	OrgID       valuer.UUID `json:"org_id"`
 }
 
 type PostableRole struct {
@@ -96,7 +81,7 @@ func NewStorableRoleFromRole(role *Role) *StorableRole {
 		TimeAuditable: role.TimeAuditable,
 		Name:          role.Name,
 		Description:   role.Description,
-		Type:          role.Type.String(),
+		Type:          role.Type,
 		OrgID:         role.OrgID.StringValue(),
 	}
 }
@@ -107,12 +92,12 @@ func NewRoleFromStorableRole(storableRole *StorableRole) *Role {
 		TimeAuditable: storableRole.TimeAuditable,
 		Name:          storableRole.Name,
 		Description:   storableRole.Description,
-		Type:          valuer.NewString(storableRole.Type),
+		Type:          storableRole.Type,
 		OrgID:         valuer.MustNewUUID(storableRole.OrgID),
 	}
 }
 
-func NewRole(name, description string, roleType valuer.String, orgID valuer.UUID) *Role {
+func NewRole(name, description string, roleType string, orgID valuer.UUID) *Role {
 	return &Role{
 		Identifiable: types.Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -128,38 +113,7 @@ func NewRole(name, description string, roleType valuer.String, orgID valuer.UUID
 	}
 }
 
-func NewManagedRoles(orgID valuer.UUID) []*Role {
-	return []*Role{
-		NewRole(SigNozAdminRoleName, SigNozAdminRoleDescription, RoleTypeManaged, orgID),
-		NewRole(SigNozEditorRoleName, SigNozEditorRoleDescription, RoleTypeManaged, orgID),
-		NewRole(SigNozViewerRoleName, SigNozViewerRoleDescription, RoleTypeManaged, orgID),
-		NewRole(SigNozAnonymousRoleName, SigNozAnonymousRoleDescription, RoleTypeManaged, orgID),
-	}
-
-}
-
-func (role *Role) PatchMetadata(name, description *string) error {
-	err := role.CanEditDelete()
-	if err != nil {
-		return err
-	}
-
-	if name != nil {
-		role.Name = *name
-	}
-	if description != nil {
-		role.Description = *description
-	}
-	role.UpdatedAt = time.Now()
-	return nil
-}
-
-func (role *Role) NewPatchableObjects(additions []*authtypes.Object, deletions []*authtypes.Object, relation authtypes.Relation) (*PatchableObjects, error) {
-	err := role.CanEditDelete()
-	if err != nil {
-		return nil, err
-	}
-
+func NewPatchableObjects(additions []*authtypes.Object, deletions []*authtypes.Object, relation authtypes.Relation) (*PatchableObjects, error) {
 	if len(additions) == 0 && len(deletions) == 0 {
 		return nil, errors.New(errors.TypeInvalidInput, ErrCodeRoleEmptyPatch, "empty object patch request received, at least one of additions or deletions must be present")
 	}
@@ -179,12 +133,14 @@ func (role *Role) NewPatchableObjects(additions []*authtypes.Object, deletions [
 	return &PatchableObjects{Additions: additions, Deletions: deletions}, nil
 }
 
-func (role *Role) CanEditDelete() error {
-	if role.Type == RoleTypeManaged {
-		return errors.Newf(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "cannot edit/delete managed role: %s", role.Name)
+func (role *Role) PatchMetadata(name, description *string) {
+	if name != nil {
+		role.Name = *name
 	}
-
-	return nil
+	if description != nil {
+		role.Description = *description
+	}
+	role.UpdatedAt = time.Now()
 }
 
 func (role *PostableRole) UnmarshalJSON(data []byte) error {
@@ -290,12 +246,3 @@ func GetDeletionTuples(id valuer.UUID, orgID valuer.UUID, relation authtypes.Rel
 
 	return tuples, nil
 }
-
-func MustGetSigNozManagedRoleFromExistingRole(role types.Role) string {
-	managedRole, ok := ExistingRoleToSigNozManagedRoleMap[role]
-	if !ok {
-		panic(errors.Newf(errors.TypeInternal, errors.CodeInternal, "invalid role: %s", role.String()))
-	}
-
-	return managedRole
-}

pkg/types/roletypes/store.go

@@ -9,9 +9,8 @@ import (
 type Store interface {
 	Create(context.Context, *StorableRole) error
 	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableRole, error)
-	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableRole, error)
+	GetByNameAndOrgID(context.Context, string, valuer.UUID) (*StorableRole, error)
 	List(context.Context, valuer.UUID) ([]*StorableRole, error)
-	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*StorableRole, error)
 	Update(context.Context, valuer.UUID, *StorableRole) error
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
 	RunInTx(context.Context, func(ctx context.Context) error) error

pkg/types/user.go

@@ -143,7 +143,6 @@ type UserStore interface {
 	GetPasswordByUserID(ctx context.Context, userID valuer.UUID) (*FactorPassword, error)
 	GetResetPasswordToken(ctx context.Context, token string) (*ResetPasswordToken, error)
 	GetResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) (*ResetPasswordToken, error)
-	DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error
 	UpdatePassword(ctx context.Context, password *FactorPassword) error
 
