feat: span mapper test endpoint

docs/api/openapi.yml

@@ -618,6 +618,13 @@ components:
         provider:
           $ref: '#/components/schemas/AuthtypesAuthNProvider'
       type: object
+    AuthtypesPatchableRole:
+      properties:
+        description:
+          type: string
+      required:
+      - description
+      type: object
     AuthtypesPostableAuthDomain:
       properties:
         config:
@@ -696,36 +703,6 @@ components:
         useRoleAttribute:
           type: boolean
       type: object
-    AuthtypesRoleWithTransactionGroups:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        description:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgId:
-          type: string
-        transactionGroups:
-          items:
-            $ref: '#/components/schemas/AuthtypesTransactionGroup'
-          type: array
-        type:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - name
-      - description
-      - type
-      - orgId
-      - transactionGroups
-      type: object
     AuthtypesSamlConfig:
       properties:
         attributeMapping:
@@ -759,37 +736,11 @@ components:
       - relation
       - object
       type: object
-    AuthtypesTransactionGroup:
-      properties:
-        objectGroup:
-          $ref: '#/components/schemas/CoretypesObjectGroup'
-        relation:
-          $ref: '#/components/schemas/AuthtypesRelation'
-      required:
-      - relation
-      - objectGroup
-      type: object
     AuthtypesUpdatableAuthDomain:
       properties:
         config:
           $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
       type: object
-    AuthtypesUpdatableRole:
-      properties:
-        description:
-          type: string
-      required:
-      - description
-      type: object
-    AuthtypesUpdatableTransactionGroups:
-      properties:
-        transactionGroups:
-          items:
-            $ref: '#/components/schemas/AuthtypesTransactionGroup'
-          type: array
-      required:
-      - transactionGroups
-      type: object
     AuthtypesUserRole:
       properties:
         createdAt:
@@ -7041,6 +6992,16 @@ components:
       required:
       - items
       type: object
+    SpantypesGettableSpanMapperTest:
+      properties:
+        spans:
+          items:
+            $ref: '#/components/schemas/SpantypesSpanMapperTestSpan'
+          nullable: true
+          type: array
+      required:
+      - spans
+      type: object
     SpantypesGettableTraceAggregations:
       properties:
         aggregations:
@@ -7128,6 +7089,39 @@ components:
       - name
       - condition
       type: object
+    SpantypesPostableSpanMapperTest:
+      properties:
+        groups:
+          items:
+            $ref: '#/components/schemas/SpantypesPostableSpanMapperTestGroup'
+          nullable: true
+          type: array
+        spans:
+          items:
+            $ref: '#/components/schemas/SpantypesSpanMapperTestSpan'
+          nullable: true
+          type: array
+      required:
+      - spans
+      - groups
+      type: object
+    SpantypesPostableSpanMapperTestGroup:
+      properties:
+        condition:
+          $ref: '#/components/schemas/SpantypesSpanMapperGroupCondition'
+        enabled:
+          type: boolean
+        mappers:
+          items:
+            $ref: '#/components/schemas/SpantypesPostableSpanMapper'
+          nullable: true
+          type: array
+        name:
+          type: string
+      required:
+      - name
+      - condition
+      type: object
     SpantypesPostableTraceAggregations:
       properties:
         aggregations:
@@ -7289,6 +7283,17 @@ components:
       - operation
       - priority
       type: object
+    SpantypesSpanMapperTestSpan:
+      properties:
+        attributes:
+          additionalProperties: {}
+          nullable: true
+          type: object
+        resource:
+          additionalProperties: {}
+          nullable: true
+          type: object
+      type: object
     SpantypesUpdatableSpanMapper:
       properties:
         config:
@@ -11107,7 +11112,7 @@ paths:
               schema:
                 properties:
                   data:
-                    $ref: '#/components/schemas/AuthtypesRoleWithTransactionGroups'
+                    $ref: '#/components/schemas/AuthtypesRole'
                   status:
                     type: string
                 required:
@@ -11141,10 +11146,10 @@ paths:
       summary: Get role
       tags:
       - role
-    put:
+    patch:
       deprecated: false
-      description: This endpoint updates a role
-      operationId: UpdateRole
+      description: This endpoint patches a role
+      operationId: PatchRole
       parameters:
       - in: path
         name: id
@@ -11155,7 +11160,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/AuthtypesUpdatableRole'
+              $ref: '#/components/schemas/AuthtypesPatchableRole'
       responses:
         "204":
           description: No Content
@@ -11200,7 +11205,7 @@ paths:
         - role:update
       - tokenizer:
         - role:update
-      summary: Update role
+      summary: Patch role
       tags:
       - role
   /api/v1/roles/{id}/relations/{relation}/objects:
@@ -11282,7 +11287,7 @@ paths:
       tags:
       - role
     patch:
-      deprecated: true
+      deprecated: false
       description: Patches the objects connected to the specified role via a given
         relation type
       operationId: PatchObjects
@@ -11355,76 +11360,6 @@ paths:
       summary: Patch objects for a role by relation
       tags:
       - role
-  /api/v1/roles/{id}/transactions:
-    put:
-      deprecated: false
-      description: This endpoint reconciles a role's permissions to exactly the given
-        transaction groups
-      operationId: UpdateRoleTransactions
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/AuthtypesUpdatableTransactionGroups'
-      responses:
-        "204":
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "451":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unavailable For Legal Reasons
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-        "501":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Implemented
-      security:
-      - api_key:
-        - role:update
-      - tokenizer:
-        - role:update
-      summary: Update role transactions
-      tags:
-      - role
   /api/v1/route_policies:
     get:
       deprecated: false
@@ -12916,6 +12851,69 @@ paths:
       summary: Update a span mapper
       tags:
       - spanmapper
+  /api/v1/span_mapper_groups/test:
+    post:
+      deprecated: false
+      description: Tests how span mappers would transform sample spans
+      operationId: TestSpanMappers
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SpantypesPostableSpanMapperTest'
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/SpantypesGettableSpanMapperTest'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - VIEWER
+      - tokenizer:
+        - VIEWER
+      summary: Test span mappers against sample spans
+      tags:
+      - spanmapper
   /api/v1/stats:
     get:
       deprecated: false

ee/authz/openfgaauthz/provider.go

@@ -213,30 +213,6 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 	return role, nil
 }
 
-func (provider *provider) GetWithTransactionGroups(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.RoleWithTransactionGroups, error) {
-	_, err := provider.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	role, err := provider.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	tuples, err := provider.readAllTuplesForRole(ctx, role.Name, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	transactionGroups, err := authtypes.NewTransactionGroupsFromTuples(tuples)
-	if err != nil {
-		return nil, err
-	}
-
-	return authtypes.MakeRoleWithTransactionGroups(role, transactionGroups), nil
-}
-
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*coretypes.Object, error) {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
@@ -271,36 +247,7 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	return objects, nil
 }
 
-func (provider *provider) UpdateTransactions(ctx context.Context, orgID valuer.UUID, id valuer.UUID, transactionGroups []*authtypes.TransactionGroup) error {
-	_, err := provider.licensing.GetActive(ctx, orgID)
-	if err != nil {
-		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
-	}
-
-	role, err := provider.store.Get(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	if err := role.ErrIfManaged(); err != nil {
-		return err
-	}
-
-	desiredTuples, err := authtypes.NewTuplesFromTransactionGroups(role.Name, orgID, transactionGroups)
-	if err != nil {
-		return err
-	}
-
-	currentTuples, err := provider.readAllTuplesForRole(ctx, role.Name, orgID)
-	if err != nil {
-		return err
-	}
-
-	additions, deletions := diffTuples(currentTuples, desiredTuples)
-	return provider.chunkedTuplesWrite(ctx, additions, deletions)
-}
-
-func (provider *provider) Update(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
+func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
@@ -414,7 +361,7 @@ func (provider *provider) getManagedRoleTransactionTuples(orgID valuer.UUID) []*
 	return tuples
 }
 
-func (provider *provider) readAllTuplesForRole(ctx context.Context, roleName string, orgID valuer.UUID) ([]*openfgav1.TupleKey, error) {
+func (provider *provider) deleteTuples(ctx context.Context, roleName string, orgID valuer.UUID) error {
 	subject := authtypes.MustNewSubject(coretypes.NewResourceRole(), roleName, orgID, &coretypes.VerbAssignee)
 
 	tuples := make([]*openfgav1.TupleKey, 0)
@@ -424,76 +371,26 @@ func (provider *provider) readAllTuplesForRole(ctx context.Context, roleName str
 			Object: objectType.StringValue() + ":",
 		})
 		if err != nil {
-			return nil, err
+			return err
 		}
 		tuples = append(tuples, typeTuples...)
 	}
 
