fix: cleanup

* fix(user): increase expiry for reset password token for invites

* fix(user): increase expiry for reset password token for invites

* fix(user): increase expiry for reset password token for invites

* fix(user): increase expiry for reset password token for invites

conf/example.yaml

@@ -308,6 +308,9 @@ user:
       allow_self: true
       # The duration within which a user can reset their password.
       max_token_lifetime: 6h
+    invite:
+      # The duration within which a user can accept their invite.
+      max_token_lifetime: 48h
   root:
     # Whether to enable the root user. When enabled, a root user is provisioned
     # on startup using the email and password below. The root user cannot be

ee/query-service/app/api/cloudIntegrations.go

@@ -10,8 +10,6 @@ import (
 	"strings"
 	"time"
 
-	"log/slog"
-
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -20,6 +18,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
+	"log/slog"
 )
 
 type CloudIntegrationConnectionParamsResponse struct {
@@ -170,7 +169,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
 
-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, []string{authtypes.SigNozViewerRoleName}, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}

pkg/apiserver/signozapiserver/user.go

@@ -186,7 +186,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.User, 0),
+		Response:            make([]*types.GettableUser, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -203,7 +203,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.User),
+		Response:            new(types.GettableUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -220,7 +220,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.User),
+		Response:            new(types.GettableUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -237,7 +237,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint updates the user by id",
 		Request:             new(types.User),
 		RequestContentType:  "application/json",
-		Response:            new(types.User),
+		Response:            new(types.GettableUser),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

pkg/authn/authnstore/sqlauthnstore/store.go

@@ -17,8 +17,8 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error) {
-	user := new(types.StorableUser)
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
+	user := new(types.User)
 	factorPassword := new(types.FactorPassword)
 
 	err := store.

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
-	return authtypes.NewIdentity(user.ID, orgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), nil
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), nil
 }

pkg/modules/session/implsession/module.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/authn"
-	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -29,10 +28,9 @@ type module struct {
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
-	authz      authz.AuthZ
 }
 
-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, authz authz.AuthZ) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
@@ -41,7 +39,6 @@ func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.A
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
 		orgGetter:  orgGetter,
-		authz:      authz,
 	}
 }
 
@@ -145,15 +142,9 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	}
 
 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
-	legacyRole, managedRoles := roleMapping.ManagedRolesFromCallbackIdentity(callbackIdentity)
+	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
 
-	// pass only valid or fallback to viewer
-	validRoles, err := module.resolveValidRoles(ctx, callbackIdentity.OrgID, managedRoles, callbackIdentity.Email)
-	if err != nil {
-		return "", err
-	}
-
-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, legacyRole, validRoles, callbackIdentity.OrgID, types.UserStatusActive)
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}
@@ -167,7 +158,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}
 
-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), map[string]string{})
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), map[string]string{})
 	if err != nil {
 		return "", err
 	}
@@ -231,38 +222,3 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma
 
 	return provider, nil
 }
-
-// resolveValidRoles validates role names against the database
-// returns only roles that exist. If none are valid, falls back to signoz-viewer role
-func (module *module) resolveValidRoles(ctx context.Context, orgID valuer.UUID, roles []string, email valuer.Email) ([]string, error) {
-	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, roles)
-	if err != nil {
-		return nil, err
-	}
-
-	validRoles := make([]string, 0, len(storableRoles))
-	validSet := make(map[string]struct{})
-	for _, sr := range storableRoles {
-		validRoles = append(validRoles, sr.Name)
-		validSet[sr.Name] = struct{}{}
-	}
-
-	// log ignored roles
-	if len(validRoles) < len(roles) {
-		var ignored []string
-		for _, r := range roles {
-			if _, ok := validSet[r]; !ok {
-				ignored = append(ignored, r)
-			}
-		}
-		module.settings.Logger().WarnContext(ctx, "ignoring non-existent roles from SSO mapping", "ignored_roles", ignored, "email", email)
-	}
-
-	// fallback to viewer if no valid roles
-	if len(validRoles) == 0 {
-		module.settings.Logger().WarnContext(ctx, "no valid roles from SSO mapping, falling back to viewer", "email", email)
-		validRoles = []string{authtypes.SigNozViewerRoleName}
-	}
-
-	return validRoles, nil
-}

pkg/modules/tracefunnel/impltracefunnel/module.go

@@ -30,7 +30,7 @@ func (module *module) Create(ctx context.Context, timestamp int64, name string,
 	funnel.CreatedBy = userID.String()
 
 	// Set up the user relationship
-	funnel.CreatedByUser = &types.StorableUser{
+	funnel.CreatedByUser = &types.User{
 		Identifiable: types.Identifiable{
 			ID: userID,
 		},

pkg/modules/user/config.go

@@ -27,7 +27,12 @@ type OrgConfig struct {
 }
 
 type PasswordConfig struct {
-	Reset ResetConfig `mapstructure:"reset"`
+	Invite InviteConfig `mapstructure:"invite"`
+	Reset  ResetConfig  `mapstructure:"reset"`
+}
+
+type InviteConfig struct {
+	MaxTokenLifetime time.Duration `mapstructure:"max_token_lifetime"`
 }
 
 type ResetConfig struct {
@@ -46,6 +51,9 @@ func newConfig() factory.Config {
 				AllowSelf:        false,
 				MaxTokenLifetime: 6 * time.Hour,
 			},
+			Invite: InviteConfig{
+				MaxTokenLifetime: 48 * time.Hour,
+			},
 		},
 		Root: RootConfig{
 			Enabled: false,
@@ -61,6 +69,10 @@ func (c Config) Validate() error {
 		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::password::reset::max_token_lifetime must be positive")
 	}
 
+	if c.Password.Invite.MaxTokenLifetime <= 0 {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::password::invite::max_token_lifetime must be positive")
+	}
+
 	if c.Root.Enabled {
 		if c.Root.Email.IsZero() {
 			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "user::root::email is required when root user is enabled")

pkg/modules/user/impluser/getter.go

@@ -2,56 +2,78 @@ package impluser
 
 import (
 	"context"
+	"slices"
 
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type getter struct {
-	store types.UserStore
+	store   types.UserStore
+	flagger flagger.Flagger
 }
 
-func NewGetter(store types.UserStore) user.Getter {
-	return &getter{store: store}
+func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
+	return &getter{store: store, flagger: flagger}
+}
+
+func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	return module.store.GetRootUserByOrgID(ctx, orgID)
 }
 
 func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
+	users, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}
 
-	// we are not resolving roles for getter methods
-	users := make([]*types.User, len(storableUsers))
-	for idx, storableUser := range storableUsers {
-		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
+	// filter root users if feature flag `hide_root_users` is true
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
 	}
 
 	return users, nil
 }
 
-func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	storableUser, err := module.store.GetUser(ctx, id)
+func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
+	users, err := module.store.GetUsersByEmail(ctx, email)
 	if err != nil {
 		return nil, err
 	}
 
-	return types.NewUserFromStorable(storableUser, make([]string, 0)), nil
+	return users, nil
+}
+
+func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
+	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
+	user, err := module.store.GetUser(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
 }
 
 func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	storableUsers, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 	if err != nil {
 		return nil, err
 	}
 
-	users := make([]*types.User, len(storableUsers))
-
-	for idx, storableUser := range storableUsers {
-		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
-	}
-
 	return users, nil
 }
 

pkg/modules/user/impluser/handler.go

@@ -169,7 +169,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -188,7 +188,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -207,7 +207,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	users, err := h.module.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.getter.ListByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -270,7 +270,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
-	userID := mux.Vars(r)["id"]
+	id := mux.Vars(r)["id"]
 
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -278,7 +278,13 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
+	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/user/impluser/module.go

@@ -11,103 +11,47 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
+	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
-	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
 )
 
 type Module struct {
-	store         types.UserStore
-	userRoleStore authtypes.UserRoleStore
-	tokenizer     tokenizer.Tokenizer
-	emailing      emailing.Emailing
-	settings      factory.ScopedProviderSettings
-	orgSetter     organization.Setter
-	authz         authz.AuthZ
-	analytics     analytics.Analytics
-	config        root.Config
-	flagger       flagger.Flagger
+	store     types.UserStore
+	tokenizer tokenizer.Tokenizer
+	emailing  emailing.Emailing
+	settings  factory.ScopedProviderSettings
+	orgSetter organization.Setter
+	authz     authz.AuthZ
+	analytics analytics.Analytics
+	config    user.Config
 }
 
 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, userRoleStore authtypes.UserRoleStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, flagger flagger.Flagger) root.Module {
+func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
-		store:         store,
-		userRoleStore: userRoleStore,
-		tokenizer:     tokenizer,
-		emailing:      emailing,
-		settings:      settings,
-		orgSetter:     orgSetter,
-		analytics:     analytics,
-		authz:         authz,
-		config:        config,
-		flagger:       flagger,
+		store:     store,
+		tokenizer: tokenizer,
+		emailing:  emailing,
+		settings:  settings,
+		orgSetter: orgSetter,
+		analytics: analytics,
+		authz:     authz,
+		config:    config,
 	}
 }
 
