feat(authz): revert role details changes

- Add CheckAll middleware (AND of OR groups) for multi-resource authz checks
- Switch SA role routes (SetRole, DeleteRole) to VerbAttach on ResourceServiceAccount
- Add RoleAttachSelectors on SA module for role-level VerbAttach resolution
- DeleteRole uses CheckAll (both checks at middleware from URL params)
- SetRole uses Check (entity) at middleware + module-level role attach check
- Add migration 078 to backfill FGA tuples for existing organizations
- Add authz contributing guide (docs/contributing/go/authz.md)
- Regenerate OpenAPI spec with scoped security schemes

cmd/authz.go

@@ -66,9 +66,10 @@ func runGenerateAuthz(_ context.Context) error {
 	registry := coretypes.NewRegistry()
 
 	allowedResources := map[string]bool{
-		coretypes.NewResourceRef(coretypes.ResourceServiceAccount).String():    true,
-		coretypes.NewResourceRef(coretypes.ResourceRole).String():              true,
-		coretypes.NewResourceRef(coretypes.ResourceMetaResourcesRole).String(): true,
+		coretypes.NewResourceRef(coretypes.ResourceServiceAccount).String():              true,
+		coretypes.NewResourceRef(coretypes.ResourceMetaResourcesServiceAccount).String(): true,
+		coretypes.NewResourceRef(coretypes.ResourceRole).String():                        true,
+		coretypes.NewResourceRef(coretypes.ResourceMetaResourcesRole).String():           true,
 	}
 
 	allowedTypes := map[string]bool{}

docs/api/openapi.yml

@@ -448,6 +448,7 @@ components:
       - delete
       - list
       - assignee
+      - attach
       type: string
     AuthtypesRole:
       properties:
@@ -9377,9 +9378,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:list
       - tokenizer:
-        - ADMIN
+        - serviceaccount:list
       summary: List service accounts
       tags:
       - serviceaccount
@@ -9439,9 +9440,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:create
       - tokenizer:
-        - ADMIN
+        - serviceaccount:create
       summary: Create service account
       tags:
       - serviceaccount
@@ -9489,9 +9490,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:delete
       - tokenizer:
-        - ADMIN
+        - serviceaccount:delete
       summary: Deletes a service account
       tags:
       - serviceaccount
@@ -9546,9 +9547,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:read
       - tokenizer:
-        - ADMIN
+        - serviceaccount:read
       summary: Gets a service account
       tags:
       - serviceaccount
@@ -9606,9 +9607,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:update
       - tokenizer:
-        - ADMIN
+        - serviceaccount:update
       summary: Updates a service account
       tags:
       - serviceaccount
@@ -9660,9 +9661,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:read
       - tokenizer:
-        - ADMIN
+        - serviceaccount:read
       summary: List service account keys
       tags:
       - serviceaccount
@@ -9728,9 +9729,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:update
       - tokenizer:
-        - ADMIN
+        - serviceaccount:update
       summary: Create a service account key
       tags:
       - serviceaccount
@@ -9783,9 +9784,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:update
       - tokenizer:
-        - ADMIN
+        - serviceaccount:update
       summary: Revoke a service account key
       tags:
       - serviceaccount
@@ -9848,9 +9849,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:update
       - tokenizer:
-        - ADMIN
+        - serviceaccount:update
       summary: Updates a service account key
       tags:
       - serviceaccount
@@ -9909,9 +9910,9 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:read
       - tokenizer:
-        - ADMIN
+        - serviceaccount:read
       summary: Gets service account roles
       tags:
       - serviceaccount
@@ -9971,9 +9972,11 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:attach
+        - role:attach
       - tokenizer:
-        - ADMIN
+        - serviceaccount:attach
+        - role:attach
       summary: Create service account role
       tags:
       - serviceaccount
@@ -10020,9 +10023,11 @@ paths:
           description: Internal Server Error
       security:
       - api_key:
-        - ADMIN
+        - serviceaccount:attach
+        - role:attach
       - tokenizer:
-        - ADMIN
+        - serviceaccount:attach
+        - role:attach
       summary: Delete service account role
       tags:
       - serviceaccount

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -1839,6 +1839,7 @@ export enum AuthtypesRelationDTO {
 	delete = 'delete',
 	list = 'list',
 	assignee = 'assignee',
+	attach = 'attach',
 }
 export interface AuthtypesRoleDTO {
 	/**

frontend/src/hooks/useAuthZ/permissions.type.ts

@@ -7,6 +7,10 @@ export default {
 				kind: 'role',
 				type: 'metaresources',
 			},
+			{
+				kind: 'serviceaccount',
+				type: 'metaresources',
+			},
 			{
 				kind: 'role',
 				type: 'role',