-	return tuples, nil
-}
-
-func (provider *provider) chunkedTuplesWrite(ctx context.Context, additions, deletions []*openfgav1.TupleKey) error {
-	maxTuplesPerWrite := provider.config.OpenFGA.MaxTuplesPerWrite
-
-	for idx := 0; idx < len(additions); idx += maxTuplesPerWrite {
-		end := idx + maxTuplesPerWrite
-		if end > len(additions) {
-			end = len(additions)
-		}
-		if err := provider.Write(ctx, additions[idx:end], nil); err != nil {
-			return err
-		}
-	}
-
-	for idx := 0; idx < len(deletions); idx += maxTuplesPerWrite {
-		end := idx + maxTuplesPerWrite
-		if end > len(deletions) {
-			end = len(deletions)
-		}
-		if err := provider.Write(ctx, nil, deletions[idx:end]); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func diffTuples(current, desired []*openfgav1.TupleKey) (additions, deletions []*openfgav1.TupleKey) {
-	key := func(tuple *openfgav1.TupleKey) string {
-		return tuple.GetUser() + "|" + tuple.GetRelation() + "|" + tuple.GetObject()
-	}
-
-	currentKeys := make(map[string]struct{}, len(current))
-	for _, tuple := range current {
-		currentKeys[key(tuple)] = struct{}{}
-	}
-
-	desiredKeys := make(map[string]struct{}, len(desired))
-	for _, tuple := range desired {
-		desiredKeys[key(tuple)] = struct{}{}
-		if _, ok := currentKeys[key(tuple)]; !ok {
-			additions = append(additions, tuple)
-		}
-	}
-
-	for _, tuple := range current {
-		if _, ok := desiredKeys[key(tuple)]; !ok {
-			deletions = append(deletions, tuple)
-		}
-	}
-
-	return additions, deletions
-}
-
-func (provider *provider) deleteTuples(ctx context.Context, roleName string, orgID valuer.UUID) error {
-	tuples, err := provider.readAllTuplesForRole(ctx, roleName, orgID)
-	if err != nil {
-		return err
-	}
-
 	if len(tuples) == 0 {
 		return nil
 	}
 
-	return provider.chunkedTuplesWrite(ctx, nil, tuples)
+	for idx := 0; idx < len(tuples); idx += provider.config.OpenFGA.MaxTuplesPerWrite {
+		end := idx + provider.config.OpenFGA.MaxTuplesPerWrite
+		if end > len(tuples) {
+			end = len(tuples)
+		}
+
+		err := provider.Write(ctx, nil, tuples[idx:end])
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

frontend/src/api/generated/services/role/index.ts

@@ -18,9 +18,8 @@ import type {
 } from 'react-query';
 
 import type {
+	AuthtypesPatchableRoleDTO,
 	AuthtypesPostableRoleDTO,
-	AuthtypesUpdatableRoleDTO,
-	AuthtypesUpdatableTransactionGroupsDTO,
 	CoretypesPatchableObjectsDTO,
 	CreateRole201,
 	DeleteRolePathParameters,
@@ -30,9 +29,8 @@ import type {
 	GetRolePathParameters,
 	ListRoles200,
 	PatchObjectsPathParameters,
+	PatchRolePathParameters,
 	RenderErrorResponseDTO,
-	UpdateRolePathParameters,
-	UpdateRoleTransactionsPathParameters,
 } from '../sigNoz.schemas';
 
 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
@@ -366,46 +364,46 @@ export const invalidateGetRole = async (
 };
 
 /**
- * This endpoint updates a role
- * @summary Update role
+ * This endpoint patches a role
+ * @summary Patch role
  */
-export const updateRole = (
-	{ id }: UpdateRolePathParameters,
-	authtypesUpdatableRoleDTO?: BodyType<AuthtypesUpdatableRoleDTO>,
+export const patchRole = (
+	{ id }: PatchRolePathParameters,
+	authtypesPatchableRoleDTO?: BodyType<AuthtypesPatchableRoleDTO>,
 	signal?: AbortSignal,
 ) => {
 	return GeneratedAPIInstance<void>({
 		url: `/api/v1/roles/${id}`,
-		method: 'PUT',
+		method: 'PATCH',
 		headers: { 'Content-Type': 'application/json' },
-		data: authtypesUpdatableRoleDTO,
+		data: authtypesPatchableRoleDTO,
 		signal,
 	});
 };
 
-export const getUpdateRoleMutationOptions = <
+export const getPatchRoleMutationOptions = <
 	TError = ErrorType<RenderErrorResponseDTO>,
 	TContext = unknown,
 >(options?: {
 	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRole>>,
+		Awaited<ReturnType<typeof patchRole>>,
 		TError,
 		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
+			pathParams: PatchRolePathParameters;
+			data?: BodyType<AuthtypesPatchableRoleDTO>;
 		},
 		TContext
 	>;
 }): UseMutationOptions<
-	Awaited<ReturnType<typeof updateRole>>,
+	Awaited<ReturnType<typeof patchRole>>,
 	TError,
 	{
-		pathParams: UpdateRolePathParameters;
-		data?: BodyType<AuthtypesUpdatableRoleDTO>;
+		pathParams: PatchRolePathParameters;
+		data?: BodyType<AuthtypesPatchableRoleDTO>;
 	},
 	TContext
 > => {
-	const mutationKey = ['updateRole'];
+	const mutationKey = ['patchRole'];
 	const { mutation: mutationOptions } = options
 		? options.mutation &&
 			'mutationKey' in options.mutation &&
@@ -415,54 +413,54 @@ export const getUpdateRoleMutationOptions = <
 		: { mutation: { mutationKey } };
 
 	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateRole>>,
+		Awaited<ReturnType<typeof patchRole>>,
 		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
+			pathParams: PatchRolePathParameters;
+			data?: BodyType<AuthtypesPatchableRoleDTO>;
 		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};
 
-		return updateRole(pathParams, data);
+		return patchRole(pathParams, data);
 	};
 
 	return { mutationFn, ...mutationOptions };
 };
 
-export type UpdateRoleMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateRole>>
+export type PatchRoleMutationResult = NonNullable<
+	Awaited<ReturnType<typeof patchRole>>
 >;
-export type UpdateRoleMutationBody =
-	| BodyType<AuthtypesUpdatableRoleDTO>
+export type PatchRoleMutationBody =
+	| BodyType<AuthtypesPatchableRoleDTO>
 	| undefined;
-export type UpdateRoleMutationError = ErrorType<RenderErrorResponseDTO>;
+export type PatchRoleMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
- * @summary Update role
+ * @summary Patch role
  */
-export const useUpdateRole = <
+export const usePatchRole = <
 	TError = ErrorType<RenderErrorResponseDTO>,
 	TContext = unknown,
 >(options?: {
 	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRole>>,
+		Awaited<ReturnType<typeof patchRole>>,
 		TError,
 		{
-			pathParams: UpdateRolePathParameters;
-			data?: BodyType<AuthtypesUpdatableRoleDTO>;
+			pathParams: PatchRolePathParameters;
+			data?: BodyType<AuthtypesPatchableRoleDTO>;
 		},
 		TContext
 	>;
 }): UseMutationResult<
-	Awaited<ReturnType<typeof updateRole>>,
+	Awaited<ReturnType<typeof patchRole>>,
 	TError,
 	{
-		pathParams: UpdateRolePathParameters;
-		data?: BodyType<AuthtypesUpdatableRoleDTO>;
+		pathParams: PatchRolePathParameters;
+		data?: BodyType<AuthtypesPatchableRoleDTO>;
 	},
 	TContext
 > => {
-	return useMutation(getUpdateRoleMutationOptions(options));
+	return useMutation(getPatchRoleMutationOptions(options));
 };
 /**
  * Gets all objects connected to the specified role via a given relation type
@@ -567,7 +565,6 @@ export const invalidateGetObjects = async (
 