-// this function gets user with its proper roles populated
-func (m *Module) GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error) {
-	storableUser, err := m.store.GetByOrgIDAndID(ctx, orgID, userID)
-	if err != nil {
-		return nil, err
-	}
-
-	roleNames, err := m.resolveRoleNamesForUser(ctx, userID, storableUser.OrgID)
-	if err != nil {
-		return nil, err
-	}
-
-	user := types.NewUserFromStorable(storableUser, roleNames)
-
-	return user, nil
-}
-
-func (module *Module) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	userIDs := make([]valuer.UUID, len(storableUsers))
-	for idx, storableUser := range storableUsers {
-		userIDs[idx] = storableUser.ID
-	}
-
-	storableUserRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
-	if err != nil {
-		return nil, err
-	}
-
-	userIDToRoleIDs, roleIDs := authtypes.GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles)
-	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
-	if err != nil {
-		return nil, err
-	}
-
-	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
-	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
-
-	if hideRootUsers {
-		storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.IsRoot })
-	}
-
-	users := module.usersFromStorableUsersAndRolesMaps(storableUsers, roles, userIDToRoleIDs)
-
-	return users, nil
-}
-
 func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
 	// get the user by reset password token
-	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
@@ -119,7 +63,7 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 	}
 
 	// query the user again
-	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
+	user, err = m.store.GetByOrgIDAndID(ctx, user.OrgID, user.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -129,12 +73,7 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 
 func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
 	// get the user
-	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
-	if err != nil {
-		return nil, err
-	}
-
-	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
+	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
@@ -148,7 +87,6 @@ func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Inv
 		Email: user.Email,
 		Token: token,
 		Role:  user.Role,
-		Roles: user.Roles,
 		OrgID: user.OrgID,
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: user.CreatedAt,
@@ -168,40 +106,24 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
-	var allRolesFromRequest []string
-	seenRolesFromRequest := make(map[string]struct{})
 	for idx, invite := range bulkInvites.Invites {
 		emails[idx] = invite.Email.StringValue()
-		// for role name validation
-		for _, role := range invite.Roles {
-			if _, ok := seenRolesFromRequest[role]; !ok {
-				seenRolesFromRequest[role] = struct{}{}
-				allRolesFromRequest = append(allRolesFromRequest, role)
-			}
-		}
 	}
-
-	storableUsers, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}
 
-	if len(storableUsers) > 0 {
-		if err := storableUsers[0].ErrIfRoot(); err != nil {
+	if len(users) > 0 {
+		if err := users[0].ErrIfRoot(); err != nil {
 			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
 		}
 
-		if storableUsers[0].Status == types.UserStatusPendingInvite {
-			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", storableUsers[0].Email.StringValue())
+		if users[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
 		}
 
-		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", storableUsers[0].Email.StringValue())
-	}
-
-	// this function returns error if some role is not found by name
-	_, err = m.authz.ListByOrgIDAndNames(ctx, orgID, allRolesFromRequest)
-	if err != nil {
-		return nil, err
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
 	}
 
 	type userWithResetToken struct {
@@ -213,20 +135,25 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, invite.Role,  invite.Roles, orgID, types.UserStatusPendingInvite)
+			role, err := types.NewRole(invite.Role.String())
 			if err != nil {
 				return err
 			}
 
-			// store the user and user_role entries in db
+			// create a new user with pending invite status
+			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			if err != nil {
+				return err
+			}
+
+			// store the user and password in db
 			err = m.createUserWithoutGrant(ctx, newUser)
 			if err != nil {
 				return err
 			}
 
 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.OrgID, newUser.ID)
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
 			if err != nil {
 				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
 				return err
@@ -248,7 +175,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, userWithToken := range newUsersWithResetToken {
 		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_roles": userWithToken.User.Roles,
+			"invitee_role":  userWithToken.User.Role,
 		})
 
 		invite := &types.Invite{
@@ -259,7 +186,6 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
 			Role:  userWithToken.User.Role,
-			Roles: userWithToken.User.Roles,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -277,7 +203,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 		resetLink := userWithToken.ResetPasswordToken.FactorPasswordResetLink(frontendBaseUrl)
 
-		tokenLifetime := m.config.Password.Reset.MaxTokenLifetime
+		tokenLifetime := m.config.Password.Invite.MaxTokenLifetime
 		humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
 
 		if err := m.emailing.SendHTML(ctx, userWithToken.User.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
@@ -293,7 +219,8 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 }
 
 func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	users, err := m.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	// find all the users with pending_invite status
+	users, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
 	if err != nil {
 		return nil, err
 	}
@@ -304,7 +231,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 
 	for _, pUser := range pendingUsers {
 		// get the reset password token
-		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.OrgID, pUser.ID)
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.ID)
 		if err != nil {
 			return nil, err
 		}
@@ -318,7 +245,6 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 			Email: pUser.Email,
 			Token: resetPasswordToken.Token,
 			Role:  pUser.Role,
-			Roles: pUser.Roles,
 			OrgID: pUser.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: pUser.CreatedAt,
@@ -333,27 +259,16 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 }
 
 func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
-	// validate the roles
-	_, err := module.authz.ListByOrgIDAndNames(ctx, input.OrgID, input.Roles)
-	if err != nil {
-		return err
-	}
-
-	// since assign is idempotant multiple calls to assign won't cause issues in case of retries, also we cannot run this in a transaction for now
-	err = module.authz.Grant(ctx, input.OrgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
-	if err != nil {
-		return err
-	}
-
 	createUserOpts := root.NewCreateUserOptions(opts...)
 
-	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
-			return err
-		}
+	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
+	err := module.authz.Grant(ctx, input.OrgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	if err != nil {
+		return err
+	}
 
-		// create user_role junction entries
-		if err := module.createUserRoleEntries(ctx, input); err != nil {
+	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.CreateUser(ctx, input); err != nil {
 			return err
 		}
 
@@ -376,7 +291,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 }
 
 func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
+	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -393,21 +308,18 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update pending user")
 	}
 
-	requestor, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(updatedBy))
+	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}
 
-	grants, revokes := existingUser.PatchRoles(user.Roles)
-	rolesChanged := (len(grants) > 0) || (len(revokes) > 0)
-
-	if rolesChanged && !slices.Contains(requestor.Roles, authtypes.SigNozAdminRoleName) {
+	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}
 
 	// Make sure that the request is not demoting the last admin user.
-	if rolesChanged && slices.Contains(existingUser.Roles, authtypes.SigNozAdminRoleName) && !slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
-		adminUsers, err := m.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
+	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
+		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -417,49 +329,28 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}
 
-	if rolesChanged {
-		// can't run in txn
-		err = m.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	if user.Role != "" && user.Role != existingUser.Role {
+		err = m.authz.ModifyGrant(ctx,
+			orgID,
+			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
+			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
+		)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	existingUser.Update(user.DisplayName, user.Role, user.Roles)
-	if rolesChanged {
-		err = m.store.RunInTx(ctx, func(ctx context.Context) error {
-			// update the user
-			if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-				return err
-			}
-
-			// delete old role entries and create new ones
-			if err := m.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
-				return err
-			}
-
-			// create new ones
-			if err := m.createUserRoleEntries(ctx, existingUser); err != nil {
-				return err
-			}
-			return nil
-		})
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// persist display name change even when roles haven't changed
-		if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-			return nil, err
-		}
+	existingUser.Update(user.DisplayName, user.Role)
+	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+		return nil, err
 	}
 
 	return existingUser, nil
 }
 
 func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
-	storableUser := types.NewStorableUser(user)
-	if err := module.store.UpdateUser(ctx, orgID, storableUser); err != nil {
+	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
 		return err
 	}
 
@@ -475,7 +366,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 }
 
 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
+	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -493,17 +384,17 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
 	if err != nil {
 		return err
 	}
 
-	if len(adminUsers) == 1 && slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
+	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}
 
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, user.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -520,8 +411,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }
 
-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	user, err := module.GetByOrgIDAndUserID(ctx, orgID, userID)
+func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+	user, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -569,7 +460,11 @@ func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID,
 	}
 
 	// create a new token
-	resetPasswordToken, err := types.NewResetPasswordToken(password.ID, time.Now().Add(module.config.Password.Reset.MaxTokenLifetime))
+	tokenLifetime := module.config.Password.Reset.MaxTokenLifetime
+	if user.Status == types.UserStatusPendingInvite {
+		tokenLifetime = module.config.Password.Invite.MaxTokenLifetime
+	}
+	resetPasswordToken, err := types.NewResetPasswordToken(password.ID, time.Now().Add(tokenLifetime))
 	if err != nil {
 		return nil, err
 	}
@@ -600,7 +495,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
-	token, err := module.GetOrCreateResetPasswordToken(ctx, orgID, user.ID)
+	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
 		return err
@@ -609,6 +504,9 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 	resetLink := token.FactorPasswordResetLink(frontendBaseURL)
 
 	tokenLifetime := module.config.Password.Reset.MaxTokenLifetime
+	if user.Status == types.UserStatusPendingInvite {
+		tokenLifetime = module.config.Password.Invite.MaxTokenLifetime
+	}
 	humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
 
 	if err := module.emailing.SendHTML(
@@ -643,17 +541,17 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
-	storableUser, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
 	if err != nil {
 		return err
 	}
 
 	// handle deleted user
-	if err := storableUser.ErrIfDeleted(); err != nil {
+	if err := user.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
 	}
 
