test: integration tests now use v2 user apis

fix: openapi specs
feat: user v2 apis
2026-03-24 13:20:27 +00:00 · 2026-03-24 18:21:17 +05:30 · 2026-03-24 18:20:15 +05:30 · 2026-03-24 18:20:15 +05:30
25 changed files with 2194 additions and 323 deletions
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
@@ -342,6 +342,34 @@ components:
        config:
          $ref: '#/components/schemas/AuthtypesAuthDomainConfig'
      type: object
+    AuthtypesUserWithRoles:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        displayName:
+          type: string
+        email:
+          type: string
+        id:
+          type: string
+        isRoot:
+          type: boolean
+        orgId:
+          type: string
+        roles:
+          items:
+            $ref: '#/components/schemas/AuthtypesRole'
+          nullable: true
+          type: array
+        status:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+      required:
+      - id
+      type: object
    CloudintegrationtypesAWSAccountConfig:
      properties:
        regions:
@@ -2647,6 +2675,25 @@ components:
      required:
      - id
      type: object
+    TypesUpdatableSelfUser:
+      properties:
+        displayName:
+          type: string
+      required:
+      - displayName
+      type: object
+    TypesUpdatableUser:
+      properties:
+        displayName:
+          type: string
+        roleNames:
+          items:
+            type: string
+          type: array
+      required:
+      - displayName
+      - roleNames
+      type: object
    TypesUser:
      properties:
        createdAt:
@@ -7781,6 +7828,66 @@ paths:
      summary: Readiness check
      tags:
      - health
+  /api/v2/roles/{id}/users:
+    get:
+      deprecated: false
+      description: This endpoint returns the users having the role by role id
+      operationId: GetUsersByRoleID
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesUser'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get users by role id
+      tags:
+      - users
  /api/v2/sessions:
    delete:
      deprecated: false
@@ -7939,6 +8046,306 @@ paths:
      summary: Rotate session
      tags:
      - sessions
+  /api/v2/users:
+    get:
+      deprecated: false
+      description: This endpoint lists all users for the organization
+      operationId: ListUsersV2
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesUser'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: List users v2
+      tags:
+      - users
+  /api/v2/users/{id}:
+    get:
+      deprecated: false
+      description: This endpoint returns the user by id
+      operationId: GetUserV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesUser'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get user by user id
+      tags:
+      - users
+    put:
+      deprecated: false
+      description: This endpoint updates the user by id
+      operationId: UpdateUserV2
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesUpdatableUser'
+      responses:
+        "204":
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Update user v2
+      tags:
+      - users
+  /api/v2/users/{id}/roles:
+    get:
+      deprecated: false
+      description: This endpoint returns the user roles by user id
+      operationId: GetUserRoles
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/AuthtypesRole'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Get user roles
+      tags:
+      - users
+  /api/v2/users/me:
+    get:
+      deprecated: false
+      description: This endpoint returns the user I belong to
+      operationId: GetMyUserV2
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/AuthtypesUserWithRoles'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - tokenizer: []
+      summary: Get my user v2
+      tags:
+      - users
+    put:
+      deprecated: false
+      description: This endpoint updates the user I belong to
+      operationId: UpdateMyUserV2
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesUpdatableSelfUser'
+      responses:
+        "204":
+          description: No Content
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - tokenizer: []
+      summary: Update my user v2
+      tags:
+      - users
  /api/v2/zeus/hosts:
    get:
      deprecated: false
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -437,6 +437,48 @@ export interface AuthtypesUpdateableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 }

+export interface AuthtypesUserWithRolesDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	displayName?: string;
+	/**
+	 * @type string
+	 */
+	email?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type boolean
+	 */
+	isRoot?: boolean;
+	/**
+	 * @type string
+	 */
+	orgId?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: AuthtypesRoleDTO[] | null;
+	/**
+	 * @type string
+	 */
+	status?: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
 export interface CloudintegrationtypesAWSAccountConfigDTO {
 	/**
 	 * @type array
@@ -3144,6 +3186,24 @@ export interface TypesStorableAPIKeyDTO {
 	userId?: string;
 }

+export interface TypesUpdatableSelfUserDTO {
+	/**
+	 * @type string
+	 */
+	displayName: string;
+}
+
+export interface TypesUpdatableUserDTO {
+	/**
+	 * @type string
+	 */
+	displayName: string;
+	/**
+	 * @type array
+	 */
+	roleNames: string[];
+}
+
 export interface TypesUserDTO {
 	/**
 	 * @type string
@@ -4183,6 +4243,20 @@ export type Readyz503 = {
 	status: string;
 };

+export type GetUsersByRoleIDPathParameters = {
+	id: string;
+};
+export type GetUsersByRoleID200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesUserDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetSessionContext200 = {
 	data: AuthtypesSessionContextDTO;
 	/**
@@ -4207,6 +4281,53 @@ export type RotateSession200 = {
 	status: string;
 };

+export type ListUsersV2200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesUserDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type GetUserV2PathParameters = {
+	id: string;
+};
+export type GetUserV2200 = {
+	data: TypesUserDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type UpdateUserV2PathParameters = {
+	id: string;
+};
+export type GetUserRolesPathParameters = {
+	id: string;
+};
+export type GetUserRoles200 = {
+	/**
+	 * @type array
+	 */
+	data: AuthtypesRoleDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type GetMyUserV2200 = {
+	data: AuthtypesUserWithRolesDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetHosts200 = {
 	data: ZeustypesGettableHostDTO;
 	/**
--- a/frontend/src/api/generated/services/users/index.ts
+++ b/frontend/src/api/generated/services/users/index.ts
@@ -25,12 +25,20 @@ import type {
 	CreateInvite201,
 	DeleteUserPathParameters,
 	GetMyUser200,
+	GetMyUserV2200,
 	GetResetPasswordToken200,
 	GetResetPasswordTokenPathParameters,
 	GetUser200,
 	GetUserPathParameters,
+	GetUserRoles200,
+	GetUserRolesPathParameters,
+	GetUsersByRoleID200,
+	GetUsersByRoleIDPathParameters,
+	GetUserV2PathParameters,
+	GetUserV2200,
 	ListAPIKeys200,
 	ListUsers200,
+	ListUsersV2200,
 	RenderErrorResponseDTO,
 	RevokeAPIKeyPathParameters,
 	TypesChangePasswordRequestDTO,
@@ -41,9 +49,12 @@ import type {
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
 	TypesStorableAPIKeyDTO,
+	TypesUpdatableSelfUserDTO,
+	TypesUpdatableUserDTO,
 	UpdateAPIKeyPathParameters,
 	UpdateUser200,
 	UpdateUserPathParameters,
+	UpdateUserV2PathParameters,
 } from '../sigNoz.schemas';

