fix: sti

* feat(authz): migrate authorization to authz instead of user.role

* fixup! feat(authz): migrate authorization to authz instead of user.role

address comments

* fixup! fixup! feat(authz): migrate authorization to authz instead of user.role

Allow anonymous to go to unauthorized, otherwise it will loop in errors

* fixup! fixup! fixup! feat(authz): migrate authorization to authz instead of user.role

Improve error message when anonymous

* fixup! fixup! fixup! fixup! feat(authz): migrate authorization to authz instead of user.role

Format breaking with new css

deploy/docker-swarm/docker-compose.ha.yaml

@@ -190,7 +190,7 @@ services:
       # - ../common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
   signoz:
     !!merge <<: *db-depend
-    image: signoz/signoz:v0.116.0
+    image: signoz/signoz:v0.116.1
     ports:
       - "8080:8080" # signoz port
     #   - "6060:6060"     # pprof port

deploy/docker-swarm/docker-compose.yaml

@@ -117,7 +117,7 @@ services:
       # - ../common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
   signoz:
     !!merge <<: *db-depend
-    image: signoz/signoz:v0.116.0
+    image: signoz/signoz:v0.116.1
     ports:
       - "8080:8080" # signoz port
     volumes:

deploy/docker/docker-compose.ha.yaml

@@ -181,7 +181,7 @@ services:
       # - ../common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
   signoz:
     !!merge <<: *db-depend
-    image: signoz/signoz:${VERSION:-v0.116.0}
+    image: signoz/signoz:${VERSION:-v0.116.1}
     container_name: signoz
     ports:
       - "8080:8080" # signoz port

deploy/docker/docker-compose.yaml

@@ -109,7 +109,7 @@ services:
       # - ../common/clickhouse/storage.xml:/etc/clickhouse-server/config.d/storage.xml
   signoz:
     !!merge <<: *db-depend
-    image: signoz/signoz:${VERSION:-v0.116.0}
+    image: signoz/signoz:${VERSION:-v0.116.1}
     container_name: signoz
     ports:
       - "8080:8080" # signoz port

docs/api/openapi.yml

@@ -2061,6 +2061,11 @@ components:
           type: string
         role:
           type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
         token:
           type: string
         updatedAt:
@@ -2143,6 +2148,11 @@ components:
           type: string
         role:
           type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
       type: object
     TypesPostableResetPassword:
       properties:
@@ -2209,6 +2219,11 @@ components:
           type: string
         role:
           type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
         status:
           type: string
         updatedAt:

ee/licensing/httplicensing/provider.go

@@ -198,7 +198,10 @@ func (provider *provider) Checkout(ctx context.Context, organizationID valuer.UU
 
 	response, err := provider.zeus.GetCheckoutURL(ctx, activeLicense.Key, body)
 	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to generate checkout session")
+		if errors.Ast(err, errors.TypeAlreadyExists) {
+			return nil, errors.WithAdditionalf(err, "checkout has already been completed for this account. Please click 'Refresh Status' to sync your subscription")
+		}
+		return nil, err
 	}
 
 	return &licensetypes.GettableSubscription{RedirectURL: gjson.GetBytes(response, "url").String()}, nil
@@ -217,7 +220,7 @@ func (provider *provider) Portal(ctx context.Context, organizationID valuer.UUID
 
 	response, err := provider.zeus.GetPortalURL(ctx, activeLicense.Key, body)
 	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to generate portal session")
+		return nil, err
 	}
 
 	return &licensetypes.GettableSubscription{RedirectURL: gjson.GetBytes(response, "url").String()}, nil

ee/query-service/app/api/cloudIntegrations.go

@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	"log/slog"
+
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -18,7 +20,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
-	"log/slog"
 )
 
 type CloudIntegrationConnectionParamsResponse struct {
@@ -169,7 +170,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
 
-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, []string{authtypes.SigNozViewerRoleName}, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}

ee/sqlstore/postgressqlstore/provider.go

@@ -101,7 +101,7 @@ func (provider *provider) WrapNotFoundErrf(err error, code errors.Code, format s
 
 func (provider *provider) WrapAlreadyExistsErrf(err error, code errors.Code, format string, args ...any) error {
 	var pgErr *pgconn.PgError
-	if errors.As(err, &pgErr) && pgErr.Code == "23505" {
+	if errors.As(err, &pgErr) && (pgErr.Code == "23505" || pgErr.Code == "23503") {
 		return errors.Wrapf(err, errors.TypeAlreadyExists, code, format, args...)
 	}
 

frontend/jest.config.ts

@@ -24,7 +24,8 @@ const config: Config.InitialOptions = {
 			'<rootDir>/node_modules/@signozhq/icons/dist/index.esm.js',
 		'^react-syntax-highlighter/dist/esm/(.*)$':
 			'<rootDir>/node_modules/react-syntax-highlighter/dist/cjs/$1',
-		'^@signozhq/([^/]+)$': '<rootDir>/node_modules/@signozhq/$1/dist/$1.js',
+		'^@signozhq/(?!ui$)([^/]+)$':
+			'<rootDir>/node_modules/@signozhq/$1/dist/$1.js',
 	},
 	extensionsToTreatAsEsm: ['.ts'],
 	testMatch: ['<rootDir>/src/**/*?(*.)(test).(ts|js)?(x)'],

frontend/package.json

@@ -67,6 +67,7 @@
     "@signozhq/table": "0.3.7",
     "@signozhq/toggle-group": "0.0.1",
     "@signozhq/tooltip": "0.0.2",
+    "@signozhq/ui": "0.0.5",
     "@tanstack/react-table": "8.20.6",
     "@tanstack/react-virtual": "3.11.2",
     "@uiw/codemirror-theme-copilot": "4.23.11",

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2450,6 +2450,11 @@ export interface TypesInviteDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 	/**
 	 * @type string
 	 */
@@ -2569,6 +2574,11 @@ export interface TypesPostableInviteDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 }
 
 export interface TypesPostableResetPasswordDTO {
@@ -2677,6 +2687,11 @@ export interface TypesUserDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 	/**
 	 * @type string
 	 */

frontend/src/api/index.ts

@@ -81,7 +81,8 @@ export const interceptorRejected = async (
 				response.config.url !== '/sessions/email_password' &&
 				!(
 					response.config.url === '/sessions' && response.config.method === 'delete'
-				)
+				) &&
+				response.config.url !== '/authz/check'
 			) {
 				try {
 					const accessToken = getLocalStorageApi(LOCALSTORAGE.AUTH_TOKEN);

frontend/src/api/interceptors.test.ts

@@ -0,0 +1,152 @@
+import axios, { AxiosHeaders, AxiosResponse } from 'axios';
+
+import { interceptorRejected } from './index';
+
+jest.mock('api/browser/localstorage/get', () => ({
+	__esModule: true,
+	default: jest.fn(() => 'mock-token'),
+}));
+
+jest.mock('api/v2/sessions/rotate/post', () => ({
+	__esModule: true,
+	default: jest.fn(() =>
+		Promise.resolve({
+			data: { accessToken: 'new-token', refreshToken: 'new-refresh' },
+		}),
+	),
+}));
+
+jest.mock('AppRoutes/utils', () => ({
+	__esModule: true,
+	default: jest.fn(),
+}));
+
+jest.mock('axios', () => {
+	const actualAxios = jest.requireActual('axios');
+	const mockAxios = jest.fn().mockResolvedValue({ data: 'success' });
+
+	return {
+		...actualAxios,
+		default: Object.assign(mockAxios, {
+			...actualAxios.default,
+			isAxiosError: jest.fn().mockReturnValue(true),
+			create: actualAxios.create,
+		}),
+		__esModule: true,
+	};
+});
+
+describe('interceptorRejected', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		((axios as unknown) as jest.Mock).mockResolvedValue({ data: 'success' });
+		((axios.isAxiosError as unknown) as jest.Mock).mockReturnValue(true);
+	});
+
+	it('should preserve array payload structure when retrying a 401 request', async () => {
+		const arrayPayload = [
+			{ relation: 'assignee', object: { resource: { name: 'role' } } },
+			{ relation: 'assignee', object: { resource: { name: 'editor' } } },
+		];
+
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'POST',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: JSON.stringify(arrayPayload),
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'POST',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: JSON.stringify(arrayPayload),
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(Array.isArray(JSON.parse(retryCallConfig.data))).toBe(true);
+		expect(JSON.parse(retryCallConfig.data)).toEqual(arrayPayload);
+	});
+
+	it('should preserve object payload structure when retrying a 401 request', async () => {
+		const objectPayload = { key: 'value', nested: { data: 123 } };
+
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'POST',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: JSON.stringify(objectPayload),
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'POST',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: JSON.stringify(objectPayload),
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(JSON.parse(retryCallConfig.data)).toEqual(objectPayload);
+	});
+
+	it('should handle undefined data gracefully when retrying', async () => {
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'GET',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: undefined,
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'GET',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: undefined,
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(retryCallConfig.data).toBeUndefined();
+	});
+});

frontend/src/assets/UnAuthorized.tsx

@@ -1,8 +1,14 @@
-function UnAuthorized(): JSX.Element {
+function UnAuthorized({
+	width = 137,
+	height = 137,
+}: {
+	height?: number;
+	width?: number;
+}): JSX.Element {
 	return (
 		<svg
-			width="137"
-			height="137"
+			width={width}
+			height={height}
 			viewBox="0 0 137 137"
 			fill="none"
 			xmlns="http://www.w3.org/2000/svg"

frontend/src/auto-import-registry.d.ts

@@ -30,3 +30,4 @@ import '@signozhq/switch';
 import '@signozhq/table';
 import '@signozhq/toggle-group';
 import '@signozhq/tooltip';
+import '@signozhq/ui';

frontend/src/components/ShiftOverlay/ShiftHoldOverlayController.tsx

@@ -1,13 +1,13 @@
 import { createShortcutActions } from '../../constants/shortcutActions';
 import { useCmdK } from '../../providers/cmdKProvider';
+import { ROLES } from '../../types/roles';
 import { ShiftOverlay } from './ShiftOverlay';
 import { useShiftHoldOverlay } from './useShiftHoldOverlay';
 
-type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export function ShiftHoldOverlayController({
 	userRole,
 }: {
-	userRole: UserRole;
+	userRole: ROLES;
 }): JSX.Element | null {
 	const { open: isCmdKOpen } = useCmdK();
 	const noop = (): void => undefined;

frontend/src/components/ShiftOverlay/ShiftOverlay.tsx

@@ -1,18 +1,18 @@
 import { useMemo } from 'react';
 import ReactDOM from 'react-dom';
+import { ROLES } from 'types/roles';
 
 import { formatShortcut } from './formatShortcut';
 
 import './shiftOverlay.scss';
 
-export type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export type CmdAction = {
 	id: string;
 	name: string;
 	shortcut?: string[];
 	keywords?: string;
 	section?: string;
-	roles?: UserRole[];
+	roles?: ROLES[];
 	perform: () => void;
 };
 
@@ -33,7 +33,7 @@ function Shortcut({ label, keyHint }: ShortcutProps): JSX.Element {
 interface ShiftOverlayProps {
 	visible: boolean;
 	actions: CmdAction[];
-	userRole: UserRole;
+	userRole: ROLES;
 }
 
 export function ShiftOverlay({

frontend/src/components/cmdKPalette/cmdKPalette.tsx

@@ -11,6 +11,7 @@ import {
 import logEvent from 'api/common/logEvent';
 import { useThemeMode } from 'hooks/useDarkMode';
 import history from 'lib/history';
+import { ROLES as UserRole } from 'types/roles';
 
 import { createShortcutActions } from '../../constants/shortcutActions';
 import { useCmdK } from '../../providers/cmdKProvider';
@@ -28,7 +29,6 @@ type CmdAction = {
 	perform: () => void;
 };
 
-type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export function CmdKPalette({
 	userRole,
 }: {

frontend/src/constants/shortcutActions.tsx

@@ -18,8 +18,7 @@ import {
 	TowerControl,
 	Workflow,
 } from 'lucide-react';
-
-export type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
+import { ROLES } from 'types/roles';
 
 export type CmdAction = {
 	id: string;
@@ -28,7 +27,7 @@ export type CmdAction = {
 	keywords?: string;
 	section?: string;
 	icon?: React.ReactNode;
-	roles?: UserRole[];
+	roles?: ROLES[];
 	perform: () => void;
 };
 

frontend/src/container/ApiMonitoring/Explorer/Domains/DomainDetails/components/StatusCodeBarCharts.tsx

@@ -3,16 +3,14 @@ import { UseQueryResult } from 'react-query';
 import { Color } from '@signozhq/design-tokens';
 import { Button, Card, Skeleton, Typography } from 'antd';
 import cx from 'classnames';
-import { useGetGraphCustomSeries } from 'components/CeleryTask/useGetGraphCustomSeries';
 import { useNavigateToExplorer } from 'components/CeleryTask/useNavigateToExplorer';
-import Uplot from 'components/Uplot';
-import { PANEL_TYPES } from 'constants/queryBuilder';
 import {
 	getCustomFiltersForBarChart,
 	getFormattedEndPointStatusCodeChartData,
 	getStatusCodeBarChartWidgetData,
 	statusCodeWidgetInfo,
 } from 'container/ApiMonitoring/utils';
+import BarChart from 'container/DashboardContainer/visualization/charts/BarChart/BarChart';
 import { handleGraphClick } from 'container/GridCardLayout/GridCard/utils';
 import { useGraphClickToShowButton } from 'container/GridCardLayout/useGraphClickToShowButton';
 import useNavigateToExplorerPages from 'container/GridCardLayout/useNavigateToExplorerPages';
@@ -20,15 +18,16 @@ import { useQueryBuilder } from 'hooks/queryBuilder/useQueryBuilder';
 import { useIsDarkMode } from 'hooks/useDarkMode';
 import { useResizeObserver } from 'hooks/useDimensions';
 import { useNotifications } from 'hooks/useNotifications';
-import { getUPlotChartOptions } from 'lib/uPlotLib/getUplotChartOptions';
 import { getUPlotChartData } from 'lib/uPlotLib/utils/getUplotChartData';
+import { LegendPosition } from 'lib/uPlotV2/components/types';
 import { getStartAndEndTimesInMilliseconds } from 'pages/MessagingQueues/MessagingQueuesUtils';
+import { useTimezone } from 'providers/Timezone';
 import { SuccessResponse } from 'types/api';
 import { Widgets } from 'types/api/dashboard/getAll';
 import { IBuilderQuery } from 'types/api/queryBuilder/queryBuilderData';
-import { Options } from 'uplot';
 
 import ErrorState from './ErrorState';
+import { prepareStatusCodeBarChartsConfig } from './utils';
 
 function StatusCodeBarCharts({
 	endPointStatusCodeBarChartsDataQuery,
@@ -67,13 +66,6 @@ function StatusCodeBarCharts({
 	} = endPointStatusCodeLatencyBarChartsDataQuery;
 
 	const { startTime: minTime, endTime: maxTime } = timeRange;
-	const legendScrollPositionRef = useRef<{
-		scrollTop: number;
-		scrollLeft: number;
-	}>({
-		scrollTop: 0,
-		scrollLeft: 0,
-	});
 
 	const graphRef = useRef<HTMLDivElement>(null);
 	const dimensions = useResizeObserver(graphRef);
@@ -119,6 +111,7 @@ function StatusCodeBarCharts({
 
 	const navigateToExplorer = useNavigateToExplorer();
 	const { currentQuery } = useQueryBuilder();
+	const { timezone } = useTimezone();
 
 	const navigateToExplorerPages = useNavigateToExplorerPages();
 	const { notifications } = useNotifications();
@@ -134,12 +127,6 @@ function StatusCodeBarCharts({
 		[],
 	);
 
-	const { getCustomSeries } = useGetGraphCustomSeries({
-		isDarkMode,
-		drawStyle: 'bars',
-		colorMapping,
-	});
-
 	const widget = useMemo<Widgets>(
 		() =>
 			getStatusCodeBarChartWidgetData(domainName, {
@@ -193,49 +180,36 @@ function StatusCodeBarCharts({
 		],
 	);
 
-	const options = useMemo(
-		() =>
-			getUPlotChartOptions({
-				apiResponse:
-					currentWidgetInfoIndex === 0
-						? formattedEndPointStatusCodeBarChartsDataPayload
-						: formattedEndPointStatusCodeLatencyBarChartsDataPayload,
-				isDarkMode,
-				dimensions,
-				yAxisUnit: statusCodeWidgetInfo[currentWidgetInfoIndex].yAxisUnit,
-				softMax: null,
-				softMin: null,
-				minTimeScale: minTime,
-				maxTimeScale: maxTime,
-				panelType: PANEL_TYPES.BAR,
-				onClickHandler: graphClickHandler,
-				customSeries: getCustomSeries,
-				onDragSelect,
-				colorMapping,
-				query: currentQuery,
-				legendScrollPosition: legendScrollPositionRef.current,
-				setLegendScrollPosition: (position: {
-					scrollTop: number;
-					scrollLeft: number;
-				}) => {
-					legendScrollPositionRef.current = position;
-				},
-			}),
-		[
-			minTime,
-			maxTime,
-			currentWidgetInfoIndex,
-			dimensions,
-			formattedEndPointStatusCodeBarChartsDataPayload,
-			formattedEndPointStatusCodeLatencyBarChartsDataPayload,
+	const config = useMemo(() => {
+		const apiResponse =
+			currentWidgetInfoIndex === 0
+				? formattedEndPointStatusCodeBarChartsDataPayload
+				: formattedEndPointStatusCodeLatencyBarChartsDataPayload;
+		return prepareStatusCodeBarChartsConfig({
+			timezone,
 			isDarkMode,
-			graphClickHandler,
-			getCustomSeries,
+			query: currentQuery,
 			onDragSelect,
+			onClick: graphClickHandler,
+			apiResponse,
+			minTimeScale: minTime,
+			maxTimeScale: maxTime,
+			yAxisUnit: statusCodeWidgetInfo[currentWidgetInfoIndex].yAxisUnit,
 			colorMapping,
-			currentQuery,
-		],
-	);
+		});
+	}, [
+		currentQuery,
+		isDarkMode,
+		minTime,
+		maxTime,
+		graphClickHandler,
+		onDragSelect,
+		formattedEndPointStatusCodeBarChartsDataPayload,
+		formattedEndPointStatusCodeLatencyBarChartsDataPayload,
+		timezone,
+		currentWidgetInfoIndex,
+		colorMapping,
+	]);
 
 	const renderCardContent = useCallback(
 		(query: UseQueryResult<SuccessResponse<any>, unknown>): JSX.Element => {
@@ -253,11 +227,20 @@ function StatusCodeBarCharts({
 							!query.isLoading && !query?.data?.payload?.data?.result?.length,
 					})}
 				>
-					<Uplot options={options as Options} data={chartData} />
+					<BarChart
+						config={config}
+						data={chartData}
+						width={dimensions.width}
+						height={dimensions.height}
+						timezone={timezone}
+						legendConfig={{
+							position: LegendPosition.BOTTOM,
+						}}
+					/>
 				</div>
 			);
 		},
-		[options, chartData],
+		[config, chartData, dimensions, timezone],
 	);
 
 	return (

frontend/src/container/ApiMonitoring/Explorer/Domains/DomainDetails/components/utils.ts

@@ -0,0 +1,83 @@
+import { ExecStats } from 'api/v5/v5';
+import { Timezone } from 'components/CustomTimePicker/timezoneUtils';
+import { PANEL_TYPES } from 'constants/queryBuilder';
+import { buildBaseConfig } from 'container/DashboardContainer/visualization/panels/utils/baseConfigBuilder';
+import { getLegend } from 'lib/dashboard/getQueryResults';
+import getLabelName from 'lib/getLabelName';
+import { OnClickPluginOpts } from 'lib/uPlotLib/plugins/onClickPlugin';
+import { DrawStyle } from 'lib/uPlotV2/config/types';
+import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
+import { get } from 'lodash-es';
+import { MetricRangePayloadProps } from 'types/api/metrics/getQueryRange';
+import { Query } from 'types/api/queryBuilder/queryBuilderData';
+import { QueryData } from 'types/api/widgets/getQuery';
+import { v4 } from 'uuid';
+
+export const prepareStatusCodeBarChartsConfig = ({
+	timezone,
+	isDarkMode,
+	query,
+	onDragSelect,
+	onClick,
+	apiResponse,
+	minTimeScale,
+	maxTimeScale,
+	yAxisUnit,
+	colorMapping,
+}: {
+	timezone: Timezone;
+	isDarkMode: boolean;
+	query: Query;
+	onDragSelect: (startTime: number, endTime: number) => void;
+	onClick?: OnClickPluginOpts['onClick'];
+	minTimeScale?: number;
+	maxTimeScale?: number;
+	apiResponse: MetricRangePayloadProps;
+	yAxisUnit?: string;
+	colorMapping?: Record<string, string>;
+}): UPlotConfigBuilder => {
+	const stepIntervals: ExecStats['stepIntervals'] = get(
+		apiResponse,
+		'data.newResult.meta.stepIntervals',
+		{},
+	);
+	const minStepInterval = Math.min(...Object.values(stepIntervals));
+
+	const config = buildBaseConfig({
+		id: v4(),
+		yAxisUnit: yAxisUnit,
+		apiResponse,
+		isDarkMode,
+		onDragSelect,
+		timezone,
+		onClick,
+		minTimeScale,
+		maxTimeScale,
+		stepInterval: minStepInterval,
+		panelType: PANEL_TYPES.BAR,
+	});
+
+	const seriesList: QueryData[] = apiResponse?.data?.result || [];
+	seriesList.forEach((series) => {
+		const baseLabelName = getLabelName(
+			series.metric,
+			series.queryName || '', // query
+			series.legend || '',
+		);
+
+		const label = query ? getLegend(series, query, baseLabelName) : baseLabelName;
+
+		const currentStepInterval = get(stepIntervals, series.queryName, undefined);
+
+		config.addSeries({
+			scaleKey: 'y',
+			drawStyle: DrawStyle.Bar,
+			label: label,
+			colorMapping: colorMapping ?? {},
+			isDarkMode,
+			stepInterval: currentStepInterval,
+		});
+	});
+
+	return config;
+};

frontend/src/container/ApiMonitoring/__tests__/StatusCodeBarCharts.test.tsx

@@ -21,10 +21,15 @@ interface MockQueryResult {
 }
 
 // Mocks
-jest.mock('components/Uplot', () => ({
-	__esModule: true,
-	default: jest.fn().mockImplementation(() => <div data-testid="uplot-mock" />),
-}));
+jest.mock(
+	'container/DashboardContainer/visualization/charts/BarChart/BarChart',
+	() => ({
+		__esModule: true,
+		default: jest
+			.fn()
+			.mockImplementation(() => <div data-testid="bar-chart-mock" />),
+	}),
+);
 
 jest.mock('components/CeleryTask/useGetGraphCustomSeries', () => ({
 	useGetGraphCustomSeries: (): { getCustomSeries: jest.Mock } => ({
@@ -70,6 +75,24 @@ jest.mock('hooks/useNotifications', () => ({
 	useNotifications: (): { notifications: [] } => ({ notifications: [] }),
 }));
 
