docs(sso): fixed azure attributes typo

docs(guides): updated python guide
Merge pull request #3031 from Infisical/project-list-pagination-fix
2025-07-02 16:55:02 +00:00 · 2025-01-23 05:20:44 +01:00 · 2025-01-23 05:20:26 +01:00 · 2025-01-22 16:27:59 -08:00 · 2025-01-22 18:42:05 -05:00 · 2025-01-22 14:18:38 -08:00
534 changed files with 20463 additions and 6068 deletions
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -5,6 +5,10 @@ permissions:
  id-token: write
  contents: read

+concurrency: 
+  group: "infisical-core-deployment"
+  cancel-in-progress: true  
+
 jobs:
  infisical-tests:
    name: Integration tests
@ -113,10 +117,6 @@ jobs:
    steps:
      - uses: twingate/github-action@v1
        with:
-        # The Twingate Service Key used to connect Twingate to the proper service
-        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-        #
-        # Required
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
@ -159,6 +159,31 @@ jobs:
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
+      - name: Post slack message 
+        uses: slackapi/slack-github-action@v2.0.0
+        with:
+          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "*Deployment Status Update*: ${{ job.status }}"
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "*Deployment Status Update*: ${{ job.status }}"
+              - type: "section"
+                fields:
+                  - type: "mrkdwn"
+                    text: "*Application:*\nInfisical Core"
+                  - type: "mrkdwn"
+                    text: "*Instance Type:*\nShared Infisical Cloud"
+              - type: "section"
+                fields:
+                  - type: "mrkdwn"
+                    text: "*Region:*\nUS"
+                  - type: "mrkdwn"
+                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
+

  production-eu:
      name: EU production deploy
@ -210,3 +235,28 @@ jobs:
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
+        - name: Post slack message 
+          uses: slackapi/slack-github-action@v2.0.0
+          with:
+            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
+            webhook-type: incoming-webhook
+            payload: |
+              text: "*Deployment Status Update*: ${{ job.status }}"
+              blocks:
+                - type: "section"
+                  text:
+                    type: "mrkdwn"
+                    text: "*Deployment Status Update*: ${{ job.status }}"
+                - type: "section"
+                  fields:
+                    - type: "mrkdwn"
+                      text: "*Application:*\nInfisical Core"
+                    - type: "mrkdwn"
+                      text: "*Instance Type:*\nShared Infisical Cloud"
+                - type: "section"
+                  fields:
+                    - type: "mrkdwn"
+                      text: "*Region:*\nEU"
+                    - type: "mrkdwn"
+                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
+
--- a/.infisicalignore
+++ b/.infisicalignore
@ -7,3 +7,4 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
+docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/README.md
+++ b/README.md
@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.

-### Internal PKI:
+### Infisical (Internal) PKI:

 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -64,12 +64,17 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.

-### Key Management (KMS):
+### Infisical Key Management System (KMS):

 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.

+### Infisical SSH
+
+- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
+
 ### General Platform:
+
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -80,6 +80,7 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
+import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@ -210,6 +211,7 @@ declare module "fastify" {
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
      appConnection: TAppConnectionServiceFactory;
+      secretSync: TSecretSyncServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -372,6 +372,7 @@ import {
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
+import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -900,5 +901,6 @@ declare module "knex/types/tables" {
      TAppConnectionsInsert,
      TAppConnectionsUpdate
    >;
+    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // find any duplicate group names within organizations
+  const duplicates = await knex(TableName.Groups)
+    .select("orgId", "name")
+    .count("* as count")
+    .groupBy("orgId", "name")
+    .having(knex.raw("count(*) > 1"));
+
+  // for each set of duplicates, update all but one with a numbered suffix
+  for await (const duplicate of duplicates) {
+    const groups = await knex(TableName.Groups)
+      .select("id", "name")
+      .where({
+        orgId: duplicate.orgId,
+        name: duplicate.name
+      })
+      .orderBy("createdAt", "asc"); // keep original name for oldest group
+
+    // skip the first (oldest) group, rename others with numbered suffix
+    for (let i = 1; i < groups.length; i += 1) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.Groups)
+        .where("id", groups[i].id)
+        .update({
+          name: `${groups[i].name} (${i})`,
+
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore TS doesn't know about Knex's timestamp types
+          updatedAt: new Date()
+        });
+    }
+  }
+
+  // add the unique constraint
+  await knex.schema.alterTable(TableName.Groups, (t) => {
+    t.unique(["orgId", "name"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // Remove the unique constraint
+  await knex.schema.alterTable(TableName.Groups, (t) => {
+    t.dropUnique(["orgId", "name"]);
+  });
+}
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -0,0 +1,33 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
+  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (!hasEnforceCapitalizationCol) {
+      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
+    }
+
+    if (hasAutoCapitalizationCol) {
+      t.boolean("autoCapitalization").defaultTo(false).alter();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
+  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (hasEnforceCapitalizationCol) {
+      t.dropColumn("enforceCapitalization");
+    }
+
+    if (hasAutoCapitalizationCol) {
+      t.boolean("autoCapitalization").defaultTo(true).alter();
+    }
+  });
+}
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -0,0 +1,50 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
+    await knex.schema.createTable(TableName.SecretSync, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("destination").notNullable();
+      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
+      t.integer("version").defaultTo(1).notNullable();
+      t.jsonb("destinationConfig").notNullable();
+      t.jsonb("syncOptions").notNullable();
+      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
+      // is deleted), to preserve sync configuration
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("folderId");
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
+      t.uuid("connectionId").notNullable();
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.timestamps(true, true, true);
+      // sync secrets to destination
+      t.string("syncStatus");
+      t.string("lastSyncJobId");
+      t.string("lastSyncMessage");
+      t.datetime("lastSyncedAt");
+      // import secrets from destination
+      t.string("importStatus");
+      t.string("lastImportJobId");
+      t.string("lastImportMessage");
+      t.datetime("lastImportedAt");
+      // remove secrets from destination
+      t.string("removeStatus");
+      t.string("lastRemoveJobId");
+      t.string("lastRemoveMessage");
+      t.datetime("lastRemovedAt");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretSync);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretSync);
+  await dropOnUpdateTrigger(knex, TableName.SecretSync);
+}
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -131,7 +131,8 @@ export enum TableName {
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
  ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections"
+  AppConnection = "app_connections",
+  SecretSync = "secret_syncs"
 }