 	// API KEY

templates/email/reset_password_email.gotmpl

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html>
-<body>
-    <p>Hello {{.Name}},</p>
-    <p>You requested a password reset for your SigNoz account.</p>
-    <p>Click the link below to reset your password:</p>
-    <a href="{{.Link}}">Reset Password</a>
-    <p>This link will expire in {{.Expiry}}.</p>
-    <p>If you didn't request this, please ignore this email. Your password will remain unchanged.</p>
-    <br>
-    <p>Best regards,<br>The SigNoz Team</p>
-</body>
-</html>

tests/integration/fixtures/auth.py

@@ -20,10 +20,6 @@ USER_ADMIN_NAME = "admin"
 USER_ADMIN_EMAIL = "admin@integration.test"
 USER_ADMIN_PASSWORD = "password123Z$"
 
-USER_EDITOR_NAME = 'editor'
-USER_EDITOR_EMAIL = 'editor@integration.test'
-USER_EDITOR_PASSWORD = 'password123Z$'
-
 
 @pytest.fixture(name="create_user_admin", scope="package")
 def create_user_admin(

tests/integration/fixtures/signoz.py

@@ -67,8 +67,6 @@ def signoz(  # pylint: disable=too-many-arguments,too-many-positional-arguments
                 "SIGNOZ_GATEWAY_URL": gateway.container_configs["8080"].base(),
                 "SIGNOZ_TOKENIZER_JWT_SECRET": "secret",
                 "SIGNOZ_GLOBAL_INGESTION__URL": "https://ingest.test.signoz.cloud",
-                "SIGNOZ_USER_PASSWORD_RESET_ALLOW__SELF": True,
-                "SIGNOZ_USER_PASSWORD_RESET_MAX__TOKEN__LIFETIME": "6h",
             }
             | sqlstore.env
             | clickhouse.env

tests/integration/src/passwordauthn/04_password.py

@@ -7,8 +7,6 @@ from sqlalchemy import sql
 from fixtures import types
 from fixtures.logger import setup_logger
 
-from datetime import datetime, timedelta, timezone
-
 logger = setup_logger(__name__)
 