+jest.mock('providers/Timezone', () => ({
+	useTimezone: (): {
+		timezone: {
+			name: string;
+			value: string;
+			offset: string;
+			searchIndex: string;
+		};
+	} => ({
+		timezone: {
+			name: 'UTC',
+			value: 'UTC',
+			offset: '+00:00',
+			searchIndex: 'UTC',
+		},
+	}),
+}));
+
 jest.mock('lib/uPlotLib/getUplotChartOptions', () => ({
 	getUPlotChartOptions: jest.fn().mockReturnValue({}),
 }));
@@ -319,7 +342,7 @@ describe('StatusCodeBarCharts', () => {
 			mockData.payload,
 			'sum',
 		);
-		expect(screen.getByTestId('uplot-mock')).toBeInTheDocument();
+		expect(screen.getByTestId('bar-chart-mock')).toBeInTheDocument();
 		expect(screen.getByText('Number of calls')).toBeInTheDocument();
 		expect(screen.getByText('Latency')).toBeInTheDocument();
 	});

frontend/src/container/Login/Login.styles.scss

@@ -337,31 +337,6 @@
 
 .login-submit-btn {
 	width: 100%;
-	height: 32px;
-	padding: 10px 16px;
-	background: var(--primary);
-	border: none;
-	border-radius: 2px;
-	font-family: Inter, sans-serif;
-	font-size: 11px;
-	font-weight: 500;
-	line-height: 1;
-	color: var(--bg-neutral-dark-50);
-	display: flex;
-	align-items: center;
-	justify-content: center;
-	gap: 8px;
-
-	&:hover:not(:disabled) {
-		background: var(--primary);
-		opacity: 0.9;
-	}
-
-	&:disabled {
-		background: var(--primary);
-		opacity: 0.6;
-		cursor: not-allowed;
-	}
 }
 
 .lightMode {

frontend/src/container/Login/index.tsx

@@ -1,6 +1,6 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useQuery } from 'react-query';
-import { Button } from '@signozhq/button';
+import { Button } from '@signozhq/ui';
 import { Form, Input, Select, Typography } from 'antd';
 import getVersion from 'api/v1/version/get';
 import get from 'api/v2/sessions/context/get';
@@ -392,9 +392,9 @@ function Login(): JSX.Element {
 							disabled={!isNextButtonEnabled}
 							variant="solid"
 							onClick={onNextHandler}
-							data-testid="initiate_login"
+							testId="initiate_login"
 							className="login-submit-btn"
-							suffixIcon={<ArrowRight size={12} />}
+							suffix={<ArrowRight />}
 						>
 							Next
 						</Button>
@@ -406,10 +406,10 @@ function Login(): JSX.Element {
 							variant="solid"
 							type="submit"
 							color="primary"
-							data-testid="callback_authn_submit"
+							testId="callback_authn_submit"
 							data-attr="signup"
 							className="login-submit-btn"
-							suffixIcon={<ArrowRight size={12} />}
+							suffix={<ArrowRight />}
 						>
 							Sign in with SSO
 						</Button>
@@ -420,11 +420,11 @@ function Login(): JSX.Element {
 							disabled={!isSubmitButtonEnabled}
 							variant="solid"
 							color="primary"
-							data-testid="password_authn_submit"
+							testId="password_authn_submit"
 							type="submit"
 							data-attr="signup"
 							className="login-submit-btn"
-							suffixIcon={<ArrowRight size={12} />}
+							suffix={<ArrowRight />}
 						>
 							Sign in with Password
 						</Button>

frontend/src/hooks/useAuthZ/constants.ts

@@ -0,0 +1,2 @@
+export const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
+export const AUTHZ_CACHE_TIME = 20_000;

frontend/src/hooks/useAuthZ/legacy.ts

@@ -0,0 +1,18 @@
+import { buildPermission } from './utils';
+
+export const IsAdminPermission = buildPermission(
+	'assignee',
+	'role:signoz-admin',
+);
+export const IsEditorPermission = buildPermission(
+	'assignee',
+	'role:signoz-editor',
+);
+export const IsViewerPermission = buildPermission(
+	'assignee',
+	'role:signoz-viewer',
+);
+export const IsAnonymousPermission = buildPermission(
+	'assignee',
+	'role:signoz-anonymous',
+);

frontend/src/hooks/useAuthZ/types.ts

@@ -14,7 +14,7 @@ type ResourceTypeMap = {
 
 type RelationName = keyof RelationsByType;
 
-type ResourcesForRelation<R extends RelationName> = Extract<
+export type ResourcesForRelation<R extends RelationName> = Extract<
 	Resource,
 	{ type: RelationsByType[R][number] }
 >['name'];
@@ -50,8 +50,26 @@ export type AuthZCheckResponse = Record<
 	}
 >;
 
+export type UseAuthZOptions = {
+	/**
+	 * If false, the query/permissions will not be fetched.
+	 * Useful when you want to disable the query/permissions for a specific use case, like logout.
+	 *
+	 * @default true
+	 */
+	enabled?: boolean;
+};
+
 export type UseAuthZResult = {
+	/**
+	 * If query is cached, and refetch happens in background, this is false.
+	 */
 	isLoading: boolean;
+	/**
+	 * If query is fetching, even if happens in background, this is true.
+	 */
+	isFetching: boolean;
 	error: Error | null;
 	permissions: AuthZCheckResponse | null;
+	refetchPermissions: () => void;
 };

frontend/src/hooks/useAuthZ/useAuthZ.tsx

@@ -1,4 +1,4 @@
-import { useMemo } from 'react';
+import { useCallback, useMemo } from 'react';
 import { useQueries } from 'react-query';
 import { authzCheck } from 'api/generated/services/authz';
 import type {
@@ -6,7 +6,13 @@ import type {
 	AuthtypesTransactionDTO,
 } from 'api/generated/services/sigNoz.schemas';
 
-import { AuthZCheckResponse, BrandedPermission, UseAuthZResult } from './types';
+import { AUTHZ_CACHE_TIME, SINGLE_FLIGHT_WAIT_TIME_MS } from './constants';
+import {
+	AuthZCheckResponse,
+	BrandedPermission,
+	UseAuthZOptions,
+	UseAuthZResult,
+} from './types';
 import {
 	gettableTransactionToPermission,
 	permissionToTransactionDto,
@@ -14,8 +20,6 @@ import {
 
 let ctx: Promise<AuthZCheckResponse> | null;
 let pendingPermissions: BrandedPermission[] = [];
-const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
-const AUTHZ_CACHE_TIME = 20_000;
 
 function dispatchPermission(
 	permission: BrandedPermission,
@@ -70,7 +74,12 @@ async function fetchManyPermissions(
 	}, {} as AuthZCheckResponse);
 }
 
-export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
+export function useAuthZ(
+	permissions: BrandedPermission[],
+	options?: UseAuthZOptions,
+): UseAuthZResult {
+	const { enabled } = options ?? { enabled: true };
+
 	const queryResults = useQueries(
 		permissions.map((permission) => {
 			return {
@@ -80,6 +89,7 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 				refetchIntervalInBackground: false,
 				refetchOnWindowFocus: false,
 				refetchOnReconnect: true,
+				enabled,
 				queryFn: async (): Promise<AuthZCheckResponse> => {
 					const response = await dispatchPermission(permission);
 
@@ -96,6 +106,10 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 	const isLoading = useMemo(() => queryResults.some((q) => q.isLoading), [
 		queryResults,
 	]);
+	const isFetching = useMemo(() => queryResults.some((q) => q.isFetching), [
+		queryResults,
+	]);
+
 	const error = useMemo(
 		() =>
 			!isLoading
@@ -121,9 +135,17 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 		}, {} as AuthZCheckResponse);
 	}, [isLoading, error, queryResults]);
 
+	const refetchPermissions = useCallback(() => {
+		for (const query of queryResults) {
+			query.refetch();
+		}
+	}, [queryResults]);
+
 	return {
 		isLoading,
+		isFetching,
 		error,
 		permissions: data ?? null,
+		refetchPermissions,
 	};
 }

frontend/src/hooks/useAuthZ/utils.ts

@@ -3,9 +3,9 @@ import permissionsType from './permissions.type';
 import {
 	AuthZObject,
 	AuthZRelation,
-	AuthZResource,
 	BrandedPermission,
 	ResourceName,
+	ResourcesForRelation,
 	ResourceType,
 } from './types';
 
@@ -19,11 +19,10 @@ export function buildPermission<R extends AuthZRelation>(
 	return `${relation}${PermissionSeparator}${object}` as BrandedPermission;
 }
 
-export function buildObjectString(
-	resource: AuthZResource,
-	objectId: string,
-): `${AuthZResource}${typeof ObjectSeparator}${string}` {
-	return `${resource}${ObjectSeparator}${objectId}` as const;
+export function buildObjectString<
+	R extends 'delete' | 'read' | 'update' | 'assignee'
+>(resource: ResourcesForRelation<R>, objectId: string): AuthZObject<R> {
+	return `${resource}${ObjectSeparator}${objectId}` as AuthZObject<R>;
 }
 
 export function parsePermission(

frontend/src/pages/UnAuthorized/index.styles.scss

@@ -0,0 +1,5 @@
+.unauthorized-page {
+	&__description {
+		text-align: center;
+	}
+}

frontend/src/pages/UnAuthorized/index.tsx

@@ -1,20 +1,51 @@
+import { useCallback } from 'react';
 import { Space, Typography } from 'antd';
 import UnAuthorized from 'assets/UnAuthorized';
-import { Button, Container } from 'components/NotFound/styles';
-import ROUTES from 'constants/routes';
+import { Container } from 'components/NotFound/styles';
+import { useGetTenantLicense } from 'hooks/useGetTenantLicense';
+import { useQueryState } from 'nuqs';
+import { handleContactSupport } from 'pages/Integrations/utils';
+
+import { useAppContext } from '../../providers/App/App';
+import { USER_ROLES } from '../../types/roles';
+
+import './index.styles.scss';
 
 function UnAuthorizePage(): JSX.Element {
-	return (
-		<Container>
-			<Space align="center" direction="vertical">
-				<UnAuthorized />
-				<Typography.Title level={3}>
-					Oops.. you don&apos;t have permission to view this page
-				</Typography.Title>
+	const [debugCurrentRole] = useQueryState('currentRole');
+	const { user } = useAppContext();
+	const { isCloudUser: isCloudUserVal } = useGetTenantLicense();
 
-				<Button to={ROUTES.HOME} tabIndex={0} className="periscope-btn primary">
-					Return To Home
-				</Button>
+	const userIsAnonymous =
+		debugCurrentRole === USER_ROLES.ANONYMOUS ||
+		user.role === USER_ROLES.ANONYMOUS;
+	const mistakeMessage = userIsAnonymous
+		? 'If you believe this is a mistake, please contact your administrator or'
+		: 'Please contact your administrator.';
+
+	const handleContactSupportClick = useCallback((): void => {
+		handleContactSupport(isCloudUserVal);
+	}, [isCloudUserVal]);
+
+	return (
+		<Container className="unauthorized-page">
+			<Space align="center" direction="vertical">
+				<UnAuthorized width={64} height={64} />
+				<Typography.Title level={3}>Access Restricted</Typography.Title>
+
+				<p className="unauthorized-page__description">
+					It looks like you don&lsquo;t have permission to view this page. <br />
+					{mistakeMessage}
+					{userIsAnonymous ? (
+						<Typography.Link
+							className="contact-support-link"
+							onClick={handleContactSupportClick}
+						>
+							{' '}
+							reach out to us.
+						</Typography.Link>
+					) : null}
+				</p>
 			</Space>
 		</Container>
 	);

frontend/src/providers/App/App.tsx

@@ -19,6 +19,12 @@ import getUserVersion from 'api/v1/version/get';
 import { LOCALSTORAGE } from 'constants/localStorage';
 import dayjs from 'dayjs';
 import useActiveLicenseV3 from 'hooks/useActiveLicenseV3/useActiveLicenseV3';
+import {
+	IsAdminPermission,
+	IsEditorPermission,
+	IsViewerPermission,
+} from 'hooks/useAuthZ/legacy';
+import { useAuthZ } from 'hooks/useAuthZ/useAuthZ';
 import { useGetFeatureFlag } from 'hooks/useGetFeatureFlag';
 import { useGlobalEventListener } from 'hooks/useGlobalEventListener';
 import { ChangelogSchema } from 'types/api/changelog/getChangelogByVersion';
@@ -34,7 +40,7 @@ import {
 	UserPreference,
 } from 'types/api/preferences/preference';
 import { Organization } from 'types/api/user/getOrganization';
-import { USER_ROLES } from 'types/roles';
+import { ROLES, USER_ROLES } from 'types/roles';
 
 import { IAppContext, IUser } from './types';
 import { getUserDefaults } from './utils';
@@ -43,7 +49,7 @@ export const AppContext = createContext<IAppContext | undefined>(undefined);
 
 export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// on load of the provider set the user defaults with access token , refresh token from local storage
-	const [user, setUser] = useState<IUser>(() => getUserDefaults());
+	const [defaultUser, setDefaultUser] = useState<IUser>(() => getUserDefaults());
 	const [activeLicense, setActiveLicense] = useState<LicenseResModel | null>(
 		null,
 	);
@@ -70,18 +76,51 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// if logged out and trying to hit any route none of these calls will trigger
 	const {
 		data: userData,
-		isFetching: isFetchingUser,
-		error: userFetchError,
+		isFetching: isFetchingUserData,
+		error: userFetchDataError,
 	} = useQuery({
 		queryFn: get,
 		queryKey: ['/api/v1/user/me'],
 		enabled: isLoggedIn,
 	});
 
+	const {
+		permissions: permissionsResult,
+		isFetching: isFetchingPermissions,
+		error: errorOnPermissions,
+		refetchPermissions,
+	} = useAuthZ([IsAdminPermission, IsEditorPermission, IsViewerPermission], {
+		enabled: isLoggedIn,
+	});
+
+	const isFetchingUser = isFetchingUserData || isFetchingPermissions;
+	const userFetchError = userFetchDataError || errorOnPermissions;
+
+	const userRole = useMemo(() => {
+		if (permissionsResult?.[IsAdminPermission]?.isGranted) {
+			return USER_ROLES.ADMIN;
+		}
+		if (permissionsResult?.[IsEditorPermission]?.isGranted) {
+			return USER_ROLES.EDITOR;
+		}
+		if (permissionsResult?.[IsViewerPermission]?.isGranted) {
+			return USER_ROLES.VIEWER;
+		}
+		// if none of the permissions, so anonymous
+		return USER_ROLES.ANONYMOUS;
+	}, [permissionsResult]);
+
+	const user: IUser = useMemo(() => {
+		return {
+			...defaultUser,
+			role: userRole as ROLES,
+		};
+	}, [defaultUser, userRole]);
+
 	useEffect(() => {
 		if (!isFetchingUser && userData && userData.data) {
 			setLocalStorageApi(LOCALSTORAGE.LOGGED_IN_USER_EMAIL, userData.data.email);
-			setUser((prev) => ({
+			setDefaultUser((prev) => ({
 				...prev,
 				...userData.data,
 			}));
@@ -203,7 +242,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	}, [userPreferencesData, isFetchingUserPreferences, isLoggedIn]);
 
 	function updateUser(user: IUser): void {
-		setUser((prev) => ({
+		setDefaultUser((prev) => ({
 			...prev,
 			...user,
 		}));
@@ -244,7 +283,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 					...org.slice(orgIndex + 1, org.length),
 				];
 				setOrg(updatedOrg);
-				setUser((prev) => {
+				setDefaultUser((prev) => {
 					if (prev.orgId === orgId) {
 						return {
 							...prev,
@@ -272,7 +311,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// global event listener for AFTER_LOGIN event to start the user fetch post all actions are complete
 	useGlobalEventListener('AFTER_LOGIN', (event) => {
 		if (event.detail) {
-			setUser((prev) => ({
+			setDefaultUser((prev) => ({
 				...prev,
 				accessJwt: event.detail.accessJWT,
 				refreshJwt: event.detail.refreshJWT,
@@ -280,12 +319,14 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 			}));
 			setIsLoggedIn(true);
 		}
+
+		refetchPermissions();
 	});
 
 	// global event listener for LOGOUT event to clean the app context state
 	useGlobalEventListener('LOGOUT', () => {
 		setIsLoggedIn(false);
-		setUser(getUserDefaults());
+		setDefaultUser(getUserDefaults());
 		setActiveLicense(null);
 		setTrialInfo(null);
 		setFeatureFlags(null);

frontend/src/providers/App/__tests__/App.test.tsx

@@ -0,0 +1,273 @@
+import { ReactElement } from 'react';
+import { QueryClient, QueryClientProvider } from 'react-query';
+import { renderHook, waitFor } from '@testing-library/react';
+import setLocalStorageApi from 'api/browser/localstorage/set';
+import {
+	AuthtypesGettableTransactionDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { LOCALSTORAGE } from 'constants/localStorage';
+import { SINGLE_FLIGHT_WAIT_TIME_MS } from 'hooks/useAuthZ/constants';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { USER_ROLES } from 'types/roles';
+
+import { AppProvider, useAppContext } from '../App';
+
+const AUTHZ_CHECK_URL = 'http://localhost/api/v1/authz/check';
+
+jest.mock('constants/env', () => ({
+	ENVIRONMENT: { baseURL: 'http://localhost', wsURL: '' },
+}));
+
+/**
+ * Since we are mocking the check permissions, this is needed
+ */
+const waitForSinglePreflightToFinish = async (): Promise<void> =>
+	await new Promise((r) => setTimeout(r, SINGLE_FLIGHT_WAIT_TIME_MS));
+
+function authzMockResponse(
+	payload: AuthtypesTransactionDTO[],
+	authorizedByIndex: boolean[],
+): { data: AuthtypesGettableTransactionDTO[]; status: string } {
+	return {
+		data: payload.map((txn, i) => ({
+			relation: txn.relation,
+			object: txn.object,
+			authorized: authorizedByIndex[i] ?? false,
+		})),
+		status: 'success',
+	};
+}
+
+const queryClient = new QueryClient({
+	defaultOptions: {
+		queries: {
+			refetchOnWindowFocus: false,
+			retry: false,
+		},
+	},
+});
+
+function createWrapper(): ({
+	children,
+}: {
+	children: ReactElement;
+}) => ReactElement {
+	return function Wrapper({
+		children,
+	}: {
+		children: ReactElement;
+	}): ReactElement {
+		return (
+			<QueryClientProvider client={queryClient}>
+				<AppProvider>{children}</AppProvider>
+			</QueryClientProvider>
+		);
+	};
+}
+
+describe('AppProvider user.role from permissions', () => {
+	beforeEach(() => {
+		queryClient.clear();
+		setLocalStorageApi(LOCALSTORAGE.IS_LOGGED_IN, 'true');
+	});
+
+	it('sets user.role to ADMIN and hasEditPermission to true when admin permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [true, false, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.ADMIN);
+				expect(result.current.hasEditPermission).toBe(true);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to EDITOR and hasEditPermission to true when only editor permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, true, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.EDITOR);
+				expect(result.current.hasEditPermission).toBe(true);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to VIEWER and hasEditPermission to false when only viewer permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, false, true])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.VIEWER);
+				expect(result.current.hasEditPermission).toBe(false);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to ANONYMOUS and hasEditPermission to false when no role permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, false, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.ANONYMOUS);
+				expect(result.current.hasEditPermission).toBe(false);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	/**
+	 * This is expected to not happen, but we'll test it just in case.
+	 */
+	describe('when multiple role permissions are granted', () => {
+		it('prefers ADMIN over EDITOR and VIEWER when multiple role permissions are granted', async () => {
+			server.use(
+				rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+					const payload = await req.json();
+					return res(
+						ctx.status(200),
+						ctx.json(authzMockResponse(payload, [true, true, true])),
+					);
+				}),
+			);
+
+			const wrapper = createWrapper();
+			const { result } = renderHook(() => useAppContext(), { wrapper });
+
+			await waitFor(
+				() => {
+					expect(result.current.user.role).toBe(USER_ROLES.ADMIN);
+					expect(result.current.hasEditPermission).toBe(true);
+				},
+				{ timeout: 300 },
+			);
+		});
+
+		it('prefers EDITOR over VIEWER when editor and viewer permissions are granted', async () => {
+			server.use(
+				rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+					const payload = await req.json();
+					return res(
+						ctx.status(200),
+						ctx.json(authzMockResponse(payload, [false, true, true])),
+					);
+				}),
+			);
+
+			const wrapper = createWrapper();
+			const { result } = renderHook(() => useAppContext(), { wrapper });
+
+			await waitForSinglePreflightToFinish();
+
+			await waitFor(
+				() => {
+					expect(result.current.user.role).toBe(USER_ROLES.EDITOR);
+					expect(result.current.hasEditPermission).toBe(true);
+				},
+				{ timeout: 2000 },
+			);
+		});
+	});
+});
+
+describe('AppProvider when authz/check fails', () => {
+	beforeEach(() => {
+		queryClient.clear();
+		setLocalStorageApi(LOCALSTORAGE.IS_LOGGED_IN, 'true');
+	});
+
+	it('sets userFetchError when authz/check returns 500 (same as user fetch error)', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_, res, ctx) =>
+				res(ctx.status(500), ctx.json({ error: 'Internal Server Error' })),
+			),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.userFetchError).toBeTruthy();
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets userFetchError when authz/check fails with network error (same as user fetch error)', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_, res) => res.networkError('Network error')),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.userFetchError).toBeTruthy();
+			},
+			{ timeout: 2000 },
+		);
+	});
+});

frontend/src/types/api/user/getUser.ts

@@ -13,6 +13,9 @@ export interface UserResponse {
 	displayName: string;
 	orgId: string;
 	organization: string;
+	/**
+	 * @deprecated This will be removed in the future releases in favor of new AuthZ framework
+	 */
 	role: ROLES;
 	updatedAt?: number;
 }

frontend/src/types/roles.ts

@@ -2,14 +2,16 @@ export type ADMIN = 'ADMIN';
 export type VIEWER = 'VIEWER';
 export type EDITOR = 'EDITOR';
 export type AUTHOR = 'AUTHOR';
+export type ANONYMOUS = 'ANONYMOUS';
 
-export type ROLES = ADMIN | VIEWER | EDITOR | AUTHOR;
+export type ROLES = ADMIN | VIEWER | EDITOR | AUTHOR | ANONYMOUS;
 
 export const USER_ROLES = {
 	ADMIN: 'ADMIN',
 	VIEWER: 'VIEWER',
 	EDITOR: 'EDITOR',
 	AUTHOR: 'AUTHOR',
+	ANONYMOUS: 'ANONYMOUS',
 };
 
 export enum RoleType {

frontend/src/utils/permission/index.ts

@@ -69,7 +69,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	ALERT_OVERVIEW: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGIN: ['ADMIN', 'EDITOR', 'VIEWER'],
 	FORGOT_PASSWORD: ['ADMIN', 'EDITOR', 'VIEWER'],
-	NOT_FOUND: ['ADMIN', 'VIEWER', 'EDITOR'],
+	NOT_FOUND: ['ADMIN', 'VIEWER', 'EDITOR', 'ANONYMOUS'],
 	PASSWORD_RESET: ['ADMIN', 'EDITOR', 'VIEWER'],
 	SERVICE_METRICS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	SETTINGS: ['ADMIN', 'EDITOR', 'VIEWER'],
@@ -77,7 +77,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	TRACES_EXPLORER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACE: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACE_DETAIL: ['ADMIN', 'EDITOR', 'VIEWER'],
-	UN_AUTHORIZED: ['ADMIN', 'EDITOR', 'VIEWER'],
+	UN_AUTHORIZED: ['ADMIN', 'EDITOR', 'VIEWER', 'ANONYMOUS'],
 	USAGE_EXPLORER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	VERSION: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGS: ['ADMIN', 'EDITOR', 'VIEWER'],
@@ -101,7 +101,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	ROLE_DETAILS: ['ADMIN'],
 	MEMBERS_SETTINGS: ['ADMIN'],
 	BILLING: ['ADMIN'],
-	SUPPORT: ['ADMIN', 'EDITOR', 'VIEWER'],
+	SUPPORT: ['ADMIN', 'EDITOR', 'VIEWER', 'ANONYMOUS'],
 	SOMETHING_WENT_WRONG: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGS_SAVE_VIEWS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACES_SAVE_VIEWS: ['ADMIN', 'EDITOR', 'VIEWER'],

frontend/yarn.lock

@@ -4506,6 +4506,19 @@
     "@radix-ui/react-use-callback-ref" "1.1.1"
     "@radix-ui/react-use-escape-keydown" "1.1.1"
 