 /**
@@ -1345,3 +1356,648 @@ export const useForgotPassword = <

 	return useMutation(mutationOptions);
 };
+/**
+ * This endpoint returns the users having the role by role id
+ * @summary Get users by role id
+ */
+export const getUsersByRoleID = (
+	{ id }: GetUsersByRoleIDPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUsersByRoleID200>({
+		url: `/api/v2/roles/${id}/users`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUsersByRoleIDQueryKey = ({
+	id,
+}: GetUsersByRoleIDPathParameters) => {
+	return [`/api/v2/roles/${id}/users`] as const;
+};
+
+export const getGetUsersByRoleIDQueryOptions = <
+	TData = Awaited<ReturnType<typeof getUsersByRoleID>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUsersByRoleID>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUsersByRoleIDQueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUsersByRoleID>>> = ({
+		signal,
+	}) => getUsersByRoleID({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof getUsersByRoleID>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetUsersByRoleIDQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUsersByRoleID>>
+>;
+export type GetUsersByRoleIDQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get users by role id
+ */
+
+export function useGetUsersByRoleID<
+	TData = Awaited<ReturnType<typeof getUsersByRoleID>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUsersByRoleID>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUsersByRoleIDQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get users by role id
+ */
+export const invalidateGetUsersByRoleID = async (
+	queryClient: QueryClient,
+	{ id }: GetUsersByRoleIDPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUsersByRoleIDQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint lists all users for the organization
+ * @summary List users v2
+ */
+export const listUsersV2 = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<ListUsersV2200>({
+		url: `/api/v2/users`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListUsersV2QueryKey = () => {
+	return [`/api/v2/users`] as const;
+};
+
+export const getListUsersV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof listUsersV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListUsersV2QueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof listUsersV2>>> = ({
+		signal,
+	}) => listUsersV2(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListUsersV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof listUsersV2>>
+>;
+export type ListUsersV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List users v2
+ */
+
+export function useListUsersV2<
+	TData = Awaited<ReturnType<typeof listUsersV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listUsersV2>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListUsersV2QueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List users v2
+ */
+export const invalidateListUsersV2 = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListUsersV2QueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint returns the user by id
+ * @summary Get user by user id
+ */
+export const getUserV2 = (
+	{ id }: GetUserV2PathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUserV2200>({
+		url: `/api/v2/users/${id}`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUserV2QueryKey = ({ id }: GetUserV2PathParameters) => {
+	return [`/api/v2/users/${id}`] as const;
+};
+
+export const getGetUserV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof getUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserV2PathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUserV2QueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUserV2>>> = ({
+		signal,
+	}) => getUserV2({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetUserV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUserV2>>
+>;
+export type GetUserV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get user by user id
+ */
+
+export function useGetUserV2<
+	TData = Awaited<ReturnType<typeof getUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserV2PathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getUserV2>>, TError, TData>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUserV2QueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get user by user id
+ */
+export const invalidateGetUserV2 = async (
+	queryClient: QueryClient,
+	{ id }: GetUserV2PathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUserV2QueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint updates the user by id
+ * @summary Update user v2
+ */
+export const updateUserV2 = (
+	{ id }: UpdateUserV2PathParameters,
+	typesUpdatableUserDTO: BodyType<TypesUpdatableUserDTO>,
+) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v2/users/${id}`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesUpdatableUserDTO,
+	});
+};
+
+export const getUpdateUserV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		TError,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateUserV2>>,
+	TError,
+	{
+		pathParams: UpdateUserV2PathParameters;
+		data: BodyType<TypesUpdatableUserDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateUserV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateUserV2(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateUserV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateUserV2>>
+>;
+export type UpdateUserV2MutationBody = BodyType<TypesUpdatableUserDTO>;
+export type UpdateUserV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Update user v2
+ */
+export const useUpdateUserV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateUserV2>>,
+		TError,
+		{
+			pathParams: UpdateUserV2PathParameters;
+			data: BodyType<TypesUpdatableUserDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateUserV2>>,
+	TError,
+	{
+		pathParams: UpdateUserV2PathParameters;
+		data: BodyType<TypesUpdatableUserDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateUserV2MutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint returns the user roles by user id
+ * @summary Get user roles
+ */
+export const getUserRoles = (
+	{ id }: GetUserRolesPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetUserRoles200>({
+		url: `/api/v2/users/${id}/roles`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetUserRolesQueryKey = ({ id }: GetUserRolesPathParameters) => {
+	return [`/api/v2/users/${id}/roles`] as const;
+};
+
+export const getGetUserRolesQueryOptions = <
+	TData = Awaited<ReturnType<typeof getUserRoles>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserRolesPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUserRoles>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetUserRolesQueryKey({ id });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getUserRoles>>> = ({
+		signal,
+	}) => getUserRoles({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof getUserRoles>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetUserRolesQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getUserRoles>>
+>;
+export type GetUserRolesQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get user roles
+ */
+
+export function useGetUserRoles<
+	TData = Awaited<ReturnType<typeof getUserRoles>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetUserRolesPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getUserRoles>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetUserRolesQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get user roles
+ */
+export const invalidateGetUserRoles = async (
+	queryClient: QueryClient,
+	{ id }: GetUserRolesPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetUserRolesQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint returns the user I belong to
+ * @summary Get my user v2
+ */
+export const getMyUserV2 = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<GetMyUserV2200>({
+		url: `/api/v2/users/me`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetMyUserV2QueryKey = () => {
+	return [`/api/v2/users/me`] as const;
+};
+
+export const getGetMyUserV2QueryOptions = <
+	TData = Awaited<ReturnType<typeof getMyUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetMyUserV2QueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getMyUserV2>>> = ({
+		signal,
+	}) => getMyUserV2(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetMyUserV2QueryResult = NonNullable<
+	Awaited<ReturnType<typeof getMyUserV2>>
+>;
+export type GetMyUserV2QueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get my user v2
+ */
+
+export function useGetMyUserV2<
+	TData = Awaited<ReturnType<typeof getMyUserV2>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof getMyUserV2>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetMyUserV2QueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get my user v2
+ */
+export const invalidateGetMyUserV2 = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetMyUserV2QueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint updates the user I belong to
+ * @summary Update my user v2
+ */
+export const updateMyUserV2 = (
+	typesUpdatableSelfUserDTO: BodyType<TypesUpdatableSelfUserDTO>,
+) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v2/users/me`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesUpdatableSelfUserDTO,
+	});
+};
+
+export const getUpdateMyUserV2MutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		TError,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateMyUserV2>>,
+	TError,
+	{ data: BodyType<TypesUpdatableSelfUserDTO> },
+	TContext
+> => {
+	const mutationKey = ['updateMyUserV2'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return updateMyUserV2(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateMyUserV2MutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateMyUserV2>>
+>;
+export type UpdateMyUserV2MutationBody = BodyType<TypesUpdatableSelfUserDTO>;
+export type UpdateMyUserV2MutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Update my user v2
+ */
+export const useUpdateMyUserV2 = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateMyUserV2>>,
+		TError,
+		{ data: BodyType<TypesUpdatableSelfUserDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateMyUserV2>>,
+	TError,
+	{ data: BodyType<TypesUpdatableSelfUserDTO> },
+	TContext
+> => {
+	const mutationOptions = getUpdateMyUserV2MutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
--- a/pkg/apiserver/signozapiserver/user.go
+++ b/pkg/apiserver/signozapiserver/user.go
@@ -111,7 +111,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsers), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsersDeprecated), handler.OpenAPIDef{
 		ID:                  "ListUsers",
 		Tags:                []string{"users"},
 		Summary:             "List users",
@@ -128,7 +128,24 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v1/user/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsers), handler.OpenAPIDef{
+		ID:                  "ListUsersV2",
+		Tags:                []string{"users"},
+		Summary:             "List users v2",
+		Description:         "This endpoint lists all users for the organization",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.User, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUserDeprecated), handler.OpenAPIDef{
 		ID:                  "GetMyUser",
 		Tags:                []string{"users"},
 		Summary:             "Get my user",
@@ -145,7 +162,41 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.GetUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetMyUser), handler.OpenAPIDef{
+		ID:                  "GetMyUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Get my user v2",
+		Description:         "This endpoint returns the user I belong to",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(authtypes.UserWithRoles),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{{Name: authtypes.IdentNProviderTokenizer.StringValue()}},
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/users/me", handler.New(provider.authZ.OpenAccess(provider.userHandler.UpdateMyUser), handler.OpenAPIDef{
+		ID:                  "UpdateMyUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Update my user v2",
+		Description:         "This endpoint updates the user I belong to",
+		Request:             new(types.UpdatableSelfUser),
+		RequestContentType:  "application/json",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{{Name: authtypes.IdentNProviderTokenizer.StringValue()}},
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.GetUserDeprecated), handler.OpenAPIDef{
 		ID:                  "GetUser",
 		Tags:                []string{"users"},
 		Summary:             "Get user",
@@ -162,7 +213,24 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