 /**
  * Patches the objects connected to the specified role via a given relation type
- * @deprecated
  * @summary Patch objects for a role by relation
  */
 export const patchObjects = (
@@ -639,7 +636,6 @@ export type PatchObjectsMutationBody =
 export type PatchObjectsMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
- * @deprecated
  * @summary Patch objects for a role by relation
  */
 export const usePatchObjects = <
@@ -666,103 +662,3 @@ export const usePatchObjects = <
 > => {
 	return useMutation(getPatchObjectsMutationOptions(options));
 };
-/**
- * This endpoint reconciles a role's permissions to exactly the given transaction groups
- * @summary Update role transactions
- */
-export const updateRoleTransactions = (
-	{ id }: UpdateRoleTransactionsPathParameters,
-	authtypesUpdatableTransactionGroupsDTO?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v1/roles/${id}/transactions`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: authtypesUpdatableTransactionGroupsDTO,
-		signal,
-	});
-};
-
-export const getUpdateRoleTransactionsMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRoleTransactions>>,
-		TError,
-		{
-			pathParams: UpdateRoleTransactionsPathParameters;
-			data?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateRoleTransactions>>,
-	TError,
-	{
-		pathParams: UpdateRoleTransactionsPathParameters;
-		data?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateRoleTransactions'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-			'mutationKey' in options.mutation &&
-			options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateRoleTransactions>>,
-		{
-			pathParams: UpdateRoleTransactionsPathParameters;
-			data?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateRoleTransactions(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateRoleTransactionsMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateRoleTransactions>>
->;
-export type UpdateRoleTransactionsMutationBody =
-	| BodyType<AuthtypesUpdatableTransactionGroupsDTO>
-	| undefined;
-export type UpdateRoleTransactionsMutationError =
-	ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Update role transactions
- */
-export const useUpdateRoleTransactions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown,
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateRoleTransactions>>,
-		TError,
-		{
-			pathParams: UpdateRoleTransactionsPathParameters;
-			data?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateRoleTransactions>>,
-	TError,
-	{
-		pathParams: UpdateRoleTransactionsPathParameters;
-		data?: BodyType<AuthtypesUpdatableTransactionGroupsDTO>;
-	},
-	TContext
-> => {
-	return useMutation(getUpdateRoleTransactionsMutationOptions(options));
-};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2194,6 +2194,13 @@ export interface AuthtypesOrgSessionContextDTO {
 	warning?: ErrorsJSONDTO;
 }
 
+export interface AuthtypesPatchableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description: string;
+}
+
 export interface AuthtypesPostableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 	/**
@@ -2268,56 +2275,6 @@ export interface AuthtypesRoleDTO {
 	updatedAt?: string;
 }
 
-export interface CoretypesObjectGroupDTO {
-	resource: CoretypesResourceRefDTO;
-	/**
-	 * @type array
-	 */
-	selectors: string[];
-}
-
-export interface AuthtypesTransactionGroupDTO {
-	objectGroup: CoretypesObjectGroupDTO;
-	relation: AuthtypesRelationDTO;
-}
-
-export interface AuthtypesRoleWithTransactionGroupsDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: string;
-	/**
-	 * @type string
-	 */
-	description: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type string
-	 */
-	orgId: string;
-	/**
-	 * @type array
-	 */
-	transactionGroups: AuthtypesTransactionGroupDTO[];
-	/**
-	 * @type string
-	 */
-	type: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: string;
-}
-
 export interface AuthtypesSessionContextDTO {
 	/**
 	 * @type boolean
@@ -2338,20 +2295,6 @@ export interface AuthtypesUpdatableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }
 
-export interface AuthtypesUpdatableRoleDTO {
-	/**
-	 * @type string
-	 */
-	description: string;
-}
-
-export interface AuthtypesUpdatableTransactionGroupsDTO {
-	/**
-	 * @type array
-	 */
-	transactionGroups: AuthtypesTransactionGroupDTO[];
-}
-
 export interface AuthtypesUserRoleDTO {
 	/**
 	 * @type string
@@ -3122,6 +3065,14 @@ export interface CommonJSONRefDTO {
 	$ref?: string;
 }
 
+export interface CoretypesObjectGroupDTO {
+	resource: CoretypesResourceRefDTO;
+	/**
+	 * @type array
+	 */
+	selectors: string[];
+}
+
 export interface CoretypesPatchableObjectsDTO {
 	/**
 	 * @type array,null
@@ -8184,6 +8135,44 @@ export interface SpantypesGettableSpanMapperGroupsDTO {
 	items: SpantypesSpanMapperGroupDTO[];
 }
 
+export type SpantypesSpanMapperTestSpanDTOAttributesAnyOf = {
+	[key: string]: unknown;
+};
+
+/**
+ * @nullable
+ */
+export type SpantypesSpanMapperTestSpanDTOAttributes =
+	SpantypesSpanMapperTestSpanDTOAttributesAnyOf | null;
+
+export type SpantypesSpanMapperTestSpanDTOResourceAnyOf = {
+	[key: string]: unknown;
+};
+
+/**
+ * @nullable
+ */
+export type SpantypesSpanMapperTestSpanDTOResource =
+	SpantypesSpanMapperTestSpanDTOResourceAnyOf | null;
+
+export interface SpantypesSpanMapperTestSpanDTO {
+	/**
+	 * @type object,null
+	 */
+	attributes?: SpantypesSpanMapperTestSpanDTOAttributes;
+	/**
+	 * @type object,null
+	 */
+	resource?: SpantypesSpanMapperTestSpanDTOResource;
+}
+
+export interface SpantypesGettableSpanMapperTestDTO {
+	/**
+	 * @type array,null
+	 */
+	spans: SpantypesSpanMapperTestSpanDTO[] | null;
+}
+
 export enum SpantypesSpanAggregationTypeDTO {
 	span_count = 'span_count',
 	execution_time_percentage = 'execution_time_percentage',
@@ -8479,6 +8468,33 @@ export interface SpantypesPostableSpanMapperGroupDTO {
 	name: string;
 }
 
+export interface SpantypesPostableSpanMapperTestGroupDTO {
+	condition: SpantypesSpanMapperGroupConditionDTO | null;
+	/**
+	 * @type boolean
+	 */
+	enabled?: boolean;
+	/**
+	 * @type array,null
+	 */
+	mappers?: SpantypesPostableSpanMapperDTO[] | null;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
+export interface SpantypesPostableSpanMapperTestDTO {
+	/**
+	 * @type array,null
+	 */
+	groups: SpantypesPostableSpanMapperTestGroupDTO[] | null;
+	/**
+	 * @type array,null
+	 */
+	spans: SpantypesSpanMapperTestSpanDTO[] | null;
+}
+
 export interface SpantypesSpanAggregationDTO {
 	aggregation: SpantypesSpanAggregationTypeDTO;
 	field: TelemetrytypesTelemetryFieldKeyDTO;
@@ -9608,14 +9624,14 @@ export type GetRolePathParameters = {
 	id: string;
 };
 export type GetRole200 = {
-	data: AuthtypesRoleWithTransactionGroupsDTO;
+	data: AuthtypesRoleDTO;
 	/**
 	 * @type string
 	 */
 	status: string;
 };
 
-export type UpdateRolePathParameters = {
+export type PatchRolePathParameters = {
 	id: string;
 };
 export type GetObjectsPathParameters = {
@@ -9637,9 +9653,6 @@ export type PatchObjectsPathParameters = {
 	id: string;
 	relation: string;
 };
-export type UpdateRoleTransactionsPathParameters = {
-	id: string;
-};
 export type GetAllRoutePolicies200 = {
 	/**
 	 * @type array
@@ -9850,6 +9863,14 @@ export type UpdateSpanMapperPathParameters = {
 	groupId: string;
 	mapperId: string;
 };
+export type TestSpanMappers200 = {
+	data: SpantypesGettableSpanMapperTestDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetStats200Data = { [key: string]: unknown };
 
 export type GetStats200 = {

frontend/src/api/generated/services/spanmapper/index.ts

@@ -30,8 +30,10 @@ import type {
 	RenderErrorResponseDTO,
 	SpantypesPostableSpanMapperDTO,
 	SpantypesPostableSpanMapperGroupDTO,
+	SpantypesPostableSpanMapperTestDTO,
 	SpantypesUpdatableSpanMapperDTO,
 	SpantypesUpdatableSpanMapperGroupDTO,
+	TestSpanMappers200,
 	UpdateSpanMapperGroupPathParameters,
 	UpdateSpanMapperPathParameters,
 } from '../sigNoz.schemas';
@@ -780,3 +782,86 @@ export const useUpdateSpanMapper = <
 > => {
 	return useMutation(getUpdateSpanMapperMutationOptions(options));
 };
+/**
+ * Tests how span mappers would transform sample spans
+ * @summary Test span mappers against sample spans
+ */
+export const testSpanMappers = (
+	spantypesPostableSpanMapperTestDTO?: BodyType<SpantypesPostableSpanMapperTestDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<TestSpanMappers200>({
+		url: `/api/v1/span_mapper_groups/test`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: spantypesPostableSpanMapperTestDTO,
+		signal,
+	});
+};
+
+export const getTestSpanMappersMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof testSpanMappers>>,
+		TError,
+		{ data?: BodyType<SpantypesPostableSpanMapperTestDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof testSpanMappers>>,
+	TError,
+	{ data?: BodyType<SpantypesPostableSpanMapperTestDTO> },
+	TContext
+> => {
+	const mutationKey = ['testSpanMappers'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof testSpanMappers>>,
+		{ data?: BodyType<SpantypesPostableSpanMapperTestDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return testSpanMappers(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type TestSpanMappersMutationResult = NonNullable<
+	Awaited<ReturnType<typeof testSpanMappers>>
+>;
+export type TestSpanMappersMutationBody =
+	| BodyType<SpantypesPostableSpanMapperTestDTO>
+	| undefined;
+export type TestSpanMappersMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Test span mappers against sample spans
+ */
+export const useTestSpanMappers = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof testSpanMappers>>,
+		TError,
+		{ data?: BodyType<SpantypesPostableSpanMapperTestDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof testSpanMappers>>,
+	TError,
+	{ data?: BodyType<SpantypesPostableSpanMapperTestDTO> },
+	TContext
+> => {
+	return useMutation(getTestSpanMappersMutationOptions(options));
+};

frontend/src/container/RolesSettings/RolesComponents/CreateRoleModal.tsx

@@ -10,7 +10,7 @@ import {
 	invalidateGetRole,
 	invalidateListRoles,
 	useCreateRole,
-	useUpdateRole,
+	usePatchRole,
 } from 'api/generated/services/role';
 import {
 	AuthtypesPostableRoleDTO,
@@ -98,7 +98,7 @@ function CreateRoleModal({
 		},
 	});
 