+"@radix-ui/react-dropdown-menu@^2.1.16":
+  version "2.1.16"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-dropdown-menu/-/react-dropdown-menu-2.1.16.tgz#5ee045c62bad8122347981c479d92b1ff24c7254"
+  integrity sha512-1PLGQEynI/3OX/ftV54COn+3Sud/Mn8vALg2rWnBLnRaGtJDduNW/22XjlGgPdpcIbiQxjKtb7BkcjP00nqfJw==
+  dependencies:
+    "@radix-ui/primitive" "1.1.3"
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-context" "1.1.2"
+    "@radix-ui/react-id" "1.1.1"
+    "@radix-ui/react-menu" "2.1.16"
+    "@radix-ui/react-primitive" "2.1.3"
+    "@radix-ui/react-use-controllable-state" "1.2.2"
+
 "@radix-ui/react-focus-guards@1.0.0":
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-focus-guards/-/react-focus-guards-1.0.0.tgz#339c1c69c41628c1a5e655f15f7020bf11aa01fa"
@@ -4565,6 +4578,30 @@
   dependencies:
     "@radix-ui/react-use-layout-effect" "1.1.1"
 
+"@radix-ui/react-menu@2.1.16":
+  version "2.1.16"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-menu/-/react-menu-2.1.16.tgz#528a5a973c3a7413d3d49eb9ccd229aa52402911"
+  integrity sha512-72F2T+PLlphrqLcAotYPp0uJMr5SjP5SL01wfEspJbru5Zs5vQaSHb4VB3ZMJPimgHHCHG7gMOeOB9H3Hdmtxg==
+  dependencies:
+    "@radix-ui/primitive" "1.1.3"
+    "@radix-ui/react-collection" "1.1.7"
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-context" "1.1.2"
+    "@radix-ui/react-direction" "1.1.1"
+    "@radix-ui/react-dismissable-layer" "1.1.11"
+    "@radix-ui/react-focus-guards" "1.1.3"
+    "@radix-ui/react-focus-scope" "1.1.7"
+    "@radix-ui/react-id" "1.1.1"
+    "@radix-ui/react-popper" "1.2.8"
+    "@radix-ui/react-portal" "1.1.9"
+    "@radix-ui/react-presence" "1.1.5"
+    "@radix-ui/react-primitive" "2.1.3"
+    "@radix-ui/react-roving-focus" "1.1.11"
+    "@radix-ui/react-slot" "1.2.3"
+    "@radix-ui/react-use-callback-ref" "1.1.1"
+    aria-hidden "^1.2.4"
+    react-remove-scroll "^2.6.3"
+
 "@radix-ui/react-popover@^1.1.15", "@radix-ui/react-popover@^1.1.2":
   version "1.1.15"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-popover/-/react-popover-1.1.15.tgz#9c852f93990a687ebdc949b2c3de1f37cdc4c5d5"
@@ -4804,6 +4841,20 @@
     "@radix-ui/react-roving-focus" "1.0.4"
     "@radix-ui/react-use-controllable-state" "1.0.1"
 
+"@radix-ui/react-tabs@^1.1.3":
+  version "1.1.13"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-tabs/-/react-tabs-1.1.13.tgz#3537ce379d7e7ff4eeb6b67a0973e139c2ac1f15"
+  integrity sha512-7xdcatg7/U+7+Udyoj2zodtI9H/IIopqo+YOIcZOq1nJwXWBZ9p8xiu5llXlekDbZkca79a/fozEYQXIA4sW6A==
+  dependencies:
+    "@radix-ui/primitive" "1.1.3"
+    "@radix-ui/react-context" "1.1.2"
+    "@radix-ui/react-direction" "1.1.1"
+    "@radix-ui/react-id" "1.1.1"
+    "@radix-ui/react-presence" "1.1.5"
+    "@radix-ui/react-primitive" "2.1.3"
+    "@radix-ui/react-roving-focus" "1.1.11"
+    "@radix-ui/react-use-controllable-state" "1.2.2"
+
 "@radix-ui/react-toggle-group@^1.1.7":
   version "1.1.11"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-toggle-group/-/react-toggle-group-1.1.11.tgz#e513d6ffdb07509b400ab5b26f2523747c0d51c1"
@@ -5675,6 +5726,42 @@
     tailwind-merge "^2.5.2"
     tailwindcss-animate "^1.0.7"
 
+"@signozhq/ui@0.0.5":
+  version "0.0.5"
+  resolved "https://registry.yarnpkg.com/@signozhq/ui/-/ui-0.0.5.tgz#8badef53416b7ace0fe61ff01ff3da679a0e4ba5"
+  integrity sha512-4vPvUh3rwpst068qXUZ26JfCQGv1vo1xMSwtKw6wTjiiq1Bf3geP84HWVXycNMIrIeVnUgDGnqe0D4doh+mL8A==
+  dependencies:
+    "@radix-ui/react-checkbox" "^1.2.3"
+    "@radix-ui/react-dialog" "^1.1.11"
+    "@radix-ui/react-dropdown-menu" "^2.1.16"
+    "@radix-ui/react-icons" "^1.3.0"
+    "@radix-ui/react-popover" "^1.1.15"
+    "@radix-ui/react-radio-group" "^1.3.4"
+    "@radix-ui/react-slot" "^1.2.3"
+    "@radix-ui/react-switch" "^1.1.4"
+    "@radix-ui/react-tabs" "^1.1.3"
+    "@radix-ui/react-toggle" "^1.1.6"
+    "@radix-ui/react-toggle-group" "^1.1.7"
+    "@radix-ui/react-tooltip" "^1.2.6"
+    "@tanstack/react-table" "^8.21.3"
+    "@tanstack/react-virtual" "^3.13.9"
+    "@types/lodash-es" "^4.17.12"
+    class-variance-authority "^0.7.0"
+    clsx "^2.1.1"
+    cmdk "^1.1.1"
+    date-fns "^4.1.0"
+    dayjs "^1.11.10"
+    lodash-es "^4.17.21"
+    lucide-react "^0.445.0"
+    lucide-solid "^0.510.0"
+    motion "^11.11.17"
+    next-themes "^0.4.6"
+    nuqs "^2.8.9"
+    react-day-picker "^9.8.1"
+    react-resizable-panels "^4.7.1"
+    sonner "^2.0.7"
+    tailwind-merge "^3.5.0"
+
 "@sinclair/typebox@^0.25.16":
   version "0.25.24"
   resolved "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.25.24.tgz"
@@ -9573,6 +9660,11 @@ dayjs@^1.10.7, dayjs@^1.11.1:
   resolved "https://registry.npmjs.org/dayjs/-/dayjs-1.11.7.tgz"
   integrity sha512-+Yw9U6YO5TQohxLcIkrXBeY73WP3ejHWVvx8XCk3gxvQDCTEmS48ZrSZCKciI7Bhl/uCMyxYtE9UqRILmFphkQ==
 
+dayjs@^1.11.10:
+  version "1.11.20"
+  resolved "https://registry.yarnpkg.com/dayjs/-/dayjs-1.11.20.tgz#88d919fd639dc991415da5f4cb6f1b6650811938"
+  integrity sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==
+
 debounce@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/debounce/-/debounce-1.2.1.tgz#38881d8f4166a5c5848020c11827b834bcb3e0a5"
@@ -11092,6 +11184,15 @@ fraction.js@^4.3.7:
   resolved "https://registry.yarnpkg.com/fraction.js/-/fraction.js-4.3.7.tgz#06ca0085157e42fda7f9e726e79fefc4068840f7"
   integrity sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==
 
+framer-motion@^11.18.2:
+  version "11.18.2"
+  resolved "https://registry.yarnpkg.com/framer-motion/-/framer-motion-11.18.2.tgz#0c6bd05677f4cfd3b3bdead4eb5ecdd5ed245718"
+  integrity sha512-5F5Och7wrvtLVElIpclDT0CBzMVg3dL22B64aZwHtsIY8RB4mXICLrkajK4G9R+ieSAGcgrLeae2SeUTg2pr6w==
+  dependencies:
+    motion-dom "^11.18.1"
+    motion-utils "^11.18.1"
+    tslib "^2.4.0"
+
 framer-motion@^12.4.13:
   version "12.4.13"
   resolved "https://registry.yarnpkg.com/framer-motion/-/framer-motion-12.4.13.tgz#1efd954f95e6a54685b660929c00f5a61e35256a"
@@ -15002,6 +15103,13 @@ moment@^2.29.4:
   resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108"
   integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==
 
+motion-dom@^11.18.1:
+  version "11.18.1"
+  resolved "https://registry.yarnpkg.com/motion-dom/-/motion-dom-11.18.1.tgz#e7fed7b7dc6ae1223ef1cce29ee54bec826dc3f2"
+  integrity sha512-g76KvA001z+atjfxczdRtw/RXOM3OMSdd1f4DL77qCTF/+avrRJiawSG4yDibEQ215sr9kpinSlX2pCTJ9zbhw==
+  dependencies:
+    motion-utils "^11.18.1"
+
 motion-dom@^12.4.11:
   version "12.4.11"
   resolved "https://registry.yarnpkg.com/motion-dom/-/motion-dom-12.4.11.tgz#0419c8686cda4d523f08249deeb8fa6683a9b9d3"
@@ -15009,6 +15117,11 @@ motion-dom@^12.4.11:
   dependencies:
     motion-utils "^12.4.10"
 
+motion-utils@^11.18.1:
+  version "11.18.1"
+  resolved "https://registry.yarnpkg.com/motion-utils/-/motion-utils-11.18.1.tgz#671227669833e991c55813cf337899f41327db5b"
+  integrity sha512-49Kt+HKjtbJKLtgO/LKj9Ld+6vw9BjH5d9sc40R/kVyH8GLAXgT42M2NnuPcJNuA3s9ZfZBUcwIgpmZWGEE+hA==
+
 motion-utils@^12.4.10:
   version "12.4.10"
   resolved "https://registry.yarnpkg.com/motion-utils/-/motion-utils-12.4.10.tgz#3d93acea5454419eaaad8d5e5425cb71cbfa1e7f"
@@ -15022,6 +15135,14 @@ motion@12.4.13:
     framer-motion "^12.4.13"
     tslib "^2.4.0"
 
+motion@^11.11.17:
+  version "11.18.2"
+  resolved "https://registry.yarnpkg.com/motion/-/motion-11.18.2.tgz#17fb372f3ed94fc9ee1384a25a9068e9da1951e7"
+  integrity sha512-JLjvFDuFr42NFtcVoMAyC2sEjnpA8xpy6qWPyzQvCloznAyQ8FIXioxWfHiLtgYhoVpfUqSWpn1h9++skj9+Wg==
+  dependencies:
+    framer-motion "^11.18.2"
+    tslib "^2.4.0"
+
 mri@^1.1.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/mri/-/mri-1.2.0.tgz#6721480fec2a11a4889861115a48b6cbe7cc8f0b"
@@ -15292,6 +15413,13 @@ nuqs@2.8.8:
   dependencies:
     "@standard-schema/spec" "1.0.0"
 
+nuqs@^2.8.9:
+  version "2.8.9"
+  resolved "https://registry.yarnpkg.com/nuqs/-/nuqs-2.8.9.tgz#e2c27d87c0dd0e3b4412fe867bcd0947cc4c998f"
+  integrity sha512-8ou6AEwsxMWSYo2qkfZtYFVzngwbKmg4c00HVxC1fF6CEJv3Fwm6eoZmfVPALB+vw8Udo7KL5uy96PFcYe1BIQ==
+  dependencies:
+    "@standard-schema/spec" "1.0.0"
+
 nwsapi@^2.2.2:
   version "2.2.23"
   resolved "https://registry.yarnpkg.com/nwsapi/-/nwsapi-2.2.23.tgz#59712c3a88e6de2bb0b6ccc1070397267019cf6c"
@@ -16957,6 +17085,11 @@ react-resizable-panels@^3.0.5:
   resolved "https://registry.yarnpkg.com/react-resizable-panels/-/react-resizable-panels-3.0.5.tgz#50a20645263eed02344de4a70d1319bbc0014bbd"
   integrity sha512-3z1yN25DMTXLg2wfyFrW32r5k4WEcUa3F7cJ2EgtNK07lnOs4mpM8yWLGunCpkhcQRwJX4fqoLcIh/pHPxzlmQ==
 
+react-resizable-panels@^4.7.1:
+  version "4.7.3"
+  resolved "https://registry.yarnpkg.com/react-resizable-panels/-/react-resizable-panels-4.7.3.tgz#4040aa0f5c5c4cc4bb685cb69973601ccda3b014"
+  integrity sha512-PYcYMLtvJD+Pr0TQNeMvddcnLOwUa/Yb4iNwU7ThNLlHaQYEEC9MIBWHaBGODzYuXIkPRZ/OWe5sbzG1Rzq5ew==
+
 react-resizable@3.0.4:
   version "3.0.4"
   resolved "https://registry.npmjs.org/react-resizable/-/react-resizable-3.0.4.tgz"
@@ -18797,6 +18930,11 @@ tailwind-merge@^2.5.2:
   resolved "https://registry.yarnpkg.com/tailwind-merge/-/tailwind-merge-2.6.0.tgz#ac5fb7e227910c038d458f396b7400d93a3142d5"
   integrity sha512-P+Vu1qXfzediirmHOC3xKGAYeZtPcV9g76X+xg2FD4tYgR71ewMA35Y3sCz3zhiN/dwefRpJX0yBcgwi1fXNQA==
 
+tailwind-merge@^3.5.0:
+  version "3.5.0"
+  resolved "https://registry.yarnpkg.com/tailwind-merge/-/tailwind-merge-3.5.0.tgz#06502f4496ba15151445d97d916a26564d50d1ca"
+  integrity sha512-I8K9wewnVDkL1NTGoqWmVEIlUcB9gFriAEkXkfCjX5ib8ezGxtR3xD7iZIxrfArjEsH7F1CHD4RFUtxefdqV/A==
+
 tailwindcss-animate@^1.0.7:
   version "1.0.7"
   resolved "https://registry.yarnpkg.com/tailwindcss-animate/-/tailwindcss-animate-1.0.7.tgz#318b692c4c42676cc9e67b19b78775742388bef4"

go.mod

@@ -11,7 +11,6 @@ require (
 	github.com/SigNoz/signoz-otel-collector v0.144.2
 	github.com/antlr4-go/antlr/v4 v4.13.1
 	github.com/antonmedv/expr v1.15.3
-	github.com/bytedance/sonic v1.14.1
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/dgraph-io/ristretto/v2 v2.3.0
@@ -106,6 +105,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.1 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect

pkg/apiserver/signozapiserver/user.go

@@ -186,7 +186,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.GettableUser, 0),
+		Response:            make([]*types.User, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -203,7 +203,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -220,7 +220,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -237,7 +237,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint updates the user by id",
 		Request:             new(types.User),
 		RequestContentType:  "application/json",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

pkg/authn/authnstore/sqlauthnstore/store.go

@@ -17,8 +17,8 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
-	user := new(types.User)
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error) {
+	user := new(types.StorableUser)
 	factorPassword := new(types.FactorPassword)
 
 	err := store.

pkg/http/middleware/authz.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -41,9 +40,7 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && (authtype == authtypes.IdentNProviderAPIkey.StringValue()) {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
 			if err := claims.IsViewer(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)
@@ -93,9 +90,7 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && (authtype == authtypes.IdentNProviderAPIkey.StringValue()) {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
 			if err := claims.IsEditor(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)
@@ -144,9 +139,7 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && (authtype == authtypes.IdentNProviderAPIkey.StringValue()) {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
 			if err := claims.IsAdmin(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)

pkg/identn/apikeyidentn/identn.go

@@ -89,7 +89,7 @@ func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, e
 		return nil, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "api key has expired")
 	}
 
-	var user types.User
+	var user types.StorableUser
 	err = provider.
 		store.
 		BunDB().
@@ -101,13 +101,8 @@ func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, e
 		return nil, err
 	}
 
-	identity := authtypes.Identity{
-		UserID: user.ID,
-		Role:   apiKey.Role,
-		Email:  user.Email,
-		OrgID:  user.OrgID,
-	}
-	return &identity, nil
+	identity := authtypes.NewIdentity(user.ID, user.OrgID, user.Email, apiKey.Role, provider.Name())
+	return identity, nil
 }
 
 func (provider *provider) Post(ctx context.Context, _ *http.Request, _ authtypes.Claims) {

pkg/modules/cloudintegration/cloudintegration.go

@@ -0,0 +1,65 @@
+package cloudintegration
+
+import (
+	"context"
+	"net/http"
+
+	citypes "github.com/SigNoz/signoz/pkg/types/cloudintegrationtypes"
+	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type Module interface {
+	CreateAccount(ctx context.Context, account *citypes.Account) error
+
+	// GetAccount returns cloud integration account
+	GetAccount(ctx context.Context, orgID, accountID valuer.UUID) (*citypes.Account, error)
+
+	// ListAccounts lists accounts where agent is connected
+	ListAccounts(ctx context.Context, orgID valuer.UUID) ([]*citypes.Account, error)
+
+	// UpdateAccount updates the cloud integration account for a specific organization.
+	UpdateAccount(ctx context.Context, account *citypes.Account) error
+
+	// DisconnectAccount soft deletes/removes a cloud integration account.
+	DisconnectAccount(ctx context.Context, orgID, accountID valuer.UUID) error
+
+	// GetConnectionArtifact returns cloud provider specific connection information,
+	// client side handles how this information is shown
+	GetConnectionArtifact(ctx context.Context, account *citypes.Account, req *citypes.ConnectionArtifactRequest) (*citypes.ConnectionArtifact, error)
+
+	// ListServicesMetadata returns the list of services metadata for a cloud provider attached with the integrationID.
+	// This just returns a summary of the service and not the whole service definition
+	ListServicesMetadata(ctx context.Context, orgID valuer.UUID, integrationID *valuer.UUID) ([]*citypes.ServiceMetadata, error)
+
+	// GetService returns service definition details for a serviceID. This returns config and
+	// other details required to show in service details page on web client.
+	GetService(ctx context.Context, orgID valuer.UUID, integrationID *valuer.UUID, serviceID string) (*citypes.Service, error)
+
+	// UpdateService updates cloud integration service
+	UpdateService(ctx context.Context, orgID valuer.UUID, service *citypes.CloudIntegrationService) error
+
+	// AgentCheckIn is called by agent to heartbeat and get latest config in response.
+	AgentCheckIn(ctx context.Context, orgID valuer.UUID, req *citypes.AgentCheckInRequest) (*citypes.AgentCheckInResponse, error)
+
+	// GetDashboardByID returns dashboard JSON for a given dashboard id.
+	// this only returns the dashboard when the service (embedded in dashboard id) is enabled
+	// in the org for any cloud integration account
+	GetDashboardByID(ctx context.Context, orgID valuer.UUID, id string) (*dashboardtypes.Dashboard, error)
+
+	// ListDashboards returns list of dashboards across all connected cloud integration accounts
+	// for enabled services in the org. This list gets added to dashboard list page
+	ListDashboards(ctx context.Context, orgID valuer.UUID) ([]*dashboardtypes.Dashboard, error)
+}
+
+type Handler interface {
+	GetConnectionArtifact(http.ResponseWriter, *http.Request)
+	ListAccounts(http.ResponseWriter, *http.Request)
+	GetAccount(http.ResponseWriter, *http.Request)
+	UpdateAccount(http.ResponseWriter, *http.Request)
+	DisconnectAccount(http.ResponseWriter, *http.Request)
+	ListServicesMetadata(http.ResponseWriter, *http.Request)
+	GetService(http.ResponseWriter, *http.Request)
+	UpdateService(http.ResponseWriter, *http.Request)
+	AgentCheckIn(http.ResponseWriter, *http.Request)
+}

pkg/modules/promote/implpromote/module.go

@@ -78,7 +78,7 @@ func (m *module) ListPromotedAndIndexedPaths(ctx context.Context) ([]promotetype
 
 	// add the paths that are not promoted but have indexes
 	for path, indexes := range aggr {
-		path := strings.TrimPrefix(path, telemetrylogs.BodyJSONColumnPrefix)
+		path := strings.TrimPrefix(path, telemetrylogs.BodyV2ColumnPrefix)
 		path = telemetrytypes.BodyJSONStringSearchPrefix + path
 		response = append(response, promotetypes.PromotePath{
 			Path:    path,
@@ -163,7 +163,7 @@ func (m *module) PromoteAndIndexPaths(
 			}
 		}
 		if len(it.Indexes) > 0 {
-			parentColumn := telemetrylogs.LogsV2BodyJSONColumn
+			parentColumn := telemetrylogs.LogsV2BodyV2Column
 			// if the path is already promoted or is being promoted, add it to the promoted column
 			if _, promoted := existingPromotedPaths[it.Path]; promoted || it.Promote {
 				parentColumn = telemetrylogs.LogsV2BodyPromotedColumn

pkg/modules/session/implsession/module.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/authn"
+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -28,9 +29,10 @@ type module struct {
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
+	authz      authz.AuthZ
 }
 
-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, authz authz.AuthZ) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
@@ -39,6 +41,7 @@ func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.A
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
 		orgGetter:  orgGetter,
+		authz:      authz,
 	}
 }
 
@@ -142,9 +145,16 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	}
 
 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
-	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
+	managedRoles := roleMapping.ManagedRolesFromCallbackIdentity(callbackIdentity)
 
-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
+	// pass only valid or fallback to viewer
+	validRoles, err := module.resolveValidRoles(ctx, callbackIdentity.OrgID, managedRoles, callbackIdentity.Email)
+	if err != nil {
+		return "", err
+	}
+
+	legacyRole := authtypes.HighestLegacyRoleFromManagedRoles(validRoles)
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, legacyRole, validRoles, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}
@@ -222,3 +232,34 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma
 
 	return provider, nil
 }
+
+// resolveValidRoles validates role names against the database
+// returns only roles that exist. If none are valid, falls back to signoz-viewer role
+func (module *module) resolveValidRoles(ctx context.Context, orgID valuer.UUID, roles []string, email valuer.Email) ([]string, error) {
+	validRoles := make([]string, 0, len(roles))
+	var ignored []string
+
+	for _, roleName := range roles {
+		_, err := module.authz.GetByOrgIDAndName(ctx, orgID, roleName)
+		if err != nil {
+			if errors.Ast(err, errors.TypeNotFound) {
+				ignored = append(ignored, roleName)
+				continue
+			}
+			return nil, err
+		}
+		validRoles = append(validRoles, roleName)
+	}
+
+	if len(ignored) > 0 {
+		module.settings.Logger().WarnContext(ctx, "ignoring non-existent roles from SSO mapping", "ignored_roles", ignored, "email", email)
+	}
+
+	// fallback to viewer if no valid roles
+	if len(validRoles) == 0 {
+		module.settings.Logger().WarnContext(ctx, "no valid roles from SSO mapping, falling back to viewer", "email", email)
+		validRoles = []string{authtypes.SigNozViewerRoleName}
+	}
+
+	return validRoles, nil
+}

pkg/modules/tracefunnel/impltracefunnel/module.go

@@ -30,7 +30,7 @@ func (module *module) Create(ctx context.Context, timestamp int64, name string,
 	funnel.CreatedBy = userID.String()
 