 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@ -215,3 +216,12 @@ export enum ProjectType {
  KMS = "kms",
  SSH = "ssh"
 }
+
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  // project operations that happen on all types
+  Any = "any"
+}
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(true).nullable().optional(),
+  autoCapitalization: z.boolean().default(false).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@ -25,7 +25,8 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
-  type: z.string()
+  type: z.string(),
+  enforceCapitalization: z.boolean().default(false)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/secret-syncs.ts
+++ b/backend/src/db/schemas/secret-syncs.ts
@ -0,0 +1,40 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretSyncsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  destination: z.string(),
+  isAutoSyncEnabled: z.boolean().default(true),
+  version: z.number().default(1),
+  destinationConfig: z.unknown(),
+  syncOptions: z.unknown(),
+  projectId: z.string(),
+  folderId: z.string().uuid().nullable().optional(),
+  connectionId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  syncStatus: z.string().nullable().optional(),
+  lastSyncJobId: z.string().nullable().optional(),
+  lastSyncMessage: z.string().nullable().optional(),
+  lastSyncedAt: z.date().nullable().optional(),
+  importStatus: z.string().nullable().optional(),
+  lastImportJobId: z.string().nullable().optional(),
+  lastImportMessage: z.string().nullable().optional(),
+  lastImportedAt: z.date().nullable().optional(),
+  removeStatus: z.string().nullable().optional(),
+  lastRemoveJobId: z.string().nullable().optional(),
+  lastRemoveMessage: z.string().nullable().optional(),
+  lastRemovedAt: z.date().nullable().optional()
+});
+
+export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
+export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
+export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -24,6 +24,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        ),
        name: z.string().trim(),
        description: z.string().trim().nullish(),
+        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
        permissions: z.any().array()
      }),
      response: {
@ -96,6 +97,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          .optional(),
        name: z.string().trim().optional(),
        description: z.string().trim().nullish(),
+        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
        permissions: z.any().array().optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -1,9 +1,13 @@
 import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import {
+  SecretScanningResolvedStatus,
+  SecretScanningRiskStatus
+} from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -97,6 +101,45 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    }
  });

+  server.route({
+    url: "/organization/:organizationId/risks/export",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({ organizationId: z.string().trim() }),
+      querystring: z.object({
+        repositoryNames: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? val.split(",") : undefined)),
+        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
+      }),
+      response: {
+        200: z.object({
+          risks: SecretScanningGitRisksSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const risks = await server.services.secretScanning.getAllRisksByOrg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.params.organizationId,
+        filter: {
+          repositoryNames: req.query.repositoryNames,
+          resolvedStatus: req.query.resolvedStatus
+        }
+      });
+      return { risks };
+    }
+  });
+
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
@ -105,20 +148,46 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
+
+      querystring: z.object({
+        offset: z.coerce.number().min(0).default(0),
+        limit: z.coerce.number().min(1).max(20000).default(100),
+        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
+        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
+        repositoryNames: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? val.split(",") : undefined)),
+        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
+      }),
+
      response: {
-        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
+        200: z.object({
+          risks: SecretScanningGitRisksSchema.array(),
+          totalCount: z.number(),
+          repos: z.array(z.string())
+        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { risks } = await server.services.secretScanning.getRisksByOrg({
+      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
+        filter: {
+          limit: req.query.limit,
+          offset: req.query.offset,
+          orderBy: req.query.orderBy,
+          orderDirection: req.query.orderDirection,
+          repositoryNames: req.query.repositoryNames,
+          resolvedStatus: req.query.resolvedStatus
+        }
      });
-      return { risks };
+      return { risks, totalCount, repos };
    }
  });