pkg/apiserver/signozapiserver/provider.go

@@ -60,6 +60,7 @@ type provider struct {
 	rawDataExportHandler    rawdataexport.Handler
 	zeusHandler             zeus.Handler
 	querierHandler          querier.Handler
+	serviceAccountModule    serviceaccount.Module
 	serviceAccountHandler   serviceaccount.Handler
 	factoryHandler          factory.Handler
 	cloudIntegrationHandler cloudintegration.Handler
@@ -92,6 +93,7 @@ func NewFactory(
 	rawDataExportHandler rawdataexport.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
+	serviceAccountModule serviceaccount.Module,
 	serviceAccountHandler serviceaccount.Handler,
 	factoryHandler factory.Handler,
 	cloudIntegrationHandler cloudintegration.Handler,
@@ -127,6 +129,7 @@ func NewFactory(
 			rawDataExportHandler,
 			zeusHandler,
 			querierHandler,
+			serviceAccountModule,
 			serviceAccountHandler,
 			factoryHandler,
 			cloudIntegrationHandler,
@@ -164,6 +167,7 @@ func newProvider(
 	rawDataExportHandler rawdataexport.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
+	serviceAccountModule serviceaccount.Module,
 	serviceAccountHandler serviceaccount.Handler,
 	factoryHandler factory.Handler,
 	cloudIntegrationHandler cloudintegration.Handler,
@@ -199,6 +203,7 @@ func newProvider(
 		rawDataExportHandler:    rawDataExportHandler,
 		zeusHandler:             zeusHandler,
 		querierHandler:          querierHandler,
+		serviceAccountModule:    serviceAccountModule,
 		serviceAccountHandler:   serviceAccountHandler,
 		factoryHandler:          factoryHandler,
 		cloudIntegrationHandler: cloudIntegrationHandler,
@@ -336,10 +341,7 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 }
 
 func newSecuritySchemes(role types.Role) []handler.OpenAPISecurityScheme {
-	return []handler.OpenAPISecurityScheme{
-		{Name: authtypes.IdentNProviderAPIKey.StringValue(), Scopes: []string{role.String()}},
-		{Name: authtypes.IdentNProviderTokenizer.StringValue(), Scopes: []string{role.String()}},
-	}
+	return newScopedSecuritySchemes([]string{role.String()})
 }
 
 func newAnonymousSecuritySchemes(scopes []string) []handler.OpenAPISecurityScheme {
@@ -347,3 +349,10 @@ func newAnonymousSecuritySchemes(scopes []string) []handler.OpenAPISecuritySchem
 		{Name: authtypes.IdentNProviderAnonymous.StringValue(), Scopes: scopes},
 	}
 }
+
+func newScopedSecuritySchemes(scopes []string) []handler.OpenAPISecurityScheme {
+	return []handler.OpenAPISecurityScheme{
+		{Name: authtypes.IdentNProviderAPIKey.StringValue(), Scopes: scopes},
+		{Name: authtypes.IdentNProviderTokenizer.StringValue(), Scopes: scopes},
+	}
+}

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -4,14 +4,19 @@ import (
 	"net/http"
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/http/middleware"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
 
 func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Create), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.Check(provider.serviceAccountHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceMetaResourcesServiceAccount, serviceAccountCollectionSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "CreateServiceAccount",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Create service account",
@@ -23,12 +28,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourcesServiceAccount.Scope(coretypes.VerbCreate)}),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.List), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.Check(provider.serviceAccountHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceMetaResourcesServiceAccount, serviceAccountCollectionSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "ListServiceAccounts",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "List service accounts",
@@ -40,7 +47,7 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourcesServiceAccount.Scope(coretypes.VerbList)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
@@ -62,7 +69,9 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Get), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.Check(provider.serviceAccountHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "GetServiceAccount",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Gets a service account",
@@ -74,12 +83,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.GetRoles), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.Check(provider.serviceAccountHandler.GetRoles, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "GetServiceAccountRoles",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Gets service account roles",
@@ -91,12 +102,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.SetRole), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.Check(provider.serviceAccountHandler.SetRole, authtypes.Relation{Verb: coretypes.VerbAttach}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "CreateServiceAccountRole",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Create service account role",
@@ -108,12 +121,19 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{http.StatusBadRequest},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.DeleteRole), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authZ.CheckAll(provider.serviceAccountHandler.DeleteRole, []middleware.AuthZCheckGroup{
+		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{
+			authtypes.SigNozAdminRoleName,
+		}}},
+		{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleAttachSelectorFromPath, Roles: []string{
+			authtypes.SigNozAdminRoleName,
+		}}},
+	}), handler.OpenAPIDef{
 		ID:                  "DeleteServiceAccountRole",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Delete service account role",
@@ -125,7 +145,7 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),
 	})).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
@@ -147,7 +167,9 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Update), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.Check(provider.serviceAccountHandler.Update, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "UpdateServiceAccount",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Updates a service account",
@@ -159,12 +181,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
 	})).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Delete), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.Check(provider.serviceAccountHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "DeleteServiceAccount",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Deletes a service account",
@@ -176,12 +200,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),
 	})).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.CreateFactorAPIKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.Check(provider.serviceAccountHandler.CreateFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "CreateServiceAccountKey",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Create a service account key",
@@ -193,12 +219,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.ListFactorAPIKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.Check(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "ListServiceAccountKeys",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "List service account keys",
@@ -210,12 +238,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateFactorAPIKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.Check(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "UpdateServiceAccountKey",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Updates a service account key",
@@ -227,12 +257,14 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
 	})).Methods(http.MethodPut).GetError(); err != nil {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.RevokeFactorAPIKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.Check(provider.serviceAccountHandler.RevokeFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{
+		authtypes.SigNozAdminRoleName,
+	}), handler.OpenAPIDef{
 		ID:                  "RevokeServiceAccountKey",
 		Tags:                []string{"serviceaccount"},
 		Summary:             "Revoke a service account key",
@@ -244,10 +276,38 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),
 	})).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
 