 	// Set up the user relationship
-	funnel.CreatedByUser = &types.User{
+	funnel.CreatedByUser = &types.StorableUser{
 		Identifiable: types.Identifiable{
 			ID: userID,
 		},

pkg/modules/user/impluser/getter.go

@@ -2,78 +2,56 @@ package impluser
 
 import (
 	"context"
-	"slices"
 
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type getter struct {
-	store   types.UserStore
-	flagger flagger.Flagger
+	store types.UserStore
 }
 
-func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
-	return &getter{store: store, flagger: flagger}
-}
-
-func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	return module.store.GetRootUserByOrgID(ctx, orgID)
+func NewGetter(store types.UserStore) user.Getter {
+	return &getter{store: store}
 }
 
 func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}
 
-	// filter root users if feature flag `hide_root_users` is true
-	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
-	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
-
-	if hideRootUsers {
-		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
+	// we are not resolving roles for getter methods
+	users := make([]*types.User, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
 	}
 
 	return users, nil
 }
 
-func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	users, err := module.store.GetUsersByEmail(ctx, email)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
-
 func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetUser(ctx, id)
+	storableUser, err := module.store.GetUser(ctx, id)
 	if err != nil {
 		return nil, err
 	}
 
-	return user, nil
+	return types.NewUserFromStorable(storableUser, make([]string, 0)), nil
 }
 
 func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	storableUsers, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 	if err != nil {
 		return nil, err
 	}
 
+	users := make([]*types.User, len(storableUsers))
+
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
+	}
+
 	return users, nil
 }
 

pkg/modules/user/impluser/handler.go

@@ -169,7 +169,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -188,7 +188,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -207,7 +207,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	users, err := h.getter.ListByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.module.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -270,7 +270,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
-	id := mux.Vars(r)["id"]
+	userID := mux.Vars(r)["id"]
 
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -278,13 +278,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/user/impluser/module.go

@@ -11,47 +11,103 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
+	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
 )
 
 type Module struct {
-	store     types.UserStore
-	tokenizer tokenizer.Tokenizer
-	emailing  emailing.Emailing
-	settings  factory.ScopedProviderSettings
-	orgSetter organization.Setter
-	authz     authz.AuthZ
-	analytics analytics.Analytics
-	config    user.Config
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	tokenizer     tokenizer.Tokenizer
+	emailing      emailing.Emailing
+	settings      factory.ScopedProviderSettings
+	orgSetter     organization.Setter
+	authz         authz.AuthZ
+	analytics     analytics.Analytics
+	config        root.Config
+	flagger       flagger.Flagger
 }
 
 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
+func NewModule(store types.UserStore, userRoleStore authtypes.UserRoleStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, flagger flagger.Flagger) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
-		store:     store,
-		tokenizer: tokenizer,
-		emailing:  emailing,
-		settings:  settings,
-		orgSetter: orgSetter,
-		analytics: analytics,
-		authz:     authz,
-		config:    config,
+		store:         store,
+		userRoleStore: userRoleStore,
+		tokenizer:     tokenizer,
+		emailing:      emailing,
+		settings:      settings,
+		orgSetter:     orgSetter,
+		analytics:     analytics,
+		authz:         authz,
+		config:        config,
+		flagger:       flagger,
 	}
 }
 
+// this function gets user with its proper roles populated
+func (m *Module) GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error) {
+	storableUser, err := m.store.GetByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := m.resolveRoleNamesForUser(ctx, userID, storableUser.OrgID)
+	if err != nil {
+		return nil, err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
+	return user, nil
+}
+
+func (module *Module) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]valuer.UUID, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		userIDs[idx] = storableUser.ID
+	}
+
+	storableUserRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDToRoleIDs, roleIDs := authtypes.GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.IsRoot })
+	}
+
+	users := module.usersFromStorableUsersAndRolesMaps(storableUsers, roles, userIDToRoleIDs)
+
+	return users, nil
+}
+
 func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
 	// get the user by reset password token
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
@@ -63,7 +119,7 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 	}
 
 	// query the user again
-	user, err = m.store.GetByOrgIDAndID(ctx, user.OrgID, user.ID)
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +129,12 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 
 func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
 	// get the user
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -87,6 +148,7 @@ func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Inv
 		Email: user.Email,
 		Token: token,
 		Role:  user.Role,
+		Roles: user.Roles,
 		OrgID: user.OrgID,
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: user.CreatedAt,
@@ -106,24 +168,52 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
-	for idx, invite := range bulkInvites.Invites {
+	var allRolesFromRequest []string
+	seenRolesFromRequest := make(map[string]struct{})
+	for idx := range bulkInvites.Invites {
+		invite := &bulkInvites.Invites[idx]
 		emails[idx] = invite.Email.StringValue()
+
+		// backward compat: derive Roles from legacy Role when Roles is not provided
+		if len(invite.Roles) == 0 && invite.Role != "" {
+			if managedRole, ok := authtypes.ExistingRoleToSigNozManagedRoleMap[invite.Role]; ok {
+				invite.Roles = []string{managedRole}
+			}
+		} else if invite.Role == "" && len(invite.Roles) > 0 {
+			// and vice versa
+			invite.Role = authtypes.HighestLegacyRoleFromManagedRoles(invite.Roles)
+		}
+
+		// for role name validation
+		for _, role := range invite.Roles {
+			if _, ok := seenRolesFromRequest[role]; !ok {
+				seenRolesFromRequest[role] = struct{}{}
+				allRolesFromRequest = append(allRolesFromRequest, role)
+			}
+		}
 	}
-	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+
+	storableUsers, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}
 
-	if len(users) > 0 {
-		if err := users[0].ErrIfRoot(); err != nil {
+	if len(storableUsers) > 0 {
+		if err := storableUsers[0].ErrIfRoot(); err != nil {
 			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
 		}
 
-		if users[0].Status == types.UserStatusPendingInvite {
-			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
+		if storableUsers[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", storableUsers[0].Email.StringValue())
 		}
 
-		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", storableUsers[0].Email.StringValue())
+	}
+
+	// this function returns error if some role is not found by name
+	_, err = m.authz.ListByOrgIDAndNames(ctx, orgID, allRolesFromRequest)
+	if err != nil {
+		return nil, err
 	}
 
 	type userWithResetToken struct {
@@ -135,25 +225,20 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			role, err := types.NewRole(invite.Role.String())
-			if err != nil {
-				return err
-			}
-
 			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			newUser, err := types.NewUser(invite.Name, invite.Email, invite.Role, invite.Roles, orgID, types.UserStatusPendingInvite)
 			if err != nil {
 				return err
 			}
 
-			// store the user and password in db
+			// store the user and user_role entries in db
 			err = m.createUserWithoutGrant(ctx, newUser)
 			if err != nil {
 				return err
 			}
 
 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.OrgID, newUser.ID)
 			if err != nil {
 				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
 				return err
@@ -175,7 +260,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, userWithToken := range newUsersWithResetToken {
 		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_role":  userWithToken.User.Role,
+			"invitee_roles": userWithToken.User.Roles,
 		})
 
 		invite := &types.Invite{
@@ -186,6 +271,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
 			Role:  userWithToken.User.Role,
+			Roles: userWithToken.User.Roles,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -219,8 +305,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 }
 
 func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	// find all the users with pending_invite status
-	users, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	users, err := m.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
 	if err != nil {
 		return nil, err
 	}
@@ -231,7 +316,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 
 	for _, pUser := range pendingUsers {
 		// get the reset password token
-		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.ID)
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.OrgID, pUser.ID)
 		if err != nil {
 			return nil, err
 		}
@@ -245,6 +330,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 			Email: pUser.Email,
 			Token: resetPasswordToken.Token,
 			Role:  pUser.Role,
+			Roles: pUser.Roles,
 			OrgID: pUser.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: pUser.CreatedAt,
@@ -259,16 +345,27 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 }
 
 func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
-	createUserOpts := root.NewCreateUserOptions(opts...)
-
-	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	// validate the roles
+	_, err := module.authz.ListByOrgIDAndNames(ctx, input.OrgID, input.Roles)
 	if err != nil {
 		return err
 	}
 
+	// since assign is idempotant multiple calls to assign won't cause issues in case of retries, also we cannot run this in a transaction for now
+	err = module.authz.Grant(ctx, input.OrgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	if err != nil {
+		return err
+	}
+
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}
 
@@ -291,7 +388,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 }
 
 func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
+	existingUser, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -308,18 +405,30 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update pending user")
 	}
 
-	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
+	requestor, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}
 
-	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	// backward compatibility: convert legacy "role" field to "roles" when "roles" is not provided
+	if user.Roles == nil && user.Role != "" && user.Role != existingUser.Role {
+		user.Roles = []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}
+	}
+
+	var grants, revokes []string
+	var rolesChanged bool
+	if user.Roles != nil {
+		grants, revokes = existingUser.PatchRoles(user.Roles)
+		rolesChanged = (len(grants) > 0) || (len(revokes) > 0)
+	}
+
+	if rolesChanged && !slices.Contains(requestor.Roles, authtypes.SigNozAdminRoleName) {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}
 
 	// Make sure that the request is not demoting the last admin user.
-	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	if rolesChanged && slices.Contains(existingUser.Roles, authtypes.SigNozAdminRoleName) && !slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
+		adminUsers, err := m.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -329,28 +438,58 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}
 
-	if user.Role != "" && user.Role != existingUser.Role {
-		err = m.authz.ModifyGrant(ctx,
-			orgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
-		)
+	if rolesChanged {
+		// can't run in txn
+		err = m.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	existingUser.Update(user.DisplayName, user.Role)
-	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-		return nil, err
+	// preserve existing role and roles when not explicitly provided in the request
+	updateRole := user.Role
+	updateRoles := user.Roles
+	if user.Roles == nil {
+		updateRole = existingUser.Role
+		updateRoles = existingUser.Roles
+	} else if updateRole == "" {
+		updateRole = existingUser.Role
+	}
+	existingUser.Update(user.DisplayName, updateRole, updateRoles)
+	if rolesChanged {
+		err = m.store.RunInTx(ctx, func(ctx context.Context) error {
+			// update the user
+			if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+				return err
+			}
+
+			// delete old role entries and create new ones
+			if err := m.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			// create new ones
+			if err := m.createUserRoleEntries(ctx, existingUser); err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// persist display name change even when roles haven't changed
+		if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+			return nil, err
+		}
 	}
 
 	return existingUser, nil
 }
 
 func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
-	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+	storableUser := types.NewStorableUser(user)
+	if err := module.store.UpdateUser(ctx, orgID, storableUser); err != nil {
 		return err
 	}
 
@@ -366,7 +505,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 }
 
 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -384,17 +523,17 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 	if err != nil {
 		return err
 	}
 
-	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
+	if len(adminUsers) == 1 && slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}
 
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, user.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -411,8 +550,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }
 
-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	user, err := module.store.GetUser(ctx, userID)
+func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -495,7 +634,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
-	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := module.GetOrCreateResetPasswordToken(ctx, orgID, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
 		return err
@@ -541,17 +680,17 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	storableUser, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
 	if err != nil {
 		return err
 	}
 
 	// handle deleted user
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
 	}
 
-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
@@ -559,12 +698,19 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+	if err != nil {
+		return err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			user.Roles,
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
@@ -576,7 +722,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 				return err
 			}
-			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+			if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
 				return err
 			}
 		}
@@ -594,16 +740,16 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }
 
 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
-	user, err := module.store.GetUser(ctx, userID)
+	storableUser, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}
 
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for deleted user")
 	}
 
-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}
 
@@ -648,10 +794,12 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	if existingUser != nil {
 		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
+			// capture old roles before overwriting with SSO roles
+			oldRoles := existingUser.Roles
 			// respect the role coming from the SSO
-			existingUser.Update("", user.Role)
+			existingUser.Update("", user.Role, user.Roles)
 			// activate the user
-			if err = module.activatePendingUser(ctx, existingUser); err != nil {
+			if err = module.activatePendingUser(ctx, existingUser, oldRoles); err != nil {
 				return nil, err
 			}
 		}
@@ -688,7 +836,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }
 
 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewRootUser(name, email, organization.ID)
+	user, err := types.NewRootUser(name, email, organization.ID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return nil, err
 	}
@@ -750,20 +898,24 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 
 // this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
 func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	existingStorableUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}
 
 	// filter out the deleted users
-	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+	existingStorableUsers = slices.DeleteFunc(existingStorableUsers, func(user *types.StorableUser) bool { return user.ErrIfDeleted() != nil })
 
-	if len(existingUsers) > 1 {
+	if len(existingStorableUsers) > 1 {
 		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
 	}
 
-	if len(existingUsers) == 1 {
-		return existingUsers[0], nil
+	if len(existingStorableUsers) == 1 {
+		existingUser, err := module.GetByOrgIDAndUserID(ctx, existingStorableUsers[0].OrgID, existingStorableUsers[0].ID)
+		if err != nil {
+			return nil, err
+		}
+		return existingUser, nil
 	}
 
 	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
@@ -773,7 +925,12 @@ func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, emai
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}
 
@@ -795,11 +952,27 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 	return nil
 }
 
-func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
-	err := module.authz.Grant(
+func (module *Module) createUserRoleEntries(ctx context.Context, user *types.User) error {
+	if len(user.Roles) == 0 {
+		return nil
+	}
+
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, user.OrgID, user.Roles)
+	if err != nil {
+		return err
+	}
+
+	userRoles := authtypes.NewStorableUserRoles(user.ID, storableRoles)
+	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
+}
+
+func (module *Module) activatePendingUser(ctx context.Context, user *types.User, oldRoles []string) error {
+	// use ModifyGrant to revoke old invite roles and grant new SSO roles
+	err := module.authz.ModifyGrant(
 		ctx,
 		user.OrgID,
-		[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+		oldRoles,
+		user.Roles,
 		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 	)
 	if err != nil {
@@ -809,10 +982,66 @@ func (module *Module) activatePendingUser(ctx context.Context, user *types.User)
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, user)
-	if err != nil {
-		return err
+
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
+			return err
+		}
+
+		// delete old invite role entries and create new ones from SSO
+		if err := module.userRoleStore.DeleteUserRoles(ctx, user.ID); err != nil {
+			return err
+		}
+
+		return module.createUserRoleEntries(ctx, user)
+	})
+}
+
+func (module *Module) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
+	users := make([]*types.User, 0, len(storableUsers))
+
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
 	}
 
-	return nil
+	for _, user := range storableUsers {
+		roleIDs := userIDToRoleIDsMap[user.ID]
+
+		roleNames := make([]string, 0, len(roleIDs))
+		for _, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames = append(roleNames, role.Name)
+			}
+		}
+
+		account := types.NewUserFromStorable(user, roleNames)
+		users = append(users, account)
+	}
+
+	return users
+}
+
+func (m *Module) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
+	storableUserRoles, err := m.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableUserRoles))
+	for idx, sur := range storableUserRoles {
+		roleIDs[idx] = sur.RoleID
+	}
+
+	roles, err := m.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames := make([]string, len(roles))
+	for idx, role := range roles {
+		roleNames[idx] = role.Name
+	}
+
+	return roleNames, nil
 }

pkg/modules/user/impluser/service.go

@@ -15,31 +15,34 @@ import (
 )
 
 type service struct {
-	settings  factory.ScopedProviderSettings
-	store     types.UserStore
-	module    user.Module
-	orgGetter organization.Getter
-	authz     authz.AuthZ
-	config    user.RootConfig
-	stopC     chan struct{}
+	settings      factory.ScopedProviderSettings
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	module        user.Module
+	orgGetter     organization.Getter
+	authz         authz.AuthZ
+	config        user.RootConfig
+	stopC         chan struct{}
 }
 
 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
+	userRoleStore authtypes.UserRoleStore,
 	module user.Module,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
 ) user.Service {
 	return &service{
-		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-		store:     store,
-		module:    module,
-		orgGetter: orgGetter,
-		authz:     authz,
-		config:    config,
-		stopC:     make(chan struct{}),
+		settings:      factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:         store,
+		userRoleStore: userRoleStore,
+		module:        module,
+		orgGetter:     orgGetter,
+		authz:         authz,
+		config:        config,
+		stopC:         make(chan struct{}),
 	}
 }
 
@@ -129,7 +132,7 @@ func (s *service) reconcileByName(ctx context.Context) error {
 }
 
 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	existingRoot, err := s.getRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}
@@ -148,29 +151,49 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 	}
 
 	if existingUser != nil {
-		oldRole := existingUser.Role
+		oldRoles := existingUser.Roles
 
-		existingUser.PromoteToRoot()
+		existingUser.PromoteToRoot() // this only sets the column is_root as true (permissions are managed by authz in next step)
+		existingUser.Roles = []string{authtypes.SigNozAdminRoleName}
+
+		// authz grant is idempotent and safe to retry, so do it before DB mutations
+		if err := s.authz.ModifyGrant(ctx,
+			orgID,
+			oldRoles,
+			[]string{authtypes.SigNozAdminRoleName},
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		); err != nil {
+			return err
+		}
+
+		// this is idempotent
 		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 			return err
 		}
 
-		if oldRole != types.RoleAdmin {
-			if err := s.authz.ModifyGrant(ctx,
-				orgID,
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
-				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
-			); err != nil {
-				return err
-			}
+		// resolve the admin role ID for user_role entries
+		storableRoles, err := s.authz.ListByOrgIDAndNames(ctx, orgID, []string{authtypes.SigNozAdminRoleName})
+		if err != nil {
+			return err
 		}
 
-		return s.setPassword(ctx, existingUser.ID)
+		// wrap user_role updates and password in a transaction
+		return s.store.RunInTx(ctx, func(ctx context.Context) error {
+			if err := s.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			userRoles := authtypes.NewStorableUserRoles(existingUser.ID, storableRoles)
+			if err := s.userRoleStore.CreateUserRoles(ctx, userRoles); err != nil {
+				return err
+			}
+
+			return s.setPassword(ctx, existingUser.ID)
+		})
 	}
 
 	// Create new root user
-	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return err
 	}
@@ -180,6 +203,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}
 
+	// authz grants are handled inside CreateUser
 	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
 }
 
@@ -221,3 +245,12 @@ func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {
 
 	return nil
 }
+
+func (s *service) getRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	storableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.module.GetByOrgIDAndUserID(ctx, orgID, storableRoot.ID)
+}

pkg/modules/user/impluser/store.go

@@ -39,7 +39,7 @@ func (store *store) CreatePassword(ctx context.Context, password *types.FactorPa
 	return nil
 }
 
-func (store *store) CreateUser(ctx context.Context, user *types.User) error {
+func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -52,8 +52,8 @@ func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	return nil
 }
 
-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
 
 	err := store.
 		sqlstore.
@@ -69,8 +69,8 @@ func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]
 	return users, nil
 }
 
-func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
@@ -86,8 +86,8 @@ func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, e
 	return user, nil
 }
 
-func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
@@ -104,8 +104,8 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
 
 	err := store.
 		sqlstore.
@@ -122,26 +122,7 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 	return users, nil
 }
 
-func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("org_id = ?", orgID).
-		Where("role = ?", role).
-		Where("status = ?", types.UserStatusActive.StringValue()).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -162,8 +143,8 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }
 
-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 
 	err := store.
 		sqlstore.
@@ -247,7 +228,7 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 
 	// delete user
 	_, err = tx.NewDelete().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -332,7 +313,7 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 	// soft delete user
 	now := time.Now()
 	_, err = tx.NewUpdate().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Set("status = ?", types.UserStatusDeleted).
 		Set("deleted_at = ?", now).
 		Set("updated_at = ?", now).
@@ -563,7 +544,7 @@ func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*type
 }
 
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 
 	count, err := store.
 		sqlstore.
@@ -580,7 +561,7 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 }
 
 func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 	var results []struct {
 		Status valuer.String `bun:"status"`
 		Count  int64         `bun:"count"`
@@ -633,8 +614,8 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }
 
-func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -649,8 +630,8 @@ func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (
 	return user, nil
 }
 
-func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 	err := store.
 		sqlstore.
 		BunDB().
@@ -666,15 +647,15 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 	return users, nil
 }
 
-func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(user).
-		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
+		Join(`JOIN factor_password ON factor_password.user_id = "users".id`).
 		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
 		Where("reset_password_token.token = ?", token).
 		Scan(ctx)
@@ -685,8 +666,8 @@ func (store *store) GetUserByResetPasswordToken(ctx context.Context, token strin
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 
 	err := store.
 		sqlstore.
@@ -703,3 +684,20 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID
 
 	return users, nil
 }
+
+func (store *store) GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().
+		Model(&users).
+		Join("JOIN user_role ON user_role.user_id = users.id").
+		Join("JOIN role ON role.id = user_role.role_id").
+		Where("users.org_id = ?", orgID).
+		Where("role.name = ?", roleName).
+		Where("users.status = ?", types.UserStatusActive.StringValue()).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}

pkg/modules/user/impluser/userrolestore.go

@@ -0,0 +1,62 @@
+package impluser
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type userRoleStore struct {
+	sqlstore sqlstore.SQLStore
+	settings factory.ProviderSettings
+}
+
+func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
+	return &userRoleStore{sqlstore: sqlstore, settings: settings}
+}
+
+func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).
+		Join("JOIN users").
+		JoinOn("users.id = user_role.user_id").
+		Where("users.org_id = ?", orgID).Where("users.id IN (?)", bun.In(userIDs)).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
+
+func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.StorableUserRole) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewInsert().Model(&userRoles).Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+	return nil
+}
+
+func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().Model(new(authtypes.StorableUserRole)).Where("user_id = ?", userID).Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).Where("user_id = ?", userID).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}

pkg/modules/user/user.go

@@ -10,6 +10,12 @@ import (
 )
 
 type Module interface {
+	// Gets user by org id and user id, this includes the roles resolution
+	GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error)
+
+	// Lists all the users by org id, includes roles resolution
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)
+
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)
 
@@ -21,7 +27,7 @@ type Module interface {
 
 	// Get or Create a reset password token for a user. If the password does not exist, a new one is randomly generated and inserted. The function
 	// is idempotent and can be called multiple times.
-	GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error)
+	GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error)
 
 	// Updates password of a user using a reset password token. It also deletes all reset password tokens for the user.
 	// This is used to reset the password of a user when they forget their password.
@@ -58,22 +64,13 @@ type Module interface {
 }
 
 type Getter interface {
-	// Get root user by org id.
-	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
-
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)
 
-	// Get users by email.
-	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
-
-	// Get user by orgID and id.
-	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
-
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.User, error)
 
-	// List users by email and org ids.
+	// List users by email and org ids. This does not includes roles resolution as this is only used for session context
 	ListUsersByEmailAndOrgIDs(context.Context, valuer.Email, []valuer.UUID) ([]*types.User, error)
 