-	const { mutate: patchRole, isLoading: isPatching } = useUpdateRole({
+	const { mutate: patchRole, isLoading: isPatching } = usePatchRole({
 		mutation: {
 			onSuccess: () => handleSuccess('Role updated successfully'),
 			onError: handleError,

pkg/apiserver/signozapiserver/role.go

@@ -73,7 +73,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			Description:         "This endpoint gets a role",
 			Request:             nil,
 			RequestContentType:  "",
-			Response:            new(authtypes.RoleWithTransactionGroups),
+			Response:            new(authtypes.Role),
 			ResponseContentType: "application/json",
 			SuccessStatusCode:   http.StatusOK,
 			ErrorStatusCodes:    []int{},
@@ -91,60 +91,6 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/roles/{id}/transactions", handler.New(
-		provider.authzMiddleware.CheckResources(provider.authzHandler.UpdateTransactions, authtypes.SigNozAdminRoleName),
-		handler.OpenAPIDef{
-			ID:                  "UpdateRoleTransactions",
-			Tags:                []string{"role"},
-			Summary:             "Update role transactions",
-			Description:         "This endpoint reconciles a role's permissions to exactly the given transaction groups",
-			Request:             new(authtypes.UpdatableTransactionGroups),
-			RequestContentType:  "",
-			Response:            nil,
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusNoContent,
-			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          false,
-			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
-		},
-		handler.WithResourceDefs(handler.BasicResourceDef{
-			Resource: coretypes.ResourceRole,
-			Verb:     coretypes.VerbUpdate,
-			Category: coretypes.ActionCategoryAccessControl,
-			ID:       coretypes.PathParam("id"),
-			Selector: provider.roleSelector,
-		}),
-	)).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/roles/{id}", handler.New(
-		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
-		handler.OpenAPIDef{
-			ID:                  "DeleteRole",
-			Tags:                []string{"role"},
-			Summary:             "Delete role",
-			Description:         "This endpoint deletes a role",
-			Request:             nil,
-			RequestContentType:  "",
-			Response:            nil,
-			ResponseContentType: "application/json",
-			SuccessStatusCode:   http.StatusNoContent,
-			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          false,
-			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
-		},
-		handler.WithResourceDefs(handler.BasicResourceDef{
-			Resource: coretypes.ResourceRole,
-			Verb:     coretypes.VerbDelete,
-			Category: coretypes.ActionCategoryAccessControl,
-			ID:       coretypes.PathParam("id"),
-			Selector: provider.roleSelector,
-		}),
-	)).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(
 		provider.authzMiddleware.CheckResources(provider.authzHandler.GetObjects, authtypes.SigNozAdminRoleName),
 		handler.OpenAPIDef{
@@ -173,13 +119,13 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 	}
 
 	if err := router.Handle("/api/v1/roles/{id}", handler.New(
-		provider.authzMiddleware.CheckResources(provider.authzHandler.Update, authtypes.SigNozAdminRoleName),
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Patch, authtypes.SigNozAdminRoleName),
 		handler.OpenAPIDef{
-			ID:                  "UpdateRole",
+			ID:                  "PatchRole",
 			Tags:                []string{"role"},
-			Summary:             "Update role",
-			Description:         "This endpoint updates a role",
-			Request:             new(authtypes.UpdatableRole),
+			Summary:             "Patch role",
+			Description:         "This endpoint patches a role",
+			Request:             new(authtypes.PatchableRole),
 			RequestContentType:  "",
 			Response:            nil,
 			ResponseContentType: "application/json",
@@ -195,7 +141,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			ID:       coretypes.PathParam("id"),
 			Selector: provider.roleSelector,
 		}),
-	)).Methods(http.MethodPut).GetError(); err != nil {
+	)).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}
 
@@ -212,7 +158,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 			ResponseContentType: "application/json",
 			SuccessStatusCode:   http.StatusNoContent,
 			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
-			Deprecated:          true,
+			Deprecated:          false,
 			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),
 		},
 		handler.WithResourceDefs(handler.BasicResourceDef{
@@ -226,5 +172,32 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/roles/{id}", handler.New(
+		provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),
+		handler.OpenAPIDef{
+			ID:                  "DeleteRole",
+			Tags:                []string{"role"},
+			Summary:             "Delete role",
+			Description:         "This endpoint deletes a role",
+			Request:             nil,
+			RequestContentType:  "",
+			Response:            nil,
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusNoContent,
+			ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},
+			Deprecated:          false,
+			SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),
+		},
+		handler.WithResourceDefs(handler.BasicResourceDef{
+			Resource: coretypes.ResourceRole,
+			Verb:     coretypes.VerbDelete,
+			Category: coretypes.ActionCategoryAccessControl,
+			ID:       coretypes.PathParam("id"),
+			Selector: provider.roleSelector,
+		}),
+	)).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }

pkg/apiserver/signozapiserver/spanmapper.go

@@ -51,6 +51,26 @@ func (provider *provider) addSpanMapperRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/span_mapper_groups/test", handler.New(
+		provider.authzMiddleware.ViewAccess(provider.spanMapperHandler.TestMappers),
+		handler.OpenAPIDef{
+			ID:                  "TestSpanMappers",
+			Tags:                []string{"spanmapper"},
+			Summary:             "Test span mappers against sample spans",
+			Description:         "Tests how span mappers would transform sample spans",
+			Request:             new(spantypes.PostableSpanMapperTest),
+			RequestContentType:  "application/json",
+			Response:            new(spantypes.GettableSpanMapperTest),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			Deprecated:          false,
+			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/span_mapper_groups/{groupId}", handler.New(
 		provider.authzMiddleware.AdminAccess(provider.spanMapperHandler.UpdateGroup),
 		handler.OpenAPIDef{

pkg/authz/authz.go

@@ -30,21 +30,30 @@ type AuthZ interface {
 	// Write accepts the insertion tuples and the deletion tuples.
 	Write(context.Context, []*openfgav1.TupleKey, []*openfgav1.TupleKey) error
 
-	// Creates the role (metadata only; transactions are set via PutTransactions).
-	Create(context.Context, valuer.UUID, *authtypes.Role) error
+	// Lists the selectors for objects assigned to subject (s) with relation (r) on resource (s)
+	ListObjects(context.Context, string, authtypes.Relation, coretypes.Type) ([]*coretypes.Object, error)
 
-	// PutTransactions reconciles a role's authz tuples to exactly the given transaction groups.
-	UpdateTransactions(context.Context, valuer.UUID, valuer.UUID, []*authtypes.TransactionGroup) error
+	// Creates the role.
+	Create(context.Context, valuer.UUID, *authtypes.Role) error
 
 	// Gets the role if it exists or creates one.
 	GetOrCreate(context.Context, valuer.UUID, *authtypes.Role) (*authtypes.Role, error)
 
+	// Gets the objects associated with the given role and relation.
+	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*coretypes.Object, error)
+
+	// Patches the role.
+	Patch(context.Context, valuer.UUID, *authtypes.Role) error
+
+	// Patches the objects in authorization server associated with the given role and relation
+	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*coretypes.Object, []*coretypes.Object) error
+
+	// Deletes the role and tuples in authorization server.
+	Delete(context.Context, valuer.UUID, valuer.UUID) error
+
 	// Gets the role
 	Get(context.Context, valuer.UUID, valuer.UUID) (*authtypes.Role, error)
 