 	return nil
 }
+
+func (provider *provider) roleAttachSelectorFromPath(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {
+	roleID, err := valuer.NewUUID(mux.Vars(req)["rid"])
+	if err != nil {
+		return nil, err
+	}
+
+	return provider.serviceAccountModule.RoleAttachSelectors(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)
+}
+
+func serviceAccountCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
+	return []coretypes.Selector{
+		coretypes.TypeMetaResources.MustSelector(coretypes.WildCardSelectorString),
+	}, nil
+}
+
+func serviceAccountInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {
+	id := mux.Vars(req)["id"]
+	idSelector, err := coretypes.TypeServiceAccount.Selector(id)
+	if err != nil {
+		return nil, err
+	}
+
+	return []coretypes.Selector{
+		idSelector,
+		coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),
+	}, nil
+}

pkg/http/middleware/authz.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -18,6 +19,20 @@ const (
 	authzDeniedMessage string = "::AUTHZ-DENIED::"
 )
 
+type AuthZCheckDef struct {
+	Relation         authtypes.Relation
+	Resource         coretypes.Resource
+	SelectorCallback selectorCallbackWithClaimsFn
+	Roles            []string
+}
+
+// AuthZCheckGroup is a set of checks OR'd together.
+// At least one check in the group must pass for the group to pass.
+type AuthZCheckGroup []AuthZCheckDef
+
+type selectorCallbackWithClaimsFn func(*http.Request, authtypes.Claims) ([]coretypes.Selector, error)
+type selectorCallbackWithoutClaimsFn func(*http.Request, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)
+
 type AuthZ struct {
 	logger       *slog.Logger
 	orgGetter    organization.Getter
@@ -186,7 +201,7 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
 	})
 }
 
-func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb authtypes.SelectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
+func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		claims, err := authtypes.ClaimsFromContext(ctx)
@@ -216,7 +231,61 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio
 	})
 }
 
-func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb authtypes.SelectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
+// CheckAll verifies groups of permission checks.
+// Within each group, checks are OR'd (any check passing = group passes).
+// Across groups, results are AND'd (all groups must pass).
+//
+// This model expresses any combination:
+//   - Single check:          []AuthZCheckGroup{{checkA}}
+//   - Pure AND:              []AuthZCheckGroup{{checkA}, {checkB}}
+//   - Cross-resource OR:     []AuthZCheckGroup{{checkA, checkB}}
+//   - Mixed (A OR B) AND C:  []AuthZCheckGroup{{checkA, checkB}, {checkC}}
+func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGroup) http.HandlerFunc {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		ctx := req.Context()
+		claims, err := authtypes.ClaimsFromContext(ctx)
+		if err != nil {
+			render.Error(rw, err)
+			return
+		}
+
+		orgID := valuer.MustNewUUID(claims.OrgID)
+
+		for _, group := range groups {
+			groupPassed := false
+			var lastErr error
+
+			for _, check := range group {
+				selectors, err := check.SelectorCallback(req, claims)
+				if err != nil {
+					render.Error(rw, err)
+					return
+				}
+
+				roleSelectors := make([]coretypes.Selector, len(check.Roles))
+				for idx, role := range check.Roles {
+					roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)
+				}
+
+				err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, check.Relation, check.Resource, selectors, roleSelectors)
+				if err == nil {
+					groupPassed = true
+					break
+				}
+				lastErr = err
+			}
+
+			if !groupPassed {
+				render.Error(rw, lastErr)
+				return
+			}
+		}
+
+		next(rw, req)
+	})
+}
+
+func (middleware *AuthZ) CheckWithoutClaims(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithoutClaimsFn, roles []string) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		orgs, err := middleware.orgGetter.ListByOwnedKeyRange(ctx)

pkg/modules/serviceaccount/implserviceaccount/module.go

@@ -376,7 +376,43 @@ func (module *module) getOrGetSetIdentity(ctx context.Context, serviceAccountID
 	return identity, nil
 }
 