 	// Count users by org id.

pkg/querier/builder_query.go

@@ -10,13 +10,11 @@ import (
 
 	"github.com/ClickHouse/clickhouse-go/v2"
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/telemetrylogs"
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"github.com/bytedance/sonic"
 )
 
 type builderQuery[T any] struct {
@@ -262,40 +260,6 @@ func (q *builderQuery[T]) executeWithContext(ctx context.Context, query string,
 		return nil, err
 	}
 
-	// merge body_json and promoted into body
-	if q.spec.Signal == telemetrytypes.SignalLogs {
-		switch typedPayload := payload.(type) {
-		case *qbtypes.RawData:
-			for _, rr := range typedPayload.Rows {
-				seeder := func() error {
-					body, ok := rr.Data[telemetrylogs.LogsV2BodyJSONColumn].(map[string]any)
-					if !ok {
-						return nil
-					}
-					promoted, ok := rr.Data[telemetrylogs.LogsV2BodyPromotedColumn].(map[string]any)
-					if !ok {
-						return nil
-					}
-					seed(promoted, body)
-					str, err := sonic.MarshalString(body)
-					if err != nil {
-						return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to marshal body")
-					}
-					rr.Data["body"] = str
-					return nil
-				}
-				err := seeder()
-				if err != nil {
-					return nil, err
-				}
-
-				delete(rr.Data, telemetrylogs.LogsV2BodyJSONColumn)
-				delete(rr.Data, telemetrylogs.LogsV2BodyPromotedColumn)
-			}
-			payload = typedPayload
-		}
-	}
-
 	return &qbtypes.Result{
 		Type:  q.kind,
 		Value: payload,
@@ -423,18 +387,3 @@ func decodeCursor(cur string) (int64, error) {
 	}
 	return strconv.ParseInt(string(b), 10, 64)
 }
-
-func seed(promoted map[string]any, body map[string]any) {
-	for key, fromValue := range promoted {
-		if toValue, ok := body[key]; !ok {
-			body[key] = fromValue
-		} else {
-			if fromValue, ok := fromValue.(map[string]any); ok {
-				if toValue, ok := toValue.(map[string]any); ok {
-					seed(fromValue, toValue)
-					body[key] = toValue
-				}
-			}
-		}
-	}
-}

pkg/querier/consume.go

@@ -14,7 +14,6 @@ import (
 	"github.com/ClickHouse/clickhouse-go/v2/lib/driver"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"github.com/bytedance/sonic"
 )
 
 var (
@@ -394,17 +393,11 @@ func readAsRaw(rows driver.Rows, queryName string) (*qbtypes.RawData, error) {
 
 			// de-reference the typed pointer to any
 			val := reflect.ValueOf(cellPtr).Elem().Interface()
-
-			// Post-process JSON columns: normalize into structured values
+			// Post-process JSON columns: normalize into String value
 			if strings.HasPrefix(strings.ToUpper(colTypes[i].DatabaseTypeName()), "JSON") {
 				switch x := val.(type) {
 				case []byte:
-					if len(x) > 0 {
-						var v any
-						if err := sonic.Unmarshal(x, &v); err == nil {
-							val = v
-						}
-					}
+					val = string(x)
 				default:
 					// already a structured type (map[string]any, []any, etc.)
 				}

pkg/query-service/app/cloudintegrations/accountsRepo.go

@@ -177,7 +177,7 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 	onConflictClause := ""
 	if len(onConflictSetStmts) > 0 {
 		onConflictClause = fmt.Sprintf(
-			"conflict(id, provider, org_id) do update SET\n%s",
+			"conflict(id) do update SET\n%s",
 			strings.Join(onConflictSetStmts, ",\n"),
 		)
 	}
@@ -202,6 +202,8 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 		Exec(ctx)
 
 	if dbErr != nil {
+		// for now returning internal error even if there is a conflict,
+		// will be handled better in the future iteration
 		return nil, model.InternalError(fmt.Errorf(
 			"could not upsert cloud account record: %w", dbErr,
 		))

pkg/query-service/rules/prom_rule_task.go

@@ -7,12 +7,14 @@ import (
 	"sync"
 	"time"
 
+	"log/slog"
+
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	ruletypes "github.com/SigNoz/signoz/pkg/types/ruletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	opentracing "github.com/opentracing/opentracing-go"
 	plabels "github.com/prometheus/prometheus/model/labels"
-	"log/slog"
 )
 
 // PromRuleTask is a promql rule executor
@@ -371,7 +373,7 @@ func (g *PromRuleTask) Eval(ctx context.Context, ts time.Time) {
 
 			comment := ctxtypes.CommentFromContext(ctx)
 			comment.Set("rule_id", rule.ID())
-			comment.Set("auth_type", "internal")
+			comment.Set("identn_provider", authtypes.IdentNProviderInternal.StringValue())
 			ctx = ctxtypes.NewContextWithComment(ctx, comment)
 
 			_, err := rule.Eval(ctx, ts)

pkg/query-service/rules/rule_task.go

@@ -10,6 +10,7 @@ import (
 	"log/slog"
 
 	"github.com/SigNoz/signoz/pkg/query-service/utils/labels"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	ruletypes "github.com/SigNoz/signoz/pkg/types/ruletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -358,7 +359,7 @@ func (g *RuleTask) Eval(ctx context.Context, ts time.Time) {
 
 			comment := ctxtypes.CommentFromContext(ctx)
 			comment.Set("rule_id", rule.ID())
-			comment.Set("auth_type", "internal")
+			comment.Set("identn_provider", authtypes.IdentNProviderInternal.StringValue())
 			ctx = ctxtypes.NewContextWithComment(ctx, comment)
 
 			_, err := rule.Eval(ctx, ts)

pkg/querybuilder/fallback_expr.go

@@ -219,7 +219,6 @@ func DataTypeCollisionHandledFieldName(key *telemetrytypes.TelemetryFieldKey, va
 			// we don't have a toBoolOrNull in ClickHouse, so we need to convert the bool to a string
 			value = fmt.Sprintf("%t", v)
 		}
-
 	case telemetrytypes.FieldDataTypeInt64,
 		telemetrytypes.FieldDataTypeArrayInt64,
 		telemetrytypes.FieldDataTypeNumber,

pkg/querybuilder/where_clause_visitor.go

@@ -313,37 +313,30 @@ func (v *filterExpressionVisitor) VisitPrimary(ctx *grammar.PrimaryContext) any
 			return ""
 		}
 		child := ctx.GetChild(0)
+		var searchText string
 		if keyCtx, ok := child.(*grammar.KeyContext); ok {
 			// create a full text search condition on the body field
-
-			keyText := keyCtx.GetText()
-			cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(keyText), v.builder, v.startNs, v.endNs)
-			if err != nil {
-				v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
-				return ""
-			}
-			return cond
+			searchText = keyCtx.GetText()
 		} else if valCtx, ok := child.(*grammar.ValueContext); ok {
-			var text string
 			if valCtx.QUOTED_TEXT() != nil {
-				text = trimQuotes(valCtx.QUOTED_TEXT().GetText())
+				searchText = trimQuotes(valCtx.QUOTED_TEXT().GetText())
 			} else if valCtx.NUMBER() != nil {
-				text = valCtx.NUMBER().GetText()
+				searchText = valCtx.NUMBER().GetText()
 			} else if valCtx.BOOL() != nil {
-				text = valCtx.BOOL().GetText()
+				searchText = valCtx.BOOL().GetText()
 			} else if valCtx.KEY() != nil {
-				text = valCtx.KEY().GetText()
+				searchText = valCtx.KEY().GetText()
 			} else {
 				v.errors = append(v.errors, fmt.Sprintf("unsupported value type: %s", valCtx.GetText()))
 				return ""
 			}
-			cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(text), v.builder, v.startNs, v.endNs)
-			if err != nil {
-				v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
-				return ""
-			}
-			return cond
 		}
+		cond, err := v.conditionBuilder.ConditionFor(context.Background(), v.fullTextColumn, qbtypes.FilterOperatorRegexp, FormatFullTextSearch(searchText), v.builder, v.startNs, v.endNs)
+		if err != nil {
+			v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
+			return ""
+		}
+		return cond
 	}
 
 	return "" // Should not happen with valid input
@@ -383,6 +376,7 @@ func (v *filterExpressionVisitor) VisitComparison(ctx *grammar.ComparisonContext
 		for _, key := range keys {
 			condition, err := v.conditionBuilder.ConditionFor(context.Background(), key, op, nil, v.builder, v.startNs, v.endNs)
 			if err != nil {
+				v.errors = append(v.errors, fmt.Sprintf("failed to build condition: %s", err.Error()))
 				return ""
 			}
 			conds = append(conds, condition)
@@ -648,7 +642,6 @@ func (v *filterExpressionVisitor) VisitValueList(ctx *grammar.ValueListContext)
 
 // VisitFullText handles standalone quoted strings for full-text search
 func (v *filterExpressionVisitor) VisitFullText(ctx *grammar.FullTextContext) any {
-
 	if v.skipFullTextFilter {
 		return ""
 	}
@@ -670,6 +663,7 @@ func (v *filterExpressionVisitor) VisitFullText(ctx *grammar.FullTextContext) an
 		v.errors = append(v.errors, fmt.Sprintf("failed to build full text search condition: %s", err.Error()))
 		return ""
 	}
+
 	return cond
 }
 

pkg/ruler/rulestore/sqlrulestore/maintenance.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
@@ -135,7 +136,7 @@ func (r *maintenance) DeletePlannedMaintenance(ctx context.Context, id valuer.UU
 		Where("id = ?", id.StringValue()).
 		Exec(ctx)
 	if err != nil {
-		return err
+		return r.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "cannot delete planned maintenance because it is referenced by associated rules, remove the rules from the planned maintenance first")
 	}
 
 	return nil

pkg/ruler/rulestore/sqlrulestore/rule.go

@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"slices"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
@@ -75,7 +76,7 @@ func (r *rule) DeleteRule(ctx context.Context, id valuer.UUID, cb func(context.C
 			Where("id = ?", id.StringValue()).
 			Exec(ctx)
 		if err != nil {
-			return err
+			return r.sqlstore.WrapAlreadyExistsErrf(err, errors.CodeAlreadyExists, "cannot delete rule because it is referenced by a planned maintenance, remove the rule from the planned maintenance first")
 		}
 
 		return cb(ctx)

pkg/signoz/handler_test.go

@@ -48,9 +48,11 @@ func TestNewHandlers(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
 
 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)

pkg/signoz/module.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -89,10 +90,12 @@ func NewModules(
 	config Config,
 	dashboard dashboard.Module,
 	userGetter user.Getter,
+	userRoleStore authtypes.UserRoleStore,
+	flagger flagger.Flagger,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User)
+	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), userRoleStore, tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, flagger)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 
 	return Modules{
@@ -108,7 +111,7 @@ func NewModules(
 		TraceFunnel:     impltracefunnel.NewModule(impltracefunnel.NewStore(sqlstore)),
 		RawDataExport:   implrawdataexport.NewModule(querier),
 		AuthDomain:      implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs),
-		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
+		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter, authz),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),

pkg/signoz/module_test.go

@@ -47,9 +47,11 @@ func TestNewModules(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/provider.go

@@ -175,6 +175,10 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
 		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
+		sqlmigration.NewUpdateCloudIntegrationUniqueIndexFactory(sqlstore, sqlschema),
+		sqlmigration.NewUpdatePlannedMaintenanceRuleFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleAuthzFactory(sqlstore),
 	)
 }
 

pkg/signoz/provider_test.go

@@ -1,13 +1,11 @@
 package signoz
 
 import (
-	"context"
 	"testing"
 
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/nfmanagertest"
 	"github.com/SigNoz/signoz/pkg/analytics"
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -77,12 +75,7 @@ func TestNewProviderFactories(t *testing.T) {
 	})
 
 	assert.NotPanics(t, func() {
-		flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
-		if err != nil {
-			panic(err)
-		}
-
-		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), flagger)
+		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()))
 		orgGetter := implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil)
 		telemetryStore := telemetrystoretest.New(telemetrystore.Config{Provider: "clickhouse"}, sqlmock.QueryMatcherEqual)
 		NewStatsReporterProviderFactories(telemetryStore, []statsreporter.StatsCollector{}, orgGetter, userGetter, tokenizertest.NewMockTokenizer(t), version.Build{}, analytics.Config{Enabled: true})

pkg/signoz/signoz.go

@@ -281,8 +281,14 @@ func New(
 		return nil, err
 	}
 
+	// Initialize user store
+	userStore := impluser.NewStore(sqlstore, providerSettings)
+
+	// Initialize user role store
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
+
 	// Initialize user getter
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userGetter := impluser.NewGetter(userStore)
 
 	licensingProviderFactory := licenseProviderFactory(sqlstore, zeus, orgGetter, analytics)
 	licensing, err := licensingProviderFactory.New(
@@ -390,7 +396,7 @@ func New(
 	}
 
 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter, userRoleStore, flagger)
 
 	// Initialize identN resolver
 	identNFactories := NewIdentNProviderFactories(sqlstore, tokenizer)
@@ -404,7 +410,7 @@ func New(
 	}
 	identNResolver := identn.NewIdentNResolver(providerSettings, identNs...)
 
-	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
+	userService := impluser.NewService(providerSettings, userStore, userRoleStore, modules.User, orgGetter, authz, config.User.Root)
 
 	// Initialize the querier handler via callback (allows EE to decorate with anomaly detection)
 	querierHandler := querierHandlerCallback(providerSettings, querier, analytics)

pkg/sqlmigration/037_add_trace_funnels.go

@@ -2,6 +2,7 @@ package sqlmigration
 
 import (
 	"context"
+
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -16,12 +17,12 @@ type funnel struct {
 	types.Identifiable // funnel id
 	types.TimeAuditable
 	types.UserAuditable
-	Name          string       `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
-	Description   string       `json:"description" bun:"description,type:text"`  // funnel description
-	OrgID         valuer.UUID  `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []funnelStep `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string       `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.User  `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
+	Description   string              `json:"description" bun:"description,type:text"`  // funnel description
+	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []funnelStep        `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string              `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }
 
 type funnelStep struct {

pkg/sqlmigration/069_update_cloud_integration_index.go

@@ -0,0 +1,255 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type updateCloudIntegrationUniqueIndex struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewUpdateCloudIntegrationUniqueIndexFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(
+		factory.MustNewName("update_cloud_integration_index"),
+		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+			return &updateCloudIntegrationUniqueIndex{
+				sqlstore:  sqlstore,
+				sqlschema: sqlschema,
+			}, nil
+		},
+	)
+}
+
+func (migration *updateCloudIntegrationUniqueIndex) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type cloudIntegrationRow struct {
+	bun.BaseModel `bun:"table:cloud_integration"`
+
+	ID        string    `bun:"id"`
+	AccountID string    `bun:"account_id"`
+	Provider  string    `bun:"provider"`
+	OrgID     string    `bun:"org_id"`
+	Config    string    `bun:"config"`
+	UpdatedAt time.Time `bun:"updated_at"`
+}
+
+type cloudIntegrationAccountConfig struct {
+	Regions []string `json:"regions"`
+}
+
+// duplicateGroup holds the keeper (first element) and losers (rest) for a duplicate (account_id, provider, org_id) group.
+type duplicateGroup struct {
+	keeper *cloudIntegrationRow
+	losers []*cloudIntegrationRow
+}
+
+func (migration *updateCloudIntegrationUniqueIndex) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	// Step 1: Drop the wrong index on (id, provider, org_id)
+	dropSqls := migration.sqlschema.Operator().DropIndex(
+		(&sqlschema.UniqueIndex{
+			TableName:   "cloud_integration",
+			ColumnNames: []sqlschema.ColumnName{"id", "provider", "org_id"},
+		}).Named("unique_cloud_integration"),
+	)
+	sqls = append(sqls, dropSqls...)
+
+	// Step 2: Normalize empty-string account_id to NULL
+	// Older table structure could store "" instead of NULL for unconnected accounts.
+	// Empty strings would violate the partial unique index since '' = '' (unlike NULL != NULL).
+	_, err = tx.NewUpdate().
+		TableExpr("cloud_integration").
+		Set("account_id = NULL").
+		Where("account_id = ''").
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Step 3: Fetch all active rows with non-null account_id, ordered for grouping
+	var activeRows []*cloudIntegrationRow
+	err = tx.NewSelect().
+		Model(&activeRows).
+		Where("removed_at IS NULL").
+		Where("account_id IS NOT NULL").
+		OrderExpr("account_id, provider, org_id, updated_at DESC").
+		Scan(ctx)
+	if err != nil && !errors.Is(err, sql.ErrNoRows) {
+		return err
+	}
+
+	// Group by (account_id, provider, org_id)
+	groups := groupCloudIntegrationRows(activeRows)
+
+	now := time.Now()
+	var loserIDs []string
+
+	for _, group := range groups {
+		if len(group.losers) == 0 {
+			continue
+		}
+
+		// Step 4: Merge config from losers into keeper
+		if err = mergeCloudIntegrationConfigs(ctx, tx, group); err != nil {
+			return err
+		}
+
+		// Step 5: Reassign non-conflicting cloud_integration_service rows to keeper
+		for _, loser := range group.losers {
+			_, err = tx.NewUpdate().
+				TableExpr("cloud_integration_service").
+				Set("cloud_integration_id = ?", group.keeper.ID).
+				Where("cloud_integration_id = ?", loser.ID).
+				Where("type NOT IN (?)",
+					tx.NewSelect().
+						TableExpr("cloud_integration_service").
+						Column("type").
+						Where("cloud_integration_id = ?", group.keeper.ID),
+				).
+				Exec(ctx)
+			if err != nil {
+				return err
+			}
+
+			loserIDs = append(loserIDs, loser.ID)
+		}
+	}
+
+	// Step 6: Soft-delete all loser rows
+	if len(loserIDs) > 0 {
+		_, err = tx.NewUpdate().
+			TableExpr("cloud_integration").
+			Set("removed_at = ?", now).
+			Set("updated_at = ?", now).
+			Where("id IN (?)", bun.In(loserIDs)).
+			Exec(ctx)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Step 7: Create the correct partial unique index on (account_id, provider, org_id) WHERE removed_at IS NULL
+	createSqls := migration.sqlschema.Operator().CreateIndex(
+		&sqlschema.PartialUniqueIndex{
+			TableName:   "cloud_integration",
+			ColumnNames: []sqlschema.ColumnName{"account_id", "provider", "org_id"},
+			Where:       "removed_at IS NULL",
+		},
+	)
+	sqls = append(sqls, createSqls...)
+
+	for _, sql := range sqls {
+		if _, err = tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *updateCloudIntegrationUniqueIndex) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}
+
+// groupCloudIntegrationRows groups rows by (account_id, provider, org_id).
+// Rows must be pre-sorted by account_id, provider, org_id, updated_at DESC
+// so the first row in each group is the keeper (most recently updated).
+func groupCloudIntegrationRows(rows []*cloudIntegrationRow) []duplicateGroup {
+	if len(rows) == 0 {
+		return nil
+	}
+
+	var groups []duplicateGroup
+	var current duplicateGroup
+	current.keeper = rows[0]
+
+	for i := 1; i < len(rows); i++ {
+		row := rows[i]
+		if row.AccountID == current.keeper.AccountID &&
+			row.Provider == current.keeper.Provider &&
+			row.OrgID == current.keeper.OrgID {
+			current.losers = append(current.losers, row)
+		} else {
+			groups = append(groups, current)
+			current = duplicateGroup{keeper: row}
+		}
+	}
+	groups = append(groups, current)
+
+	return groups
+}
+
+// mergeCloudIntegrationConfigs unions the EnabledRegions from all rows in the group into the keeper's config and updates
+func mergeCloudIntegrationConfigs(ctx context.Context, tx bun.Tx, group duplicateGroup) error {
+	regionSet := make(map[string]struct{})
+
+	// Parse keeper's config
+	parseRegions(group.keeper.Config, regionSet)
+
+	// Parse each loser's config
+	for _, loser := range group.losers {
+		parseRegions(loser.Config, regionSet)
+	}
+
+	// Build merged config
+	mergedRegions := make([]string, 0, len(regionSet))
+	for region := range regionSet {
+		mergedRegions = append(mergedRegions, region)
+	}
+
+	merged := cloudIntegrationAccountConfig{Regions: mergedRegions}
+	mergedJSON, err := json.Marshal(merged)
+	if err != nil {
+		return err
+	}
+
+	// Update keeper's config
+	_, err = tx.NewUpdate().
+		TableExpr("cloud_integration").
+		Set("config = ?", string(mergedJSON)).
+		Where("id = ?", group.keeper.ID).
+		Exec(ctx)
+	return err
+}
+
+// parseRegions unmarshals a config JSON string and adds its regions to the set.
+func parseRegions(configJSON string, regionSet map[string]struct{}) {
+	if configJSON == "" {
+		return
+	}
+
+	var config cloudIntegrationAccountConfig
+	if err := json.Unmarshal([]byte(configJSON), &config); err != nil {
+		return
+	}
+
+	for _, region := range config.Regions {
+		regionSet[region] = struct{}{}
+	}
+}

pkg/sqlmigration/070_update_planned_maintenance_rule.go

@@ -0,0 +1,132 @@
+package sqlmigration
+
+import (
+	"context"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type updatePlannedMaintenanceRule struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type plannedMaintenanceRuleRow struct {
+	bun.BaseModel `bun:"table:planned_maintenance_rule"`
+
+	ID                   string `bun:"id"`
+	PlannedMaintenanceID string `bun:"planned_maintenance_id"`
+	RuleID               string `bun:"rule_id"`
+}
+
+func NewUpdatePlannedMaintenanceRuleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(
+		factory.MustNewName("update_planned_maintenance_rule"),
+		func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+			return &updatePlannedMaintenanceRule{
+				sqlstore:  sqlstore,
+				sqlschema: sqlschema,
+			}, nil
+		},
+	)
+}
+
+func (migration *updatePlannedMaintenanceRule) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *updatePlannedMaintenanceRule) Up(ctx context.Context, db *bun.DB) error {
+	table, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("planned_maintenance_rule"))
+	if err != nil {
+		return err
+	}
+
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, false); err != nil {
+		return err
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	// Read all existing rows
+	var rows []*plannedMaintenanceRuleRow
+	err = tx.NewSelect().Model(&rows).Scan(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Drop the existing table
+	dropTableSQLs := migration.sqlschema.Operator().DropTable(table)
+	for _, sql := range dropTableSQLs {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// Create the table fresh without CASCADE constraints
+	newTable := &sqlschema.Table{
+		Name: sqlschema.TableName("planned_maintenance_rule"),
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "planned_maintenance_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "rule_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: "planned_maintenance_id",
+				ReferencedTableName:   "planned_maintenance",
+				ReferencedColumnName:  "id",
+			},
+			{
+				ReferencingColumnName: "rule_id",
+				ReferencedTableName:   "rule",
+				ReferencedColumnName:  "id",
+			},
+		},
+	}
+
+	createTableSQLs := migration.sqlschema.Operator().CreateTable(newTable)
+	for _, sql := range createTableSQLs {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// Re-insert the data
+	if len(rows) > 0 {
+		_, err = tx.NewInsert().Model(&rows).Exec(ctx)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	if err := migration.sqlschema.ToggleFKEnforcement(ctx, db, true); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *updatePlannedMaintenanceRule) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/071_add_user_role.go