-	// Gets the role with transaction groups
-	GetWithTransactionGroups(context.Context, valuer.UUID, valuer.UUID) (*authtypes.RoleWithTransactionGroups, error)
-
 	// Gets the role by org_id and name
 	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*authtypes.Role, error)
 
@@ -57,9 +66,6 @@ type AuthZ interface {
 	//  Lists all the roles for the organization filtered by ids
 	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*authtypes.Role, error)
 
-	// Deletes the role and tuples in authorization server.
-	Delete(context.Context, valuer.UUID, valuer.UUID) error
-
 	// Grants a role to the subject based on role name.
 	Grant(context.Context, valuer.UUID, []string, string) error
 
@@ -77,18 +83,6 @@ type AuthZ interface {
 
 	// ReadTuples reads tuples from the authorization server matching the given tuple key filter.
 	ReadTuples(context.Context, *openfgav1.ReadRequestTupleKey) ([]*openfgav1.TupleKey, error)
-
-	// Lists the selectors for objects assigned to subject (s) with relation (r) on resource (s)
-	ListObjects(context.Context, string, authtypes.Relation, coretypes.Type) ([]*coretypes.Object, error)
-
-	// Updates the role metadata.
-	Update(context.Context, valuer.UUID, *authtypes.Role) error
-
-	// Patches the objects in authorization server associated with the given role and relation
-	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*coretypes.Object, []*coretypes.Object) error
-
-	// Gets the objects associated with the given role and relation.
-	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*coretypes.Object, error)
 }
 
 // OnBeforeRoleDelete is a callback invoked before a role is deleted.
@@ -99,17 +93,15 @@ type Handler interface {
 
 	Get(http.ResponseWriter, *http.Request)
 
+	GetObjects(http.ResponseWriter, *http.Request)
+
 	List(http.ResponseWriter, *http.Request)
 
-	UpdateTransactions(http.ResponseWriter, *http.Request)
+	Patch(http.ResponseWriter, *http.Request)
 
-	Delete(http.ResponseWriter, *http.Request)
+	PatchObjects(http.ResponseWriter, *http.Request)
 
 	Check(http.ResponseWriter, *http.Request)
 
-	GetObjects(http.ResponseWriter, *http.Request)
-
-	Update(http.ResponseWriter, *http.Request)
-
-	PatchObjects(http.ResponseWriter, *http.Request)
+	Delete(http.ResponseWriter, *http.Request)
 }

pkg/authz/openfgaauthz/provider.go

@@ -83,15 +83,6 @@ func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.
 	return provider.store.Get(ctx, orgID, id)
 }
 
-func (provider *provider) GetWithTransactionGroups(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.RoleWithTransactionGroups, error) {
-	role, err := provider.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return &authtypes.RoleWithTransactionGroups{Role: role, TransactionGroups: nil}, nil
-}
-
 func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
 	return provider.store.GetByOrgIDAndName(ctx, orgID, name)
 }
@@ -189,11 +180,7 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
-func (provider *provider) UpdateTransactions(_ context.Context, _ valuer.UUID, _ valuer.UUID, _ []*authtypes.TransactionGroup) error {
-	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
-}
-
-func (provider *provider) Update(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
+func (provider *provider) Patch(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
 	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 

pkg/authz/signozauthzapi/handler.go

@@ -65,13 +65,53 @@ func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	roleWithTransactionGroups, err := handler.authz.GetWithTransactionGroups(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
+	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	render.Success(rw, http.StatusOK, roleWithTransactionGroups)
+	render.Success(rw, http.StatusOK, role)
+}
+
+func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, ok := mux.Vars(r)["id"]
+	if !ok {
+		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
+		return
+	}
+	roleID, err := valuer.NewUUID(id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	relationStr, ok := mux.Vars(r)["relation"]
+	if !ok {
+		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "relation is missing from the request"))
+		return
+	}
+
+	relation, err := coretypes.NewVerb(relationStr)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	objects, err := handler.authz.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, authtypes.Relation{Verb: relation})
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, coretypes.NewObjectGroupsFromObjects(objects))
 }
 
 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -91,7 +131,7 @@ func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusOK, roles)
 }
 
-func (handler *handler) UpdateTransactions(rw http.ResponseWriter, r *http.Request) {
+func (handler *handler) Patch(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -105,13 +145,77 @@ func (handler *handler) UpdateTransactions(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	req := new(authtypes.UpdatableTransactionGroups)
+	req := new(authtypes.PatchableRole)
 	if err := binding.JSON.BindBody(r.Body, req); err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	err = handler.authz.UpdateTransactions(ctx, valuer.MustNewUUID(claims.OrgID), id, req.TransactionGroups)
+	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = role.PatchMetadata(req.Description)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = handler.authz.Patch(ctx, valuer.MustNewUUID(claims.OrgID), role)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	relation, err := coretypes.NewVerb(mux.Vars(r)["relation"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	if err := role.ErrIfManaged(); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(coretypes.PatchableObjects)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	additions, deletions, err := coretypes.NewPatchableObjects(req.Additions, req.Deletions, relation)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = handler.authz.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), role.Name, authtypes.Relation{Verb: relation}, additions, deletions)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -172,136 +276,3 @@ func (handler *handler) Check(rw http.ResponseWriter, r *http.Request) {
 
 	render.Success(rw, http.StatusOK, authtypes.NewGettableTransaction(results))
 }
-
-func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, ok := mux.Vars(r)["id"]
-	if !ok {
-		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
-		return
-	}
-	roleID, err := valuer.NewUUID(id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	relationStr, ok := mux.Vars(r)["relation"]
-	if !ok {
-		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "relation is missing from the request"))
-		return
-	}
-
-	relation, err := coretypes.NewVerb(relationStr)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	objects, err := handler.authz.GetObjects(ctx, valuer.MustNewUUID(claims.OrgID), roleID, authtypes.Relation{Verb: relation})
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, coretypes.NewObjectGroupsFromObjects(objects))
-}
-
-func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(authtypes.UpdatableRole)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = role.Update(req.Description)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.authz.Update(ctx, valuer.MustNewUUID(claims.OrgID), role)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) PatchObjects(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	relation, err := coretypes.NewVerb(mux.Vars(r)["relation"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	role, err := handler.authz.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	if err := role.ErrIfManaged(); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(coretypes.PatchableObjects)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	additions, deletions, err := coretypes.NewPatchableObjects(req.Additions, req.Deletions, relation)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.authz.PatchObjects(ctx, valuer.MustNewUUID(claims.OrgID), role.Name, authtypes.Relation{Verb: relation}, additions, deletions)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}

pkg/modules/spanmapper/implspanmapper/handler.go

@@ -273,6 +273,35 @@ func (h *handler) DeleteMapper(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusNoContent, nil)
 }
 
+// TestMappers handles POST /api/v1/span_mapper_groups/test.
+func (h *handler) TestMappers(rw http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID := valuer.MustNewUUID(claims.OrgID)
+
+	req := new(spantypes.PostableSpanMapperTest)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	groups := spantypes.NewSpanMapperGroupsWithMappersFromPostable(orgID, req.Groups)
+	out, err := h.module.TestMappers(ctx, orgID, req.Spans, groups)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, &spantypes.GettableSpanMapperTest{Spans: out})
+}
+
 // groupIDFromPath extracts and validates the {id} or {groupId} path variable.
 func groupIDFromPath(r *http.Request) (valuer.UUID, error) {
 	vars := mux.Vars(r)

pkg/modules/spanmapper/implspanmapper/module.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/modules/spanmapper"
 	"github.com/SigNoz/signoz/pkg/query-service/agentConf"
 	"github.com/SigNoz/signoz/pkg/types/opamptypes"
@@ -102,6 +103,54 @@ func (module *module) DeleteMapper(ctx context.Context, orgID, groupID, id value
 	return nil
 }
 