--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -193,7 +193,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: project.id,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
    return accessApprovalPolicies;
@ -237,14 +244,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!accessApprovalPolicy) {
      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalPolicy.projectId,
+      projectId: accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);

@ -321,14 +328,14 @@ export const accessApprovalPolicyServiceFactory = ({
    const policy = await accessApprovalPolicyDAL.findById(policyId);
    if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@ -372,13 +379,14 @@ export const accessApprovalPolicyServiceFactory = ({

    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -411,13 +419,14 @@ export const accessApprovalPolicyServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";

-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -100,13 +100,14 @@ export const accessApprovalRequestServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -273,13 +274,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -318,13 +320,14 @@ export const accessApprovalRequestServiceFactory = ({
      });
    }

-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalRequest.projectId,
+      projectId: accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -422,13 +425,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
        }
      )
      .catch((err) => {
-        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
+        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
      });
    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
    const logStream = await auditLogStreamDAL.create({
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";

@ -26,13 +27,14 @@ export const auditLogServiceFactory = ({
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
    // Filter logs for specific project
    if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
-        filter.projectId,
+        projectId: filter.projectId,
        actorAuthMethod,
-        actorOrgId
-      );
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
+      });
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
      // Organization-wide logs
@ -79,7 +81,8 @@ export const auditLogServiceFactory = ({
    }
    // add all cases in which project id or org id cannot be added
    if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
+      if (!data.projectId && !data.orgId)
+        throw new BadRequestError({ message: "Must specify either project id or org id" });
    }

    return auditLogQueue.pushToLog(data);
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -13,6 +13,13 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
+import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  TCreateSecretSyncDTO,
+  TDeleteSecretSyncDTO,
+  TSecretSyncRaw,
+  TUpdateSecretSyncDTO
+} from "@app/services/secret-sync/secret-sync-types";

 export type TListProjectAuditLogDTO = {
  filter: {
@ -31,7 +38,7 @@ export type TListProjectAuditLogDTO = {

 export type TCreateAuditLogDTO = {
  event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
  orgId?: string;
  projectId?: string;
 } & BaseAuthData;
@ -226,10 +233,22 @@ export enum EventType {
  DELETE_PROJECT_TEMPLATE = "delete-project-template",
  APPLY_PROJECT_TEMPLATE = "apply-project-template",
  GET_APP_CONNECTIONS = "get-app-connections",
+  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
  GET_APP_CONNECTION = "get-app-connection",
  CREATE_APP_CONNECTION = "create-app-connection",
  UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection"
+  DELETE_APP_CONNECTION = "delete-app-connection",
+  CREATE_SHARED_SECRET = "create-shared-secret",
+  DELETE_SHARED_SECRET = "delete-shared-secret",
+  READ_SHARED_SECRET = "read-shared-secret",
+  GET_SECRET_SYNCS = "get-secret-syncs",
+  GET_SECRET_SYNC = "get-secret-sync",
+  CREATE_SECRET_SYNC = "create-secret-sync",
+  UPDATE_SECRET_SYNC = "update-secret-sync",
+  DELETE_SECRET_SYNC = "delete-secret-sync",
+  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
+  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
+  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
 }

 interface UserActorMetadata {
@ -252,6 +271,8 @@ interface ScimClientActorMetadata {}

 interface PlatformActorMetadata {}

+interface UnknownUserActorMetadata {}
+
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -267,6 +288,11 @@ export interface PlatformActor {
  metadata: PlatformActorMetadata;
 }

+export interface UnknownUserActor {
+  type: ActorType.UNKNOWN_USER;
+  metadata: UnknownUserActorMetadata;
+}
+
 export interface IdentityActor {
  type: ActorType.IDENTITY;
  metadata: IdentityActorMetadata;
@ -1883,6 +1909,15 @@ interface GetAppConnectionsEvent {
  };
 }