@@ -0,0 +1,197 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+var (
+	userRoleToSigNozManagedRoleMap = map[string]string{
+		"ADMIN":  "signoz-admin",
+		"EDITOR": "signoz-editor",
+		"VIEWER": "signoz-viewer",
+	}
+)
+
+type userRow struct {
+	ID    string `bun:"id"`
+	Role  string `bun:"role"`
+	OrgID string `bun:"org_id"`
+}
+
+type roleRow struct {
+	ID    string `bun:"id"`
+	Name  string `bun:"name"`
+	OrgID string `bun:"org_id"`
+}
+
+type orgRoleKey struct {
+	OrgID    string
+	RoleName string
+}
+
+type addUserRole struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type userRoleRow struct {
+	bun.BaseModel `bun:"table:user_role"`
+
+	types.Identifiable
+	UserID string `bun:"user_id"`
+	RoleID string `bun:"role_id"`
+	types.TimeAuditable
+}
+
+func NewAddUserRoleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRole{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addUserRole) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "user_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("user_id"),
+				ReferencedTableName:   sqlschema.TableName("users"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(
+		&sqlschema.UniqueIndex{
+			TableName:   "user_role",
+			ColumnNames: []sqlschema.ColumnName{"user_id", "role_id"},
+		},
+	)
+
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// fill the new user_role table for existing users
+	var users []userRow
+	err = tx.NewSelect().TableExpr("users").ColumnExpr("id, role, org_id").Scan(ctx, &users)
+	if err != nil {
+		return err
+	}
+
+	if len(users) == 0 {
+		return tx.Commit()
+	}
+
+	orgIDs := make(map[string]struct{})
+	for _, u := range users {
+		orgIDs[u.OrgID] = struct{}{}
+	}
+
+	orgIDList := make([]string, 0, len(orgIDs))
+	for oid := range orgIDs {
+		orgIDList = append(orgIDList, oid)
+	}
+
+	var roles []roleRow
+	err = tx.NewSelect().TableExpr("role").ColumnExpr("id, name, org_id").Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx, &roles)
+	if err != nil {
+		return err
+	}
+
+	roleMap := make(map[orgRoleKey]string)
+	for _, r := range roles {
+		roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID
+	}
+
+	now := time.Now()
+	userRoles := make([]*userRoleRow, 0, len(users))
+	for _, u := range users {
+		managedRoleName, ok := userRoleToSigNozManagedRoleMap[u.Role]
+		if !ok {
+			managedRoleName = "signoz-viewer" // fallback
+		}
+		roleID, ok := roleMap[orgRoleKey{OrgID: u.OrgID, RoleName: managedRoleName}]
+		if !ok {
+			continue // user needs to get access again
+		}
+
+		userRoles = append(userRoles, &userRoleRow{
+			Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
+			UserID:       u.ID,
+			RoleID:       roleID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: now,
+				UpdatedAt: now,
+			},
+		})
+	}
+
+	if len(userRoles) > 0 {
+		if _, err := tx.NewInsert().Model(&userRoles).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/072_add_user_role_authz.go

@@ -0,0 +1,156 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/oklog/ulid/v2"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addUserRoleAuthz struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewAddUserRoleAuthzFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role_authz"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRoleAuthz{sqlstore: sqlstore}, nil
+	})
+}
+
+func (migration *addUserRoleAuthz) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRoleAuthz) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	var storeID string
+	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
+	if err != nil {
+		return err
+	}
+
+	type userRoleTuple struct {
+		UserID   string
+		OrgID    string
+		RoleName string
+	}
+
+	rows, err := tx.QueryContext(ctx, `
+		SELECT u.id, u.org_id, r.name
+		FROM users u
+		JOIN user_role ur ON ur.user_id = u.id
+		JOIN role r ON r.id = ur.role_id
+		WHERE u.status != 'deleted'
+	`)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return tx.Commit()
+		}
+		return err
+	}
+	defer rows.Close()
+
+	tuples := make([]userRoleTuple, 0)
+	for rows.Next() {
+		var t userRoleTuple
+		if err := rows.Scan(&t.UserID, &t.OrgID, &t.RoleName); err != nil {
+			return err
+		}
+		tuples = append(tuples, t)
+	}
+
+	if err := rows.Err(); err != nil {
+		return err
+	}
+
+	entropy := ulid.DefaultEntropy()
+	for _, t := range tuples {
+		now := time.Now().UTC()
+		tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
+
+		objectID := "organization/" + t.OrgID + "/role/" + t.RoleName
+		userID := "organization/" + t.OrgID + "/user/" + t.UserID
+
+		if migration.sqlstore.BunDB().Dialect().Name() == dialect.PG {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "TUPLE_OPERATION_WRITE", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		} else {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", 0, tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addUserRoleAuthz) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/sqlstore/sqlitesqlstore/provider.go

@@ -100,7 +100,7 @@ func (provider *provider) WrapNotFoundErrf(err error, code errors.Code, format s
 
 func (provider *provider) WrapAlreadyExistsErrf(err error, code errors.Code, format string, args ...any) error {
 	if sqlite3Err, ok := err.(*sqlite.Error); ok {
-		if sqlite3Err.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE || sqlite3Err.Code() == sqlite3.SQLITE_CONSTRAINT_PRIMARYKEY {
+		if sqlite3Err.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE || sqlite3Err.Code() == sqlite3.SQLITE_CONSTRAINT_PRIMARYKEY || sqlite3Err.Code() == sqlite3.SQLITE_CONSTRAINT_FOREIGNKEY {
 			return errors.Wrapf(err, errors.TypeAlreadyExists, code, format, args...)
 		}
 	}

pkg/telemetrylogs/condition_builder.go

@@ -3,14 +3,12 @@ package telemetrylogs
 import (
 	"context"
 	"fmt"
-	"slices"
 
 	schema "github.com/SigNoz/signoz-otel-collector/cmd/signozschemamigrator/schema_migrator"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/querybuilder"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-	"golang.org/x/exp/maps"
 
 	"github.com/huandu/go-sqlbuilder"
 )
@@ -35,7 +33,7 @@ func (c *conditionBuilder) conditionFor(
 		return "", err
 	}
 
-	if column.Type.GetType() == schema.ColumnTypeEnumJSON && querybuilder.BodyJSONQueryEnabled {
+	if column.Type.GetType() == schema.ColumnTypeEnumJSON && querybuilder.BodyJSONQueryEnabled && key.Name != messageSubField {
 		valueType, value := InferDataType(value, operator, key)
 		cond, err := NewJSONConditionBuilder(key, valueType).buildJSONCondition(operator, value, sb)
 		if err != nil {
@@ -54,14 +52,14 @@ func (c *conditionBuilder) conditionFor(
 	}
 
 	// Check if this is a body JSON search - either by FieldContext
-	if key.FieldContext == telemetrytypes.FieldContextBody {
+	if key.FieldContext == telemetrytypes.FieldContextBody && !querybuilder.BodyJSONQueryEnabled {
 		tblFieldName, value = GetBodyJSONKey(ctx, key, operator, value)
 	}
 
 	tblFieldName, value = querybuilder.DataTypeCollisionHandledFieldName(key, value, tblFieldName, operator)
 
 	// make use of case insensitive index for body
-	if tblFieldName == "body" {
+	if tblFieldName == "body" || tblFieldName == messageSubColumn {
 		switch operator {
 		case qbtypes.FilterOperatorLike:
 			return sb.ILike(tblFieldName, value), nil
@@ -108,7 +106,6 @@ func (c *conditionBuilder) conditionFor(
 		return sb.ILike(tblFieldName, fmt.Sprintf("%%%s%%", value)), nil
 	case qbtypes.FilterOperatorNotContains:
 		return sb.NotILike(tblFieldName, fmt.Sprintf("%%%s%%", value)), nil
-
 	case qbtypes.FilterOperatorRegexp:
 		// Note: Escape $$ to $$$$ to avoid sqlbuilder interpreting materialized $ signs
 		// Only needed because we are using sprintf instead of sb.Match (not implemented in sqlbuilder)
@@ -178,9 +175,8 @@ func (c *conditionBuilder) conditionFor(
 		case schema.ColumnTypeEnumJSON:
 			if operator == qbtypes.FilterOperatorExists {
 				return sb.IsNotNull(tblFieldName), nil
-			} else {
-				return sb.IsNull(tblFieldName), nil
 			}
+			return sb.IsNull(tblFieldName), nil
 		case schema.ColumnTypeEnumLowCardinality:
 			switch elementType := column.Type.(schema.LowCardinalityColumnType).ElementType; elementType.GetType() {
 			case schema.ColumnTypeEnumString:
@@ -247,19 +243,30 @@ func (c *conditionBuilder) ConditionFor(
 		return "", err
 	}
 
-	if !(key.FieldContext == telemetrytypes.FieldContextBody && querybuilder.BodyJSONQueryEnabled) && operator.AddDefaultExistsFilter() {
-		// skip adding exists filter for intrinsic fields
-		// with an exception for body json search
-		field, _ := c.fm.FieldFor(ctx, key)
-		if slices.Contains(maps.Keys(IntrinsicFields), field) && key.FieldContext != telemetrytypes.FieldContextBody {
+	// Skip adding exists filter for intrinsic fields i.e. Table level log context fields
+	buildExistCondition := operator.AddDefaultExistsFilter()
+	switch key.FieldContext {
+	case telemetrytypes.FieldContextLog, telemetrytypes.FieldContextScope:
+		// pass; No need to build exist condition for top level columns
+		// immediately return
+		return condition, nil
+	case telemetrytypes.FieldContextResource, telemetrytypes.FieldContextAttribute:
+		// build exist condition for resource and attribute fields based on filter operator
+	case telemetrytypes.FieldContextBody:
+		// Querying JSON fields already account for Nullability of fields
+		// so additional exists checks are not needed
+		if querybuilder.BodyJSONQueryEnabled {
 			return condition, nil
 		}
+	}
 
+	if buildExistCondition {
 		existsCondition, err := c.conditionFor(ctx, key, qbtypes.FilterOperatorExists, nil, sb)
 		if err != nil {
 			return "", err
 		}
 		return sb.And(condition, existsCondition), nil
 	}
+
 	return condition, nil
 }

pkg/telemetrylogs/condition_builder_test.go

@@ -127,7 +127,8 @@ func TestConditionFor(t *testing.T) {
 		{
 			name: "Contains operator - body",
 			key: telemetrytypes.TelemetryFieldKey{
-				Name: "body",
+				Name:         "body",
+				FieldContext: telemetrytypes.FieldContextLog,
 			},
 			operator:      qbtypes.FilterOperatorContains,
 			value:         521509198310,

pkg/telemetrylogs/const.go

@@ -1,7 +1,10 @@
 package telemetrylogs
 
 import (
+	"fmt"
+
 	"github.com/SigNoz/signoz-otel-collector/constants"
+	"github.com/SigNoz/signoz/pkg/querybuilder"
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 )
@@ -17,7 +20,7 @@ const (
 	LogsV2TimestampColumn         = "timestamp"
 	LogsV2ObservedTimestampColumn = "observed_timestamp"
 	LogsV2BodyColumn              = "body"
-	LogsV2BodyJSONColumn          = constants.BodyV2Column
+	LogsV2BodyV2Column            = constants.BodyV2Column
 	LogsV2BodyPromotedColumn      = constants.BodyPromotedColumn
 	LogsV2TraceIDColumn           = "trace_id"
 	LogsV2SpanIDColumn            = "span_id"
@@ -34,8 +37,14 @@ const (
 	LogsV2ResourcesStringColumn  = "resources_string"
 	LogsV2ScopeStringColumn      = "scope_string"
 
-	BodyJSONColumnPrefix     = constants.BodyV2ColumnPrefix
+	BodyV2ColumnPrefix       = constants.BodyV2ColumnPrefix
 	BodyPromotedColumnPrefix = constants.BodyPromotedColumnPrefix
+
+	// messageSubColumn is the ClickHouse sub-column that body searches map to
+	// when BodyJSONQueryEnabled is true.
+	messageSubField          = "message"
+	messageSubColumn         = "body_v2.message"
+	bodySearchDefaultWarning = "body searches default to `body.message:string`. Use `body.<key>` to search a different field inside body"
 )
 
 var (
@@ -118,3 +127,11 @@ var (
 		},
 	}
 )
+
+func bodyAliasExpression() string {
+	if !querybuilder.BodyJSONQueryEnabled {
+		return LogsV2BodyColumn
+	}
+
+	return fmt.Sprintf("%s as body", LogsV2BodyV2Column)
+}

pkg/telemetrylogs/field_mapper.go

@@ -30,7 +30,8 @@ var (
 		"severity_text":      {Name: "severity_text", Type: schema.LowCardinalityColumnType{ElementType: schema.ColumnTypeString}},
 		"severity_number":    {Name: "severity_number", Type: schema.ColumnTypeUInt8},
 		"body":               {Name: "body", Type: schema.ColumnTypeString},
-		LogsV2BodyJSONColumn: {Name: LogsV2BodyJSONColumn, Type: schema.JSONColumnType{
+		messageSubColumn:     {Name: messageSubColumn, Type: schema.ColumnTypeString},
+		LogsV2BodyV2Column: {Name: LogsV2BodyV2Column, Type: schema.JSONColumnType{
 			MaxDynamicTypes: utils.ToPointer(uint(32)),
 			MaxDynamicPaths: utils.ToPointer(uint(0)),
 		}},
@@ -88,21 +89,26 @@ func (m *fieldMapper) getColumn(_ context.Context, key *telemetrytypes.Telemetry
 			return logsV2Columns["attributes_bool"], nil
 		}
 	case telemetrytypes.FieldContextBody:
-		// Body context is for JSON body fields
-		// Use body_json if feature flag is enabled
+		// Body context is for JSON body fields. Use body_v2 if feature flag is enabled.
 		if querybuilder.BodyJSONQueryEnabled {
-			return logsV2Columns[LogsV2BodyJSONColumn], nil
+			if key.Name == messageSubField {
+				return logsV2Columns[messageSubColumn], nil
+			}
+			return logsV2Columns[LogsV2BodyV2Column], nil
 		}
 		// Fall back to legacy body column
 		return logsV2Columns["body"], nil
 	case telemetrytypes.FieldContextLog, telemetrytypes.FieldContextUnspecified:
+		if key.Name == LogsV2BodyColumn && querybuilder.BodyJSONQueryEnabled {
+			return logsV2Columns[messageSubColumn], nil
+		}
 		col, ok := logsV2Columns[key.Name]
 		if !ok {
 			// check if the key has body JSON search
 			if strings.HasPrefix(key.Name, telemetrytypes.BodyJSONStringSearchPrefix) {
-				// Use body_json if feature flag is enabled and we have a body condition builder
+				// Use body_v2 if feature flag is enabled and we have a body condition builder
 				if querybuilder.BodyJSONQueryEnabled {
-					return logsV2Columns[LogsV2BodyJSONColumn], nil
+					return logsV2Columns[LogsV2BodyV2Column], nil
 				}
 				// Fall back to legacy body column
 				return logsV2Columns["body"], nil
@@ -138,6 +144,10 @@ func (m *fieldMapper) FieldFor(ctx context.Context, key *telemetrytypes.Telemetr
 			}
 			return fmt.Sprintf("multiIf(%s.`%s` IS NOT NULL, %s.`%s`::String, mapContains(%s, '%s'), %s, NULL)", column.Name, key.Name, column.Name, key.Name, oldColumn.Name, key.Name, oldKeyName), nil
 		case telemetrytypes.FieldContextBody:
+			if key.Name == messageSubField {
+				return messageSubColumn, nil
+			}
+
 			if key.JSONDataType == nil {
 				return "", qbtypes.ErrColumnNotFound
 			}
@@ -246,34 +256,37 @@ func (m *fieldMapper) buildFieldForJSON(key *telemetrytypes.TelemetryFieldKey) (
 		node := plan[0]
 
 		expr := fmt.Sprintf("dynamicElement(%s, '%s')", node.FieldPath(), node.TerminalConfig.ElemType.StringValue())
-		if key.Materialized {
-			if len(plan) < 2 {
-				return "", errors.Newf(errors.TypeUnexpected, CodePromotedPlanMissing,
-					"plan length is less than 2 for promoted path: %s", key.Name)
-			}
+		// TODO(Piyush): Promoted path logic commented out. Materialized now means type hint
+		// promotion will be extracted from key field evolution
+		// (direct sub-column access), not a promoted body_promoted.* column.
+		// if key.Materialized {
+		// 	if len(plan) < 2 {
+		// 		return "", errors.Newf(errors.TypeUnexpected, CodePromotedPlanMissing,
+		// 			"plan length is less than 2 for promoted path: %s", key.Name)
+		// 	}
 
-			node := plan[1]
-			promotedExpr := fmt.Sprintf(
-				"dynamicElement(%s, '%s')",
-				node.FieldPath(),
-				node.TerminalConfig.ElemType.StringValue(),
-			)
+		// 	node := plan[1]
+		// 	promotedExpr := fmt.Sprintf(
+		// 		"dynamicElement(%s, '%s')",
+		// 		node.FieldPath(),
+		// 		node.TerminalConfig.ElemType.StringValue(),
+		// 	)
 
-			// dynamicElement returns NULL for scalar types or an empty array for array types.
-			if node.TerminalConfig.ElemType.IsArray {
-				expr = fmt.Sprintf(
-					"if(length(%s) > 0, %s, %s)",
-					promotedExpr,
-					promotedExpr,
-					expr,
-				)
-			} else {
-				// promoted column first then body_json column
-				// TODO(Piyush): Change this in future for better performance
-				expr = fmt.Sprintf("coalesce(%s, %s)", promotedExpr, expr)
-			}
+		// 	// dynamicElement returns NULL for scalar types or an empty array for array types.
+		// 	if node.TerminalConfig.ElemType.IsArray {
+		// 		expr = fmt.Sprintf(
+		// 			"if(length(%s) > 0, %s, %s)",
+		// 			promotedExpr,
+		// 			promotedExpr,
+		// 			expr,
+		// 		)
+		// 	} else {
+		// 		// promoted column first then body_json column
+		// 		// TODO(Piyush): Change this in future for better performance
+		// 		expr = fmt.Sprintf("coalesce(%s, %s)", promotedExpr, expr)
+		// 	}
 
-		}
+		// }
 
 		return expr, nil
 	}

pkg/telemetrylogs/json_condition_builder.go

@@ -30,7 +30,7 @@ func NewJSONConditionBuilder(key *telemetrytypes.TelemetryFieldKey, valueType te
 	return &jsonConditionBuilder{key: key, valueType: telemetrytypes.MappingFieldDataTypeToJSONDataType[valueType]}
 }
 
-// BuildCondition builds the full WHERE condition for body_json JSON paths
+// BuildCondition builds the full WHERE condition for body_v2 JSON paths
 func (c *jsonConditionBuilder) buildJSONCondition(operator qbtypes.FilterOperator, value any, sb *sqlbuilder.SelectBuilder) (string, error) {
 	conditions := []string{}
 	for _, node := range c.key.JSONPlan {
@@ -40,6 +40,7 @@ func (c *jsonConditionBuilder) buildJSONCondition(operator qbtypes.FilterOperato
 		}
 		conditions = append(conditions, condition)
 	}
+
 	return sb.Or(conditions...), nil
 }
 
@@ -288,9 +289,9 @@ func (c *jsonConditionBuilder) applyOperator(sb *sqlbuilder.SelectBuilder, field
 		}
 		return sb.NotIn(fieldExpr, values...), nil
 	case qbtypes.FilterOperatorExists:
-		return fmt.Sprintf("%s IS NOT NULL", fieldExpr), nil
+		return sb.IsNotNull(fieldExpr), nil
 	case qbtypes.FilterOperatorNotExists:
-		return fmt.Sprintf("%s IS NULL", fieldExpr), nil
+		return sb.IsNull(fieldExpr), nil
 	// between and not between
 	case qbtypes.FilterOperatorBetween, qbtypes.FilterOperatorNotBetween:
 		values, ok := value.([]any)

pkg/telemetrylogs/statement_builder.go

@@ -65,7 +65,7 @@ func (b *logQueryStatementBuilder) Build(
 	start = querybuilder.ToNanoSecs(start)
 	end = querybuilder.ToNanoSecs(end)
 
-	keySelectors := getKeySelectors(query)
+	keySelectors, warnings := getKeySelectors(query)
 	keys, _, err := b.metadataStore.GetKeysMulti(ctx, keySelectors)
 	if err != nil {
 		return nil, err
@@ -76,20 +76,29 @@ func (b *logQueryStatementBuilder) Build(
 	// Create SQL builder
 	q := sqlbuilder.NewSelectBuilder()
 
+	var stmt *qbtypes.Statement
 	switch requestType {
 	case qbtypes.RequestTypeRaw, qbtypes.RequestTypeRawStream:
-		return b.buildListQuery(ctx, q, query, start, end, keys, variables)
+		stmt, err = b.buildListQuery(ctx, q, query, start, end, keys, variables)
 	case qbtypes.RequestTypeTimeSeries:
-		return b.buildTimeSeriesQuery(ctx, q, query, start, end, keys, variables)
+		stmt, err = b.buildTimeSeriesQuery(ctx, q, query, start, end, keys, variables)
 	case qbtypes.RequestTypeScalar:
-		return b.buildScalarQuery(ctx, q, query, start, end, keys, false, variables)
+		stmt, err = b.buildScalarQuery(ctx, q, query, start, end, keys, false, variables)
+	default:
+		return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "unsupported request type: %s", requestType)
 	}
 
-	return nil, errors.NewInvalidInputf(errors.CodeInvalidInput, "unsupported request type: %s", requestType)
+	if err != nil {
+		return nil, err
+	}
+
+	stmt.Warnings = append(stmt.Warnings, warnings...)
+	return stmt, nil
 }
 
-func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) []*telemetrytypes.FieldKeySelector {
+func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) ([]*telemetrytypes.FieldKeySelector, []string) {
 	var keySelectors []*telemetrytypes.FieldKeySelector
+	var warnings []string
 
 	for idx := range query.Aggregations {
 		aggExpr := query.Aggregations[idx]
@@ -136,7 +145,19 @@ func getKeySelectors(query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]) []
 		keySelectors[idx].SelectorMatchType = telemetrytypes.FieldSelectorMatchTypeExact
 	}
 