-	if err := storableUser.ErrIfRoot(); err != nil {
+	if err := user.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
@@ -661,19 +559,12 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
-	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
-	if err != nil {
-		return err
-	}
-
-	user := types.NewUserFromStorable(storableUser, roleNames)
-
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			user.Roles,
+			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
@@ -685,7 +576,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 				return err
 			}
-			if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
+			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
 				return err
 			}
 		}
@@ -703,16 +594,16 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }
 
 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
-	storableUser, err := module.store.GetUser(ctx, userID)
+	user, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}
 
-	if err := storableUser.ErrIfDeleted(); err != nil {
+	if err := user.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for deleted user")
 	}
 
-	if err := storableUser.ErrIfRoot(); err != nil {
+	if err := user.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}
 
@@ -758,7 +649,7 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
 			// respect the role coming from the SSO
-			existingUser.Update("", user.Role, user.Roles)
+			existingUser.Update("", user.Role)
 			// activate the user
 			if err = module.activatePendingUser(ctx, existingUser); err != nil {
 				return nil, err
@@ -797,7 +688,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }
 
 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewRootUser(name, email, organization.ID, []string{authtypes.SigNozAdminRoleName})
+	user, err := types.NewRootUser(name, email, organization.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -859,24 +750,20 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 
 // this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
 func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingStorableUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}
 
 	// filter out the deleted users
-	existingStorableUsers = slices.DeleteFunc(existingStorableUsers, func(user *types.StorableUser) bool { return user.ErrIfDeleted() != nil })
+	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
 
-	if len(existingStorableUsers) > 1 {
+	if len(existingUsers) > 1 {
 		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
 	}
 
-	if len(existingStorableUsers) == 1 {
-		existingUser, err := module.GetByOrgIDAndUserID(ctx, existingStorableUsers[0].OrgID, existingStorableUsers[0].ID)
-		if err != nil {
-			return nil, err
-		}
-		return existingUser, nil
+	if len(existingUsers) == 1 {
+		return existingUsers[0], nil
 	}
 
 	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
@@ -886,12 +773,7 @@ func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, emai
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
-			return err
-		}
-
-		// create user_role junction entries
-		if err := module.createUserRoleEntries(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, input); err != nil {
 			return err
 		}
 
@@ -913,25 +795,11 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 	return nil
 }
 
-func (module *Module) createUserRoleEntries(ctx context.Context, user *types.User) error {
-	if len(user.Roles) == 0 {
-		return nil
-	}
-
-	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, user.OrgID, user.Roles)
-	if err != nil {
-		return err
-	}
-
-	userRoles := authtypes.NewStorableUserRoles(user.ID, storableRoles)
-	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
-}
-
 func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
 	err := module.authz.Grant(
 		ctx,
 		user.OrgID,
-		user.Roles,
+		[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
 		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 	)
 	if err != nil {
@@ -941,59 +809,10 @@ func (module *Module) activatePendingUser(ctx context.Context, user *types.User)
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user))
+	err = module.store.UpdateUser(ctx, user.OrgID, user)
 	if err != nil {
 		return err
 	}
 
 	return nil
 }
-
-func (module *Module) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
-	users := make([]*types.User, 0, len(storableUsers))
-
-	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
-	for _, role := range roles {
-		roleIDToRole[role.ID.String()] = role
-	}
-
-	for _, user := range storableUsers {
-		roleIDs := userIDToRoleIDsMap[user.ID]
-
-		roleNames := make([]string, 0, len(roleIDs))
-		for _, rid := range roleIDs {
-			if role, ok := roleIDToRole[rid.String()]; ok {
-				roleNames = append(roleNames, role.Name)
-			}
-		}
-
-		account := types.NewUserFromStorable(user, roleNames)
-		users = append(users, account)
-	}
-
-	return users
-}
-
-func (m *Module) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
-	storableUserRoles, err := m.userRoleStore.GetUserRolesByUserID(ctx, userID)
-	if err != nil {
-		return nil, err
-	}
-
-	roleIDs := make([]valuer.UUID, len(storableUserRoles))
-	for idx, sur := range storableUserRoles {
-		roleIDs[idx] = sur.RoleID
-	}
-
-	roles, err := m.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
-	if err != nil {
-		return nil, err
-	}
-
-	roleNames := make([]string, len(roles))
-	for idx, role := range roles {
-		roleNames[idx] = role.Name
-	}
-
-	return roleNames, nil
-}

pkg/modules/user/impluser/service.go

@@ -15,34 +15,31 @@ import (
 )
 
 type service struct {
-	settings      factory.ScopedProviderSettings
-	store         types.UserStore
-	userRoleStore authtypes.UserRoleStore
-	module        user.Module
-	orgGetter     organization.Getter
-	authz         authz.AuthZ
-	config        user.RootConfig
-	stopC         chan struct{}
+	settings  factory.ScopedProviderSettings
+	store     types.UserStore
+	module    user.Module
+	orgGetter organization.Getter
+	authz     authz.AuthZ
+	config    user.RootConfig
+	stopC     chan struct{}
 }
 
 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
-	userRoleStore authtypes.UserRoleStore,
 	module user.Module,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
 ) user.Service {
 	return &service{
-		settings:      factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-		store:         store,
-		userRoleStore: userRoleStore,
-		module:        module,
-		orgGetter:     orgGetter,
-		authz:         authz,
-		config:        config,
-		stopC:         make(chan struct{}),
+		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:     store,
+		module:    module,
+		orgGetter: orgGetter,
+		authz:     authz,
+		config:    config,
+		stopC:     make(chan struct{}),
 	}
 }
 
@@ -132,16 +129,16 @@ func (s *service) reconcileByName(ctx context.Context) error {
 }
 
 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingStorableRoot, err := s.getRootUserByOrgID(ctx, orgID)
+	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}
 
-	if existingStorableRoot == nil {
+	if existingRoot == nil {
 		return s.createOrPromoteRootUser(ctx, orgID)
 	}
 
-	return s.updateExistingRootUser(ctx, orgID, existingStorableRoot)
+	return s.updateExistingRootUser(ctx, orgID, existingRoot)
 }
 
 func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
@@ -151,27 +148,29 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 	}
 
 	if existingUser != nil {
-		oldRoles := existingUser.Roles
+		oldRole := existingUser.Role
 
-		existingUser.PromoteToRoot() // this only sets the column is_root as true (permissions are managed by authz in next step)
+		existingUser.PromoteToRoot()
 		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 			return err
 		}
 
-		if err := s.authz.ModifyGrant(ctx,
-			orgID,
-			oldRoles,
-			[]string{authtypes.SigNozAdminRoleName},
-			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
-		); err != nil {
-			return err
+		if oldRole != types.RoleAdmin {
+			if err := s.authz.ModifyGrant(ctx,
+				orgID,
+				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
+				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
+				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+			); err != nil {
+				return err
+			}
 		}
 
 		return s.setPassword(ctx, existingUser.ID)
 	}
 
 	// Create new root user
-	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID, []string{authtypes.SigNozAdminRoleName})
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
 	if err != nil {
 		return err
 	}
@@ -181,7 +180,6 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}
 
-	// authz grants are handled inside CreateUser
 	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
 }
 
@@ -223,12 +221,3 @@ func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {
 
 	return nil
 }
-
-func (s *service) getRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	storableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	return s.module.GetByOrgIDAndUserID(ctx, orgID, storableRoot.ID)
-}

pkg/modules/user/impluser/store.go

@@ -39,7 +39,7 @@ func (store *store) CreatePassword(ctx context.Context, password *types.FactorPa
 	return nil
 }
 
-func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) error {
+func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -52,8 +52,8 @@ func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) er
 	return nil
 }
 
-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.StorableUser, error) {
-	var users []*types.StorableUser
+func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
+	var users []*types.User
 
 	err := store.
 		sqlstore.
@@ -69,8 +69,8 @@ func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]
 	return users, nil
 }
 
-func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.StorableUser, error) {
-	user := new(types.StorableUser)
+func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
+	user := new(types.User)
 
 	err := store.
 		sqlstore.
@@ -86,8 +86,8 @@ func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.Storabl
 	return user, nil
 }
 
-func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableUser, error) {
-	user := new(types.StorableUser)
+func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
+	user := new(types.User)
 
 	err := store.
 		sqlstore.
@@ -104,8 +104,8 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.StorableUser, error) {
-	var users []*types.StorableUser
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
+	var users []*types.User
 
 	err := store.
 		sqlstore.
@@ -122,7 +122,26 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 	return users, nil
 }
 
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.StorableUser) error {
+func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
+	var users []*types.User
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&users).
+		Where("org_id = ?", orgID).
+		Where("role = ?", role).
+		Where("status = ?", types.UserStatusActive.StringValue()).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -143,8 +162,8 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }
 
-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.StorableUser, error) {
-	users := []*types.StorableUser{}
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
+	users := []*types.User{}
 
 	err := store.
 		sqlstore.
@@ -228,7 +247,7 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 
 	// delete user
 	_, err = tx.NewDelete().
-		Model(new(types.StorableUser)).
+		Model(new(types.User)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -313,7 +332,7 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 	// soft delete user
 	now := time.Now()
 	_, err = tx.NewUpdate().
-		Model(new(types.StorableUser)).
+		Model(new(types.User)).
 		Set("status = ?", types.UserStatusDeleted).
 		Set("deleted_at = ?", now).
 		Set("updated_at = ?", now).
@@ -544,7 +563,7 @@ func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*type
 }
 