+func (module *module) TestMappers(ctx context.Context, orgID valuer.UUID, spans []spantypes.SpanMapperTestSpan, groups []*spantypes.SpanMapperGroupWithMappers) ([]spantypes.SpanMapperTestSpan, error) {
+	if len(spans) == 0 {
+		return nil, errors.New(errors.TypeInvalidInput, spantypes.ErrCodeMappingInvalidInput, "'spans' must contain at least one span")
+	}
+
+	_, err := module.backfillMappers(ctx, orgID, groups)
+	if err != nil {
+		return nil, err
+	}
+
+	// out, _, err := spantypes.SimulateSpanMappersProcessing(ctx, resolved, spans)
+	// if err != nil {
+	// 	return nil, err
+	// }
+	// return out, nil
+	return nil, nil
+}
+
+// backfillMappers loads saved mappers for any group whose Mappers is nil.
+func (module *module) backfillMappers(ctx context.Context, orgID valuer.UUID, groups []*spantypes.SpanMapperGroupWithMappers) ([]*spantypes.SpanMapperGroupWithMappers, error) {
+	// Load all the saved groups for this org, so we can look up by name.
+	savedGroups, err := module.store.ListGroups(ctx, orgID, &spantypes.ListSpanMapperGroupsQuery{})
+	if err != nil {
+		return nil, err
+	}
+	savedByName := make(map[string]*spantypes.SpanMapperGroup, len(savedGroups))
+	for _, g := range savedGroups {
+		savedByName[g.Name] = g
+	}
+
+	// For each group in the request, if Mappers is nil, load the saved mappers for that group name.
+	for _, g := range groups {
+		if g.Mappers != nil {
+			continue
+		}
+		saved, ok := savedByName[g.Group.Name]
+		if !ok {
+			return nil, errors.Newf(errors.TypeInvalidInput, spantypes.ErrCodeMappingGroupNotFound, "no saved group named %q to load mappers from; send 'mappers' for new or edited groups", g.Group.Name)
+		}
+		loaded, err := module.store.ListMappers(ctx, orgID, saved.ID)
+		if err != nil {
+			return nil, err
+		}
+		g.Mappers = loaded
+	}
+	return groups, nil
+}
+
 func (module *module) AgentFeatureType() agentConf.AgentFeatureType {
 	return spantypes.SpanAttrMappingFeatureType
 }

pkg/modules/spanmapper/spanmapper.go

@@ -27,6 +27,7 @@ type Module interface {
 	CreateMapper(ctx context.Context, orgID, groupID valuer.UUID, mapper *spantypes.SpanMapper) error
 	UpdateMapper(ctx context.Context, orgID, groupID, id valuer.UUID, fieldContext spantypes.FieldContext, config *spantypes.SpanMapperConfig, enabled *bool, updatedBy string) error
 	DeleteMapper(ctx context.Context, orgID, groupID, id valuer.UUID) error
+	TestMappers(ctx context.Context, orgID valuer.UUID, spans []spantypes.SpanMapperTestSpan, groups []*spantypes.SpanMapperGroupWithMappers) ([]spantypes.SpanMapperTestSpan, error)
 }
 
 // Handler defines the HTTP handler interface for mapping group and mapper endpoints.
@@ -42,4 +43,5 @@ type Handler interface {
 	CreateMapper(rw http.ResponseWriter, r *http.Request)
 	UpdateMapper(rw http.ResponseWriter, r *http.Request)
 	DeleteMapper(rw http.ResponseWriter, r *http.Request)
+	TestMappers(rw http.ResponseWriter, r *http.Request)
 }

pkg/types/authtypes/role.go

@@ -72,17 +72,12 @@ type Role struct {
 	OrgID       valuer.UUID   `bun:"org_id,type:string" json:"orgId" required:"true"`
 }
 
-type RoleWithTransactionGroups struct {
-	*Role
-	TransactionGroups []*TransactionGroup `json:"transactionGroups" required:"true" nullable:"false"`
-}
-
 type PostableRole struct {
 	Name        string `json:"name" required:"true"`
 	Description string `json:"description"`
 }
 
-type UpdatableRole struct {
+type PatchableRole struct {
 	Description string `json:"description" required:"true"`
 }
 
@@ -102,13 +97,6 @@ func NewRole(name, description string, roleType valuer.String, orgID valuer.UUID
 	}
 }
 
-func MakeRoleWithTransactionGroups(role *Role, transactionGroups []*TransactionGroup) *RoleWithTransactionGroups {
-	return &RoleWithTransactionGroups{
-		Role:              role,
-		TransactionGroups: transactionGroups,
-	}
-}
-
 func NewManagedRoles(orgID valuer.UUID) []*Role {
 	return []*Role{
 		NewRole(SigNozAdminRoleName, SigNozAdminRoleDescription, RoleTypeManaged, orgID),
@@ -119,7 +107,7 @@ func NewManagedRoles(orgID valuer.UUID) []*Role {
 
 }
 
-func (role *Role) Update(description string) error {
+func (role *Role) PatchMetadata(description string) error {
 	err := role.ErrIfManaged()
 	if err != nil {
 		return err
@@ -139,42 +127,46 @@ func (role *Role) ErrIfManaged() error {
 }
 
 func (role *PostableRole) UnmarshalJSON(data []byte) error {
-	type Alias PostableRole
-	var temp Alias
-
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-
-	if temp.Name == "" {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name is missing from the request")
-	}
-
-	if match := roleNameRegex.MatchString(temp.Name); !match {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name must contain only lowercase letters (a-z) and hyphens (-), and be at most 50 characters long.")
-	}
-
-	if strings.HasPrefix(temp.Name, managedRolePrefix) {
-		return errors.Newf(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "role name cannot start with %q as it is reserved for SigNoz managed roles.", managedRolePrefix)
-	}
-
-	role.Name = temp.Name
-	role.Description = temp.Description
-	return nil
-}
-
-func (role *UpdatableRole) UnmarshalJSON(data []byte) error {
-	type shadowUpdatableRole struct {
+	type shadowPostableRole struct {
+		Name        string `json:"name"`
 		Description string `json:"description"`
 	}
 
-	var shadowRole shadowUpdatableRole
+	var shadowRole shadowPostableRole
+	if err := json.Unmarshal(data, &shadowRole); err != nil {
+		return err
+	}
+
+	if shadowRole.Name == "" {
+		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name is missing from the request")
+	}
+
+	if match := roleNameRegex.MatchString(shadowRole.Name); !match {
+		return errors.New(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "name must contain only lowercase letters (a-z) and hyphens (-), and be at most 50 characters long.")
+	}
+
+	if strings.HasPrefix(shadowRole.Name, managedRolePrefix) {
+		return errors.Newf(errors.TypeInvalidInput, ErrCodeRoleInvalidInput, "role name cannot start with %q as it is reserved for SigNoz managed roles.", managedRolePrefix)
+	}
+
+	role.Name = shadowRole.Name
+	role.Description = shadowRole.Description
+
+	return nil
+}
+
+func (role *PatchableRole) UnmarshalJSON(data []byte) error {
+	type shadowPatchableRole struct {
+		Description string `json:"description"`
+	}
+
+	var shadowRole shadowPatchableRole
 	if err := json.Unmarshal(data, &shadowRole); err != nil {
 		return err
 	}
 
 	if shadowRole.Description == "" {
-		return errors.New(errors.TypeInvalidInput, ErrCodeRoleEmptyPatch, "description must be present")
+		return errors.New(errors.TypeInvalidInput, ErrCodeRoleEmptyPatch, "empty role patch request received, description must be present")
 	}
 
 	role.Description = shadowRole.Description

pkg/types/authtypes/transaction.go

@@ -13,21 +13,12 @@ type Transaction struct {
 	Object   coretypes.Object `json:"object" required:"true"`
 }
 
-type TransactionGroup struct {
-	Relation    Relation              `json:"relation" required:"true"`
-	ObjectGroup coretypes.ObjectGroup `json:"objectGroup" required:"true"`
-}
-
 type GettableTransaction struct {
 	Relation   Relation         `json:"relation" required:"true"`
 	Object     coretypes.Object `json:"object" required:"true"`
 	Authorized bool             `json:"authorized" required:"true"`
 }
 
-type UpdatableTransactionGroups struct {
-	TransactionGroups []*TransactionGroup `json:"transactionGroups" required:"true" nullable:"false"`
-}
-
 type TransactionWithAuthorization struct {
 	Transaction *Transaction
 	Authorized  bool
@@ -41,18 +32,6 @@ func NewTransaction(relation Relation, object coretypes.Object) (*Transaction, e
 	return &Transaction{ID: valuer.GenerateUUID(), Relation: relation, Object: object}, nil
 }
 
-func NewTransactionGroup(relation Relation, objectGroup coretypes.ObjectGroup) (*TransactionGroup, error) {
-	if err := coretypes.ErrIfVerbNotValidForResource(relation.Verb, objectGroup.Resource); err != nil {
-		return nil, err
-	}
-
-	if _, err := coretypes.NewObjectsFromObjectGroup(objectGroup); err != nil {
-		return nil, err
-	}
-
-	return &TransactionGroup{Relation: relation, ObjectGroup: objectGroup}, nil
-}
-
 func NewGettableTransaction(results []*TransactionWithAuthorization) []*GettableTransaction {
 	gettableTransactions := make([]*GettableTransaction, len(results))
 	for i, result := range results {
@@ -86,26 +65,6 @@ func (transaction *Transaction) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func (transactionGroup *TransactionGroup) UnmarshalJSON(data []byte) error {
-	var shadow = struct {
-		Relation    Relation
-		ObjectGroup coretypes.ObjectGroup
-	}{}
-
-	err := json.Unmarshal(data, &shadow)
-	if err != nil {
-		return err
-	}
-
-	group, err := NewTransactionGroup(shadow.Relation, shadow.ObjectGroup)
-	if err != nil {
-		return err
-	}
-
-	*transactionGroup = *group
-	return nil
-}
-
 func (transaction *Transaction) TransactionKey() string {
 	return transaction.Relation.StringValue() + ":" + transaction.Object.Resource.Type.StringValue() + ":" + transaction.Object.Resource.Kind.String()
 }

pkg/types/authtypes/tuple.go

@@ -47,62 +47,14 @@ func NewTuplesFromTransactions(transactions []*Transaction, subject string, orgI
 	return tuples, nil
 }
 