+func (module *module) RoleAttachSelectors(ctx context.Context, orgID valuer.UUID, roleID valuer.UUID) ([]coretypes.Selector, error) {
+	role, err := module.authz.Get(ctx, orgID, roleID)
+	if err != nil {
+		return nil, err
+	}
+
+	return []coretypes.Selector{
+		coretypes.TypeRole.MustSelector(role.Name),
+		coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),
+	}, nil
+}
+
 func (module *module) setRole(ctx context.Context, orgID valuer.UUID, id valuer.UUID, role *authtypes.Role) error {
+	// Role-level attach check. The entity-level attach check (VerbAttach on the SA)
+	// is done in the middleware. The role check lives here because the role ID comes
+	// from the request body which is only available after the handler parses it.
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	selectors, err := module.RoleAttachSelectors(ctx, orgID, role.ID)
+	if err != nil {
+		return err
+	}
+
+	err = module.authz.CheckWithTupleCreation(
+		ctx, claims, orgID,
+		authtypes.Relation{Verb: coretypes.VerbAttach},
+		coretypes.ResourceRole,
+		selectors,
+		[]coretypes.Selector{coretypes.TypeRole.MustSelector(authtypes.SigNozAdminRoleName)},
+	)
+	if err != nil {
+		return errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "caller does not have permission to grant role %q", role.Name)
+	}
+
 	serviceAccount, err := module.GetWithRoles(ctx, orgID, id)
 	if err != nil {
 		return err
@@ -431,3 +467,4 @@ func apiKeyCacheKey(apiKey string) string {
 func identityCacheKey(serviceAccountID valuer.UUID) string {
 	return "identity::" + serviceAccountID.String()
 }
+

pkg/modules/serviceaccount/serviceaccount.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/statsreporter"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
@@ -35,6 +36,9 @@ type Module interface {
 	// Updates an existing service account
 	Update(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
 
+	// RoleAttachSelectors returns the selectors needed to check VerbAttach permission on a role.
+	RoleAttachSelectors(context.Context, valuer.UUID, valuer.UUID) ([]coretypes.Selector, error)
+
 	// Assign a role to the service account. this is safe to retry
 	SetRole(context.Context, valuer.UUID, valuer.UUID, valuer.UUID) error
 

pkg/signoz/openapi.go

@@ -72,6 +72,7 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ rawdataexport.Handler }{},
 		struct{ zeus.Handler }{},
 		struct{ querier.Handler }{},
+		struct{ serviceaccount.Module }{},
 		struct{ serviceaccount.Handler }{},
 		struct{ factory.Handler }{},
 		struct{ cloudintegration.Handler }{},

pkg/signoz/provider.go

@@ -195,6 +195,7 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewServiceAccountAuthzactory(sqlstore),
 		sqlmigration.NewDropUserDeletedAtFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateAWSAllRegionsFactory(sqlstore),
+		sqlmigration.NewAddServiceAccountManagedRoleTransactionsFactory(sqlstore),
 	)
 }
 
@@ -277,6 +278,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.RawDataExport,
 			handlers.ZeusHandler,
 			handlers.QuerierHandler,
+			modules.ServiceAccount,
 			handlers.ServiceAccountHandler,
 			handlers.RegistryHandler,
 			handlers.CloudIntegrationHandler,

pkg/sqlmigration/078_add_sa_managed_role_txn.go

@@ -0,0 +1,150 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/oklog/ulid/v2"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addServiceAccountManagedRoleTransactions struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewAddServiceAccountManagedRoleTransactionsFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_sa_managed_role_txn"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addServiceAccountManagedRoleTransactions{sqlstore: sqlstore}, nil
+	})
+}
+
+func (migration *addServiceAccountManagedRoleTransactions) Register(migrations *migrate.Migrations) error {
+	return migrations.Register(migration.Up, migration.Down)
+}
+
+// managedRoleTuple describes a single FGA tuple to insert for a managed role.
+type managedRoleTuple struct {
+	roleName   string
+	objectType string // "metaresources" or "metaresource"
+	objectName string // "service-accounts" or "service-account"
+	relation   string // "create", "list", "read", "update", "delete"
+}
+
+func (migration *addServiceAccountManagedRoleTransactions) Up(ctx context.Context, db *bun.DB) error {
+	// All tuples that need to be created for service account FGA managed role permissions.
+	tuples := []managedRoleTuple{
+		{authtypes.SigNozAdminRoleName, "role", "role", "attach"},
+		{authtypes.SigNozAdminRoleName, "serviceaccount", "serviceaccount", "attach"},
+		{authtypes.SigNozAdminRoleName, "metaresources", "serviceaccount", "create"},
+		{authtypes.SigNozAdminRoleName, "metaresources", "serviceaccount", "list"},
+		{authtypes.SigNozAdminRoleName, "serviceaccount", "serviceaccount", "read"},
+		{authtypes.SigNozAdminRoleName, "serviceaccount", "serviceaccount", "update"},
+		{authtypes.SigNozAdminRoleName, "serviceaccount", "serviceaccount", "delete"},
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	var storeID string
+	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
+	if err != nil {
+		return err
+	}
+
+	// Fetch all orgs.
+	var orgIDs []string
+	rows, err := tx.QueryContext(ctx, `SELECT id FROM organizations`)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+	for rows.Next() {
+		var orgID string
+		if err := rows.Scan(&orgID); err != nil {
+			return err
+		}
+		orgIDs = append(orgIDs, orgID)
+	}
+
+	isPG := migration.sqlstore.BunDB().Dialect().Name() == dialect.PG
+
+	for _, orgID := range orgIDs {
+		for _, tuple := range tuples {
+			entropy := ulid.DefaultEntropy()
+			now := time.Now().UTC()
+			tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
+
+			objectID := "organization/" + orgID + "/" + tuple.objectName + "/*"
+			roleSubject := "organization/" + orgID + "/role/" + tuple.roleName
+
+			if isPG {
+				user := "role:" + roleSubject + "#assignee"
+				result, err := tx.ExecContext(ctx, `
+					INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+					ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
+					storeID, tuple.objectType, objectID, tuple.relation, user, "userset", tupleID, now,
+				)
+				if err != nil {
+					return err
+				}
+				rowsAffected, err := result.RowsAffected()
+				if err != nil {
+					return err
+				}
+				if rowsAffected == 0 {
+					continue
+				}
+				_, err = tx.ExecContext(ctx, `
+					INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+					ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+					storeID, tuple.objectType, objectID, tuple.relation, user, "TUPLE_OPERATION_WRITE", tupleID, now,
+				)
+				if err != nil {
+					return err
+				}
+			} else {
+				result, err := tx.ExecContext(ctx, `
+					INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+					ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
+					storeID, tuple.objectType, objectID, tuple.relation, "role", roleSubject, "assignee", "userset", tupleID, now,
+				)
+				if err != nil {
+					return err
+				}
+				rowsAffected, err := result.RowsAffected()
+				if err != nil {
+					return err
+				}
+				if rowsAffected == 0 {
+					continue
+				}
+				_, err = tx.ExecContext(ctx, `
+					INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
+					VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+					ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+					storeID, tuple.objectType, objectID, tuple.relation, "role", roleSubject, "assignee", 0, tupleID, now,
+				)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addServiceAccountManagedRoleTransactions) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/types/authtypes/role.go