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	user := new(types.StorableUser)
+	user := new(types.User)
 
 	count, err := store.
 		sqlstore.
@@ -561,7 +580,7 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 }
 
 func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
-	user := new(types.StorableUser)
+	user := new(types.User)
 	var results []struct {
 		Status valuer.String `bun:"status"`
 		Count  int64         `bun:"count"`
@@ -614,8 +633,8 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }
 
-func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.StorableUser, error) {
-	user := new(types.StorableUser)
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	user := new(types.User)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -630,8 +649,8 @@ func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (
 	return user, nil
 }
 
-func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.StorableUser, error) {
-	users := []*types.StorableUser{}
+func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
+	users := []*types.User{}
 	err := store.
 		sqlstore.
 		BunDB().
@@ -647,15 +666,15 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 	return users, nil
 }
 
-func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.StorableUser, error) {
-	user := new(types.StorableUser)
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
+	user := new(types.User)
 
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(user).
-		Join(`JOIN factor_password ON factor_password.user_id = "users".id`).
+		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
 		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
 		Where("reset_password_token.token = ?", token).
 		Scan(ctx)
@@ -666,8 +685,8 @@ func (store *store) GetUserByResetPasswordToken(ctx context.Context, token strin
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.StorableUser, error) {
-	users := []*types.StorableUser{}
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
+	users := []*types.User{}
 
 	err := store.
 		sqlstore.
@@ -684,20 +703,3 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID
 
 	return users, nil
 }
-
-func (store *store) GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*types.StorableUser, error) {
-	var users []*types.StorableUser
-
-	err := store.sqlstore.BunDBCtx(ctx).NewSelect().
-		Model(&users).
-		Join("JOIN user_role ON user_role.user_id = users.id").
-		Join("JOIN role ON role.id = user_role.role_id").
-		Where("users.org_id = ?", orgID).
-		Where("role.name = ?", roleName).
-		Where("users.status = ?", types.UserStatusActive.StringValue()).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return users, nil
-}

pkg/modules/user/impluser/userrolestore.go

@@ -1,62 +0,0 @@
-package impluser
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-)
-
-type userRoleStore struct {
-	sqlstore sqlstore.SQLStore
-	settings factory.ProviderSettings
-}
-
-func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
-	return &userRoleStore{sqlstore: sqlstore, settings: settings}
-}
-
-func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.StorableUserRole, error) {
-	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
-
-	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).
-		Join("JOIN users").
-		JoinOn("users.id = user_role.user_id").
-		Where("users.org_id = ?", orgID).Where("users.id IN (?)", bun.In(userIDs)).Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storableUserRoles, nil
-}
-
-func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.StorableUserRole) error {
-	_, err := store.sqlstore.BunDBCtx(ctx).NewInsert().Model(&userRoles).Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for service account")
-	}
-	return nil
-}
-
-func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
-	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().Model(new(authtypes.StorableUserRole)).Where("user_id = ?", userID).Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.StorableUserRole, error) {
-	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
-
-	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).Where("user_id = ?", userID).Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storableUserRoles, nil
-}

pkg/modules/user/user.go

@@ -10,12 +10,6 @@ import (
 )
 
 type Module interface {
-	// Gets user by org id and user id, this includes the roles resolution
-	GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error)
-
-	// Lists all the users by org id, no filters applied and includes roles resolution
-	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)
-
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)
 
@@ -27,7 +21,7 @@ type Module interface {
 
 	// Get or Create a reset password token for a user. If the password does not exist, a new one is randomly generated and inserted. The function
 	// is idempotent and can be called multiple times.
-	GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error)
+	GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error)
 
 	// Updates password of a user using a reset password token. It also deletes all reset password tokens for the user.
 	// This is used to reset the password of a user when they forget their password.
@@ -64,13 +58,22 @@ type Module interface {
 }
 
 type Getter interface {
+	// Get root user by org id.
+	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
+
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)
 
+	// Get users by email.
+	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
+
+	// Get user by orgID and id.
+	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
+
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.User, error)
 
-	// List users by email and org ids. This does not includes roles resolution as this is only used for session context
+	// List users by email and org ids.
 	ListUsersByEmailAndOrgIDs(context.Context, valuer.Email, []valuer.UUID) ([]*types.User, error)
 
 	// Count users by org id.

pkg/querier/builder_query.go

@@ -361,6 +361,10 @@ func (q *builderQuery[T]) executeWindowList(ctx context.Context) (*qbtypes.Resul
 		if err != nil {
 			return nil, err
 		}
+		// skip = true means we have indentified from the query itself that we don't need to execute this bucket
+		if stmt.Skip {
+			continue
+		}
 		warnings = stmt.Warnings
 		warningsDocURL = stmt.WarningsDocURL
 		// Execute with proper context for partial value detection

pkg/signoz/handler_test.go

@@ -48,11 +48,9 @@ func TestNewHandlers(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
-
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 
 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)

pkg/signoz/module.go

@@ -8,7 +8,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -90,12 +89,10 @@ func NewModules(
 	config Config,
 	dashboard dashboard.Module,
 	userGetter user.Getter,
-	userRoleStore authtypes.UserRoleStore,
-	flagger flagger.Flagger,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), userRoleStore, tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, flagger)
+	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 
 	return Modules{
@@ -111,7 +108,7 @@ func NewModules(
 		TraceFunnel:     impltracefunnel.NewModule(impltracefunnel.NewStore(sqlstore)),
 		RawDataExport:   implrawdataexport.NewModule(querier),
 		AuthDomain:      implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs),
-		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter, authz),
+		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),

pkg/signoz/module_test.go

@@ -47,11 +47,9 @@ func TestNewModules(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
-
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/provider.go

@@ -175,8 +175,6 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
 		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
-		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
-		sqlmigration.NewAddUserRoleAuthzFactory(sqlstore),
 	)
 }
 

pkg/signoz/provider_test.go

@@ -1,11 +1,13 @@
 package signoz
 
 import (
+	"context"
 	"testing"
 
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/nfmanagertest"
 	"github.com/SigNoz/signoz/pkg/analytics"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -75,7 +77,12 @@ func TestNewProviderFactories(t *testing.T) {
 	})
 
 	assert.NotPanics(t, func() {
-		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()))
+		flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
+		if err != nil {
+			panic(err)
+		}
+
+		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), flagger)
 		orgGetter := implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil)
 		telemetryStore := telemetrystoretest.New(telemetrystore.Config{Provider: "clickhouse"}, sqlmock.QueryMatcherEqual)
 		NewStatsReporterProviderFactories(telemetryStore, []statsreporter.StatsCollector{}, orgGetter, userGetter, tokenizertest.NewMockTokenizer(t), version.Build{}, analytics.Config{Enabled: true})

pkg/signoz/signoz.go

@@ -281,14 +281,8 @@ func New(
 		return nil, err
 	}
 
-	// Initialize user store
-	userStore := impluser.NewStore(sqlstore, providerSettings)
-
-	// Initialize user role store
-	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
-
 	// Initialize user getter
-	userGetter := impluser.NewGetter(userStore)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
 
 	licensingProviderFactory := licenseProviderFactory(sqlstore, zeus, orgGetter, analytics)
 	licensing, err := licensingProviderFactory.New(
@@ -396,7 +390,7 @@ func New(
 	}
 
 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter, userRoleStore, flagger)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
 
 	// Initialize identN resolver
 	identNFactories := NewIdentNProviderFactories(sqlstore, tokenizer)
@@ -410,7 +404,7 @@ func New(
 	}
 	identNResolver := identn.NewIdentNResolver(providerSettings, identNs...)
 
-	userService := impluser.NewService(providerSettings, userStore, userRoleStore, modules.User, orgGetter, authz, config.User.Root)
+	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
 