+interface GetAvailableAppConnectionsDetailsEvent {
+  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
+  metadata: {
+    app?: AppConnection;
+    count: number;
+    connectionIds: string[];
+  };
+}
+
 interface GetAppConnectionEvent {
  type: EventType.GET_APP_CONNECTION;
  metadata: {
@ -1907,6 +1942,107 @@ interface DeleteAppConnectionEvent {
  };
 }

+interface CreateSharedSecretEvent {
+  type: EventType.CREATE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    accessType: string;
+    name?: string;
+    expiresAfterViews?: number;
+    usingPassword: boolean;
+    expiresAt: string;
+  };
+}
+
+interface DeleteSharedSecretEvent {
+  type: EventType.DELETE_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+  };
+}
+
+interface ReadSharedSecretEvent {
+  type: EventType.READ_SHARED_SECRET;
+  metadata: {
+    id: string;
+    name?: string;
+    accessType: string;
+  };
+}
+
+interface GetSecretSyncsEvent {
+  type: EventType.GET_SECRET_SYNCS;
+  metadata: {
+    destination?: SecretSync;
+    count: number;
+    syncIds: string[];
+  };
+}
+
+interface GetSecretSyncEvent {
+  type: EventType.GET_SECRET_SYNC;
+  metadata: {
+    destination: SecretSync;
+    syncId: string;
+  };
+}
+
+interface CreateSecretSyncEvent {
+  type: EventType.CREATE_SECRET_SYNC;
+  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
+}
+
+interface UpdateSecretSyncEvent {
+  type: EventType.UPDATE_SECRET_SYNC;
+  metadata: TUpdateSecretSyncDTO;
+}
+
+interface DeleteSecretSyncEvent {
+  type: EventType.DELETE_SECRET_SYNC;
+  metadata: TDeleteSecretSyncDTO;
+}
+
+interface SecretSyncSyncSecretsEvent {
+  type: EventType.SECRET_SYNC_SYNC_SECRETS;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    syncMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+  };
+}
+
+interface SecretSyncImportSecretsEvent {
+  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    importMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+    importBehavior: SecretSyncImportBehavior;
+  };
+}
+
+interface SecretSyncRemoveSecretsEvent {
+  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
+  metadata: Pick<
+    TSecretSyncRaw,
+    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
+  > & {
+    syncId: string;
+    removeMessage: string | null;
+    jobId: string;
+    jobRanAt: Date;
+  };
+}
+
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@ -2080,7 +2216,19 @@ export type Event =
  | DeleteProjectTemplateEvent
  | ApplyProjectTemplateEvent
  | GetAppConnectionsEvent
+  | GetAvailableAppConnectionsDetailsEvent
  | GetAppConnectionEvent
  | CreateAppConnectionEvent
  | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent;
+  | DeleteAppConnectionEvent
+  | CreateSharedSecretEvent
+  | DeleteSharedSecretEvent
+  | ReadSharedSecretEvent
+  | GetSecretSyncsEvent
+  | GetSecretSyncEvent
+  | CreateSecretSyncEvent
+  | UpdateSecretSyncEvent
+  | DeleteSecretSyncEvent
+  | SecretSyncSyncSecretsEvent
+  | SecretSyncImportSecretsEvent
+  | SecretSyncRemoveSecretsEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -66,13 +67,14 @@ export const certificateAuthorityCrlServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";

-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -67,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -147,14 +147,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -227,14 +227,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -297,13 +297,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -339,13 +340,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -73,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -145,14 +145,14 @@ export const dynamicSecretServiceFactory = ({

    const projectId = project.id;

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -229,14 +229,14 @@ export const dynamicSecretServiceFactory = ({

    const projectId = project.id;

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -290,13 +290,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -340,13 +341,14 @@ export const dynamicSecretServiceFactory = ({
    isInternal
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
-      );
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });

      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
@ -383,13 +385,14 @@ export const dynamicSecretServiceFactory = ({
    search,
    projectId
  }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -431,13 +434,14 @@ export const dynamicSecretServiceFactory = ({
      projectId = project.id;
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -462,13 +466,14 @@ export const dynamicSecretServiceFactory = ({
    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
    actor: OrgServiceActor
  ) => {
-    const { permission } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
      projectId,
-      actor.authMethod,
-      actor.orgId
-    );
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
      permission.can(
@ -507,13 +512,14 @@ export const dynamicSecretServiceFactory = ({
    ...params
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
-      );
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });

      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@ -1,7 +1,9 @@
+import { KMSServiceException } from "@aws-sdk/client-kms";
+import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";