@@ -176,7 +176,7 @@ func GetAdditionTuples(name string, orgID valuer.UUID, relation Relation, additi
 		transactionTuples := NewTuples(
 			resource,
 			MustNewSubject(
-				resource,
+				coretypes.NewResourceRole(),
 				name,
 				orgID,
 				&coretypes.VerbAssignee,
@@ -200,7 +200,7 @@ func GetDeletionTuples(name string, orgID valuer.UUID, relation Relation, deleti
 		transactionTuples := NewTuples(
 			resource,
 			MustNewSubject(
-				resource,
+				coretypes.NewResourceRole(),
 				name,
 				orgID,
 				&coretypes.VerbAssignee,

pkg/types/authtypes/tuple.go

@@ -1,18 +1,12 @@
 package authtypes
 
 import (
-	"net/http"
-
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/coretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 )
 
-type SelectorCallbackWithClaimsFn func(*http.Request, Claims) ([]coretypes.Selector, error)
-type SelectorCallbackWithoutClaimsFn func(*http.Request, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)
-
 var (
 	ErrCodeAuthZUnavailable = errors.MustNewCode("authz_unavailable")
 	ErrCodeAuthZForbidden   = errors.MustNewCode("authz_forbidden")

pkg/types/coretypes/registry_resource.go

@@ -9,7 +9,6 @@ var Resources = []Resource{
 	ResourceMetaResourcesRole,
 	ResourceMetaResourcesOrganization,
 	ResourceMetaResourcesServiceAccount,
-	ResourceMetaResourcesServiceAccount,
 	ResourceMetaResourcesUser,
 	ResourceMetaResourceNotificationChannel,
 	ResourceMetaResourcesNotificationChannel,

pkg/types/coretypes/verb.go

@@ -28,6 +28,8 @@ func NewVerb(verb string) (Verb, error) {
 		return VerbList, nil
 	case "assignee":
 		return VerbAssignee, nil
+	case "attach":
+		return VerbAttach, nil
 	default:
 		return Verb{}, errors.Newf(errors.TypeInvalidInput, ErrCodeInvalidVerb, "verb %s is invalid, valid verbs are: %s", verb, Verb{}.Enum())
 	}
@@ -41,6 +43,7 @@ func (Verb) Enum() []any {
 		VerbDelete,
 		VerbList,
 		VerbAssignee,
+		VerbAttach,
 	}
 }
 

tests/conftest.py

@@ -25,6 +25,8 @@ pytest_plugins = [
     "fixtures.cloudintegrations",
     "fixtures.jsontypes",
     "fixtures.seeder",
+    "fixtures.serviceaccount",
+    "fixtures.role",
 ]
 