 
@@ -242,261 +240,3 @@ def test_reset_password_with_no_password(
 
     token = get_token("admin+password@integration.test", "FINALPASSword123!#[")
     assert token is not None
-
-def test_forgot_password_returns_204_for_nonexistent_email(
-    signoz: types.SigNoz,
-) -> None:
-    """
-    Test that forgotPassword returns 204 even for non-existent emails
-    (for security reasons - doesn't reveal if user exists).
-    """
-    # Get org ID first (needed for the forgot password request)
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),
-        params={
-            "email": "admin@integration.test",
-            "ref": f"{signoz.self.host_configs['8080'].base()}",
-        },
-        timeout=5,
-    )
-    assert response.status_code == HTTPStatus.OK
-    org_id = response.json()["data"]["orgs"][0]["id"]
-
-    # Call forgot password with a non-existent email
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v2/factor_password/forgot"),
-        json={
-            "email": "nonexistent@integration.test",
-            "orgId": org_id,
-            "frontendBaseURL": signoz.self.host_configs["8080"].base(),
-        },
-        timeout=5,
-    )
-
-    # Should return 204 even for non-existent email (security)
-    assert response.status_code == HTTPStatus.NO_CONTENT
-
-
-def test_forgot_password_creates_reset_token(
-    signoz: types.SigNoz, get_token: Callable[[str, str], str]
-) -> None:
-    """
-    Test the full forgot password flow:
-    1. Call forgotPassword endpoint for existing user
-    2. Verify reset password token is created in database
-    3. Use the token to reset password
-    4. Verify user can login with new password
-    """
-    admin_token = get_token("admin@integration.test", "password123Z$")
-
-    # Create a user specifically for testing forgot password
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        json={"email": "forgot@integration.test", "role": "EDITOR", "name": "forgotpassword user"},
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.CREATED
-
-    # Get the invite token
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/invite"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    invite_response = response.json()["data"]
-    found_invite = next(
-        (
-            invite
-            for invite in invite_response
-            if invite["email"] == "forgot@integration.test"
-        ),
-        None,
-    )
-
-    # Accept the invite to create the user
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/invite/accept"),
-        json={
-            "password": "originalPassword123Z$",
-            "displayName": "forgotpassword user",
-            "token": f"{found_invite['token']}",
-        },
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.CREATED
-
-    # Get org ID
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),
-        params={
-            "email": "forgot@integration.test",
-            "ref": f"{signoz.self.host_configs['8080'].base()}",
-        },
-        timeout=5,
-    )
-    assert response.status_code == HTTPStatus.OK
-    org_id = response.json()["data"]["orgs"][0]["id"]
-
-    # Call forgot password endpoint
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v2/factor_password/forgot"),
-        json={
-            "email": "forgot@integration.test",
-            "orgId": org_id,
-            "frontendBaseURL": signoz.self.host_configs["8080"].base(),
-        },
-        timeout=5,
-    )
-    assert response.status_code == HTTPStatus.NO_CONTENT
-
-    # Verify reset password token was created by querying the database
-    # First, get the user ID
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.OK
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "forgot@integration.test"
-        ),
-        None,
-    )
-    assert found_user is not None
-
-    reset_token = None
-    # Query the database directly to get the reset password token
-    # First get the password_id from factor_password, then get the token
-    with signoz.sqlstore.conn.connect() as conn:
-        result = conn.execute(
-            sql.text("""
-                SELECT rpt.token 
-                FROM reset_password_token rpt
-                JOIN factor_password fp ON rpt.password_id = fp.id
-                WHERE fp.user_id = :user_id
-            """),
-            {"user_id": found_user["id"]},
-        )
-        row = result.fetchone()
-        assert row is not None, "Reset password token should exist after calling forgotPassword"
-        reset_token = row[0]
-
-    assert reset_token is not None
-    assert reset_token != ""
-
-    # Reset password with a valid strong password
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
-        json={"password": "newSecurePassword123Z$!", "token": reset_token},
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.NO_CONTENT
-
-    # Verify user can login with the new password
-    user_token = get_token("forgot@integration.test", "newSecurePassword123Z$!")
-    assert user_token is not None
-
-    # Verify old password no longer works
-    try:
-        get_token("forgot@integration.test", "originalPassword123Z$")
-        assert False, "Old password should not work after reset"
-    except AssertionError:
-        pass  # Expected - old password should fail
-
-
-def test_reset_password_with_expired_token(
-    signoz: types.SigNoz, get_token: Callable[[str, str], str]
-) -> None:
-    """
-    Test that resetting password with an expired token fails.
-    """
-    admin_token = get_token("admin@integration.test", "password123Z$")
-
-    # Get user ID for the forgot@integration.test user
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.OK
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "forgot@integration.test"
-        ),
-        None,
-    )
-    assert found_user is not None
-
-    # Get org ID
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),
-        params={
-            "email": "forgot@integration.test",
-            "ref": f"{signoz.self.host_configs['8080'].base()}",
-        },
-        timeout=5,
-    )
-    assert response.status_code == HTTPStatus.OK
-    org_id = response.json()["data"]["orgs"][0]["id"]
-
-    # Call forgot password to generate a new token
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v2/factor_password/forgot"),
-        json={
-            "email": "forgot@integration.test",
-            "orgId": org_id,
-            "frontendBaseURL": signoz.self.host_configs["8080"].base(),
-        },
-        timeout=5,
-    )
-    assert response.status_code == HTTPStatus.NO_CONTENT
-
-    # Query the database to get the token and then expire it
-    reset_token = None
-    with signoz.sqlstore.conn.connect() as conn:
-        # First get the token
-        result = conn.execute(
-            sql.text("""
-                SELECT rpt.token, rpt.id
-                FROM reset_password_token rpt
-                JOIN factor_password fp ON rpt.password_id = fp.id
-                WHERE fp.user_id = :user_id
-            """),
-            {"user_id": found_user["id"]},
-        )
-        row = result.fetchone()
-        assert row is not None, "Reset password token should exist"
-        reset_token = row[0]
-        token_id = row[1]
-
-        # Now expire the token by setting expires_at to a past time
-        conn.execute(
-            sql.text("""
-                UPDATE reset_password_token 
-                SET expires_at = :expired_time 
-                WHERE id = :token_id
-            """),
-            {
-                "expired_time": "2020-01-01 00:00:00",
-                "token_id": token_id,
-            },
-        )
-        conn.commit()
-
-    assert reset_token is not None
-
-    # Try to use the expired token - should fail with 401 Unauthorized
-    response = requests.post(
-        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
-        json={"password": "expiredTokenPassword123Z$!", "token": reset_token},
-        timeout=2,
-    )
-    assert response.status_code == HTTPStatus.UNAUTHORIZED