-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -71,7 +73,16 @@ export const externalKmsServiceFactory = ({
    switch (provider.type) {
      case KmsProviders.Aws:
        {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
+            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
+              throw new InternalServerError({
+                message: error.message ? `AWS error: ${error.message}` : ""
+              });
+            }
+
+            throw error;
+          });
+
          // if missing kms key this generate a new kms key id and returns new provider input
          const newProviderInput = await externalKms.generateInputKmsKey();
          sanitizedProviderInput = JSON.stringify(newProviderInput);
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -32,7 +32,7 @@ type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
  groupDAL: Pick<
    TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@ -88,12 +88,26 @@ export const groupServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });

-    const group = await groupDAL.create({
-      name,
-      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
-      orgId: actorOrgId,
-      role: isCustomRole ? OrgMembershipRole.Custom : role,
-      roleId: customRole?.id
+    const group = await groupDAL.transaction(async (tx) => {
+      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
+      if (existingGroup) {
+        throw new BadRequestError({
+          message: `Failed to create group with name '${name}'. Group with the same name already exists`
+        });
+      }
+
+      const newGroup = await groupDAL.create(
+        {
+          name,
+          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+          orgId: actorOrgId,
+          role: isCustomRole ? OrgMembershipRole.Custom : role,
+          roleId: customRole?.id
+        },
+        tx
+      );
+
+      return newGroup;
    });

    return group;
@ -145,21 +159,36 @@ export const groupServiceFactory = ({
      if (isCustomRole) customRole = customOrgRole;
    }

-    const [updatedGroup] = await groupDAL.update(
-      {
-        id: group.id
-      },
-      {
-        name,
-        slug: slug ? slugify(slug) : undefined,
-        ...(role
-          ? {
-              role: customRole ? OrgMembershipRole.Custom : role,
-              roleId: customRole?.id ?? null
-            }
-          : {})
+    const updatedGroup = await groupDAL.transaction(async (tx) => {
+      if (name) {
+        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
+
+        if (existingGroup && existingGroup.id !== id) {
+          throw new BadRequestError({
+            message: `Failed to update group with name '${name}'. Group with the same name already exists`
+          });
+        }
      }
-    );
+
+      const [updated] = await groupDAL.update(
+        {
+          id: group.id
+        },
+        {
+          name,
+          slug: slug ? slugify(slug) : undefined,
+          ...(role
+            ? {
+                role: customRole ? OrgMembershipRole.Custom : role,
+                roleId: customRole?.id ?? null
+              }
+            : {})
+        },
+        tx
+      );
+
+      return updated;
+    });

    return updatedGroup;
  };
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";

-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@ -55,24 +55,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityId,
-      identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -135,24 +137,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityProjectMembership.identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -215,24 +219,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityProjectMembership.identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@ -260,13 +266,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@ -294,13 +301,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@ -329,13 +337,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -2,6 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";

+import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -62,25 +63,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityId,
-      identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -143,26 +146,28 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityProjectMembership.identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -242,25 +247,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityProjectMembership.identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@ -299,13 +306,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId })
@ -341,13 +349,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
        });
      }

-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@ -50,8 +50,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  },
  pkiEst: false,
  enforceMfa: false,
-  projectTemplates: false,
-  appConnections: false
+  projectTemplates: false
 });

 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -68,7 +68,6 @@ export type TFeatureSet = {
  pkiEst: boolean;
  enforceMfa: boolean;
  projectTemplates: false;
-  appConnections: false; // TODO: remove once live
 };

 export type TOrgPlansTableDTO = {
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -1,4 +1,12 @@
-import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
+import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
+import { z } from "zod";
+
+import {
+  CASL_ACTION_SCHEMA_ENUM,
+  CASL_ACTION_SCHEMA_NATIVE_ENUM
+} from "@app/ee/services/permission/permission-schemas";
+import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
+import { PermissionConditionOperators } from "@app/lib/casl";

 export enum OrgPermissionActions {
  Read = "read",
@ -7,6 +15,14 @@ export enum OrgPermissionActions {
  Delete = "delete"
 }

+export enum OrgPermissionAppConnectionActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  Connect = "connect"
+}
+
 export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }
@ -31,6 +47,10 @@ export enum OrgPermissionSubjects {
  AppConnections = "app-connections"
 }

+export type AppConnectionSubjectFields = {
+  connectionId: string;
+};
+
 export type OrgPermissionSet =
  | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
  | [OrgPermissionActions, OrgPermissionSubjects.Role]
@ -47,9 +67,109 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
+  | [
+      OrgPermissionAppConnectionActions,
+      (
+        | OrgPermissionSubjects.AppConnections
+        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
+      )
+    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];