 	// Initialize the querier handler via callback (allows EE to decorate with anomaly detection)
 	querierHandler := querierHandlerCallback(providerSettings, querier, analytics)

pkg/sqlmigration/037_add_trace_funnels.go

@@ -2,7 +2,6 @@ package sqlmigration
 
 import (
 	"context"
-
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -17,12 +16,12 @@ type funnel struct {
 	types.Identifiable // funnel id
 	types.TimeAuditable
 	types.UserAuditable
-	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
-	Description   string              `json:"description" bun:"description,type:text"`  // funnel description
-	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []funnelStep        `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string              `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string       `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
+	Description   string       `json:"description" bun:"description,type:text"`  // funnel description
+	OrgID         valuer.UUID  `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []funnelStep `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string       `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.User  `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }
 
 type funnelStep struct {

pkg/sqlmigration/069_add_user_role.go

@@ -1,197 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlschema"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-var (
-	userRoleToSigNozManagedRoleMap = map[string]string{
-		"ADMIN":  "signoz-admin",
-		"EDITOR": "signoz-editor",
-		"VIEWER": "signoz-viewer",
-	}
-)
-
-type userRow struct {
-	ID    string `bun:"id"`
-	Role  string `bun:"role"`
-	OrgID string `bun:"org_id"`
-}
-
-type roleRow struct {
-	ID    string `bun:"id"`
-	Name  string `bun:"name"`
-	OrgID string `bun:"org_id"`
-}
-
-type orgRoleKey struct {
-	OrgID    string
-	RoleName string
-}
-
-type addUserRole struct {
-	sqlstore  sqlstore.SQLStore
-	sqlschema sqlschema.SQLSchema
-}
-
-type userRoleRow struct {
-	bun.BaseModel `bun:"table:user_role"`
-
-	types.Identifiable
-	UserID string `bun:"user_id"`
-	RoleID string `bun:"role_id"`
-	types.TimeAuditable
-}
-
-func NewAddUserRoleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("add_user_role"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
-		return &addUserRole{
-			sqlstore:  sqlstore,
-			sqlschema: sqlschema,
-		}, nil
-	})
-}
-
-func (migration *addUserRole) Register(migrations *migrate.Migrations) error {
-	if err := migrations.Register(migration.Up, migration.Down); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addUserRole) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	sqls := [][]byte{}
-
-	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
-		Name: "user_role",
-		Columns: []*sqlschema.Column{
-			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-		},
-		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
-			ColumnNames: []sqlschema.ColumnName{"id"},
-		},
-		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
-			{
-				ReferencingColumnName: sqlschema.ColumnName("user_id"),
-				ReferencedTableName:   sqlschema.TableName("users"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-			{
-				ReferencingColumnName: sqlschema.ColumnName("role_id"),
-				ReferencedTableName:   sqlschema.TableName("role"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-		},
-	})
-
-	sqls = append(sqls, tableSQLs...)
-
-	indexSQLs := migration.sqlschema.Operator().CreateIndex(
-		&sqlschema.UniqueIndex{
-			TableName:   "user_role",
-			ColumnNames: []sqlschema.ColumnName{"user_id", "role_id"},
-		},
-	)
-
-	sqls = append(sqls, indexSQLs...)
-
-	for _, sql := range sqls {
-		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
-			return err
-		}
-	}
-
-	// fill the new user_role table for existing users
-	var users []userRow
-	err = tx.NewSelect().TableExpr("users").ColumnExpr("id, role, org_id").Scan(ctx, &users)
-	if err != nil {
-		return err
-	}
-
-	if len(users) == 0 {
-		return tx.Commit()
-	}
-
-	orgIDs := make(map[string]struct{})
-	for _, u := range users {
-		orgIDs[u.OrgID] = struct{}{}
-	}
-
-	orgIDList := make([]string, 0, len(orgIDs))
-	for oid := range orgIDs {
-		orgIDList = append(orgIDList, oid)
-	}
-
-	var roles []roleRow
-	err = tx.NewSelect().TableExpr("role").ColumnExpr("id, name, org_id").Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx, &roles)
-	if err != nil {
-		return err
-	}
-
-	roleMap := make(map[orgRoleKey]string)
-	for _, r := range roles {
-		roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID
-	}
-
-	now := time.Now()
-	userRoles := make([]*userRoleRow, 0, len(users))
-	for _, u := range users {
-		managedRoleName, ok := userRoleToSigNozManagedRoleMap[u.Role]
-		if !ok {
-			managedRoleName = "signoz-viewer" // fallback
-		}
-		roleID, ok := roleMap[orgRoleKey{OrgID: u.OrgID, RoleName: managedRoleName}]
-		if !ok {
-			continue // user needs to get access again
-		}
-
-		userRoles = append(userRoles, &userRoleRow{
-			Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
-			UserID:       u.ID,
-			RoleID:       roleID,
-			TimeAuditable: types.TimeAuditable{
-				CreatedAt: now,
-				UpdatedAt: now,
-			},
-		})
-	}
-
-	if len(userRoles) > 0 {
-		if _, err := tx.NewInsert().Model(&userRoles).Exec(ctx); err != nil {
-			return err
-		}
-	}
-
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addUserRole) Down(ctx context.Context, db *bun.DB) error {
-	return nil
-}

pkg/sqlmigration/070_add_user_role_authz.go

@@ -1,156 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-	"database/sql"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/oklog/ulid/v2"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/dialect"
-	"github.com/uptrace/bun/migrate"
-)
-
-type addUserRoleAuthz struct {
-	sqlstore sqlstore.SQLStore
-}
-
-func NewAddUserRoleAuthzFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("add_user_role_authz"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
-		return &addUserRoleAuthz{sqlstore: sqlstore}, nil
-	})
-}
-
-func (migration *addUserRoleAuthz) Register(migrations *migrate.Migrations) error {
-	if err := migrations.Register(migration.Up, migration.Down); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addUserRoleAuthz) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	var storeID string
-	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
-	if err != nil {
-		return err
-	}
-
-	type userRoleTuple struct {
-		UserID   string
-		OrgID    string
-		RoleName string
-	}
-
-	rows, err := tx.QueryContext(ctx, `
-		SELECT u.id, u.org_id, r.name
-		FROM users u
-		JOIN user_role ur ON ur.user_id = u.id
-		JOIN role r ON r.id = ur.role_id
-		WHERE u.status != 'deleted'
-	`)
-	if err != nil {
-		if err == sql.ErrNoRows {
-			return tx.Commit()
-		}
-		return err
-	}
-	defer rows.Close()
-
-	tuples := make([]userRoleTuple, 0)
-	for rows.Next() {
-		var t userRoleTuple
-		if err := rows.Scan(&t.UserID, &t.OrgID, &t.RoleName); err != nil {
-			return err
-		}
-		tuples = append(tuples, t)
-	}
-
-	if err := rows.Err(); err != nil {
-		return err
-	}
-
-	entropy := ulid.DefaultEntropy()
-	for _, t := range tuples {
-		now := time.Now().UTC()
-		tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
-
-		objectID := "organization/" + t.OrgID + "/role/" + t.RoleName
-		userID := "organization/" + t.OrgID + "/user/" + t.UserID
-
-		if migration.sqlstore.BunDB().Dialect().Name() == dialect.PG {
-			result, err := tx.ExecContext(ctx, `
-				INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
-				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-				ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
-				storeID, "role", objectID, "assignee", "user:"+userID, "user", tupleID, now,
-			)
-			if err != nil {
-				return err
-			}
-
-			rowsAffected, err := result.RowsAffected()
-			if err != nil {
-				return err
-			}
-			if rowsAffected == 0 {
-				continue
-			}
-
-			_, err = tx.ExecContext(ctx, `
-				INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
-				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
-				storeID, "role", objectID, "assignee", "user:"+userID, "TUPLE_OPERATION_WRITE", tupleID, now,
-			)
-			if err != nil {
-				return err
-			}
-		} else {
-			result, err := tx.ExecContext(ctx, `
-				INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
-				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-				ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
-				storeID, "role", objectID, "assignee", "user", userID, "", "user", tupleID, now,
-			)
-			if err != nil {
-				return err
-			}
-
-			rowsAffected, err := result.RowsAffected()
-			if err != nil {
-				return err
-			}
-			if rowsAffected == 0 {
-				continue
-			}
-
-			_, err = tx.ExecContext(ctx, `
-				INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
-				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
-				storeID, "role", objectID, "assignee", "user", userID, "", 0, tupleID, now,
-			)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return tx.Commit()
-}
-
-func (migration *addUserRoleAuthz) Down(context.Context, *bun.DB) error {
-	return nil
-}

pkg/telemetrytraces/statement_builder.go

@@ -121,8 +121,18 @@ func (b *traceQueryStatementBuilder) Build(
 			if !ok {
 				b.logger.DebugContext(ctx, "failed to get trace time range", "trace_ids", traceIDs)
 			} else if traceStart > 0 && traceEnd > 0 {
-				start = uint64(traceStart)
-				end = uint64(traceEnd)
+				// we don't  need to query if the start and end are non overlapping
+				if uint64(traceStart) > end || uint64(traceEnd) < start {
+					return &qbtypes.Statement{Skip: true}, nil
+				}
+
+				// clamp start/end to trace time range to avoid overlap between buckets
+				if uint64(traceStart) > start {
+					start = uint64(traceStart)
+				}
+				if uint64(traceEnd) < end {
+					end = uint64(traceEnd)
+				}
 				b.logger.DebugContext(ctx, "optimized time range for traces", "trace_ids", traceIDs, "start", start, "end", end)
 			}
 		}

pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go

@@ -34,7 +34,7 @@ func (store *store) Create(ctx context.Context, token *authtypes.StorableToken)
 }
 
 func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID) (*authtypes.Identity, error) {
-	user := new(types.StorableUser)
+	user := new(types.User)
 
 	err := store.
 		sqlstore.