 

tests/fixtures/role.py

@@ -0,0 +1,76 @@
+"""Fixtures and helpers for role tests."""
+
+from http import HTTPStatus
+
+import requests
+
+from fixtures import types
+from fixtures.logger import setup_logger
+
+logger = setup_logger(__name__)
+
+ROLES_BASE = "/api/v1/roles"
+
+
+def find_role_by_name(signoz: types.SigNoz, token: str, name: str) -> str:
+    """Find a role by name from the roles endpoint and return its UUID."""
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(ROLES_BASE),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, resp.text
+    roles = resp.json()["data"]
+    role = next(r for r in roles if r["name"] == name)
+    return role["id"]
+
+
+def create_custom_role(signoz: types.SigNoz, token: str, name: str) -> str:
+    """Create a custom role and return its ID."""
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(ROLES_BASE),
+        json={"name": name},
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.CREATED, resp.text
+    return resp.json()["data"]["id"]
+
+
+def delete_custom_role(signoz: types.SigNoz, token: str, role_id: str) -> None:
+    """Delete a custom role."""
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{ROLES_BASE}/{role_id}"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, resp.text
+
+
+def patch_role_objects(
+    signoz: types.SigNoz,
+    token: str,
+    role_id: str,
+    relation: str,
+    additions=None,
+    deletions=None,
+) -> None:
+    """PATCH /api/v1/roles/{id}/relations/{relation}/objects."""
+    body = {}
+    if additions is not None:
+        body["additions"] = additions
+    if deletions is not None:
+        body["deletions"] = deletions
+
+    resp = requests.patch(
+        signoz.self.host_configs["8080"].get(f"{ROLES_BASE}/{role_id}/relations/{relation}/objects"),
+        json=body,
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"PatchObjects {relation} failed: {resp.text}"
+
+
+def object_group(type_name: str, kind_name: str, selectors: list[str]) -> dict:
+    """Build an ObjectGroup dict for PatchObjects."""
+    return {"resource": {"type": type_name, "kind": kind_name}, "selectors": selectors}

tests/fixtures/serviceaccount.py

@@ -6,24 +6,11 @@ import requests
 
 from fixtures import types
 from fixtures.logger import setup_logger
+from fixtures.role import ROLES_BASE, find_role_by_name  # noqa: F401 — re-export for existing callers
 
 logger = setup_logger(__name__)
 
 SERVICE_ACCOUNT_BASE = "/api/v1/service_accounts"
-ROLES_BASE = "/api/v1/roles"
-
-
-def find_role_by_name(signoz: types.SigNoz, token: str, name: str) -> str:
-    """Find a role by name from the roles endpoint and return its UUID."""
-    resp = requests.get(
-        signoz.self.host_configs["8080"].get(ROLES_BASE),
-        headers={"Authorization": f"Bearer {token}"},
-        timeout=5,
-    )
-    assert resp.status_code == HTTPStatus.OK, resp.text
-    roles = resp.json()["data"]
-    role = next(r for r in roles if r["name"] == name)
-    return role["id"]
 
 
 def create_service_account(signoz: types.SigNoz, token: str, name: str, role: str = "signoz-viewer") -> str:
@@ -75,6 +62,17 @@ def delete_service_account(signoz: types.SigNoz, token: str, service_account_id:
     assert resp.status_code == HTTPStatus.NO_CONTENT, resp.text
 
 
+def get_first_key_id(signoz: types.SigNoz, token: str, service_account_id: str) -> str:
+    """Return the ID of the first API key for a service account."""
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{service_account_id}/keys"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, resp.text
+    return resp.json()["data"][0]["id"]
+
+
 def find_service_account_by_name(signoz: types.SigNoz, token: str, name: str) -> dict:
     """Find a service account by name from the list endpoint."""
     list_resp = requests.get(