+const AppConnectionConditionSchema = z
+  .object({
+    connectionId: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ])
+  })
+  .partial();
+
+export const OrgPermissionSchema = z.discriminatedUnion("subject", [
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: AppConnectionConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
+      "Describe what action an entity can take."
+    )
+  })
+]);
+
 const buildAdminPermission = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
  // ws permissions
@ -125,10 +245,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);

  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);

@ -160,7 +281,7 @@ const buildMemberPermission = () => {

  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);

  return rules;
 };
--- a/backend/src/ee/services/permission/permission-schemas.ts
+++ b/backend/src/ee/services/permission/permission-schemas.ts
@ -0,0 +1,9 @@
+import { z } from "zod";
+
+export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
+  z
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
+    .transform((el) => (typeof el === "string" ? [el] : el));
+
+export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@ -1,3 +1,6 @@
+import { ActionProjectType } from "@app/db/schemas";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
+
 export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
@ -7,3 +10,34 @@ export type TBuildOrgPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
+
+export type TGetUserProjectPermissionArg = {
+  userId: string;
+  projectId: string;
+  authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
+  userOrgId?: string;
+};
+
+export type TGetIdentityProjectPermissionArg = {
+  identityId: string;
+  projectId: string;
+  identityOrgId?: string;
+  actionProjectType: ActionProjectType;
+};
+
+export type TGetServiceTokenProjectPermissionArg = {
+  serviceTokenId: string;
+  projectId: string;
+  actorOrgId?: string;
+  actionProjectType: ActionProjectType;
+};
+
+export type TGetProjectPermissionArg = {
+  actor: ActorType;
+  actorId: string;
+  projectId: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId?: string;
+  actionProjectType: ActionProjectType;
+};
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -4,9 +4,9 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";

 import {
+  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
-  ProjectType,
  ServiceTokenScopes,
  TIdentityProjectMemberships,
  TProjectMemberships
@ -23,7 +23,14 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
+import {
+  TBuildOrgPermissionDTO,
+  TBuildProjectPermissionDTO,
+  TGetIdentityProjectPermissionArg,
+  TGetProjectPermissionArg,
+  TGetServiceTokenProjectPermissionArg,
+  TGetUserProjectPermissionArg
+} from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@ -193,12 +200,13 @@ export const permissionServiceFactory = ({
  };

  // user permission for a project in an organization
-  const getUserProjectPermission = async (
-    userId: string,
-    projectId: string,
-    authMethod: ActorAuthMethod,
-    userOrgId?: string
-  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
+  const getUserProjectPermission = async ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });

@ -219,6 +227,12 @@ export const permissionServiceFactory = ({

    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -256,13 +270,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: userProjectPermission,
-      ForbidOnInvalidProjectType: (productType: ProjectType) => {
-        if (productType !== userProjectPermission.projectType) {
-          throw new BadRequestError({
-            message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
-          });
-        }
-      },
      hasRole: (role: string) =>
        userProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@ -270,11 +277,12 @@ export const permissionServiceFactory = ({
    };
  };

-  const getIdentityProjectPermission = async (
-    identityId: string,
-    projectId: string,
-    identityOrgId: string | undefined
-  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+  const getIdentityProjectPermission = async ({
+    identityId,
+    projectId,
+    identityOrgId,
+    actionProjectType
+  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
      throw new ForbiddenRequestError({
@ -293,6 +301,12 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -331,13 +345,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: identityProjectPermission,
-      ForbidOnInvalidProjectType: (productType: ProjectType) => {
-        if (productType !== identityProjectPermission.projectType) {
-          throw new BadRequestError({
-            message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
-          });
-        }
-      },
      hasRole: (role: string) =>
        identityProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@ -345,11 +352,12 @@ export const permissionServiceFactory = ({
    };
  };

-  const getServiceTokenProjectPermission = async (
-    serviceTokenId: string,
-    projectId: string,
-    actorOrgId: string | undefined
-  ) => {
+  const getServiceTokenProjectPermission = async ({
+    serviceTokenId,
+    projectId,
+    actorOrgId,
+    actionProjectType
+  }: TGetServiceTokenProjectPermissionArg) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });

@ -373,17 +381,16 @@ export const permissionServiceFactory = ({
      });
    }

+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined,
-      ForbidOnInvalidProjectType: (productType: ProjectType) => {
-        if (productType !== serviceTokenProject.type) {
-          throw new BadRequestError({
-            message: `The project is of type ${serviceTokenProject.type}. Operations of type ${productType} are not allowed.`
-          });
-        }
-      }
+      membership: undefined
    };
  };