pkg/types/authtypes/authn.go

@@ -128,7 +128,7 @@ func (typ *Identity) ToClaims() Claims {
 
 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
 
 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/mapping.go

@@ -83,62 +83,44 @@ func (typ *RoleMapping) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func (roleMapping *RoleMapping) ManagedRolesFromCallbackIdentity(callbackIdentity *CallbackIdentity) (types.Role, []string) {
+func (roleMapping *RoleMapping) NewRoleFromCallbackIdentity(callbackIdentity *CallbackIdentity) types.Role {
 	if roleMapping == nil {
-		return types.RoleViewer, []string{SigNozViewerRoleName}
+		return types.RoleViewer
 	}
 
 	if roleMapping.UseRoleAttribute && callbackIdentity.Role != "" {
-		legacyRole, err := types.NewRole(strings.ToUpper(callbackIdentity.Role))
-		if err != nil {
-			return types.RoleViewer, []string{SigNozViewerRoleName}
-		}
-		if managedRole := resolveToManagedRole(callbackIdentity.Role); managedRole != "" {
-			return legacyRole, []string{managedRole}
+		if role, err := types.NewRole(strings.ToUpper(callbackIdentity.Role)); err == nil {
+			return role
 		}
 	}
 
 	if len(roleMapping.GroupMappings) > 0 && len(callbackIdentity.Groups) > 0 {
-		highestLegacyRole := types.RoleViewer
+		highestRole := types.RoleViewer
+		found := false
+
 		for _, group := range callbackIdentity.Groups {
 			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
+				found = true
 				if role, err := types.NewRole(strings.ToUpper(mappedRole)); err == nil {
-					if compareRoles(role, highestLegacyRole) > 0 {
-						highestLegacyRole = role
+					if compareRoles(role, highestRole) > 0 {
+						highestRole = role
 					}
 				}
 			}
 		}
 
-		seen := make(map[string]struct{})
-		var roles []string
-		for _, group := range callbackIdentity.Groups {
-			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
-				managedRole := resolveToManagedRole(mappedRole)
-				if managedRole != "" {
-					if _, ok := seen[managedRole]; !ok {
-						seen[managedRole] = struct{}{}
-						roles = append(roles, managedRole)
-					}
-				}
-			}
-		}
-		if len(roles) > 0 {
-			return highestLegacyRole, roles
+		if found {
+			return highestRole
 		}
 	}
 
 	if roleMapping.DefaultRole != "" {
-		legacyRole, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole))
-		if err != nil {
-			return types.RoleViewer, []string{SigNozViewerRoleName}
-		}
-		if managedRole := resolveToManagedRole(roleMapping.DefaultRole); managedRole != "" {
-			return legacyRole, []string{managedRole}
+		if role, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole)); err == nil {
+			return role
 		}
 	}
 
-	return types.RoleViewer, []string{SigNozViewerRoleName}
+	return types.RoleViewer
 }
 
 func compareRoles(a, b types.Role) int {
@@ -149,12 +131,3 @@ func compareRoles(a, b types.Role) int {
 	}
 	return order[a] - order[b]
 }
-
-func resolveToManagedRole(role string) string {
-	// backward compatible legacy role (ADMIN -> signoz-admin) useful in case of SSO
-	if legacyRole, err := types.NewRole(strings.ToUpper(role)); err == nil {
-		return MustGetSigNozManagedRoleFromExistingRole(legacyRole)
-	}
-
-	return role
-}

pkg/types/authtypes/user_role.go

@@ -1,104 +0,0 @@
-package authtypes
-
-import (
-	"context"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-)
-
-var (
-	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
-)
-
-type StorableUserRole struct {
-	bun.BaseModel `bun:"table:user_role,alias:user_role"`
-
-	types.Identifiable
-
-	UserID valuer.UUID `bun:"user_id"`
-	RoleID valuer.UUID `bun:"role_id"`
-
-	types.TimeAuditable
-}
-
-func newStorableUserRole(userID valuer.UUID, roleID valuer.UUID) *StorableUserRole {
-	return &StorableUserRole{
-		Identifiable: types.Identifiable{
-			ID: valuer.GenerateUUID(),
-		},
-		UserID: userID,
-		RoleID: roleID,
-		TimeAuditable: types.TimeAuditable{
-			CreatedAt: time.Now(),
-			UpdatedAt: time.Now(),
-		},
-	}
-}
-
-func NewStorableUserRoles(userID valuer.UUID, roles []*Role) []*StorableUserRole {
-	storableUserRoles := make([]*StorableUserRole, len(roles))
-
-	for idx, role := range roles {
-		storableUserRoles[idx] = newStorableUserRole(userID, role.ID)
-	}
-
-	return storableUserRoles
-}
-
-func GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles []*StorableUserRole) (map[valuer.UUID][]valuer.UUID, []valuer.UUID) {
-	userIDRoles := make(map[valuer.UUID][]valuer.UUID)
-	uniqueRoleIDSet := make(map[valuer.UUID]struct{})
-
-	for _, userRole := range storableUserRoles {
-		userID := userRole.UserID
-		if _, ok := userIDRoles[userID]; !ok {
-			userIDRoles[userID] = make([]valuer.UUID, 0)
-		}
-		roleUUID := userRole.RoleID
-		userIDRoles[userID] = append(userIDRoles[userID], roleUUID)
-		uniqueRoleIDSet[userRole.RoleID] = struct{}{}
-	}
-
-	roleIDs := make([]valuer.UUID, 0, len(uniqueRoleIDSet))
-	for rid := range uniqueRoleIDSet {
-		roleIDs = append(roleIDs, rid)
-	}
-
-	return userIDRoles, roleIDs
-}
-
-func NewRoleNamesFromStorableUserRoles(storableUserRoles []*StorableUserRole, roles []*Role) ([]string, error) {
-	roleIDToName := make(map[valuer.UUID]string, len(roles))
-	for _, role := range roles {
-		roleIDToName[role.ID] = role.Name
-	}
-
-	names := make([]string, 0, len(storableUserRoles))
-	for _, storableUserRole := range storableUserRoles {
-		roleName, ok := roleIDToName[storableUserRole.RoleID]
-		if !ok {
-			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "role id %s not found in provided roles", storableUserRole.RoleID)
-		}
-		names = append(names, roleName)
-	}
-
-	return names, nil
-}
-
-type UserRoleStore interface {
-	// create user roles in bulk
-	CreateUserRoles(ctx context.Context, userRoles []*StorableUserRole) error
-
-	// get user roles by user id
-	GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*StorableUserRole, error)
-
-	// list all user_role entries for
-	ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*StorableUserRole, error)
-
-	// delete user role entries by user id
-	DeleteUserRoles(ctx context.Context, userID valuer.UUID) error
-}

pkg/types/factor_api_key.go

@@ -39,15 +39,15 @@ type OrgUserAPIKey struct {
 }
 
 type UserWithAPIKey struct {
-	*StorableUser `bun:",extend"`
-	APIKeys       []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
+	*User   `bun:",extend"`
+	APIKeys []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
 }
 
 type StorableAPIKeyUser struct {
 	StorableAPIKey `bun:",extend"`
 
-	CreatedByUser *StorableUser `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
-	UpdatedByUser *StorableUser `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
+	CreatedByUser *User `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
+	UpdatedByUser *User `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
 }
 
 type StorableAPIKey struct {
@@ -138,7 +138,7 @@ func NewGettableAPIKeyFromStorableAPIKey(storableAPIKey *StorableAPIKeyUser) *Ge
 		LastUsed:      lastUsed,
 		Revoked:       storableAPIKey.Revoked,
 		UserID:        storableAPIKey.UserID.String(),
-		CreatedByUser: NewUserFromStorable(storableAPIKey.CreatedByUser, make([]string, 0)), // factor api key will be removed
-		UpdatedByUser: NewUserFromStorable(storableAPIKey.UpdatedByUser, make([]string, 0)), // factor api key will be removed
+		CreatedByUser: storableAPIKey.CreatedByUser,
+		UpdatedByUser: storableAPIKey.UpdatedByUser,
 	}
 }

pkg/types/invite.go

@@ -25,7 +25,6 @@ type Invite struct {
 	Email valuer.Email `bun:"email,type:text" json:"email"`
 	Token string       `bun:"token,type:text" json:"token"`
 	Role  Role         `bun:"role,type:text" json:"role"`
-	Roles []string     `bun:"roles,type:text" json:"roles"`
 	OrgID valuer.UUID  `bun:"org_id,type:text" json:"orgId"`
 
 	InviteLink string `bun:"-" json:"inviteLink"`
@@ -51,7 +50,6 @@ type PostableInvite struct {
 	Name            string       `json:"name"`
 	Email           valuer.Email `json:"email"`
 	Role            Role         `json:"role"`
-	Roles           []string     `json:"roles"`
 	FrontendBaseUrl string       `json:"frontendBaseUrl"`
 }
 
@@ -85,7 +83,7 @@ type GettableCreateInviteResponse struct {
 	InviteToken string `json:"token"`
 }
 
-func NewInvite(name string, role Role, roles []string, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
+func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
 	invite := &Invite{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -94,7 +92,6 @@ func NewInvite(name string, role Role, roles []string, orgID valuer.UUID, email
 		Email: email,
 		Token: valuer.GenerateUUID().String(),
 		Role:  role,
-		Roles: roles,
 		OrgID: orgID,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),

pkg/types/querybuildertypes/querybuildertypesv5/qb.go

@@ -47,6 +47,7 @@ type Statement struct {
 	Args           []any
 	Warnings       []string
 	WarningsDocURL string
+	Skip           bool // don't run this query
 }
 
 // StatementBuilder builds the query.