-	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.UpdateUser), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/users/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUser), handler.OpenAPIDef{
+		ID:                  "GetUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Get user by user id",
+		Description:         "This endpoint returns the user by id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(types.User),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.SelfAccess(provider.userHandler.UpdateUserDeprecated), handler.OpenAPIDef{
 		ID:                  "UpdateUser",
 		Tags:                []string{"users"},
 		Summary:             "Update user",
@@ -179,6 +247,23 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

+	if err := router.Handle("/api/v2/users/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.UpdateUser), handler.OpenAPIDef{
+		ID:                  "UpdateUserV2",
+		Tags:                []string{"users"},
+		Summary:             "Update user v2",
+		Description:         "This endpoint updates the user by id",
+		Request:             new(types.UpdatableUser),
+		RequestContentType:  "application/json",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/user/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.DeleteUser), handler.OpenAPIDef{
 		ID:                  "DeleteUser",
 		Tags:                []string{"users"},
@@ -264,5 +349,39 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

+	if err := router.Handle("/api/v2/users/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUserRoles), handler.OpenAPIDef{
+		ID:                  "GetUserRoles",
+		Tags:                []string{"users"},
+		Summary:             "Get user roles",
+		Description:         "This endpoint returns the user roles by user id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*authtypes.Role, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v2/roles/{id}/users", handler.New(provider.authZ.AdminAccess(provider.userHandler.GetUsersByRoleID), handler.OpenAPIDef{
+		ID:                  "GetUsersByRoleID",
+		Tags:                []string{"users"},
+		Summary:             "Get users by role id",
+		Description:         "This endpoint returns the users having the role by role id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.User, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
 	return nil
 }
--- a/pkg/modules/user/impluser/getter.go
+++ b/pkg/modules/user/impluser/getter.go
@@ -37,7 +37,7 @@ func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID)
 	return rootUser, userRoles, nil
 }

-func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.DeprecatedUser, error) {
+func (module *getter) ListByOrgIDDeprecated(ctx context.Context, orgID valuer.UUID) ([]*types.DeprecatedUser, error) {
 	users, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
@@ -84,6 +84,23 @@ func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*ty
 	return deprecatedUsers, nil
 }

+func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	// filter root users if feature flag `hide_root_users` is true
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
+	}
+
+	return users, nil
+}
+
 func (module *getter) GetDeprecatedUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
 	if err != nil {
@@ -99,11 +116,19 @@ func (module *getter) GetDeprecatedUserByOrgIDAndID(ctx context.Context, orgID v
 		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
 	}

+	if userRoles[0].Role == nil {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+	}
+
 	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]

 	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
 }

+func (module *getter) GetUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.User, error) {
+	return module.store.GetByOrgIDAndID(ctx, orgID, userID)
+}
+
 func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.DeprecatedUser, error) {
 	user, err := module.store.GetUser(ctx, id)
 	if err != nil {
@@ -119,6 +144,10 @@ func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.Deprecate
 		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
 	}

+	if userRoles[0].Role == nil {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+	}
+
 	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]

 	return types.NewDeprecatedUserFromUserAndRole(user, role), nil
@@ -180,5 +209,15 @@ func (module *getter) GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*
 		return nil, err
 	}

+	for _, ur := range userRoles {
+		if ur.Role == nil {
+			return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeRoleNotFound, "role not found for user role entry")
+		}
+	}
+
 	return userRoles, nil
 }
+
+func (module *getter) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
+	return module.store.GetUsersByOrgIDAndRoleID(ctx, orgID, roleID)
+}
--- a/pkg/modules/user/impluser/handler.go
+++ b/pkg/modules/user/impluser/handler.go
@@ -85,7 +85,7 @@ func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusCreated, nil)
 }

-func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

@@ -106,7 +106,28 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, user)
 }

-func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, user)
+}
+
+func (h *handler) GetMyUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

@@ -125,6 +146,85 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, user)
 }

+func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	userRoles, err := h.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	roles := make([]*authtypes.Role, len(userRoles))
+	for idx, userRole := range userRoles {
+		roles[idx] = authtypes.NewRoleFromStorableRole(userRole.Role)
+	}
+
+	userWithRoles := &authtypes.UserWithRoles{
+		User:  user,
+		Roles: roles,
+	}
+
+	render.Success(w, http.StatusOK, userWithRoles)
+}
+
+func (h *handler) UpdateMyUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	updatableSelfUser := new(types.UpdatableSelfUser)
+	if err := json.NewDecoder(r.Body).Decode(&updatableSelfUser); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	_, err = h.setter.UpdateMyUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), updatableSelfUser)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
+func (h *handler) ListUsersDeprecated(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	users, err := h.getter.ListByOrgIDDeprecated(ctx, valuer.MustNewUUID(claims.OrgID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, users)
+}
+
 func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -144,7 +244,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, users)
 }

-func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+func (h *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

@@ -162,7 +262,7 @@ func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updatedUser, err := h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
+	updatedUser, err := h.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -171,6 +271,33 @@ func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusOK, updatedUser)
 }

+func (h *handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	updatableUser := new(types.UpdatableUser)
+	if err := json.NewDecoder(r.Body).Decode(&updatableUser); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	_, err = h.setter.UpdateUser(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID), updatableUser, valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
 func (h *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -443,3 +570,56 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {

 	render.Success(w, http.StatusNoContent, nil)
 }
+
+func (h *handler) GetUserRoles(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	userID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.getter.GetUserByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	userRoles, err := h.getter.GetUserRoles(ctx, user.ID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	roles := make([]*authtypes.Role, len(userRoles))
+	for idx, userRole := range userRoles {
+		roles[idx] = authtypes.NewRoleFromStorableRole(userRole.Role)
+	}
+
+	render.Success(w, http.StatusOK, roles)
+}
+
+func (h *handler) GetUsersByRoleID(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	roleID := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	users, err := h.getter.GetUsersByOrgIDAndRoleID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(roleID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, users)
+}
--- a/pkg/modules/user/impluser/service.go
+++ b/pkg/modules/user/impluser/service.go
@@ -156,9 +156,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		existingUser.PromoteToRoot()

 		err = s.store.RunInTx(ctx, func(ctx context.Context) error {
-			// update users table
-			deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingUser, types.RoleAdmin)
-			if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
+			if err := s.setter.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 				return err
 			}

@@ -201,8 +199,7 @@ func (s *service) updateExistingRootUser(ctx context.Context, orgID valuer.UUID,

 	if existingRoot.Email != s.config.Email {
 		existingRoot.UpdateEmail(s.config.Email)
-		deprecatedUser := types.NewDeprecatedUserFromUserAndRole(existingRoot, types.RoleAdmin)
-		if err := s.setter.UpdateAnyUser(ctx, orgID, deprecatedUser); err != nil {
+		if err := s.setter.UpdateAnyUser(ctx, orgID, existingRoot); err != nil {
 			return err
 		}
 	}
--- a/pkg/modules/user/impluser/setter.go
+++ b/pkg/modules/user/impluser/setter.go
@@ -220,7 +220,7 @@ func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...
 	return nil
 }

-func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
+func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
 	existingUser, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
@@ -265,7 +265,7 @@ func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id stri
 	existingUser.Update(user.DisplayName, user.Role)

 	// update the user - idempotent (this does analytics too so keeping it outside txn)
-	if err := module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+	if err := module.UpdateAnyUserDeprecated(ctx, orgID, existingUser); err != nil {
 		return nil, err
 	}