-	return keySelectors
+	// When the new JSON body experience is enabled, warn the user if they use the bare
+	// "body" key in the filter — queries on plain "body" default to body.message:string.
+	// TODO(Piyush): Setup better for coming FTS support.
+	if querybuilder.BodyJSONQueryEnabled {
+		for _, sel := range keySelectors {
+			if sel.Name == LogsV2BodyColumn {
+				warnings = append(warnings, bodySearchDefaultWarning)
+				break
+			}
+		}
+	}
+
+	return keySelectors, warnings
 }
 
 func (b *logQueryStatementBuilder) adjustKeys(ctx context.Context, keys map[string][]*telemetrytypes.TelemetryFieldKey, query qbtypes.QueryBuilderQuery[qbtypes.LogAggregation], requestType qbtypes.RequestType) qbtypes.QueryBuilderQuery[qbtypes.LogAggregation] {
@@ -203,7 +224,6 @@ func (b *logQueryStatementBuilder) adjustKeys(ctx context.Context, keys map[stri
 }
 
 func (b *logQueryStatementBuilder) adjustKey(key *telemetrytypes.TelemetryFieldKey, keys map[string][]*telemetrytypes.TelemetryFieldKey) []string {
-
 	// First check if it matches with any intrinsic fields
 	var intrinsicOrCalculatedField telemetrytypes.TelemetryFieldKey
 	if _, ok := IntrinsicFields[key.Name]; ok {
@@ -212,7 +232,6 @@ func (b *logQueryStatementBuilder) adjustKey(key *telemetrytypes.TelemetryFieldK
 	}
 
 	return querybuilder.AdjustKey(key, keys, nil)
-
 }
 
 // buildListQuery builds a query for list panel type
@@ -249,11 +268,7 @@ func (b *logQueryStatementBuilder) buildListQuery(
 		sb.SelectMore(LogsV2SeverityNumberColumn)
 		sb.SelectMore(LogsV2ScopeNameColumn)
 		sb.SelectMore(LogsV2ScopeVersionColumn)
-		sb.SelectMore(LogsV2BodyColumn)
-		if querybuilder.BodyJSONQueryEnabled {
-			sb.SelectMore(LogsV2BodyJSONColumn)
-			sb.SelectMore(LogsV2BodyPromotedColumn)
-		}
+		sb.SelectMore(bodyAliasExpression())
 		sb.SelectMore(LogsV2AttributesStringColumn)
 		sb.SelectMore(LogsV2AttributesNumberColumn)
 		sb.SelectMore(LogsV2AttributesBoolColumn)

pkg/telemetrylogs/stmt_builder_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/querybuilder"
 	"github.com/SigNoz/signoz/pkg/querybuilder/resourcefilter"
@@ -886,3 +887,246 @@ func TestAdjustKey(t *testing.T) {
 		})
 	}
 }
+
+func TestStmtBuilderBodyField(t *testing.T) {
+	cases := []struct {
+		name                string
+		requestType         qbtypes.RequestType
+		query               qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]
+		enableBodyJSONQuery bool
+		expected            qbtypes.Statement
+		expectedErr         error
+	}{
+		{
+			name:        "body_exists",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body Exists"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body_v2.message <> ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_exists_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body Exists"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body <> ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_empty",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body == ''"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body_v2.message = ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_empty_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body == ''"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND body = ? AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_contains",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body CONTAINS 'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query:    "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND LOWER(body_v2.message) LIKE LOWER(?) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:     []any{uint64(1747945619), uint64(1747983448), "%error%", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+				Warnings: []string{bodySearchDefaultWarning},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_contains_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "body CONTAINS 'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND LOWER(body) LIKE LOWER(?) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "%error%", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+	}
+
+	fm := NewFieldMapper()
+	cb := NewConditionBuilder(fm)
+
+	enable, disable := jsonQueryTestUtil(t)
+	defer disable()
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			if c.enableBodyJSONQuery {
+				enable()
+			} else {
+				disable()
+			}
+			// build the key map after enabling/disabling body JSON query
+			mockMetadataStore := telemetrytypestest.NewMockMetadataStore()
+			for _, field := range IntrinsicFields {
+				f := field
+				mockMetadataStore.KeysMap[field.Name] = append(mockMetadataStore.KeysMap[field.Name], &f)
+			}
+			aggExprRewriter := querybuilder.NewAggExprRewriter(instrumentationtest.New().ToProviderSettings(), nil, fm, cb, nil)
+			resourceFilterStmtBuilder := resourceFilterStmtBuilder()
+			statementBuilder := NewLogQueryStatementBuilder(
+				instrumentationtest.New().ToProviderSettings(),
+				mockMetadataStore,
+				fm,
+				cb,
+				resourceFilterStmtBuilder,
+				aggExprRewriter,
+				DefaultFullTextColumn,
+				GetBodyJSONKey,
+			)
+
+			q, err := statementBuilder.Build(context.Background(), 1747947419000, 1747983448000, c.requestType, c.query, nil)
+			if c.expectedErr != nil {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), c.expectedErr.Error())
+			} else {
+				if err != nil {
+					_, _, _, _, _, add := errors.Unwrapb(err)
+					t.Logf("error additionals: %v", add)
+				}
+				require.NoError(t, err)
+				require.Equal(t, c.expected.Query, q.Query)
+				require.Equal(t, c.expected.Args, q.Args)
+				require.Equal(t, c.expected.Warnings, q.Warnings)
+			}
+		})
+	}
+}
+
+func TestStmtBuilderBodyFullTextSearch(t *testing.T) {
+	cases := []struct {
+		name                string
+		requestType         qbtypes.RequestType
+		query               qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]
+		enableBodyJSONQuery bool
+		expected            qbtypes.Statement
+		expectedErr         error
+	}{
+		{
+			name:        "body_contains",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: true,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body_v2 as body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND match(LOWER(body_v2.message), LOWER(?)) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "error", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+		{
+			name:        "body_contains_disabled",
+			requestType: qbtypes.RequestTypeRaw,
+			query: qbtypes.QueryBuilderQuery[qbtypes.LogAggregation]{
+				Signal: telemetrytypes.SignalLogs,
+				Filter: &qbtypes.Filter{Expression: "'error'"},
+				Limit:  10,
+			},
+			enableBodyJSONQuery: false,
+			expected: qbtypes.Statement{
+				Query: "WITH __resource_filter AS (SELECT fingerprint FROM signoz_logs.distributed_logs_v2_resource WHERE true AND seen_at_ts_bucket_start >= ? AND seen_at_ts_bucket_start <= ?) SELECT timestamp, id, trace_id, span_id, trace_flags, severity_text, severity_number, scope_name, scope_version, body, attributes_string, attributes_number, attributes_bool, resources_string, scope_string FROM signoz_logs.distributed_logs_v2 WHERE resource_fingerprint GLOBAL IN (SELECT fingerprint FROM __resource_filter) AND match(LOWER(body), LOWER(?)) AND timestamp >= ? AND ts_bucket_start >= ? AND timestamp < ? AND ts_bucket_start <= ? LIMIT ?",
+				Args:  []any{uint64(1747945619), uint64(1747983448), "error", "1747947419000000000", uint64(1747945619), "1747983448000000000", uint64(1747983448), 10},
+			},
+			expectedErr: nil,
+		},
+	}
+
+	fm := NewFieldMapper()
+	cb := NewConditionBuilder(fm)
+
+	enable, disable := jsonQueryTestUtil(t)
+	defer disable()
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			if c.enableBodyJSONQuery {
+				enable()
+			} else {
+				disable()
+			}
+			// build the key map after enabling/disabling body JSON query
+			mockMetadataStore := telemetrytypestest.NewMockMetadataStore()
+			for _, field := range IntrinsicFields {
+				f := field
+				mockMetadataStore.KeysMap[field.Name] = append(mockMetadataStore.KeysMap[field.Name], &f)
+			}
+			aggExprRewriter := querybuilder.NewAggExprRewriter(instrumentationtest.New().ToProviderSettings(), nil, fm, cb, nil)
+			resourceFilterStmtBuilder := resourceFilterStmtBuilder()
+			statementBuilder := NewLogQueryStatementBuilder(
+				instrumentationtest.New().ToProviderSettings(),
+				mockMetadataStore,
+				fm,
+				cb,
+				resourceFilterStmtBuilder,
+				aggExprRewriter,
+				DefaultFullTextColumn,
+				GetBodyJSONKey,
+			)
+
+			q, err := statementBuilder.Build(context.Background(), 1747947419000, 1747983448000, c.requestType, c.query, nil)
+			if c.expectedErr != nil {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), c.expectedErr.Error())
+			} else {
+				if err != nil {
+					_, _, _, _, _, add := errors.Unwrapb(err)
+					t.Logf("error additionals: %v", add)
+				}
+				require.NoError(t, err)
+				require.Equal(t, c.expected.Query, q.Query)
+				require.Equal(t, c.expected.Args, q.Args)
+				require.Equal(t, c.expected.Warnings, q.Warnings)
+			}
+		})
+	}
+}

pkg/telemetrylogs/test_data.go

@@ -27,13 +27,6 @@ func buildCompleteFieldKeyMap() map[string][]*telemetrytypes.TelemetryFieldKey {
 				FieldDataType: telemetrytypes.FieldDataTypeString,
 			},
 		},
-		"body": {
-			{
-				Name:          "body",
-				FieldContext:  telemetrytypes.FieldContextLog,
-				FieldDataType: telemetrytypes.FieldDataTypeString,
-			},
-		},
 		"http.status_code": {
 			{
 				Name:          "http.status_code",
@@ -938,6 +931,13 @@ func buildCompleteFieldKeyMap() map[string][]*telemetrytypes.TelemetryFieldKey {
 				Materialized:  true,
 			},
 		},
+		"body": {
+			{
+				Name:          "body",
+				FieldContext:  telemetrytypes.FieldContextLog,
+				FieldDataType: telemetrytypes.FieldDataTypeString,
+			},
+		},
 	}
 
 	for _, keys := range keysMap {
@@ -945,6 +945,7 @@ func buildCompleteFieldKeyMap() map[string][]*telemetrytypes.TelemetryFieldKey {
 			key.Signal = telemetrytypes.SignalLogs
 		}
 	}
+
 	return keysMap
 }
 

pkg/telemetrymetadata/body_json_metadata.go

@@ -54,6 +54,7 @@ func (t *telemetryMetaStore) fetchBodyJSONPaths(ctx context.Context,
 		instrumentationtypes.CodeNamespace:    "metadata",
 		instrumentationtypes.CodeFunctionName: "fetchBodyJSONPaths",
 	})
+
 	query, args, limit := buildGetBodyJSONPathsQuery(fieldKeySelectors)
 	rows, err := t.telemetrystore.ClickhouseDB().Query(ctx, query, args...)
 	if err != nil {
@@ -184,7 +185,6 @@ func buildGetBodyJSONPathsQuery(fieldKeySelectors []*telemetrytypes.FieldKeySele
 		limit += fieldKeySelector.Limit
 	}
 	sb.Where(sb.Or(orClauses...))
-
 	// Group by path to get unique paths with aggregated types
 	sb.GroupBy("path")
 
@@ -319,7 +319,7 @@ func (t *telemetryMetaStore) ListJSONValues(ctx context.Context, path string, li
 	if promoted {
 		path = telemetrylogs.BodyPromotedColumnPrefix + path
 	} else {
-		path = telemetrylogs.BodyJSONColumnPrefix + path
+		path = telemetrylogs.BodyV2ColumnPrefix + path
 	}
 
 	from := fmt.Sprintf("%s.%s", telemetrylogs.DBName, telemetrylogs.LogsV2TableName)
@@ -522,7 +522,7 @@ func (t *telemetryMetaStore) GetPromotedPaths(ctx context.Context, paths ...stri
 // TODO(Piyush): Remove this function
 func CleanPathPrefixes(path string) string {
 	path = strings.TrimPrefix(path, telemetrytypes.BodyJSONStringSearchPrefix)
-	path = strings.TrimPrefix(path, telemetrylogs.BodyJSONColumnPrefix)
+	path = strings.TrimPrefix(path, telemetrylogs.BodyV2ColumnPrefix)
 	path = strings.TrimPrefix(path, telemetrylogs.BodyPromotedColumnPrefix)
 	return path
 }

pkg/telemetrymetadata/metadata.go

@@ -102,7 +102,7 @@ func NewTelemetryMetaStore(
 		jsonColumnMetadata: map[telemetrytypes.Signal]map[telemetrytypes.FieldContext]telemetrytypes.JSONColumnMetadata{
 			telemetrytypes.SignalLogs: {
 				telemetrytypes.FieldContextBody: telemetrytypes.JSONColumnMetadata{
-					BaseColumn:     telemetrylogs.LogsV2BodyJSONColumn,
+					BaseColumn:     telemetrylogs.LogsV2BodyV2Column,
 					PromotedColumn: telemetrylogs.LogsV2BodyPromotedColumn,
 				},
 			},

pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go

@@ -34,7 +34,7 @@ func (store *store) Create(ctx context.Context, token *authtypes.StorableToken)
 }
 
 func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID) (*authtypes.Identity, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.

pkg/types/authtypes/authn.go

@@ -128,7 +128,7 @@ func (typ *Identity) ToClaims() Claims {
 
 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error)
 
 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/identn.go

@@ -6,6 +6,7 @@ var (
 	IdentNProviderTokenizer = IdentNProvider{valuer.NewString("tokenizer")}
 	IdentNProviderAPIkey    = IdentNProvider{valuer.NewString("api_key")}
 	IdentNProviderAnonymous = IdentNProvider{valuer.NewString("anonymous")}
+	IdentNProviderInternal  = IdentNProvider{valuer.NewString("internal")}
 )
 
 type IdentNProvider struct{ valuer.String }

pkg/types/authtypes/mapping.go

@@ -83,44 +83,56 @@ func (typ *RoleMapping) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func (roleMapping *RoleMapping) NewRoleFromCallbackIdentity(callbackIdentity *CallbackIdentity) types.Role {
+func (roleMapping *RoleMapping) ManagedRolesFromCallbackIdentity(callbackIdentity *CallbackIdentity) []string {
 	if roleMapping == nil {
-		return types.RoleViewer
+		return []string{SigNozViewerRoleName}
 	}
 
 	if roleMapping.UseRoleAttribute && callbackIdentity.Role != "" {
-		if role, err := types.NewRole(strings.ToUpper(callbackIdentity.Role)); err == nil {
-			return role
+		if managedRole := resolveToManagedRole(callbackIdentity.Role); managedRole != "" {
+			return []string{managedRole}
 		}
 	}
 
 	if len(roleMapping.GroupMappings) > 0 && len(callbackIdentity.Groups) > 0 {
-		highestRole := types.RoleViewer
-		found := false
-
+		seen := make(map[string]struct{})
+		var roles []string
 		for _, group := range callbackIdentity.Groups {
 			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
-				found = true
-				if role, err := types.NewRole(strings.ToUpper(mappedRole)); err == nil {
-					if compareRoles(role, highestRole) > 0 {
-						highestRole = role
+				managedRole := resolveToManagedRole(mappedRole)
+				if managedRole != "" {
+					if _, ok := seen[managedRole]; !ok {
+						seen[managedRole] = struct{}{}
+						roles = append(roles, managedRole)
 					}
 				}
 			}
 		}
-
-		if found {
-			return highestRole
+		if len(roles) > 0 {
+			return roles
 		}
 	}
 
 	if roleMapping.DefaultRole != "" {
-		if role, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole)); err == nil {
-			return role
+		if managedRole := resolveToManagedRole(roleMapping.DefaultRole); managedRole != "" {
+			return []string{managedRole}
 		}
 	}
 
-	return types.RoleViewer
+	return []string{SigNozViewerRoleName}
+}
+
+// for backward compatibility in API responses
+func HighestLegacyRoleFromManagedRoles(managedRoles []string) types.Role {
+	highest := types.RoleViewer
+	for _, name := range managedRoles {
+		for legacyRole, managedName := range ExistingRoleToSigNozManagedRoleMap {
+			if managedName == name && compareRoles(legacyRole, highest) > 0 {
+				highest = legacyRole
+			}
+		}
+	}
+	return highest
 }
 
 func compareRoles(a, b types.Role) int {
@@ -131,3 +143,13 @@ func compareRoles(a, b types.Role) int {
 	}
 	return order[a] - order[b]
 }
+
+func resolveToManagedRole(role string) string {
+	// backward compatible legacy role (ADMIN -> signoz-admin) useful in case of SSO
+	if legacyRole, err := types.NewRole(strings.ToUpper(role)); err == nil {
+		return MustGetSigNozManagedRoleFromExistingRole(legacyRole)
+	}
+
+	// if it's not a valid legacy role, return empty to signal unrecognized
+	return ""
+}

pkg/types/authtypes/user_role.go

@@ -0,0 +1,104 @@
+package authtypes
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
+)
+
+type StorableUserRole struct {
+	bun.BaseModel `bun:"table:user_role,alias:user_role"`
+
+	types.Identifiable
+
+	UserID valuer.UUID `bun:"user_id"`
+	RoleID valuer.UUID `bun:"role_id"`
+
+	types.TimeAuditable
+}
+
+func newStorableUserRole(userID valuer.UUID, roleID valuer.UUID) *StorableUserRole {
+	return &StorableUserRole{
+		Identifiable: types.Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		UserID: userID,
+		RoleID: roleID,
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+	}
+}
+
+func NewStorableUserRoles(userID valuer.UUID, roles []*Role) []*StorableUserRole {
+	storableUserRoles := make([]*StorableUserRole, len(roles))
+
+	for idx, role := range roles {
+		storableUserRoles[idx] = newStorableUserRole(userID, role.ID)
+	}
+
+	return storableUserRoles
+}
+
+func GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles []*StorableUserRole) (map[valuer.UUID][]valuer.UUID, []valuer.UUID) {
+	userIDRoles := make(map[valuer.UUID][]valuer.UUID)
+	uniqueRoleIDSet := make(map[valuer.UUID]struct{})
+
+	for _, userRole := range storableUserRoles {
+		userID := userRole.UserID
+		if _, ok := userIDRoles[userID]; !ok {
+			userIDRoles[userID] = make([]valuer.UUID, 0)
+		}
+		roleUUID := userRole.RoleID
+		userIDRoles[userID] = append(userIDRoles[userID], roleUUID)
+		uniqueRoleIDSet[userRole.RoleID] = struct{}{}
+	}
+
+	roleIDs := make([]valuer.UUID, 0, len(uniqueRoleIDSet))
+	for rid := range uniqueRoleIDSet {
+		roleIDs = append(roleIDs, rid)
+	}
+
+	return userIDRoles, roleIDs
+}
+
+func NewRoleNamesFromStorableUserRoles(storableUserRoles []*StorableUserRole, roles []*Role) ([]string, error) {
+	roleIDToName := make(map[valuer.UUID]string, len(roles))
+	for _, role := range roles {
+		roleIDToName[role.ID] = role.Name
+	}
+
+	names := make([]string, 0, len(storableUserRoles))
+	for _, storableUserRole := range storableUserRoles {
+		roleName, ok := roleIDToName[storableUserRole.RoleID]
+		if !ok {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "role id %s not found in provided roles", storableUserRole.RoleID)
+		}
+		names = append(names, roleName)
+	}
+
+	return names, nil
+}
+
+type UserRoleStore interface {
+	// create user roles in bulk
+	CreateUserRoles(ctx context.Context, userRoles []*StorableUserRole) error
+
+	// get user roles by user id
+	GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*StorableUserRole, error)
+
+	// list all user_role entries for
+	ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*StorableUserRole, error)
+
+	// delete user role entries by user id
+	DeleteUserRoles(ctx context.Context, userID valuer.UUID) error
+}

pkg/types/cloudintegrationtypes/account.go

@@ -0,0 +1,43 @@
+package cloudintegrationtypes
+
+import (
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type Account struct {
+	types.Identifiable
+	types.TimeAuditable
+	ProviderAccountId *string           `json:"providerAccountID,omitempty"`
+	Provider          CloudProviderType `json:"provider"`
+	RemovedAt         *time.Time        `json:"removedAt,omitempty"`
+	AgentReport       *AgentReport      `json:"agentReport,omitempty"`
+	OrgID             valuer.UUID       `json:"orgID"`
+	Config            *AccountConfig    `json:"config,omitempty"`
+}
+
+// AgentReport represents heartbeats sent by the agent.
+type AgentReport struct {
+	TimestampMillis int64          `json:"timestampMillis"`
+	Data            map[string]any `json:"data"`
+}
+
+type GettableAccounts struct {
+	Accounts []*Account `json:"accounts"`
+}
+
+type GettableAccount = Account
+
+type UpdatableAccount struct {
+	Config *AccountConfig `json:"config"`
+}
+
+type AccountConfig struct {
+	AWS *AWSAccountConfig `json:"aws,omitempty"`
+}
+
+type AWSAccountConfig struct {
+	Regions []string `json:"regions"`
+}

pkg/types/cloudintegrationtypes/cloudintegration.go

@@ -0,0 +1,80 @@
+package cloudintegrationtypes
+
+import (
+	"database/sql/driver"
+	"encoding/json"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/uptrace/bun"
+
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+var (
+	ErrCodeCloudIntegrationNotFound = errors.MustNewCode("cloud_integration_not_found")
+)
+
+// StorableCloudIntegration represents a cloud integration stored in the database.
+// This is also referred as "Account" in the context of cloud integrations.
+type StorableCloudIntegration struct {
+	bun.BaseModel `bun:"table:cloud_integration"`
+	types.Identifiable
+	types.TimeAuditable
+
+	Provider        CloudProviderType    `bun:"provider,type:text"`
+	Config          string               `bun:"config,type:text"` // Config is provider-specific data in JSON string format
+	AccountID       *string              `bun:"account_id,type:text"`
+	LastAgentReport *StorableAgentReport `bun:"last_agent_report,type:text"`
+	RemovedAt       *time.Time           `bun:"removed_at,type:timestamp,nullzero"`
+	OrgID           valuer.UUID          `bun:"org_id,type:text"`
+}
+
+// StorableAgentReport represents the last heartbeat and arbitrary data sent by the agent
+// as of now there is no use case for Data field, but keeping it for backwards compatibility with older structure.
+type StorableAgentReport struct {
+	TimestampMillis int64          `json:"timestamp_millis"` // backward compatibility
+	Data            map[string]any `json:"data"`
+}
+
+// StorableCloudIntegrationService is to store service config for a cloud integration, which is a cloud provider specific configuration.
+type StorableCloudIntegrationService struct {
+	bun.BaseModel `bun:"table:cloud_integration_service,alias:cis"`
+	types.Identifiable
+	types.TimeAuditable
+
+	Type               ServiceID   `bun:"type,type:text,notnull"` // Keeping Type field name as is, but it is a service id
+	Config             string      `bun:"config,type:text"`       // Config is cloud provider's service specific data in JSON string format
+	CloudIntegrationID valuer.UUID `bun:"cloud_integration_id,type:text"`
+}
+
+// Scan scans value from DB.
+func (r *StorableAgentReport) Scan(src any) error {
+	var data []byte
+	switch v := src.(type) {
+	case []byte:
+		data = v
+	case string:
+		data = []byte(v)
+	default:
+		return errors.NewInternalf(errors.CodeInternal, "tried to scan from %T instead of string or bytes", src)
+	}
+	return json.Unmarshal(data, r)
+}
+
+// Value creates value to be stored in DB.
+func (r *StorableAgentReport) Value() (driver.Value, error) {
+	if r == nil {
+		return nil, errors.NewInternalf(errors.CodeInternal, "agent report is nil")
+	}
+
+	serialized, err := json.Marshal(r)
+	if err != nil {
+		return nil, errors.WrapInternalf(
+			err, errors.CodeInternal, "couldn't serialize agent report to JSON",
+		)
+	}
+	// Return as string instead of []byte to ensure PostgreSQL stores as text, not bytes
+	return string(serialized), nil
+}