pkg/types/tracefunneltypes/tracefunnel.go

@@ -18,12 +18,12 @@ type StorableFunnel struct {
 	types.TimeAuditable
 	types.UserAuditable
 	bun.BaseModel `bun:"table:trace_funnel"`
-	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"`
-	Description   string              `json:"description" bun:"description,type:text"`
-	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []*FunnelStep       `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string              `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string        `json:"funnel_name" bun:"name,type:text,notnull"`
+	Description   string        `json:"description" bun:"description,type:text"`
+	OrgID         valuer.UUID   `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []*FunnelStep `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string        `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.User   `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }
 
 type FunnelStep struct {

pkg/types/tracefunneltypes/utils_test.go

@@ -443,7 +443,7 @@ func TestConstructFunnelResponse(t *testing.T) {
 				},
 				Name:  "test-funnel",
 				OrgID: orgID,
-				CreatedByUser: &types.StorableUser{
+				CreatedByUser: &types.User{
 					Identifiable: types.Identifiable{
 						ID: userID,
 					},

pkg/types/user.go

@@ -33,21 +33,10 @@ var (
 	ValidUserStatus         = []valuer.String{UserStatusPendingInvite, UserStatusActive, UserStatusDeleted}
 )
 
-type User struct {
-	Identifiable
-	DisplayName string        `json:"displayName"`
-	Email       valuer.Email  `json:"email"`
-	Role        Role          `json:"role"`
-	Roles       []string      `json:"roles"`
-	OrgID       valuer.UUID   `json:"orgId"`
-	IsRoot      bool          `json:"isRoot"`
-	Status      valuer.String `json:"status"`
-	DeletedAt   time.Time     `json:"-"`
-	TimeAuditable
-}
+type GettableUser = User
 
-type StorableUser struct {
-	bun.BaseModel `bun:"table:users,alias:users"`
+type User struct {
+	bun.BaseModel `bun:"table:users"`
 
 	Identifiable
 	DisplayName string        `bun:"display_name" json:"displayName"`
@@ -68,59 +57,7 @@ type PostableRegisterOrgAndAdmin struct {
 	OrgName        string       `json:"orgName"`
 }
 
-func NewStorableUser(user *User) *StorableUser {
-	if user == nil {
-		return nil
-	}
-
-	return &StorableUser{
-		Identifiable:  user.Identifiable,
-		DisplayName:   user.DisplayName,
-		Email:         user.Email,
-		Role:          user.Role,
-		OrgID:         user.OrgID,
-		IsRoot:        user.IsRoot,
-		Status:        user.Status,
-		DeletedAt:     user.DeletedAt,
-		TimeAuditable: user.TimeAuditable,
-	}
-}
-
-func NewUserFromStorable(storableUser *StorableUser, roleNames []string) *User {
-	if storableUser == nil {
-		return nil
-	}
-	return &User{
-		Identifiable:  storableUser.Identifiable,
-		DisplayName:   storableUser.DisplayName,
-		Email:         storableUser.Email,
-		Role:          storableUser.Role,
-		Roles:         roleNames,
-		OrgID:         storableUser.OrgID,
-		IsRoot:        storableUser.IsRoot,
-		Status:        storableUser.Status,
-		DeletedAt:     storableUser.DeletedAt,
-		TimeAuditable: storableUser.TimeAuditable,
-	}
-}
-
-// func NewUsersFromStorables(storableUsers []*StorableUser) []*User {
-// 	users := make([]*User, len(storableUsers))
-// 	for i, s := range storableUsers {
-// 		users[i] = NewUserFromStorable(s)
-// 	}
-// 	return users
-// }
-
-func NewStorableUsers(users []*User) []*StorableUser {
-	storableUsers := make([]*StorableUser, len(users))
-	for i, u := range users {
-		storableUsers[i] = NewStorableUser(u)
-	}
-	return storableUsers
-}
-
-func NewUser(displayName string, email valuer.Email, role Role, roles []string, orgID valuer.UUID, status valuer.String) (*User, error) {
+func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID, status valuer.String) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -144,7 +81,6 @@ func NewUser(displayName string, email valuer.Email, role Role, roles []string,
 		DisplayName: displayName,
 		Email:       email,
 		Role:        role,
-		Roles:       roles,
 		OrgID:       orgID,
 		IsRoot:      false,
 		Status:      status,
@@ -155,7 +91,7 @@ func NewUser(displayName string, email valuer.Email, role Role, roles []string,
 	}, nil
 }
 
-func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID, roleNames []string) (*User, error) {
+func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -171,7 +107,6 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID, role
 		DisplayName: displayName,
 		Email:       email,
 		Role:        RoleAdmin,
-		Roles:       roleNames,
 		OrgID:       orgID,
 		IsRoot:      true,
 		Status:      UserStatusActive,
@@ -184,10 +119,13 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID, role
 
 // Update applies mutable fields from the input to the user. Immutable fields
 // (email, is_root, org_id, id) are preserved. Only non-zero input fields are applied.
-func (u *User) Update(displayName string, role Role, roles []string) {
-	u.DisplayName = displayName
-	u.Role = role
-	u.Roles = roles
+func (u *User) Update(displayName string, role Role) {
+	if displayName != "" {
+		u.DisplayName = displayName
+	}
+	if role != "" {
+		u.Role = role
+	}
 	u.UpdatedAt = time.Now()
 }
 
@@ -230,15 +168,6 @@ func (u *User) ErrIfRoot() error {
 	return nil
 }
 
-// ErrIfRoot returns an error if the user is a root user. The caller should
-// enrich the error with the specific operation using errors.WithAdditionalf.
-func (u *StorableUser) ErrIfRoot() error {
-	if u.IsRoot {
-		return errors.New(errors.TypeUnsupported, ErrCodeRootUserOperationUnsupported, "this operation is not supported for the root user")
-	}
-	return nil
-}
-
 // ErrIfDeleted returns an error if the user is in deleted state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfDeleted() error {
@@ -248,15 +177,6 @@ func (u *User) ErrIfDeleted() error {
 	return nil
 }
 
-// ErrIfDeleted returns an error if the user is in deleted state.
-// This error can be enriched with specific operation by the called using errors.WithAdditionalf
-func (u *StorableUser) ErrIfDeleted() error {
-	if u.Status == UserStatusDeleted {
-		return errors.New(errors.TypeUnsupported, ErrCodeUserStatusDeleted, "unsupported operation for deleted user")
-	}
-	return nil
-}
-
 // ErrIfPending returns an error if the user is in pending invite state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfPending() error {
@@ -266,40 +186,10 @@ func (u *User) ErrIfPending() error {
 	return nil
 }
 
-func (u *User) PatchRoles(targetRoles []string) ([]string, []string) {
-	currentRolesSet := make(map[string]struct{}, len(u.Roles))
-	inputRolesSet := make(map[string]struct{}, len(targetRoles))
-
-	for _, role := range u.Roles {
-		currentRolesSet[role] = struct{}{}
-	}
-	for _, role := range targetRoles {
-		inputRolesSet[role] = struct{}{}
-	}
-
-	// additions: roles present in input but not in current
-	additions := []string{}
-	for _, role := range targetRoles {
-		if _, exists := currentRolesSet[role]; !exists {
-			additions = append(additions, role)
-		}
-	}
-
-	// deletions: roles present in current but not in input
-	deletions := []string{}
-	for _, role := range u.Roles {
-		if _, exists := inputRolesSet[role]; !exists {
-			deletions = append(deletions, role)
-		}
-	}
-
-	return additions, deletions
-}
-
 func NewTraitsFromUser(user *User) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
-		"roles":        user.Roles,
+		"role":         user.Role,
 		"email":        user.Email.String(),
 		"display_name": user.DisplayName,
 		"status":       user.Status,
@@ -325,33 +215,33 @@ func (request *PostableRegisterOrgAndAdmin) UnmarshalJSON(data []byte) error {
 
 type UserStore interface {
 	// Creates a user.
-	CreateUser(ctx context.Context, user *StorableUser) error
+	CreateUser(ctx context.Context, user *User) error
 
 	// Get user by id.
-	GetUser(context.Context, valuer.UUID) (*StorableUser, error)
+	GetUser(context.Context, valuer.UUID) (*User, error)
 
 	// Get user by orgID and id.
-	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*StorableUser, error)
+	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*User, error)
 
 	// Get user by email and orgID.
-	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*StorableUser, error)
+	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)
 
 	// Get users by email.
-	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*StorableUser, error)
+	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*User, error)
 
-	// Get active users by role name and org. join to user_role table.
-	GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*StorableUser, error)
+	// Get users by role and org.
+	GetActiveUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
 
 	// List users by org.
-	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*StorableUser, error)
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*User, error)
 
 	// List users by email and org ids.
-	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*StorableUser, error)
+	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*User, error)
 
 	// Get users for an org id using emails and statuses
-	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*StorableUser, error)
+	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*User, error)
 
-	UpdateUser(ctx context.Context, orgID valuer.UUID, user *StorableUser) error
+	UpdateUser(ctx context.Context, orgID valuer.UUID, user *User) error
 	DeleteUser(ctx context.Context, orgID string, id string) error
 	SoftDeleteUser(ctx context.Context, orgID string, id string) error
 
@@ -377,10 +267,10 @@ type UserStore interface {
 	CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error)
 
 	// Get root user by org.
-	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*StorableUser, error)
+	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*User, error)
 
 	// Get user by reset password token
-	GetUserByResetPasswordToken(ctx context.Context, token string) (*StorableUser, error)
+	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)
 