@@ -291,7 +291,113 @@ func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, id stri
 	return existingUser, nil
 }

-func (module *setter) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error {
+func (module *setter) UpdateMyUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableSelfUser) (*types.User, error) {
+	existingUser, err := module.getter.GetUserByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := existingUser.ErrIfRoot(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update root user")
+	}
+
+	if err := existingUser.ErrIfDeleted(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
+	}
+
+	existingUser.Update(updatable.DisplayName)
+	if err := module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+		return nil, err
+	}
+
+	return existingUser, nil
+}
+
+func (module *setter) UpdateUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableUser, updatedBy valuer.UUID) (*types.User, error) {
+	existingUser, err := module.getter.GetUserByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := existingUser.ErrIfRoot(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update root user")
+	}
+
+	if err := existingUser.ErrIfDeleted(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
+	}
+
+	existingUserRoles, err := module.getter.GetUserRoles(ctx, existingUser.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	existingUserRoleNames := roleNamesFromUserRoles(existingUserRoles)
+
+	var grants, revokes []string
+	var rolesChanged bool
+	if len(updatable.RoleNames) > 0 {
+		// validate that all requested role names exist before making any changes
+		_, err := module.authz.ListByOrgIDAndNames(ctx, orgID, updatable.RoleNames)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	grants, revokes = module.patchRolesNames(existingUserRoleNames, updatable.RoleNames)
+	rolesChanged = (len(grants) > 0) || (len(revokes) > 0)
+
+	if rolesChanged && existingUser.ID == updatedBy {
+		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot change self roles")
+	}
+
+	if rolesChanged {
+		err = module.authz.ModifyGrant(
+			ctx,
+			orgID,
+			revokes,
+			grants,
+			authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil),
+		)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	existingUser.Update(updatable.DisplayName)
+
+	if err := module.UpdateAnyUser(ctx, existingUser.OrgID, existingUser); err != nil {
+		return nil, err
+	}
+
+	if rolesChanged {
+		// this by default runs in txn
+		if err := module.UpdateUserRoles(ctx, existingUser.OrgID, existingUser.ID, updatable.RoleNames); err != nil {
+			return nil, err
+		}
+	}
+
+	return existingUser, nil
+}
+
+func (module *setter) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+		return err
+	}
+
+	if err := module.tokenizer.DeleteIdentity(ctx, user.ID); err != nil {
+		return err
+	}
+
+	// stats collector things
+	traits := types.NewTraitsFromUser(user)
+	module.analytics.IdentifyUser(ctx, user.OrgID.String(), user.ID.String(), traits)
+	module.analytics.TrackUser(ctx, user.OrgID.String(), user.ID.String(), "User Updated", traits)
+
+	return nil
+}
+
+func (module *setter) UpdateAnyUserDeprecated(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error {
 	user := types.NewUserFromDeprecatedUser(deprecateUser)
 	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
 		return err
@@ -801,13 +907,17 @@ func (module *setter) activatePendingUser(ctx context.Context, user *types.User,

 func (module *setter) UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error {
 	return module.store.RunInTx(ctx, func(ctx context.Context) error {
-		// delete old user_role entries and create new ones from SSO
+		// delete old user_role entries
 		if err := module.userRoleStore.DeleteUserRoles(ctx, userID); err != nil {
 			return err
 		}

-		// create fresh ones
-		return module.createUserRoleEntries(ctx, orgID, userID, finalRoleNames)
+		// create fresh ones only if there are roles to assign
+		if len(finalRoleNames) > 0 {
+			return module.createUserRoleEntries(ctx, orgID, userID, finalRoleNames)
+		}
+
+		return nil
 	})
 }

@@ -820,3 +930,33 @@ func roleNamesFromUserRoles(userRoles []*authtypes.UserRole) []string {
 	}
 	return names
 }
+
+func (module *setter) patchRolesNames(currentRolesNames, targetRoleNames []string) ([]string, []string) {
+	currentRolesSet := make(map[string]struct{}, len(currentRolesNames))
+	targetRolesSet := make(map[string]struct{}, len(targetRoleNames))
+
+	for _, role := range currentRolesNames {
+		currentRolesSet[role] = struct{}{}
+	}
+	for _, role := range targetRoleNames {
+		targetRolesSet[role] = struct{}{}
+	}
+
+	// additions: roles present in input but not in current
+	additions := []string{}
+	for _, role := range targetRoleNames {
+		if _, exists := currentRolesSet[role]; !exists {
+			additions = append(additions, role)
+		}
+	}
+
+	// deletions: roles present in current but not in input
+	deletions := []string{}
+	for _, role := range currentRolesNames {
+		if _, exists := targetRolesSet[role]; !exists {
+			deletions = append(deletions, role)
+		}
+	}
+
+	return additions, deletions
+}
--- a/pkg/modules/user/impluser/store.go
+++ b/pkg/modules/user/impluser/store.go
@@ -667,3 +667,22 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID

 	return users, nil
 }
+
+func (store *store) GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error) {
+	users := []*types.User{}
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&users).
+		Join(`JOIN user_role ON user_role.user_id = "users".id`).
+		Where(`"users".org_id = ?`, orgID).
+		Where("user_role.role_id = ?", roleID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
--- a/pkg/modules/user/user.go
+++ b/pkg/modules/user/user.go
@@ -34,10 +34,13 @@ type Setter interface {
 	// Initiate forgot password flow for a user
 	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error

-	UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)
+	UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)
+	UpdateMyUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableSelfUser) (*types.User, error)
+	UpdateUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableUser, updatedBy valuer.UUID) (*types.User, error)

 	// UpdateAnyUser updates a user and persists the changes to the database along with the analytics and identity deletion.
-	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.DeprecatedUser) error
+	UpdateAnyUserDeprecated(ctx context.Context, orgID valuer.UUID, deprecateUser *types.DeprecatedUser) error
+	UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error

 	// invite
@@ -60,11 +63,13 @@ type Getter interface {
 	// Get root user by org id.
 	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, []*authtypes.UserRole, error)

-	// Get gets the users based on the given id
-	ListByOrgID(context.Context, valuer.UUID) ([]*types.DeprecatedUser, error)
+	// Get gets the users based on the given org id
+	ListByOrgIDDeprecated(context.Context, valuer.UUID) ([]*types.DeprecatedUser, error)
+	ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)

 	// Get deprecated user object by orgID and id.
 	GetDeprecatedUserByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.DeprecatedUser, error)
+	GetUserByOrgIDAndID(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) (*types.User, error)

 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.DeprecatedUser, error)
@@ -86,6 +91,9 @@ type Getter interface {

 	// Gets user_role with roles entries from db
 	GetUserRoles(ctx context.Context, userID valuer.UUID) ([]*authtypes.UserRole, error)
+
+	// Gets all the user with role using role id in an org id
+	GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*types.User, error)
 }

 type Handler interface {
@@ -93,11 +101,19 @@ type Handler interface {
 	CreateInvite(http.ResponseWriter, *http.Request)
 	CreateBulkInvite(http.ResponseWriter, *http.Request)

+	// users
+	ListUsersDeprecated(http.ResponseWriter, *http.Request)
 	ListUsers(http.ResponseWriter, *http.Request)
+	UpdateUserDeprecated(http.ResponseWriter, *http.Request)
 	UpdateUser(http.ResponseWriter, *http.Request)
 	DeleteUser(http.ResponseWriter, *http.Request)
+	GetUserDeprecated(http.ResponseWriter, *http.Request)
 	GetUser(http.ResponseWriter, *http.Request)
+	GetMyUserDeprecated(http.ResponseWriter, *http.Request)
 	GetMyUser(http.ResponseWriter, *http.Request)
+	UpdateMyUser(http.ResponseWriter, *http.Request)
+	GetUserRoles(http.ResponseWriter, *http.Request)
+	GetUsersByRoleID(http.ResponseWriter, *http.Request)