@ -392,7 +399,6 @@ export const permissionServiceFactory = ({
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
        membership: undefined;
        hasRole: (arg: string) => boolean;
-        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      } // service token doesn't have both membership and roles
    : {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
@ -402,7 +408,6 @@ export const permissionServiceFactory = ({
          roles: Array<{ role: string }>;
        };
        hasRole: (role: string) => boolean;
-        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      };

  const getProjectPermissions = async (projectId: string) => {
@ -522,20 +527,37 @@ export const permissionServiceFactory = ({
    };
  };

-  const getProjectPermission = async <T extends ActorType>(
-    type: T,
-    id: string,
-    projectId: string,
-    actorAuthMethod: ActorAuthMethod,
-    actorOrgId: string | undefined
-  ): Promise<TProjectPermissionRT<T>> => {
-    switch (type) {
+  const getProjectPermission = async <T extends ActorType>({
+    actor,
+    actorId,
+    projectId,
+    actorAuthMethod,
+    actorOrgId,
+    actionProjectType
+  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
+    switch (actor) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission({
+          userId: actorId,
+          projectId,
+          authMethod: actorAuthMethod,
+          userOrgId: actorOrgId,
+          actionProjectType
+        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission({
+          serviceTokenId: actorId,
+          projectId,
+          actorOrgId,
+          actionProjectType
+        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission({
+          identityId: actorId,
+          projectId,
+          identityOrgId: actorOrgId,
+          actionProjectType
+        }) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
          message: "Invalid actor provided",
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -1,6 +1,10 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";

+import {
+  CASL_ACTION_SCHEMA_ENUM,
+  CASL_ACTION_SCHEMA_NATIVE_ENUM
+} from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";

@ -30,6 +34,16 @@ export enum ProjectPermissionDynamicSecretActions {
  Lease = "lease"
 }

+export enum ProjectPermissionSecretSyncActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  SyncSecrets = "sync-secrets",
+  ImportSecrets = "import-secrets",
+  RemoveSecrets = "remove-secrets"
+}
+
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@ -60,7 +74,8 @@ export enum ProjectPermissionSub {
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
  Kms = "kms",
-  Cmek = "cmek"
+  Cmek = "cmek",
+  SecretSyncs = "secret-syncs"
 }

 export type SecretSubjectFields = {
@ -140,6 +155,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
+  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@ -147,14 +163,6 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];

-const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-    .transform((el) => (typeof el === "string" ? [el] : el));
-
-const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
-
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@ -392,10 +400,15 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
      "Describe what action an entity can take."
    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
+      "Describe what action an entity can take."
+    )
  })
 ];

@ -549,6 +562,18 @@ const buildAdminPermissionRules = () => {
    ],
    ProjectPermissionSub.Cmek
  );
+  can(
+    [
+      ProjectPermissionSecretSyncActions.Create,
+      ProjectPermissionSecretSyncActions.Edit,
+      ProjectPermissionSecretSyncActions.Delete,
+      ProjectPermissionSecretSyncActions.Read,
+      ProjectPermissionSecretSyncActions.SyncSecrets,
+      ProjectPermissionSecretSyncActions.ImportSecrets,
+      ProjectPermissionSecretSyncActions.RemoveSecrets
+    ],
+    ProjectPermissionSub.SecretSyncs
+  );
  return rules;
 };

@ -713,6 +738,19 @@ const buildMemberPermissionRules = () => {
    ProjectPermissionSub.Cmek
  );

+  can(
+    [
+      ProjectPermissionSecretSyncActions.Create,
+      ProjectPermissionSecretSyncActions.Edit,
+      ProjectPermissionSecretSyncActions.Delete,
+      ProjectPermissionSecretSyncActions.Read,
+      ProjectPermissionSecretSyncActions.SyncSecrets,
+      ProjectPermissionSecretSyncActions.ImportSecrets,
+      ProjectPermissionSecretSyncActions.RemoveSecrets
+    ],
+    ProjectPermissionSub.SecretSyncs
+  );
+
  return rules;
 };

@ -746,6 +784,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
+  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);

  return rules;
 };
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";

-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -55,21 +55,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
-      ActorType.USER,
-      projectMembership.userId,
-      projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.USER,
+      actorId: projectMembership.userId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -140,21 +142,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
-      ActorType.USER,
-      projectMembership.userId,
-      projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
+      actor: ActorType.USER,
+      actorId: projectMembership.userId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -224,13 +228,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
@ -260,13 +265,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    return {
@ -286,13 +292,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -421,14 +421,14 @@ export const samlConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
        });
      }