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error

tests/integration/src/querier/04_traces.py

@@ -696,7 +696,6 @@ def test_traces_list_with_corrupt_data(
     assert response.status_code == status_code
 
     if response.status_code == HTTPStatus.OK:
-
         if not results(traces):
             # No results expected
             assert response.json()["data"]["data"]["results"][0]["rows"] is None
@@ -2026,3 +2025,249 @@ def test_traces_fill_zero_formula_with_group_by(
             expected_by_ts=expectations[service_name],
             context=f"traces/fillZero/F1/{service_name}",
         )
+
+
+def test_traces_list_filter_by_trace_id(
+    signoz: types.SigNoz,
+    create_user_admin: None,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    insert_traces: Callable[[List[Traces]], None],
+) -> None:
+    """
+    Tests that filtering by trace_id:
+    1. Returns the matching span (narrow window, single bucket).
+    2. Does not return duplicate spans when the query window spans multiple
+       exponential buckets (>1 h) — regression test for the expand-vs-clamp bug.
+    3. Returns no results when the query window does not contain the trace.
+    """
+    target_trace_id = TraceIdGenerator.trace_id()
+    other_trace_id = TraceIdGenerator.trace_id()
+    span_id_root = TraceIdGenerator.span_id()
+    other_span_id = TraceIdGenerator.span_id()
+
+    now = datetime.now(tz=timezone.utc).replace(second=0, microsecond=0)
+
+    common_resources = {
+        "deployment.environment": "production",
+        "service.name": "trace-filter-service",
+        "cloud.provider": "integration",
+    }
+
+    insert_traces(
+        [
+            Traces(
+                timestamp=now - timedelta(seconds=10),
+                duration=timedelta(seconds=5),
+                trace_id=target_trace_id,
+                span_id=span_id_root,
+                parent_span_id="",
+                name="root-span",
+                kind=TracesKind.SPAN_KIND_SERVER,
+                status_code=TracesStatusCode.STATUS_CODE_OK,
+                status_message="",
+                resources=common_resources,
+                attributes={"http.request.method": "GET"},
+            ),
+            # span from a different trace — must not appear in results
+            Traces(
+                timestamp=now - timedelta(seconds=5),
+                duration=timedelta(seconds=1),
+                trace_id=other_trace_id,
+                span_id=other_span_id,
+                parent_span_id="",
+                name="other-root-span",
+                kind=TracesKind.SPAN_KIND_SERVER,
+                status_code=TracesStatusCode.STATUS_CODE_OK,
+                status_message="",
+                resources=common_resources,
+                attributes={},
+            ),
+        ]
+    )
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    trace_filter = f"trace_id = '{target_trace_id}'"
+
+    def _query(start_ms: int, end_ms: int) -> List:
+        response = make_query_request(
+            signoz,
+            token,
+            start_ms=start_ms,
+            end_ms=end_ms,
+            request_type="raw",
+            queries=[
+                {
+                    "type": "builder_query",
+                    "spec": {
+                        "name": "A",
+                        "signal": "traces",
+                        "limit": 100,
+                        "offset": 0,
+                        "filter": {"expression": trace_filter},
+                        "order": [{"key": {"name": "timestamp"}, "direction": "desc"}],
+                        "selectFields": [
+                            {
+                                "name": "name",
+                                "fieldDataType": "string",
+                                "fieldContext": "span",
+                                "signal": "traces",
+                            }
+                        ],
+                    },
+                }
+            ],
+        )
+        assert response.status_code == HTTPStatus.OK
+        assert response.json()["status"] == "success"
+        return response.json()["data"]["data"]["results"][0]["rows"] or []
+
+    now_ms = int(now.timestamp() * 1000)
+
+    # --- Test 1: narrow window (single bucket, <1 h) ---
+    narrow_start_ms = int((now - timedelta(minutes=5)).timestamp() * 1000)
+    narrow_rows = _query(narrow_start_ms, now_ms)
+
+    assert len(narrow_rows) == 1, (
+        f"Expected 1 span for trace_id filter (narrow window), got {len(narrow_rows)}"
+    )
+    assert narrow_rows[0]["data"]["span_id"] == span_id_root
+    assert narrow_rows[0]["data"]["trace_id"] == target_trace_id
+
+    # --- Test 2: wide window (>1 h, triggers multiple exponential buckets) ---
+    # should just return 1 span, not duplicate
+    wide_start_ms = int((now - timedelta(hours=12)).timestamp() * 1000)
+    wide_rows = _query(wide_start_ms, now_ms)
+
+    assert len(wide_rows) == 1, (
+        f"Expected 1 span for trace_id filter (wide window, multi-bucket), "
+        f"got {len(wide_rows)} — possible duplicate-span regression"
+    )
+    assert wide_rows[0]["data"]["span_id"] == span_id_root
+    assert wide_rows[0]["data"]["trace_id"] == target_trace_id
+
+    # --- Test 3: window that does not contain the trace returns no results ---
+    past_start_ms = int((now - timedelta(hours=6)).timestamp() * 1000)
+    past_end_ms = int((now - timedelta(hours=2)).timestamp() * 1000)
+    past_rows = _query(past_start_ms, past_end_ms)
+
+    assert len(past_rows) == 0, (
+        f"Expected 0 spans for trace_id filter outside time window, "
+        f"got {len(past_rows)}"
+    )
+
+
+def test_traces_list_filter_by_trace_id_cross_bucket(
+    signoz: types.SigNoz,
+    create_user_admin: None,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    insert_traces: Callable[[List[Traces]], None],
+) -> None:
+    """
+    Regression test for multi-bucket trace_id queries.
+
+    Setup: a single trace with two spans placed in different exponential buckets.
+      makeBuckets over a 3-hour window produces (newest-first):
+        bucket 1: [now-1h,  now]       ← span_a lives here (now-30min)
+        bucket 2: [now-3h,  now-1h]    ← span_b lives here (now-90min)
+
+    Without the fix: both buckets expanded their window to [traceStart, traceEnd]
+    and therefore each returned both spans → 4 rows total (duplicates).
+
+    With the fix: each bucket is tied to its intersection with the trace range,
+    so bucket 1 returns span_a and bucket 2 returns span_b → exactly 2 rows.
+    """
+    trace_id = TraceIdGenerator.trace_id()
+    span_id_a = TraceIdGenerator.span_id()
+    span_id_b = TraceIdGenerator.span_id()
+
+    now = datetime.now(tz=timezone.utc).replace(second=0, microsecond=0)
+
+    common_resources = {
+        "deployment.environment": "production",
+        "service.name": "cross-bucket-service",
+        "cloud.provider": "integration",
+    }
+
+    insert_traces(
+        [
+            # span_a: sits in bucket 1 [now-1h, now]
+            Traces(
+                timestamp=now - timedelta(minutes=30),
+                duration=timedelta(seconds=1),
+                trace_id=trace_id,
+                span_id=span_id_a,
+                parent_span_id="",
+                name="span-a",
+                kind=TracesKind.SPAN_KIND_SERVER,
+                status_code=TracesStatusCode.STATUS_CODE_OK,
+                status_message="",
+                resources=common_resources,
+                attributes={},
+            ),
+            # span_b: sits in bucket 2 [now-3h, now-1h]
+            Traces(
+                timestamp=now - timedelta(minutes=90),
+                duration=timedelta(seconds=1),
+                trace_id=trace_id,
+                span_id=span_id_b,
+                parent_span_id=span_id_a,
+                name="span-b",
+                kind=TracesKind.SPAN_KIND_CLIENT,
+                status_code=TracesStatusCode.STATUS_CODE_OK,
+                status_message="",
+                resources=common_resources,
+                attributes={},
+            ),
+        ]
+    )
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # 3-hour window forces makeBuckets to create two buckets:
+    #   bucket 1: [now-1h, now]
+    #   bucket 2: [now-3h, now-1h]
+    start_ms = int((now - timedelta(hours=3)).timestamp() * 1000)
+    end_ms = int(now.timestamp() * 1000)
+
+    response = make_query_request(
+        signoz,
+        token,
+        start_ms=start_ms,
+        end_ms=end_ms,
+        request_type="raw",
+        queries=[
+            {
+                "type": "builder_query",
+                "spec": {
+                    "name": "A",
+                    "signal": "traces",
+                    "limit": 100,
+                    "offset": 0,
+                    "filter": {"expression": f"trace_id = '{trace_id}'"},
+                    "order": [{"key": {"name": "timestamp"}, "direction": "desc"}],
+                    "selectFields": [
+                        {
+                            "name": "name",
+                            "fieldDataType": "string",
+                            "fieldContext": "span",
+                            "signal": "traces",
+                        }
+                    ],
+                },
+            }
+        ],
+    )
+
+    assert response.status_code == HTTPStatus.OK
+    assert response.json()["status"] == "success"
+
+    rows = response.json()["data"]["data"]["results"][0]["rows"] or []
+
+    assert len(rows) == 2, (
+        f"Expected exactly 2 spans (one per bucket), got {len(rows)} — "
+        f"likely a duplicate-span regression from bucket window expansion"
+    )
+    returned_span_ids = {r["data"]["span_id"] for r in rows}
+    assert returned_span_ids == {span_id_a, span_id_b}
+    assert all(r["data"]["trace_id"] == trace_id for r in rows)