 	// Reset Password
 	GetResetPasswordToken(http.ResponseWriter, *http.Request)
--- a/pkg/statsreporter/analyticsstatsreporter/provider.go
+++ b/pkg/statsreporter/analyticsstatsreporter/provider.go
@@ -178,7 +178,7 @@ func (provider *provider) Report(ctx context.Context) error {
 		}

 		for _, user := range users {
-			traits := types.NewTraitsFromDeprecatedUser(user)
+			traits := types.NewTraitsFromUser(user)
 			if maxLastObservedAt, ok := maxLastObservedAtPerUserID[user.ID]; ok {
 				traits["auth_token.last_observed_at.max.time"] = maxLastObservedAt.UTC()
 				traits["auth_token.last_observed_at.max.time_unix"] = maxLastObservedAt.Unix()
--- a/pkg/types/authtypes/user_role.go
+++ b/pkg/types/authtypes/user_role.go
@@ -5,13 +5,14 @@ import (
 	"time"

 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )

 var (
 	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
-	ErrCodeUserRolesNotFound      = errors.MustNewCode("user_roles_not_found")
+	ErrCodeUserRolesNotFound     = errors.MustNewCode("user_roles_not_found")
 )

 type UserRole struct {
@@ -47,6 +48,11 @@ func NewUserRoles(userID valuer.UUID, roles []*Role) []*UserRole {
 	return userRoles
 }

+type UserWithRoles struct {
+	*types.User
+	Roles []*Role `json:"roles"`
+}
+
 type UserRoleStore interface {
 	// create user roles in bulk
 	CreateUserRoles(ctx context.Context, userRoles []*UserRole) error
--- a/pkg/types/user.go
+++ b/pkg/types/user.go
@@ -51,6 +51,15 @@ type DeprecatedUser struct {
 	Role Role `json:"role"`
 }

+type UpdatableSelfUser struct {
+	DisplayName string `json:"displayName" required:"true"`
+}
+
+type UpdatableUser struct {
+	DisplayName string   `json:"displayName" required:"true"`
+	RoleNames   []string `json:"roleNames" required:"true" nullable:"false"`
+}
+
 type PostableRegisterOrgAndAdmin struct {
 	Name           string       `json:"name"`
 	Email          valuer.Email `json:"email"`
@@ -298,6 +307,9 @@ type UserStore interface {
 	// Get user by reset password token
 	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)

+	// Get users having role by org id and role id
+	GetUsersByOrgIDAndRoleID(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]*User, error)
+
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error
 }
--- a/tests/integration/fixtures/idputils.py
+++ b/tests/integration/fixtures/idputils.py
@@ -654,19 +654,6 @@ def get_oidc_domain(signoz: types.SigNoz, admin_token: str) -> dict:
    )


-def get_user_by_email(signoz: types.SigNoz, admin_token: str, email: str) -> dict:
-    """Helper to get a user by email."""
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    return next(
-        (user for user in response.json()["data"] if user["email"] == email),
-        None,
-    )
-
-
 def perform_oidc_login(
    signoz: types.SigNoz,  # pylint: disable=unused-argument
    idp: types.TestContainerIDP,
--- a/tests/integration/fixtures/utils.py
+++ b/tests/integration/fixtures/utils.py
@@ -3,6 +3,9 @@ import os
 from typing import Any

 import isodate
+import requests
+
+from fixtures import types


 # parses the given timestamp string from ISO format to datetime.datetime
@@ -31,3 +34,33 @@ def parse_duration(duration: Any) -> datetime.timedelta:
 def get_testdata_file_path(file: str) -> str:
    testdata_dir = os.path.join(os.path.dirname(__file__), "..", "testdata")
    return os.path.join(testdata_dir, file)
+
+
+def get_user_by_email(signoz: types.SigNoz, admin_token: str, email: str) -> dict:
+    """Helper to get a user by email."""
+    headers = {"Authorization": f"Bearer {admin_token}"} if admin_token else {}
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
+        timeout=2,
+        headers=headers,
+    )
+    return next(
+        (user for user in response.json()["data"] if user["email"] == email),
+        None,
+    )
+
+
+def get_user_role_names(signoz: types.SigNoz, admin_token: str, user_id: str) -> list:
+    """Helper to get the user roles by user ID"""
+    headers = {"Authorization": f"Bearer {admin_token}"} if admin_token else {}
+    response = requests.get(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{user_id}/roles"),
+        timeout=2,
+        headers=headers,
+    )
+
+    roles = response.json()["data"]
+    if not roles:
+        return []
+
+    return [role["name"] for role in roles]
--- a/tests/integration/src/callbackauthn/02_saml.py
+++ b/tests/integration/src/callbackauthn/02_saml.py
@@ -12,11 +12,8 @@ from fixtures.auth import (
    USER_ADMIN_PASSWORD,
    add_license,
 )
-from fixtures.idputils import (
-    get_saml_domain,
-    get_user_by_email,
-    perform_saml_login,
-)
+from fixtures.idputils import get_saml_domain, perform_saml_login
+from fixtures.utils import get_user_by_email, get_user_role_names
 from fixtures.types import Operation, SigNoz, TestContainerDocker, TestContainerIDP


@@ -131,26 +128,12 @@ def test_saml_authn(
    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

    # Assert that the user was created in signoz.
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "viewer@saml.integration.test"
-        ),
-        None,
-    )
-
+    found_user = get_user_by_email(signoz, admin_token, "viewer@saml.integration.test")
    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+
+    # Confirm role
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_idp_initiated_saml_authn(
@@ -182,26 +165,14 @@ def test_idp_initiated_saml_authn(
    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

    # Assert that the user was created in signoz.
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
+    found_user = get_user_by_email(
+        signoz, admin_token, "viewer.idp.initiated@saml.integration.test"
    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "viewer.idp.initiated@saml.integration.test"
-        ),
-        None,
-    )
-
    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+
+    # Confirm role
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_update_domain_with_group_mappings(
@@ -271,7 +242,8 @@ def test_saml_role_mapping_single_group_admin(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_saml_role_mapping_single_group_editor(
@@ -297,7 +269,8 @@ def test_saml_role_mapping_single_group_editor(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_saml_role_mapping_multiple_groups_highest_wins(
@@ -327,7 +300,8 @@ def test_saml_role_mapping_multiple_groups_highest_wins(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_saml_role_mapping_explicit_viewer_group(
@@ -354,7 +328,8 @@ def test_saml_role_mapping_explicit_viewer_group(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_role_mapping_unmapped_group_uses_default(
@@ -380,7 +355,8 @@ def test_saml_role_mapping_unmapped_group_uses_default(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_update_domain_with_use_role_claim(
@@ -457,7 +433,8 @@ def test_saml_role_mapping_role_claim_takes_precedence(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_saml_role_mapping_invalid_role_claim_fallback(
@@ -487,7 +464,8 @@ def test_saml_role_mapping_invalid_role_claim_fallback(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_saml_role_mapping_case_insensitive(
@@ -517,7 +495,8 @@ def test_saml_role_mapping_case_insensitive(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_saml_name_mapping(
@@ -545,7 +524,8 @@ def test_saml_name_mapping(
    assert (
        found_user["displayName"] == "Jane"
    )  # We are only mapping the first name here
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_empty_name_fallback(
@@ -570,7 +550,8 @@ def test_saml_empty_name_fallback(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_sso_login_activates_pending_invite_user(
@@ -613,7 +594,8 @@ def test_saml_sso_login_activates_pending_invite_user(
    found_user = get_user_by_email(signoz, admin_token, email)
    assert found_user is not None
    assert found_user["status"] == "active"
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_saml_sso_deleted_user_gets_new_user_on_login(
@@ -680,7 +662,7 @@ def test_saml_sso_deleted_user_gets_new_user_on_login(