tests/integration/tests/serviceaccount/06_fga.py

@@ -0,0 +1,578 @@
+"""Tests for resource-level FGA on service account endpoints.
+
+Validates that a custom role with specific SA permissions gets exactly
+the access it was granted, and that SA role assignment requires BOTH
+serviceaccount:attach AND role:attach.
+"""
+
+from collections.abc import Callable
+from http import HTTPStatus
+
+import requests
+from wiremock.resources.mappings import Mapping
+
+from fixtures import types
+from fixtures.auth import (
+    USER_ADMIN_EMAIL,
+    USER_ADMIN_PASSWORD,
+    add_license,
+    change_user_role,
+    create_active_user,
+    find_user_by_email,
+)
+from fixtures.role import (
+    create_custom_role,
+    delete_custom_role,
+    find_role_by_name,
+    object_group,
+    patch_role_objects,
+)
+from fixtures.serviceaccount import (
+    SERVICE_ACCOUNT_BASE,
+    create_service_account,
+    find_service_account_by_name,
+    get_first_key_id,
+)
+
+SA_FGA_CUSTOM_ROLE_NAME = "sa-fga-readonly"
+SA_FGA_CUSTOM_USER_EMAIL = "customrole+safga@integration.test"
+SA_FGA_CUSTOM_USER_PASSWORD = "password123Z$"
+SA_FGA_TARGET_SA_NAME = "sa-fga-target"
+
+
+# ---------------------------------------------------------------------------
+# 1. Apply license (required for custom role CRUD)
+# ---------------------------------------------------------------------------
+
+
+def test_apply_license(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    make_http_mocks: Callable[[types.TestContainerDocker, list[Mapping]], None],
+    get_token: Callable[[str, str], str],
+) -> None:
+    add_license(signoz, make_http_mocks, get_token)
+
+
+# ---------------------------------------------------------------------------
+# 2. Create custom role + user
+# ---------------------------------------------------------------------------
+
+
+def test_create_custom_role_readonly_sa(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+
+    # Create the custom role.
+    role_id = create_custom_role(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+
+    # Grant read on serviceaccount instances.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "read",
+        additions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    # Grant list on serviceaccount collection.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "list",
+        additions=[
+            object_group("metaresources", "serviceaccount", ["*"]),
+        ],
+    )
+
+    # Create the custom-role user: invite as VIEWER, activate, change role.
+    user_id = create_active_user(
+        signoz,
+        admin_token,
+        email=SA_FGA_CUSTOM_USER_EMAIL,
+        role="VIEWER",
+        password=SA_FGA_CUSTOM_USER_PASSWORD,
+        name="sa-fga-test-user",
+    )
+    change_user_role(signoz, admin_token, user_id, "signoz-viewer", SA_FGA_CUSTOM_ROLE_NAME)
+
+    # Create a target SA (with role + key) for the custom user to operate on.
+    sa_id = create_service_account(signoz, admin_token, SA_FGA_TARGET_SA_NAME, role="signoz-viewer")
+
+    # Create a key on the target SA.
+    key_resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/keys"),
+        json={"name": "fga-key", "expiresAt": 0},
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=5,
+    )
+    assert key_resp.status_code == HTTPStatus.CREATED, key_resp.text
+
+
+# ---------------------------------------------------------------------------
+# 3. Read-only access: allowed operations
+# ---------------------------------------------------------------------------
+
+
+def test_readonly_role_allowed_operations(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+    sa_id = find_service_account_by_name(signoz, get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD), SA_FGA_TARGET_SA_NAME)["id"]
+
+    # List SAs.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(SERVICE_ACCOUNT_BASE),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, f"list SAs: {resp.text}"
+
+    # Get SA.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, f"get SA: {resp.text}"
+
+    # Get SA roles.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, f"get SA roles: {resp.text}"
+
+    # List SA keys.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/keys"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, f"list SA keys: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 4. Read-only access: forbidden operations
+# ---------------------------------------------------------------------------
+
+
+def test_readonly_role_forbidden_operations(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+    viewer_role_id = find_role_by_name(signoz, admin_token, "signoz-viewer")
+    key_id = get_first_key_id(signoz, admin_token, sa_id)
+
+    # Create SA — forbidden.
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(SERVICE_ACCOUNT_BASE),
+        json={"name": "sa-fga-should-fail"},
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"create SA: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Update SA — forbidden.
+    resp = requests.put(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}"),
+        json={"name": "sa-fga-renamed"},
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"update SA: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Delete SA — forbidden.
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"delete SA: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Assign role to SA — forbidden.
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        json={"id": viewer_role_id},
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"assign SA role: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Remove role from SA — forbidden.
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles/{viewer_role_id}"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"remove SA role: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Create key — forbidden (needs update).
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/keys"),
+        json={"name": "fga-key-fail", "expiresAt": 0},
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"create key: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Revoke key — forbidden (needs update).
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/keys/{key_id}"),
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"revoke key: expected 403, got {resp.status_code}: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 5. Grant write permissions, verify access opens up
+# ---------------------------------------------------------------------------
+
+
+def test_patch_role_add_write_permissions(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+    viewer_role_id = find_role_by_name(signoz, admin_token, "signoz-viewer")
+
+    # Grant create on collection.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "create",
+        additions=[
+            object_group("metaresources", "serviceaccount", ["*"]),
+        ],
+    )
+
+    # Grant update on instances.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "update",
+        additions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    # Grant delete on instances.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "delete",
+        additions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    custom_token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+
+    # Create SA — now allowed.
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(SERVICE_ACCOUNT_BASE),
+        json={"name": "sa-fga-write-test"},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.CREATED, f"create SA: {resp.text}"
+    new_sa_id = resp.json()["data"]["id"]
+
+    # Update SA — now allowed.
+    resp = requests.put(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{new_sa_id}"),
+        json={"name": "sa-fga-write-renamed"},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"update SA: {resp.text}"