pkg/types/cloudintegrationtypes/cloudprovider.go

@@ -0,0 +1,41 @@
+package cloudintegrationtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+// CloudProviderType type alias.
+type CloudProviderType struct{ valuer.String }
+
+var (
+	// cloud providers.
+	CloudProviderTypeAWS   = CloudProviderType{valuer.NewString("aws")}
+	CloudProviderTypeAzure = CloudProviderType{valuer.NewString("azure")}
+
+	// errors.
+	ErrCodeCloudProviderInvalidInput = errors.MustNewCode("invalid_cloud_provider")
+
+	AWSIntegrationUserEmail   = valuer.MustNewEmail("aws-integration@signoz.io")
+	AzureIntegrationUserEmail = valuer.MustNewEmail("azure-integration@signoz.io")
+)
+
+// CloudIntegrationUserEmails is the list of valid emails for Cloud One Click integrations.
+// This is used for validation and restrictions in different contexts, across codebase.
+var CloudIntegrationUserEmails = []valuer.Email{
+	AWSIntegrationUserEmail,
+	AzureIntegrationUserEmail,
+}
+
+// NewCloudProvider returns a new CloudProviderType from a string.
+// It validates the input and returns an error if the input is not valid cloud provider.
+func NewCloudProvider(provider string) (CloudProviderType, error) {
+	switch provider {
+	case CloudProviderTypeAWS.StringValue():
+		return CloudProviderTypeAWS, nil
+	case CloudProviderTypeAzure.StringValue():
+		return CloudProviderTypeAzure, nil
+	default:
+		return CloudProviderType{}, errors.NewInvalidInputf(ErrCodeCloudProviderInvalidInput, "invalid cloud provider: %s", provider)
+	}
+}

pkg/types/cloudintegrationtypes/connection.go

@@ -0,0 +1,88 @@
+package cloudintegrationtypes
+
+import "github.com/SigNoz/signoz/pkg/types/integrationtypes"
+
+type ConnectionArtifactRequest struct {
+	Aws *AWSConnectionArtifactRequest `json:"aws"`
+}
+
+type AWSConnectionArtifactRequest struct {
+	DeploymentRegion string   `json:"deploymentRegion"`
+	Regions          []string `json:"regions"`
+}
+
+type PostableConnectionArtifact = ConnectionArtifactRequest
+
+type ConnectionArtifact struct {
+	Aws *AWSConnectionArtifact `json:"aws"`
+}
+
+type AWSConnectionArtifact struct {
+	ConnectionUrl string `json:"connectionURL"`
+}
+
+type GettableConnectionArtifact = ConnectionArtifact
+
+type AccountStatus struct {
+	Id                string                         `json:"id"`
+	ProviderAccountId *string                        `json:"providerAccountID,omitempty"`
+	Status            integrationtypes.AccountStatus `json:"status"`
+}
+
+type GettableAccountStatus = AccountStatus
+
+type AgentCheckInRequest struct {
+	// older backward compatible fields are mapped to new fields
+	// CloudIntegrationId string `json:"cloudIntegrationId"`
+	// AccountId          string `json:"accountId"`
+
+	// New fields
+	ProviderAccountId string `json:"providerAccountId"`
+	CloudAccountId    string `json:"cloudAccountId"`
+
+	Data map[string]any `json:"data,omitempty"`
+}
+
+type PostableAgentCheckInRequest struct {
+	AgentCheckInRequest
+	// following are backward compatible fields for older running agents
+	// which gets mapped to new fields in AgentCheckInRequest
+	CloudIntegrationId string `json:"cloud_integration_id"`
+	CloudAccountId     string `json:"cloud_account_id"`
+}
+
+type GettableAgentCheckInResponse struct {
+	AgentCheckInResponse
+
+	// For backward compatibility
+	CloudIntegrationId string `json:"cloud_integration_id"`
+	AccountId          string `json:"account_id"`
+}
+
+type AgentCheckInResponse struct {
+	// Older fields for backward compatibility are mapped to new fields below
+	// CloudIntegrationId string `json:"cloud_integration_id"`
+	// AccountId          string `json:"account_id"`
+
+	// New fields
+	ProviderAccountId string `json:"providerAccountId"`
+	CloudAccountId    string `json:"cloudAccountId"`
+
+	// IntegrationConfig populates data related to integration that is required for an agent
+	// to start collecting telemetry data
+	// keeping JSON key snake_case for backward compatibility
+	IntegrationConfig *IntegrationConfig `json:"integration_config,omitempty"`
+}
+
+type IntegrationConfig struct {
+	EnabledRegions []string               `json:"enabledRegions"`      // backward compatible
+	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty"` // backward compatible
+
+	// new fields
+	AWS *AWSIntegrationConfig `json:"aws,omitempty"`
+}
+
+type AWSIntegrationConfig struct {
+	EnabledRegions []string               `json:"enabledRegions"`
+	Telemetry      *AWSCollectionStrategy `json:"telemetry,omitempty"`
+}

pkg/types/cloudintegrationtypes/regions.go

@@ -0,0 +1,103 @@
+package cloudintegrationtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/errors"
+)
+
+var (
+	ErrCodeInvalidCloudRegion    = errors.MustNewCode("invalid_cloud_region")
+	ErrCodeMismatchCloudProvider = errors.MustNewCode("cloud_provider_mismatch")
+)
+
+// List of all valid cloud regions on Amazon Web Services.
+var ValidAWSRegions = map[string]struct{}{
+	"af-south-1":     {}, // Africa (Cape Town).
+	"ap-east-1":      {}, // Asia Pacific (Hong Kong).
+	"ap-northeast-1": {}, // Asia Pacific (Tokyo).
+	"ap-northeast-2": {}, // Asia Pacific (Seoul).
+	"ap-northeast-3": {}, // Asia Pacific (Osaka).
+	"ap-south-1":     {}, // Asia Pacific (Mumbai).
+	"ap-south-2":     {}, // Asia Pacific (Hyderabad).
+	"ap-southeast-1": {}, // Asia Pacific (Singapore).
+	"ap-southeast-2": {}, // Asia Pacific (Sydney).
+	"ap-southeast-3": {}, // Asia Pacific (Jakarta).
+	"ap-southeast-4": {}, // Asia Pacific (Melbourne).
+	"ca-central-1":   {}, // Canada (Central).
+	"ca-west-1":      {}, // Canada West (Calgary).
+	"eu-central-1":   {}, // Europe (Frankfurt).
+	"eu-central-2":   {}, // Europe (Zurich).
+	"eu-north-1":     {}, // Europe (Stockholm).
+	"eu-south-1":     {}, // Europe (Milan).
+	"eu-south-2":     {}, // Europe (Spain).
+	"eu-west-1":      {}, // Europe (Ireland).
+	"eu-west-2":      {}, // Europe (London).
+	"eu-west-3":      {}, // Europe (Paris).
+	"il-central-1":   {}, // Israel (Tel Aviv).
+	"me-central-1":   {}, // Middle East (UAE).
+	"me-south-1":     {}, // Middle East (Bahrain).
+	"sa-east-1":      {}, // South America (Sao Paulo).
+	"us-east-1":      {}, // US East (N. Virginia).
+	"us-east-2":      {}, // US East (Ohio).
+	"us-west-1":      {}, // US West (N. California).
+	"us-west-2":      {}, // US West (Oregon).
+}
+
+// List of all valid cloud regions for Microsoft Azure.
+var ValidAzureRegions = map[string]struct{}{
+	"australiacentral":   {}, // Australia Central
+	"australiacentral2":  {}, // Australia Central 2
+	"australiaeast":      {}, // Australia East
+	"australiasoutheast": {}, // Australia Southeast
+	"austriaeast":        {}, // Austria East
+	"belgiumcentral":     {}, // Belgium Central
+	"brazilsouth":        {}, // Brazil South
+	"brazilsoutheast":    {}, // Brazil Southeast
+	"canadacentral":      {}, // Canada Central
+	"canadaeast":         {}, // Canada East
+	"centralindia":       {}, // Central India
+	"centralus":          {}, // Central US
+	"chilecentral":       {}, // Chile Central
+	"denmarkeast":        {}, // Denmark East
+	"eastasia":           {}, // East Asia
+	"eastus":             {}, // East US
+	"eastus2":            {}, // East US 2
+	"francecentral":      {}, // France Central
+	"francesouth":        {}, // France South
+	"germanynorth":       {}, // Germany North
+	"germanywestcentral": {}, // Germany West Central
+	"indonesiacentral":   {}, // Indonesia Central
+	"israelcentral":      {}, // Israel Central
+	"italynorth":         {}, // Italy North
+	"japaneast":          {}, // Japan East
+	"japanwest":          {}, // Japan West
+	"koreacentral":       {}, // Korea Central
+	"koreasouth":         {}, // Korea South
+	"malaysiawest":       {}, // Malaysia West
+	"mexicocentral":      {}, // Mexico Central
+	"newzealandnorth":    {}, // New Zealand North
+	"northcentralus":     {}, // North Central US
+	"northeurope":        {}, // North Europe
+	"norwayeast":         {}, // Norway East
+	"norwaywest":         {}, // Norway West
+	"polandcentral":      {}, // Poland Central
+	"qatarcentral":       {}, // Qatar Central
+	"southafricanorth":   {}, // South Africa North
+	"southafricawest":    {}, // South Africa West
+	"southcentralus":     {}, // South Central US
+	"southindia":         {}, // South India
+	"southeastasia":      {}, // Southeast Asia
+	"spaincentral":       {}, // Spain Central
+	"swedencentral":      {}, // Sweden Central
+	"switzerlandnorth":   {}, // Switzerland North
+	"switzerlandwest":    {}, // Switzerland West
+	"uaecentral":         {}, // UAE Central
+	"uaenorth":           {}, // UAE North
+	"uksouth":            {}, // UK South
+	"ukwest":             {}, // UK West
+	"westcentralus":      {}, // West Central US
+	"westeurope":         {}, // West Europe
+	"westindia":          {}, // West India
+	"westus":             {}, // West US
+	"westus2":            {}, // West US 2
+	"westus3":            {}, // West US 3
+}

pkg/types/cloudintegrationtypes/service.go

@@ -0,0 +1,248 @@
+package cloudintegrationtypes
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+var (
+	S3Sync = valuer.NewString("s3sync")
+	// ErrCodeInvalidServiceID is the error code for invalid service id.
+	ErrCodeInvalidServiceID = errors.MustNewCode("invalid_service_id")
+)
+
+type ServiceID struct{ valuer.String }
+
+type CloudIntegrationService struct {
+	types.Identifiable
+	types.TimeAuditable
+	Type               ServiceID      `json:"type"`
+	Config             *ServiceConfig `json:"config"`
+	CloudIntegrationID valuer.UUID    `json:"cloudIntegrationID"`
+}
+
+// ServiceMetadata helps to quickly list available services and whether it is enabled or not.
+// As getting complete service definition is a heavy operation and the response is also large,
+// initial integration page load can be very slow.
+type ServiceMetadata struct {
+	ServiceDefinitionMetadata
+	// if the service is enabled for the account
+	Enabled bool `json:"enabled"`
+}
+
+type GettableServicesMetadata struct {
+	Services []*ServiceMetadata `json:"services"`
+}
+
+type Service struct {
+	ServiceDefinition
+	ServiceConfig *ServiceConfig `json:"serviceConfig"`
+}
+
+type GettableService = Service
+
+type UpdatableService struct {
+	Config *ServiceConfig `json:"config"`
+}
+
+type ServiceConfig struct {
+	AWS *AWSServiceConfig `json:"aws,omitempty"`
+}
+
+type AWSServiceConfig struct {
+	Logs    *AWSServiceLogsConfig    `json:"logs"`
+	Metrics *AWSServiceMetricsConfig `json:"metrics"`
+}
+
+// AWSServiceLogsConfig is AWS specific logs config for a service
+// NOTE: the JSON keys are snake case for backward compatibility with existing agents.
+type AWSServiceLogsConfig struct {
+	Enabled   bool                `json:"enabled"`
+	S3Buckets map[string][]string `json:"s3_buckets,omitempty"`
+}
+
+type AWSServiceMetricsConfig struct {
+	Enabled bool `json:"enabled"`
+}
+
+// ServiceDefinitionMetadata represents service definition metadata. This is useful for showing service tab in frontend.
+type ServiceDefinitionMetadata struct {
+	Id    string `json:"id"`
+	Title string `json:"title"`
+	Icon  string `json:"icon"`
+}
+
+type ServiceDefinition struct {
+	ServiceDefinitionMetadata
+	Overview         string              `json:"overview"` // markdown
+	Assets           Assets              `json:"assets"`
+	SupportedSignals SupportedSignals    `json:"supported_signals"`
+	DataCollected    DataCollected       `json:"dataCollected"`
+	Strategy         *CollectionStrategy `json:"telemetryCollectionStrategy"`
+}
+
+// CollectionStrategy is cloud provider specific configuration for signal collection,
+// this is used by agent to understand the nitty-gritty for collecting telemetry for the cloud provider.
+type CollectionStrategy struct {
+	AWS *AWSCollectionStrategy `json:"aws,omitempty"`
+}
+
+// Assets represents the collection of dashboards.
+type Assets struct {
+	Dashboards []Dashboard `json:"dashboards"`
+}
+
+// SupportedSignals for cloud provider's service.
+type SupportedSignals struct {
+	Logs    bool `json:"logs"`
+	Metrics bool `json:"metrics"`
+}
+
+// DataCollected is curated static list of metrics and logs, this is shown as part of service overview.
+type DataCollected struct {
+	Logs    []CollectedLogAttribute `json:"logs"`
+	Metrics []CollectedMetric       `json:"metrics"`
+}
+
+// CollectedLogAttribute represents a log attribute that is present in all log entries for a service,
+// this is shown as part of service overview.
+type CollectedLogAttribute struct {
+	Name string `json:"name"`
+	Path string `json:"path"`
+	Type string `json:"type"`
+}
+
+// CollectedMetric represents a metric that is collected for a service, this is shown as part of service overview.
+type CollectedMetric struct {
+	Name        string `json:"name"`
+	Type        string `json:"type"`
+	Unit        string `json:"unit"`
+	Description string `json:"description"`
+}
+
+// AWSCollectionStrategy represents signal collection strategy for AWS services.
+// this is AWS specific.
+// NOTE: this structure is still using snake case, for backward compatibility,
+// with existing agents.
+type AWSCollectionStrategy struct {
+	Metrics   *AWSMetricsStrategy `json:"aws_metrics,omitempty"`
+	Logs      *AWSLogsStrategy    `json:"aws_logs,omitempty"`
+	S3Buckets map[string][]string `json:"s3_buckets,omitempty"` // Only available in S3 Sync Service Type in AWS
+}
+
+// AWSMetricsStrategy represents metrics collection strategy for AWS services.
+// this is AWS specific.
+// NOTE: this structure is still using snake case, for backward compatibility,
+// with existing agents.
+type AWSMetricsStrategy struct {
+	// to be used as https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-metricstream.html#cfn-cloudwatch-metricstream-includefilters
+	StreamFilters []struct {
+		// json tags here are in the shape expected by AWS API as detailed at
+		// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudwatch-metricstream-metricstreamfilter.html
+		Namespace   string   `json:"Namespace"`
+		MetricNames []string `json:"MetricNames,omitempty"`
+	} `json:"cloudwatch_metric_stream_filters"`
+}
+
+// AWSLogsStrategy represents logs collection strategy for AWS services.
+// this is AWS specific.
+// NOTE: this structure is still using snake case, for backward compatibility,
+// with existing agents.
+type AWSLogsStrategy struct {
+	Subscriptions []struct {
+		// subscribe to all logs groups with specified prefix.
+		// eg: `/aws/rds/`
+		LogGroupNamePrefix string `json:"log_group_name_prefix"`
+
+		// https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html
+		// "" implies no filtering is required.
+		FilterPattern string `json:"filter_pattern"`
+	} `json:"cloudwatch_logs_subscriptions"`
+}
+
+// Dashboard represents a dashboard definition for cloud integration.
+// This is used to show available pre-made dashboards for a service,
+// hence has additional fields like id, title and description
+type Dashboard struct {
+	Id          string                               `json:"id"`
+	Title       string                               `json:"title"`
+	Description string                               `json:"description"`
+	Definition  dashboardtypes.StorableDashboardData `json:"definition,omitempty"`
+}
+
+// SupportedServices is the map of supported services for each cloud provider.
+var SupportedServices = map[CloudProviderType][]ServiceID{
+	CloudProviderTypeAWS: {
+		{valuer.NewString("alb")},
+		{valuer.NewString("api-gateway")},
+		{valuer.NewString("dynamodb")},
+		{valuer.NewString("ec2")},
+		{valuer.NewString("ecs")},
+		{valuer.NewString("eks")},
+		{valuer.NewString("elasticache")},
+		{valuer.NewString("lambda")},
+		{valuer.NewString("msk")},
+		{valuer.NewString("rds")},
+		{valuer.NewString("s3sync")},
+		{valuer.NewString("sns")},
+		{valuer.NewString("sqs")},
+	},
+}
+
+// NewServiceID returns a new ServiceID from a string, validated against the supported services for the given cloud provider.
+func NewServiceID(provider CloudProviderType, service string) (ServiceID, error) {
+	services, ok := SupportedServices[provider]
+	if !ok {
+		return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "no services defined for cloud provider: %s", provider)
+	}
+	for _, s := range services {
+		if s.StringValue() == service {
+			return s, nil
+		}
+	}
+	return ServiceID{}, errors.NewInvalidInputf(ErrCodeInvalidServiceID, "invalid service id %q for cloud provider %s", service, provider)
+}
+
+// UTILS
+
+// GetCloudIntegrationDashboardID returns the dashboard id for a cloud integration, given the cloud provider, service id, and dashboard id.
+// This is used to generate unique dashboard ids for cloud integration, and also to parse the dashboard id to get the cloud provider and service id when needed.
+func GetCloudIntegrationDashboardID(cloudProvider CloudProviderType, svcId, dashboardId string) string {
+	return fmt.Sprintf("cloud-integration--%s--%s--%s", cloudProvider, svcId, dashboardId)
+}
+
+// GetDashboardsFromAssets returns the list of dashboards for the cloud provider service from definition.
+func GetDashboardsFromAssets(
+	svcId string,
+	orgID valuer.UUID,
+	cloudProvider CloudProviderType,
+	createdAt time.Time,
+	assets Assets,
+) []*dashboardtypes.Dashboard {
+	dashboards := make([]*dashboardtypes.Dashboard, 0)
+
+	for _, d := range assets.Dashboards {
+		author := fmt.Sprintf("%s-integration", cloudProvider)
+		dashboards = append(dashboards, &dashboardtypes.Dashboard{
+			ID:     GetCloudIntegrationDashboardID(cloudProvider, svcId, d.Id),
+			Locked: true,
+			OrgID:  orgID,
+			Data:   d.Definition,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: createdAt,
+				UpdatedAt: createdAt,
+			},
+			UserAuditable: types.UserAuditable{
+				CreatedBy: author,
+				UpdatedBy: author,
+			},
+		})
+	}
+
+	return dashboards
+}

pkg/types/cloudintegrationtypes/store.go

@@ -0,0 +1,41 @@
+package cloudintegrationtypes
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type Store interface {
+	// GetAccountByID returns a cloud integration account by id
+	GetAccountByID(ctx context.Context, orgID, id valuer.UUID, provider CloudProviderType) (*StorableCloudIntegration, error)
+
+	// CreateAccount creates a new cloud integration account
+	CreateAccount(ctx context.Context, account *StorableCloudIntegration) (*StorableCloudIntegration, error)
+
+	// UpdateAccount updates an existing cloud integration account
+	UpdateAccount(ctx context.Context, account *StorableCloudIntegration) error
+
+	// RemoveAccount marks a cloud integration account as removed by setting the RemovedAt field
+	RemoveAccount(ctx context.Context, orgID, id valuer.UUID, provider CloudProviderType) error
+
+	// ListConnectedAccounts returns all the cloud integration accounts for the org and cloud provider
+	ListConnectedAccounts(ctx context.Context, orgID valuer.UUID, provider CloudProviderType) ([]*StorableCloudIntegration, error)
+
+	// GetConnectedAccount for a given provider
+	GetConnectedAccount(ctx context.Context, orgID valuer.UUID, provider CloudProviderType, providerAccountID string) (*StorableCloudIntegration, error)
+
+	// cloud_integration_service related methods
+
+	// GetServiceByServiceID returns the cloud integration service for the given cloud integration id and service id
+	GetServiceByServiceID(ctx context.Context, cloudIntegrationID valuer.UUID, serviceID ServiceID) (*StorableCloudIntegrationService, error)
+
+	// CreateService creates a new cloud integration service
+	CreateService(ctx context.Context, service *StorableCloudIntegrationService) (*StorableCloudIntegrationService, error)
+
+	// UpdateService updates an existing cloud integration service
+	UpdateService(ctx context.Context, service *StorableCloudIntegrationService) error
+
+	// ListServices returns all the cloud integration services for the given cloud integration id
+	ListServices(ctx context.Context, cloudIntegrationID valuer.UUID) ([]*StorableCloudIntegrationService, error)
+}

pkg/types/factor_api_key.go

@@ -39,15 +39,15 @@ type OrgUserAPIKey struct {
 }
 
 type UserWithAPIKey struct {
-	*User   `bun:",extend"`
-	APIKeys []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
+	*StorableUser `bun:",extend"`
+	APIKeys       []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
 }
 
 type StorableAPIKeyUser struct {
 	StorableAPIKey `bun:",extend"`
 
-	CreatedByUser *User `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
-	UpdatedByUser *User `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
+	CreatedByUser *StorableUser `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
+	UpdatedByUser *StorableUser `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
 }
 
 type StorableAPIKey struct {
@@ -138,7 +138,7 @@ func NewGettableAPIKeyFromStorableAPIKey(storableAPIKey *StorableAPIKeyUser) *Ge
 		LastUsed:      lastUsed,
 		Revoked:       storableAPIKey.Revoked,
 		UserID:        storableAPIKey.UserID.String(),
-		CreatedByUser: storableAPIKey.CreatedByUser,
-		UpdatedByUser: storableAPIKey.UpdatedByUser,
+		CreatedByUser: NewUserFromStorable(storableAPIKey.CreatedByUser, make([]string, 0)), // factor api key will be removed
+		UpdatedByUser: NewUserFromStorable(storableAPIKey.UpdatedByUser, make([]string, 0)), // factor api key will be removed
 	}
 }

pkg/types/invite.go

@@ -25,6 +25,7 @@ type Invite struct {
 	Email valuer.Email `bun:"email,type:text" json:"email"`
 	Token string       `bun:"token,type:text" json:"token"`
 	Role  Role         `bun:"role,type:text" json:"role"`
+	Roles []string     `bun:"roles,type:text" json:"roles"`
 	OrgID valuer.UUID  `bun:"org_id,type:text" json:"orgId"`
 
 	InviteLink string `bun:"-" json:"inviteLink"`
@@ -50,6 +51,7 @@ type PostableInvite struct {
 	Name            string       `json:"name"`
 	Email           valuer.Email `json:"email"`
 	Role            Role         `json:"role"`
+	Roles           []string     `json:"roles"`
 	FrontendBaseUrl string       `json:"frontendBaseUrl"`
 }
 
@@ -83,7 +85,7 @@ type GettableCreateInviteResponse struct {
 	InviteToken string `json:"token"`
 }
 
-func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
+func NewInvite(name string, role Role, roles []string, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
 	invite := &Invite{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -92,6 +94,7 @@ func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*
 		Email: email,
 		Token: valuer.GenerateUUID().String(),
 		Role:  role,
+		Roles: roles,
 		OrgID: orgID,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),

pkg/types/telemetrytypes/json_access_plan.go

@@ -40,7 +40,7 @@ type JSONAccessNode struct {
 	// Node information
 	Name       string
 	IsTerminal bool
-	isRoot     bool // marked true for only body_json and body_json_promoted
+	isRoot     bool // marked true for only body_v2 and body_promoted
 
 	// Precomputed type information (single source of truth)
 	AvailableTypes []JSONDataType