    # Verify a NEW active user was auto-provisioned via SSO
    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
        headers={"Authorization": f"Bearer {admin_token}"},
    )
@@ -694,4 +676,7 @@ def test_saml_sso_deleted_user_gets_new_user_on_login(
    )
    assert found_user is not None
    assert found_user["status"] == "active"
-    assert found_user["role"] == "VIEWER"  # default role from SSO domain config
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert (
+        "signoz-viewer" in found_user_role_names
+    )  # default role from SSO domain config
--- a/tests/integration/src/callbackauthn/03_oidc.py
+++ b/tests/integration/src/callbackauthn/03_oidc.py
@@ -11,11 +11,8 @@ from fixtures.auth import (
    USER_ADMIN_PASSWORD,
    add_license,
 )
-from fixtures.idputils import (
-    get_oidc_domain,
-    get_user_by_email,
-    perform_oidc_login,
-)
+from fixtures.idputils import get_oidc_domain, perform_oidc_login
+from fixtures.utils import get_user_by_email, get_user_role_names
 from fixtures.types import Operation, SigNoz, TestContainerDocker, TestContainerIDP


@@ -112,26 +109,12 @@ def test_oidc_authn(
    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

    # Assert that the user was created in signoz.
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "viewer@oidc.integration.test"
-        ),
-        None,
-    )
-
+    found_user = get_user_by_email(signoz, admin_token, "viewer@oidc.integration.test")
    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+
+    # Confirm role
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_oidc_update_domain_with_group_mappings(
@@ -208,7 +191,8 @@ def test_oidc_role_mapping_single_group_admin(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_oidc_role_mapping_single_group_editor(
@@ -234,7 +218,8 @@ def test_oidc_role_mapping_single_group_editor(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_oidc_role_mapping_multiple_groups_highest_wins(
@@ -264,7 +249,8 @@ def test_oidc_role_mapping_multiple_groups_highest_wins(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_oidc_role_mapping_explicit_viewer_group(
@@ -291,7 +277,8 @@ def test_oidc_role_mapping_explicit_viewer_group(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_oidc_role_mapping_unmapped_group_uses_default(
@@ -317,7 +304,8 @@ def test_oidc_role_mapping_unmapped_group_uses_default(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names


 def test_oidc_update_domain_with_use_role_claim(
@@ -397,7 +385,8 @@ def test_oidc_role_mapping_role_claim_takes_precedence(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_oidc_role_mapping_invalid_role_claim_fallback(
@@ -429,7 +418,8 @@ def test_oidc_role_mapping_invalid_role_claim_fallback(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_oidc_role_mapping_case_insensitive(
@@ -459,7 +449,8 @@ def test_oidc_role_mapping_case_insensitive(
    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names


 def test_oidc_name_mapping(
@@ -482,20 +473,13 @@ def test_oidc_name_mapping(
    )

    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=5,
-    )
-
-    assert response.status_code == HTTPStatus.OK
-    users = response.json()["data"]
-    found_user = next((u for u in users if u["email"] == email), None)
+    found_user = get_user_by_email(signoz, admin_token, email)

    assert found_user is not None
    # Keycloak concatenates firstName + lastName into "name" claim
    assert found_user["displayName"] == "John Doe"
-    assert found_user["role"] == "VIEWER"  # Default role
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names  # Default role


 def test_oidc_empty_name_uses_fallback(
@@ -518,19 +502,12 @@ def test_oidc_empty_name_uses_fallback(
    )

    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        headers={"Authorization": f"Bearer {admin_token}"},
-        timeout=5,
-    )
-
-    assert response.status_code == HTTPStatus.OK
-    users = response.json()["data"]
-    found_user = next((u for u in users if u["email"] == email), None)
+    found_user = get_user_by_email(signoz, admin_token, email)

    # User should still be created even with empty name
    assert found_user is not None
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names
    # Note: displayName may be empty - this is a known limitation


@@ -570,16 +547,9 @@ def test_oidc_sso_login_activates_pending_invite_user(
        signoz, idp, driver, get_session_context, idp_login, email, "password123"
    )

-    # User should be active with ADMIN role from invite, not VIEWER from SSO
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    found_user = next(
-        (user for user in response.json()["data"] if user["email"] == email),
-        None,
-    )
+    # User should be active with VIEWER role from SSO
+    found_user = get_user_by_email(signoz, admin_token, email)
    assert found_user is not None
    assert found_user["status"] == "active"
-    assert found_user["role"] == "VIEWER"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-viewer" in found_user_role_names
--- a/tests/integration/src/passwordauthn/01_register.py
+++ b/tests/integration/src/passwordauthn/01_register.py
@@ -5,6 +5,7 @@ import requests

 from fixtures import types
 from fixtures.logger import setup_logger
+from fixtures.utils import get_user_by_email, get_user_role_names

 logger = setup_logger(__name__)

@@ -74,31 +75,10 @@ def test_register(signoz: types.SigNoz, get_token: Callable[[str, str], str]) ->

    admin_token = get_token("admin@integration.test", "password123Z$")

-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "admin@integration.test"),
-        None,
-    )
-
+    found_user = get_user_by_email(signoz, admin_token, "admin@integration.test")
    assert found_user is not None
-    assert found_user["role"] == "ADMIN"
-
-    response = requests.get(
-        signoz.self.host_configs["8080"].get(f"/api/v1/user/{found_user["id"]}"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-    assert response.json()["data"]["role"] == "ADMIN"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-admin" in found_user_role_names


 def test_invite_and_register(
@@ -120,21 +100,11 @@ def test_invite_and_register(
    assert invited_user["role"] == "EDITOR"

    # Verify the user user appears in the users list but as pending_invite status
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "editor@integration.test"),
-        None,
-    )
+    found_user = get_user_by_email(signoz, admin_token, "editor@integration.test")
    assert found_user is not None
    assert found_user["status"] == "pending_invite"
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names

    reset_token = invited_user["token"]

@@ -152,7 +122,7 @@ def test_invite_and_register(

    # Verify that an admin endpoint cannot be called by the editor user
    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
        headers={"Authorization": f"Bearer {editor_token}"},
    )
@@ -160,24 +130,12 @@ def test_invite_and_register(
    assert response.status_code == HTTPStatus.FORBIDDEN

    # Verify that the editor user status has been updated to ACTIVE
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={
-            "Authorization": f"Bearer {get_token("admin@integration.test", "password123Z$")}"
-        },
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "editor@integration.test"),
-        None,
-    )
+    admin_token = get_token("admin@integration.test", "password123Z$")
+    found_user = get_user_by_email(signoz, admin_token, "editor@integration.test")

    assert found_user is not None
-    assert found_user["role"] == "EDITOR"
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names
    assert found_user["displayName"] == "editor"
    assert found_user["email"] == "editor@integration.test"
    assert found_user["status"] == "active"
@@ -221,25 +179,7 @@ def test_self_access(
 ) -> None:
    admin_token = get_token("admin@integration.test", "password123Z$")

-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "editor@integration.test"),
-        None,
-    )
-
-    response = requests.get(
-        signoz.self.host_configs["8080"].get(f"/api/v1/user/{found_user['id']}"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-    assert response.json()["data"]["role"] == "EDITOR"
+    found_user = get_user_by_email(signoz, admin_token, "editor@integration.test")
+    assert found_user is not None
+    found_user_role_names = get_user_role_names(signoz, admin_token, found_user["id"])
+    assert "signoz-editor" in found_user_role_names
--- a/tests/integration/src/passwordauthn/03_apikey.py
+++ b/tests/integration/src/passwordauthn/03_apikey.py
@@ -26,7 +26,7 @@ def test_api_key(signoz: types.SigNoz, get_token: Callable[[str, str], str]) ->
    assert "token" in pat_response["data"]