-func NewTuplesFromTransactionGroups(name string, orgID valuer.UUID, transactionGroups []*TransactionGroup) ([]*openfgav1.TupleKey, error) {
-	tuples := make([]*openfgav1.TupleKey, 0)
-	subject := MustNewSubject(coretypes.NewResourceRole(), name, orgID, &coretypes.VerbAssignee)
-
-	for _, transactionGroup := range transactionGroups {
-		if err := coretypes.ErrIfVerbNotValidForResource(transactionGroup.Relation.Verb, transactionGroup.ObjectGroup.Resource); err != nil {
-			return nil, err
-		}
-
-		resource, err := coretypes.NewResourceFromTypeAndKind(transactionGroup.ObjectGroup.Resource.Type, transactionGroup.ObjectGroup.Resource.Kind)
-		if err != nil {
-			return nil, err
-		}
-
-		objectGroupTuples := NewTuples(resource, subject, transactionGroup.Relation, transactionGroup.ObjectGroup.Selectors, orgID)
-		tuples = append(tuples, objectGroupTuples...)
-	}
-
-	return tuples, nil
-}
-
-func NewTransactionGroupsFromTuples(tuples []*openfgav1.TupleKey) ([]*TransactionGroup, error) {
-	objectsByRelation := make(map[string][]*coretypes.Object)
-
-	for _, tuple := range tuples {
-		verb, err := coretypes.NewVerb(tuple.GetRelation())
-		if err != nil {
-			return nil, err
-		}
-
-		object, err := coretypes.NewObjectFromString(tuple.GetObject())
-		if err != nil {
-			return nil, err
-		}
-
-		objectsByRelation[verb.StringValue()] = append(objectsByRelation[verb.StringValue()], object)
-	}
-
-	transactionGroups := make([]*TransactionGroup, 0)
-	for _, verb := range coretypes.Verbs {
-		objects := objectsByRelation[verb.StringValue()]
-		if len(objects) == 0 {
-			continue
-		}
-
-		for _, objectGroup := range coretypes.NewObjectGroupsFromObjects(objects) {
-			transactionGroups = append(transactionGroups, &TransactionGroup{
-				Relation:    Relation{Verb: verb},
-				ObjectGroup: *objectGroup,
-			})
-		}
-	}
-
-	return transactionGroups, nil
-}
-
+// NewTuplesFromTransactionsWithCorrelations converts transactions to tuples for BatchCheck,
+// and for each transaction whose selector is not already a wildcard, generates an additional
+// tuple with the wildcard selector. This ensures that permissions granted via wildcard
+// selectors (e.g., dashboard:*) are checked alongside exact selectors (e.g., dashboard:abc-123).
+//
+// Returns:
+//   - tuples: all tuples to check (exact + correlated), keyed by transaction ID or generated correlation ID
+//   - correlations: maps transaction ID to a slice of correlation IDs for the additional tuples
 func NewTuplesFromTransactionsWithCorrelations(transactions []*Transaction, subject string, orgID valuer.UUID) (tuples map[string]*openfgav1.TupleKey, correlations map[string][]string, err error) {
 	tuples = make(map[string]*openfgav1.TupleKey)
 	correlations = make(map[string][]string)
@@ -131,6 +83,10 @@ func NewTuplesFromTransactionsWithCorrelations(transactions []*Transaction, subj
 	return tuples, correlations, nil
 }
 
+// NewTuplesFromTransactionsWithManagedRoles converts transactions to tuples for BatchCheck.
+// Direct role-assignment transactions (TypeRole + VerbAssignee) produce one tuple keyed by txn ID.
+// Other transactions are expanded via managedRolesByTransaction into role-assignee checks, keyed by "txnID:roleName".
+// Transactions with no managed role mapping are marked as pre-resolved (false) in the returned map.
 func NewTuplesFromTransactionsWithManagedRoles(
 	transactions []*Transaction,
 	subject string,
@@ -175,6 +131,10 @@ func NewTuplesFromTransactionsWithManagedRoles(
 	return tuples, preResolved, roleCorrelations, nil
 }
 
+// NewTransactionWithAuthorizationFromBatchResults merges batch check results into an ordered
+// slice of TransactionWithAuthorization matching the input transactions order.
+// preResolved contains txn IDs whose authorization was determined without BatchCheck.
+// roleCorrelations maps txn IDs to correlation IDs used for managed role checks.
 func NewTransactionWithAuthorizationFromBatchResults(
 	transactions []*Transaction,
 	batchResults map[string]*TupleKeyAuthorization,

pkg/types/coretypes/object.go

@@ -9,7 +9,6 @@ import (
 
 var (
 	ErrCodeInvalidPatchObject = errors.MustNewCode("authz_invalid_patch_objects")
-	ErrCodeInvalidObject      = errors.MustNewCode("authz_invalid_object")
 )
 
 type Object struct {
@@ -45,46 +44,25 @@ func MustNewObject(resource ResourceRef, inputSelector string) *Object {
 	return object
 }
 
-// NewObjectFromString parses a tuple's object string back into an Object. Object strings are of the
-// form "<type>:<...>/<kind>/<selector>" across all resource types (e.g.
-// "metaresource:organization/<org>/dashboard/<uuid>", "organization:organization/<uuid>"); the kind
-// is always the second-to-last "/" segment and the selector is the last, after stripping the type prefix.
-func NewObjectFromString(input string) (*Object, error) {
-	typeAndRest := strings.SplitN(input, ":", 2)
-	if len(typeAndRest) != 2 {
-		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeInvalidObject, "invalid object format: %s", input)
-	}
-
-	typed, err := NewType(typeAndRest[0])
-	if err != nil {
-		return nil, err
-	}
-
-	segments := strings.Split(typeAndRest[1], "/")
-	if len(segments) < 2 {
-		return nil, errors.Newf(errors.TypeInvalidInput, ErrCodeInvalidObject, "invalid object format: %s", input)
-	}
-
-	kind, err := NewKind(segments[len(segments)-2])
-	if err != nil {
-		return nil, err
-	}
-
-	selector, err := typed.Selector(segments[len(segments)-1])
-	if err != nil {
-		return nil, err
-	}
-
-	return &Object{Resource: ResourceRef{Type: typed, Kind: kind}, Selector: selector}, nil
-}
-
 func MustNewObjectFromString(input string) *Object {
-	object, err := NewObjectFromString(input)
-	if err != nil {
-		panic(err)
+	parts := strings.Split(input, "/")
+	if len(parts) != 4 {
+		panic(errors.Newf(errors.TypeInternal, errors.CodeInternal, "invalid input format: %s", input))
 	}
 
-	return object
+	typeParts := strings.Split(parts[0], ":")
+	if len(typeParts) != 2 {
+		panic(errors.Newf(errors.TypeInternal, errors.CodeInternal, "invalid type format: %s", parts[0]))
+	}
+
+	resource := ResourceRef{
+		Type: MustNewType(typeParts[0]),
+		Kind: MustNewKind(parts[2]),
+	}
+
+	selector := resource.Type.MustSelector(parts[3])
+
+	return &Object{Resource: resource, Selector: selector}
 }
 