+
+    # Create key — now allowed (update permission covers key create).
+    key_resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{new_sa_id}/keys"),
+        json={"name": "fga-write-key", "expiresAt": 0},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert key_resp.status_code == HTTPStatus.CREATED, f"create key: {key_resp.text}"
+    new_key_id = key_resp.json()["data"]["id"]
+
+    # Revoke key — now allowed (update permission covers key revoke).
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{new_sa_id}/keys/{new_key_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"revoke key: {resp.text}"
+
+    # Delete SA — now allowed.
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{new_sa_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"delete SA: {resp.text}"
+
+    # Role assignment still forbidden (no attach).
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        json={"id": viewer_role_id},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"assign SA role: expected 403, got {resp.status_code}: {resp.text}"
+
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles/{viewer_role_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"remove SA role: expected 403, got {resp.status_code}: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 6. Dual-attach: SA attach only (no role attach) → forbidden
+# ---------------------------------------------------------------------------
+
+
+def test_attach_with_only_sa_attach_forbidden(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+    viewer_role_id = find_role_by_name(signoz, admin_token, "signoz-viewer")
+
+    # Grant attach on serviceaccount only.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "attach",
+        additions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    custom_token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+
+    # Assign role — forbidden (has SA attach, missing role attach).
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        json={"id": viewer_role_id},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"assign with only SA attach: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Remove role — forbidden (CheckAll: role attach group fails).
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles/{viewer_role_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"remove with only SA attach: expected 403, got {resp.status_code}: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 7. Dual-attach: role attach only (no SA attach) → forbidden
+# ---------------------------------------------------------------------------
+
+
+def test_attach_with_only_role_attach_forbidden(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+    viewer_role_id = find_role_by_name(signoz, admin_token, "signoz-viewer")
+
+    # Remove SA attach, grant role attach.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "attach",
+        additions=[object_group("role", "role", ["*"])],
+        deletions=[object_group("serviceaccount", "serviceaccount", ["*"])],
+    )
+
+    custom_token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+
+    # Assign role — forbidden (middleware SA attach check fails).
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        json={"id": viewer_role_id},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"assign with only role attach: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Remove role — forbidden (CheckAll: SA attach group fails).
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles/{viewer_role_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"remove with only role attach: expected 403, got {resp.status_code}: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 8. Dual-attach: both SA + role attach → succeeds
+# ---------------------------------------------------------------------------
+
+
+def test_attach_with_both_permissions_succeeds(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+
+    # Add back SA attach (role attach already present from previous test).
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "attach",
+        additions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    custom_token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+
+    # The target SA currently has signoz-viewer assigned. Assign a different role.
+    editor_role_id = find_role_by_name(signoz, admin_token, "signoz-editor")
+
+    # Assign editor role — should succeed (both SA attach + role attach).
+    resp = requests.post(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles"),
+        json={"id": editor_role_id},
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"assign with both attach: {resp.text}"
+
+    # Remove the editor role — should succeed (CheckAll: both groups pass).
+    resp = requests.delete(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}/roles/{editor_role_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.NO_CONTENT, f"remove with both attach: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 9. Revoke read/list → verify access lost
+# ---------------------------------------------------------------------------
+
+
+def test_remove_read_permissions_revokes_access(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    sa_id = find_service_account_by_name(signoz, admin_token, SA_FGA_TARGET_SA_NAME)["id"]
+
+    # Revoke read.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "read",
+        deletions=[
+            object_group("serviceaccount", "serviceaccount", ["*"]),
+        ],
+    )
+
+    # Revoke list.
+    patch_role_objects(
+        signoz,
+        admin_token,
+        role_id,
+        "list",
+        deletions=[
+            object_group("metaresources", "serviceaccount", ["*"]),
+        ],
+    )
+
+    custom_token = get_token(SA_FGA_CUSTOM_USER_EMAIL, SA_FGA_CUSTOM_USER_PASSWORD)
+
+    # List SAs — forbidden.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(SERVICE_ACCOUNT_BASE),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"list SAs after revoke: expected 403, got {resp.status_code}: {resp.text}"
+
+    # Get SA — forbidden.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"{SERVICE_ACCOUNT_BASE}/{sa_id}"),
+        headers={"Authorization": f"Bearer {custom_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.FORBIDDEN, f"get SA after revoke: expected 403, got {resp.status_code}: {resp.text}"
+
+
+# ---------------------------------------------------------------------------
+# 10. Clean up: delete custom role
+# ---------------------------------------------------------------------------
+
+
+def test_delete_custom_role_cleanup(
+    signoz: types.SigNoz,
+    create_user_admin: types.Operation,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+):
+    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    role_id = find_role_by_name(signoz, admin_token, SA_FGA_CUSTOM_ROLE_NAME)
+    user = find_user_by_email(signoz, admin_token, SA_FGA_CUSTOM_USER_EMAIL)
+
+    # Remove the custom role from the user first — role deletion requires no assignees.
+    resp = requests.get(
+        signoz.self.host_configs["8080"].get(f"/api/v2/users/{user['id']}/roles"),
+        headers={"Authorization": f"Bearer {admin_token}"},
+        timeout=5,
+    )
+    assert resp.status_code == HTTPStatus.OK, resp.text
+    roles = resp.json()["data"]
+    custom_entry = next((r for r in roles if r["name"] == SA_FGA_CUSTOM_ROLE_NAME), None)
+    if custom_entry is not None:
+        resp = requests.delete(
+            signoz.self.host_configs["8080"].get(f"/api/v2/users/{user['id']}/roles/{custom_entry['id']}"),
+            headers={"Authorization": f"Bearer {admin_token}"},
+            timeout=5,
+        )
+        assert resp.status_code == HTTPStatus.NO_CONTENT, f"remove role from user: {resp.text}"
+
+    delete_custom_role(signoz, admin_token, role_id)