    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
        headers={"SIGNOZ-API-KEY": f"{pat_response["data"]["token"]}"},
    )
@@ -85,7 +85,7 @@ def test_api_key_role(
    assert "token" in pat_response["data"]

    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
        headers={"SIGNOZ-API-KEY": f"{pat_response["data"]["token"]}"},
    )
@@ -109,7 +109,7 @@ def test_api_key_role(
    assert "token" in pat_response["data"]

    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
        headers={"SIGNOZ-API-KEY": f"{pat_response["data"]["token"]}"},
    )
--- a/tests/integration/src/passwordauthn/04_password.py
+++ b/tests/integration/src/passwordauthn/04_password.py
@@ -6,6 +6,7 @@ from sqlalchemy import sql

 from fixtures import types
 from fixtures.logger import setup_logger
+from fixtures.utils import get_user_by_email

 logger = setup_logger(__name__)

@@ -35,23 +36,10 @@ def test_change_password(
    assert response.status_code == HTTPStatus.NO_CONTENT

    # Get the user id
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "admin+password@integration.test"
-        ),
-        None,
+    found_user = get_user_by_email(
+        signoz, admin_token, "admin+password@integration.test"
    )
+    assert found_user is not None

    # Try logging in with the password
    token = get_token("admin+password@integration.test", "password123Z$")
@@ -100,23 +88,10 @@ def test_reset_password(
    admin_token = get_token("admin@integration.test", "password123Z$")

    # Get the user id for admin+password@integration.test
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "admin+password@integration.test"
-        ),
-        None,
+    found_user = get_user_by_email(
+        signoz, admin_token, "admin+password@integration.test"
    )
+    assert found_user is not None

    response = requests.get(
        signoz.self.host_configs["8080"].get(
@@ -158,23 +133,10 @@ def test_reset_password_with_no_password(
    admin_token = get_token("admin@integration.test", "password123Z$")

    # Get the user id for admin+password@integration.test
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-
-    assert response.status_code == HTTPStatus.OK
-
-    user_response = response.json()["data"]
-    found_user = next(
-        (
-            user
-            for user in user_response
-            if user["email"] == "admin+password@integration.test"
-        ),
-        None,
+    found_user = get_user_by_email(
+        signoz, admin_token, "admin+password@integration.test"
    )
+    assert found_user is not None

    with signoz.sqlstore.conn.connect() as conn:
        result = conn.execute(
@@ -305,17 +267,7 @@ def test_forgot_password_creates_reset_token(

    # Verify reset password token was created by querying the database
    # First, get the user ID
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.OK
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "forgot@integration.test"),
-        None,
-    )
+    found_user = get_user_by_email(signoz, admin_token, "forgot@integration.test")
    assert found_user is not None

    reset_token = None
@@ -371,17 +323,7 @@ def test_reset_password_with_expired_token(
    admin_token = get_token("admin@integration.test", "password123Z$")

    # Get user ID for the forgot@integration.test user
-    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
-        timeout=2,
-        headers={"Authorization": f"Bearer {admin_token}"},
-    )
-    assert response.status_code == HTTPStatus.OK
-    user_response = response.json()["data"]
-    found_user = next(
-        (user for user in user_response if user["email"] == "forgot@integration.test"),
-        None,
-    )
+    found_user = get_user_by_email(signoz, admin_token, "forgot@integration.test")
    assert found_user is not None

    # Get org ID
--- a/tests/integration/src/passwordauthn/05_role.py
+++ b/tests/integration/src/passwordauthn/05_role.py
@@ -4,6 +4,7 @@ from typing import Callable, Tuple
 import requests

 from fixtures import types
+from fixtures.utils import get_user_role_names


 def test_change_role(
@@ -40,7 +41,7 @@ def test_change_role(
    )

    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        timeout=2,
        headers={"Authorization": f"Bearer {new_user_token}"},
    )
@@ -60,20 +61,20 @@ def test_change_role(

    # Change the new user's role - move to ADMIN
    response = requests.put(
-        signoz.self.host_configs["8080"].get(f"/api/v1/user/{new_user_id}"),
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{new_user_id}"),
        json={
            "displayName": "role change user",
-            "role": "ADMIN",
+            "roleNames": ["signoz-admin"],
        },
        headers={"Authorization": f"Bearer {admin_token}"},
        timeout=2,
    )

-    assert response.status_code == HTTPStatus.OK
+    assert response.status_code == HTTPStatus.NO_CONTENT

    # Make some API calls again
    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        timeout=2,
        headers={"Authorization": f"Bearer {new_user_token}"},
    )
@@ -106,3 +107,302 @@ def test_change_role(
    )