 func MustNewObjectsFromStringSlice(input []string) []*Object {

pkg/types/spantypes/spanmappersimulator.go

@@ -0,0 +1,151 @@
+package spantypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+	"go.opentelemetry.io/collector/pdata/ptrace"
+)
+
+var (
+	ErrCodeProcessorFactoryMapFailed  = errors.MustNewCode("processor_factory_map_failed")
+	ErrCodeSpanMapperSimulationFailed = errors.MustNewCode("span_mapper_simulation_failed")
+)
+
+// spanInputOrderAttr tags each input span with its index so the simulator
+// output can be sorted back into input order. The collector simulator does
+// not guarantee that traces come out in the order they went in.
+const spanInputOrderAttr = "__signoz_input_idx__"
+
+// SimulateSpanMappersProcessing runs the given spans through an in-memory
+// collector pipeline that hosts signozspanmapperprocessor configured by the
+// supplied groups, and returns the transformed spans. Mirrors
+// SimulatePipelinesProcessing in pkg/query-service/app/logparsingpipeline.
+// func SimulateSpanMappersProcessing(
+// 	ctx context.Context,
+// 	groups []*SpanMapperGroupWithMappers,
+// 	spans []SpanMapperTestSpan,
+// ) (
+// 	[]SpanMapperTestSpan, []string, error,
+// ) {
+// 	enabled := filterEnabledGroupsWithMappers(groups)
+// 	if len(enabled) < 1 {
+// 		return spans, nil, nil
+// 	}
+
+// 	for i := range spans {
+// 		if spans[i].Attributes == nil {
+// 			spans[i].Attributes = map[string]any{}
+// 		}
+// 		spans[i].Attributes[spanInputOrderAttr] = int64(i)
+// 	}
+// 	simulatorInput := SpansToPTraces(spans)
+
+// 	processorFactories, err := otelcol.MakeFactoryMap(signozspanmapperprocessor.NewFactory())
+// 	if err != nil {
+// 		return nil, nil, errors.WrapInternalf(err, ErrCodeProcessorFactoryMapFailed, "could not construct processor factory map")
+// 	}
+
+// 	configGenerator := func(baseConf []byte) ([]byte, error) {
+// 		return GenerateCollectorConfigWithSpanMapperProcessor(baseConf, enabled)
+// 	}
+
+// 	// signozspanmapperprocessor does no batching; spans flow through immediately.
+// 	timeout := 200 * time.Millisecond
+
+// 	outputTraces, collectorErrs, simErr := collectorsimulator.SimulateTracesProcessing(
+// 		ctx,
+// 		processorFactories,
+// 		configGenerator,
+// 		simulatorInput,
+// 		timeout,
+// 	)
+// 	if simErr != nil {
+// 		if errors.Is(simErr, collectorsimulator.ErrInvalidConfig) {
+// 			return nil, nil, errors.WrapInvalidInputf(simErr, errors.CodeInvalidInput, "invalid config")
+// 		}
+// 		return nil, nil, errors.WrapInternalf(simErr, ErrCodeSpanMapperSimulationFailed, "could not simulate span mapper processing")
+// 	}
+
+// 	outputSpans := PTracesToSpans(outputTraces)
+
+// 	sort.Slice(outputSpans, func(i, j int) bool {
+// 		iIdx, _ := outputSpans[i].Attributes[spanInputOrderAttr].(int64)
+// 		jIdx, _ := outputSpans[j].Attributes[spanInputOrderAttr].(int64)
+// 		return iIdx < jIdx
+// 	})
+// 	for _, s := range outputSpans {
+// 		delete(s.Attributes, spanInputOrderAttr)
+// 	}
+
+// 	collectorWarnAndErrorLogs := []string{}
+// 	for _, log := range collectorErrs {
+// 		if log == "" || strings.Contains(log, "featuregate.go") {
+// 			continue
+// 		}
+// 		collectorWarnAndErrorLogs = append(collectorWarnAndErrorLogs, log)
+// 	}
+
+// 	return outputSpans, collectorWarnAndErrorLogs, nil
+// }
+
+// SpansToPTraces packs each input span into its own ptrace.Traces with one
+// ResourceSpans / ScopeSpans / Span carrying its attribute and resource maps.
+func SpansToPTraces(spans []SpanMapperTestSpan) []ptrace.Traces {
+	result := make([]ptrace.Traces, 0, len(spans))
+	for _, s := range spans {
+		td := ptrace.NewTraces()
+		rs := td.ResourceSpans().AppendEmpty()
+		if s.Resource != nil {
+			_ = rs.Resource().Attributes().FromRaw(s.Resource)
+		}
+		sl := rs.ScopeSpans().AppendEmpty()
+		span := sl.Spans().AppendEmpty()
+		if s.Attributes != nil {
+			_ = span.Attributes().FromRaw(s.Attributes)
+		}
+		result = append(result, td)
+	}
+	return result
+}
+
+// PTracesToSpans flattens simulator output back into SpanMapperTestSpan: one
+// entry per individual Span across all ResourceSpans / ScopeSpans.
+func PTracesToSpans(traces []ptrace.Traces) []SpanMapperTestSpan {
+	result := []SpanMapperTestSpan{}
+	for _, td := range traces {
+		rss := td.ResourceSpans()
+		for i := 0; i < rss.Len(); i++ {
+			rs := rss.At(i)
+			resourceAttrs := rs.Resource().Attributes().AsRaw()
+			ilss := rs.ScopeSpans()
+			for j := 0; j < ilss.Len(); j++ {
+				spans := ilss.At(j).Spans()
+				for k := 0; k < spans.Len(); k++ {
+					result = append(result, SpanMapperTestSpan{
+						Attributes: spans.At(k).Attributes().AsRaw(),
+						Resource:   resourceAttrs,
+					})
+				}
+			}
+		}
+	}
+	return result
+}
+
+func filterEnabledGroupsWithMappers(groups []*SpanMapperGroupWithMappers) []*SpanMapperGroupWithMappers {
+	out := make([]*SpanMapperGroupWithMappers, 0, len(groups))
+	for _, gm := range groups {
+		if gm == nil || gm.Group == nil || !gm.Group.Enabled {
+			continue
+		}
+		enabled := make([]*SpanMapper, 0, len(gm.Mappers))
+		for _, m := range gm.Mappers {
+			if m != nil && m.Enabled {
+				enabled = append(enabled, m)
+			}
+		}
+		if len(enabled) > 0 {
+			out = append(out, &SpanMapperGroupWithMappers{Group: gm.Group, Mappers: enabled})
+		}
+	}
+	return out
+}

pkg/types/spantypes/spanmappertest.go

@@ -0,0 +1,53 @@
+package spantypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type SpanMapperTestSpan struct {
+	Attributes map[string]any `json:"attributes"`
+	Resource   map[string]any `json:"resource"`
+}
+
+// Mappers is optional because the module can backfill from the store by Group.Name.
+type PostableSpanMapperTestGroup struct {
+	PostableSpanMapperGroup
+	Mappers []PostableSpanMapper `json:"mappers"`
+}
+
+type PostableSpanMapperTest struct {
+	Spans  []SpanMapperTestSpan          `json:"spans"  required:"true"`
+	Groups []PostableSpanMapperTestGroup `json:"groups" required:"true"`
+}
+
+type GettableSpanMapperTest struct {
+	Spans []SpanMapperTestSpan `json:"spans" required:"true"`
+}
+
+func NewSpanMapperGroupsWithMappersFromPostable(orgID valuer.UUID, in []PostableSpanMapperTestGroup) []*SpanMapperGroupWithMappers {
+	out := make([]*SpanMapperGroupWithMappers, 0, len(in))
+	for _, pg := range in {
+		var mappers []*SpanMapper
+		if pg.Mappers != nil {
+			mappers = make([]*SpanMapper, 0, len(pg.Mappers))
+			for _, pm := range pg.Mappers {
+				mappers = append(mappers, &SpanMapper{
+					Name:         pm.Name,
+					FieldContext: pm.FieldContext,
+					Config:       pm.Config,
+					Enabled:      pm.Enabled,
+				})
+			}
+		}
+		out = append(out, &SpanMapperGroupWithMappers{
+			Group: &SpanMapperGroup{
+				OrgID:     orgID,
+				Name:      pg.Name,
+				Condition: pg.Condition,
+				Enabled:   pg.Enabled,
+			},
+			Mappers: mappers,
+		})
+	}
+	return out
+}

pkg/types/telemetrytypes/field.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/SigNoz/signoz-otel-collector/exporter/jsontypeexporter"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -22,7 +21,7 @@ const (
 	// BodyJSONStringSearchPrefix is the prefix used for body JSON search queries.
 	// e.g., "body.status" where "body." is the prefix.
 	BodyJSONStringSearchPrefix = "body."
-	ArraySep                   = jsontypeexporter.ArraySeparator
+	ArraySep                   = "[]."
 	ArraySepSuffix             = "[]"
 	// TODO(Piyush): Remove once we've migrated to the new array syntax.
 	ArrayAnyIndex       = "[*]."

pkg/types/telemetrytypes/json_access_plan.go

@@ -6,7 +6,6 @@ import (
 	"slices"
 	"strings"
 
-	"github.com/SigNoz/signoz-otel-collector/exporter/jsontypeexporter"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
@@ -76,7 +75,7 @@ func (n *JSONAccessNode) Alias() string {
 	parentAlias := strings.TrimLeft(n.Parent.Alias(), "`")
 	parentAlias = strings.TrimRight(parentAlias, "`")
 
-	sep := jsontypeexporter.ArraySeparator
+	sep := "[]."
 	if n.Parent.isRoot {
 		sep = "."
 	}