    assert response.status_code == HTTPStatus.OK
+
+
+def test_remove_all_roles(
+    signoz: types.SigNoz,
+    get_token: Callable[[str, str], str],
+    get_tokens: Callable[[str, str], Tuple[str, str]],
+):
+    admin_token = get_token("admin@integration.test", "password123Z$")
+
+    # Create a new user as EDITOR
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": "admin+noroles@integration.test", "role": "EDITOR"},
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
+
+    # Activate user via reset password
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Login and get user id
+    new_user_token, new_user_refresh_token = get_tokens(
+        "admin+noroles@integration.test", "password123Z$"
+    )
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.OK
+    new_user_id = response.json()["data"]["id"]
+
+    # Validate the user has the editor role
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert role_names is not None
+    assert "signoz-editor" in role_names
+
+    # Remove all roles
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{new_user_id}"),
+        json={
+            "displayName": "no roles user",
+            "roleNames": [],
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Validate the user has no roles
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert role_names is None or len(role_names) == 0
+
+    # Old token should be invalidated after role change
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.UNAUTHORIZED
+
+    # Token rotation should also fail for a user with no roles
+    # (the session endpoint requires roles to build an identity)
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v2/sessions/rotate"),
+        json={
+            "refreshToken": new_user_refresh_token,
+        },
+        headers={"Authorization": f"Bearer {new_user_token}"},
+        timeout=2,
+    )
+    assert (
+        response.status_code != HTTPStatus.OK
+    ), "token rotation should fail for user with no roles"
+
+
+def test_multiple_roles(
+    signoz: types.SigNoz,
+    get_token: Callable[[str, str], str],
+    get_tokens: Callable[[str, str], Tuple[str, str]],
+):
+    admin_token = get_token("admin@integration.test", "password123Z$")
+
+    # Create a new user as VIEWER
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/invite"),
+        json={"email": "admin+multirole@integration.test", "role": "VIEWER"},
+        timeout=2,
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == HTTPStatus.CREATED
+
+    invited_user = response.json()["data"]
+    reset_token = invited_user["token"]
+
+    # Activate user via reset password
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v1/resetPassword"),
+        json={"password": "password123Z$", "token": reset_token},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Login and get user id
+    new_user_token, new_user_refresh_token = get_tokens(
+        "admin+multirole@integration.test", "password123Z$"
+    )
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.OK
+    new_user_id = response.json()["data"]["id"]
+
+    # Validate user starts with viewer role
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert role_names is not None
+    assert role_names == [
+        "signoz-viewer"
+    ], f"expected ['signoz-viewer'], got {role_names}"
+
+    # As viewer, admin-only APIs should be forbidden
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/org/preferences"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    # Assign multiple roles: editor + viewer
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{new_user_id}"),
+        json={
+            "displayName": "multi role user",
+            "roleNames": ["signoz-editor", "signoz-viewer"],
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    # Validate user has both roles
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert role_names is not None
+    assert sorted(role_names) == [
+        "signoz-editor",
+        "signoz-viewer",
+    ], f"expected ['signoz-editor', 'signoz-viewer'], got {sorted(role_names)}"
+
+    # Rotate token to pick up new roles
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v2/sessions/rotate"),
+        json={"refreshToken": new_user_refresh_token},
+        headers={"Authorization": f"Bearer {new_user_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    rotate_response = response.json()["data"]
+    new_user_token = rotate_response["accessToken"]
+    new_user_refresh_token = rotate_response["refreshToken"]
+
+    # Verify /me includes both roles
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.OK
+    me_role_names = sorted(r["name"] for r in response.json()["data"]["roles"])
+    assert me_role_names == [
+        "signoz-editor",
+        "signoz-viewer",
+    ], f"expected ['signoz-editor', 'signoz-viewer'] in /me, got {me_role_names}"
+
+    # Editor+viewer still cannot access admin-only APIs
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/org/preferences"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    # Assign all three roles including admin
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{new_user_id}"),
+        json={
+            "displayName": "multi role user",
+            "roleNames": ["signoz-admin", "signoz-editor", "signoz-viewer"],
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert sorted(role_names) == [
+        "signoz-admin",
+        "signoz-editor",
+        "signoz-viewer",
+    ], f"expected all three roles, got {sorted(role_names)}"
+
+    # Rotate token to pick up admin role
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v2/sessions/rotate"),
+        json={"refreshToken": new_user_refresh_token},
+        headers={"Authorization": f"Bearer {new_user_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    rotate_response = response.json()["data"]
+    new_user_token = rotate_response["accessToken"]
+    new_user_refresh_token = rotate_response["refreshToken"]
+
+    # Now with admin role, admin-only APIs should succeed
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/org/preferences"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    # Reduce back to single viewer role
+    response = requests.put(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{new_user_id}"),
+        json={
+            "displayName": "multi role user",
+            "roleNames": ["signoz-viewer"],
+        },
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.NO_CONTENT
+
+    role_names = get_user_role_names(signoz, admin_token, new_user_id)
+    assert role_names == [
+        "signoz-viewer"
+    ], f"expected ['signoz-viewer'] after reduction, got {role_names}"
+
+    # Rotate token to pick up reduced roles
+    response = requests.post(
+        signoz.self.host_configs["8080"].get("/api/v2/sessions/rotate"),
+        json={"refreshToken": new_user_refresh_token},
+        headers={"Authorization": f"Bearer {new_user_token}"},
+        timeout=2,
+    )
+    assert response.status_code == HTTPStatus.OK
+
+    rotate_response = response.json()["data"]
+    new_user_token = rotate_response["accessToken"]
+
+    # After reducing to viewer, admin-only APIs should be forbidden again
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v1/org/preferences"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
+
+    response = requests.get(
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
+        timeout=2,
+        headers={"Authorization": f"Bearer {new_user_token}"},
+    )
+    assert response.status_code == HTTPStatus.FORBIDDEN
--- a/tests/integration/src/role/01_register.py
+++ b/tests/integration/src/role/01_register.py
@@ -52,7 +52,7 @@ def test_root_user_signoz_admin_assignment(

    # Get the user from the /user/me endpoint and extract the id
    user_response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        headers={"Authorization": f"Bearer {admin_token}"},
        timeout=2,
    )
--- a/tests/integration/src/role/02_user.py
+++ b/tests/integration/src/role/02_user.py
@@ -47,7 +47,7 @@ def test_user_invite_accept_role_grant(
    # Login with editor email and password
    editor_token = get_token(USER_EDITOR_EMAIL, USER_EDITOR_PASSWORD)
    user_me_response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        headers={"Authorization": f"Bearer {editor_token}"},
        timeout=2,
    )
@@ -102,7 +102,7 @@ def test_user_update_role_grant(
    # Get the editor user's id
    editor_token = get_token(USER_EDITOR_EMAIL, USER_EDITOR_PASSWORD)
    user_me_response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        headers={"Authorization": f"Bearer {editor_token}"},
        timeout=2,
    )
@@ -121,14 +121,14 @@ def test_user_update_role_grant(
    org_id = roles_data[0]["orgId"]

    # Update the user's role to viewer
-    update_payload = {"role": "VIEWER"}
+    update_payload = {"roleNames": ["signoz-viewer"]}
    update_response = requests.put(
-        signoz.self.host_configs["8080"].get(f"/api/v1/user/{editor_id}"),
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{editor_id}"),
        json=update_payload,
        headers={"Authorization": f"Bearer {admin_token}"},
        timeout=2,
    )
-    assert update_response.status_code == HTTPStatus.OK
+    assert update_response.status_code == HTTPStatus.NO_CONTENT

    # Check that user no longer has the editor role in the db
    with signoz.sqlstore.conn.connect() as conn:
@@ -179,7 +179,7 @@ def test_user_delete_role_revoke(
    # login with editor to get the user_id and check if user exists
    editor_token = get_token(USER_EDITOR_EMAIL, USER_EDITOR_PASSWORD)
    user_me_response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user/me"),
+        signoz.self.host_configs["8080"].get("/api/v2/users/me"),
        headers={"Authorization": f"Bearer {editor_token}"},
        timeout=2,
    )
--- a/tests/integration/src/rootuser/01_rootuser.py
+++ b/tests/integration/src/rootuser/01_rootuser.py
@@ -14,7 +14,7 @@ def test_root_user_created(signoz: types.SigNoz) -> None:
    The root user service reconciles asynchronously after startup.

    Phase 1: Poll /api/v1/version until setupCompleted=true.
-    Phase 2: Poll /api/v1/user until it returns 200, confirming the root
+    Phase 2: Poll /api/v2/users until it returns 200, confirming the root
             user actually exists and the impersonation provider works.
    """
    # Phase 1: wait for setupCompleted
@@ -39,13 +39,13 @@ def test_root_user_created(signoz: types.SigNoz) -> None:
    # Phase 2: wait for root user to be fully resolved
    for attempt in range(15):
        response = requests.get(
-            signoz.self.host_configs["8080"].get("/api/v1/user"),
+            signoz.self.host_configs["8080"].get("/api/v2/users"),
            timeout=2,
        )
        if response.status_code == HTTPStatus.OK:
            return
        logger.info(
-            "Attempt %s: /api/v1/user returned %s, retrying ...",
+            "Attempt %s: /api/v2/users returned %s, retrying ...",
            attempt + 1,
            response.status_code,
        )
--- a/tests/integration/src/rootuser/02_impersonation.py
+++ b/tests/integration/src/rootuser/02_impersonation.py
@@ -4,6 +4,7 @@ import requests

 from fixtures import types
 from fixtures.logger import setup_logger
+from fixtures.utils import get_user_role_names

 logger = setup_logger(__name__)

@@ -32,7 +33,7 @@ def test_impersonated_user_is_admin(signoz: types.SigNoz) -> None:
    Listing users is an admin-only endpoint.
    """
    response = requests.get(
-        signoz.self.host_configs["8080"].get("/api/v1/user"),
+        signoz.self.host_configs["8080"].get("/api/v2/users"),
        timeout=2,
    )

@@ -46,4 +47,5 @@ def test_impersonated_user_is_admin(signoz: types.SigNoz) -> None:
        None,
    )
    assert root_user is not None
-    assert root_user["role"] == "ADMIN"
+    root_user_role_names = get_user_role_names(signoz, None, root_user["id"])
+    assert "signoz-admin" in root_user_role_names
Author	SHA1	Message	Date
Karan Balani	083a33e781	test: integration tests now use v2 user apis	2026-03-24 18:21:17 +05:30
Karan Balani	d0de617e0b	fix: openapi specs	2026-03-24 18:20:15 +05:30
Karan Balani	6fa418c72f	feat: user v2 apis	2026-03-24 18:20:15 +05:30