-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -531,7 +531,7 @@ export const scimServiceFactory = ({
          firstName: scimUser.name.givenName,
          email: scimUser.emails[0].value,
          lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? trustScimEmails : true
+          isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
        },
        tx
      );
@ -790,6 +790,21 @@ export const scimServiceFactory = ({
      });

    const newGroup = await groupDAL.transaction(async (tx) => {
+      const conflictingGroup = await groupDAL.findOne(
+        {
+          name: displayName,
+          orgId
+        },
+        tx
+      );
+
+      if (conflictingGroup) {
+        throw new ScimRequestError({
+          detail: `Group with name '${displayName}' already exists in the organization`,
+          status: 409
+        });
+      }
+
      const group = await groupDAL.create(
        {
          name: displayName,
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -79,14 +79,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!groupApprovers.length && approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@ -193,14 +193,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      secretApprovalPolicy.projectId,
+      projectId: secretApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);

    const plan = await licenseService.getPlan(actorOrgId);
@ -288,14 +288,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!sapPolicy)
      throw new NotFoundError({ message: `Secret approval policy with ID '${secretPolicyId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@ -328,13 +328,14 @@ export const secretApprovalPolicyServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
@ -372,7 +373,14 @@ export const secretApprovalPolicyServiceFactory = ({
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    return getSecretApprovalPolicy(projectId, environment, secretPath);
  };
@ -392,13 +400,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -1,8 +1,8 @@
 import { ForbiddenError, subject } from "@casl/ability";

 import {
+  ActionProjectType,
  ProjectMembershipRole,
-  ProjectType,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
  SecretType,
@ -147,13 +147,14 @@ export const secretApprovalRequestServiceFactory = ({
  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    await permissionService.getProjectPermission(
-      actor as ActorType.USER,
+    await permissionService.getProjectPermission({
+      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
    return count;
@ -173,7 +174,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@ -216,13 +224,14 @@ export const secretApprovalRequestServiceFactory = ({
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);

    const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -336,13 +345,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    const { hasRole } = await permissionService.getProjectPermission(
-      ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission({
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -402,13 +412,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    const { hasRole } = await permissionService.getProjectPermission(
-      ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission({
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -458,13 +469,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    const { hasRole } = await permissionService.getProjectPermission(
-      ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission({
+      actor: ActorType.USER,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@ -889,14 +901,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TGenerateSecretApprovalRequestDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@ -1170,14 +1182,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE || actor === ActorType.Machine)
      throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
      throw new NotFoundError({
@ -1255,9 +1267,10 @@ export const secretApprovalRequestServiceFactory = ({
            type: SecretType.Shared
          }))
        );
-        if (secrets.length)
+
+        if (secrets.length !== secretsWithNewName.length)
          throw new NotFoundError({
-            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secrets.map((el) => el.key).join(",")}`
          });
      }

--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";

-import { ProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@ -53,14 +53,14 @@ export const secretRotationServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);

    return {
@ -82,14 +82,14 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@ -191,13 +191,14 @@ export const secretRotationServiceFactory = ({
  };

  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@ -236,14 +237,14 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
@ -254,14 +255,14 @@ export const secretRotationServiceFactory = ({
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new NotFoundError({ message: `Rotation with ID '${rotationId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: doc.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
@ -1,9 +1,12 @@
-import { Knex } from "knex";
+import knex, { Knex } from "knex";

 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+
+import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";

 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;

@ -19,5 +22,70 @@ export const secretScanningDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...gitRiskOrm, upsert };
+  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
+    try {
+      // Find statements
+      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
+        // eslint-disable-next-line func-names
+        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
+
+      if (filter.repositoryNames) {
+        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
+      }
+
+      if (filter.resolvedStatus) {
+        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
+          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
+
+          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
+        }
+      }
+
+      // Select statements
+      void sqlQuery
+        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
+        .limit(filter.limit)
+        .offset(filter.offset);
+
+      if (filter.orderBy) {
+        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
+
+        void sqlQuery.orderBy(filter.orderBy, orderDirection);
+      }
+
+      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
+        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
+        .count();
+
+      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
+        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
+        .distinct("repositoryFullName")
+        .select("repositoryFullName");
+
+      // we timeout long running queries to prevent DB resource issues (2 minutes)
+      const docs = await sqlQuery.timeout(1000 * 120);
+      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
+      const totalCount = await countQuery;
+
+      return {
+        risks: docs,
+        totalCount: Number(totalCount?.[0].count),
+        repos: uniqueRepos
+          .filter(Boolean)
+          .map((r) => r.repositoryFullName!)
+          .sort((a, b) => a.localeCompare(b))
+      };
+    } catch (error) {
+      if (error instanceof knex.KnexTimeoutError) {
+        throw new GatewayTimeoutError({
+          error,
+          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
+        });
+      }
+
+      throw new DatabaseError({ error });
+    }
+  };
+
+  return { ...gitRiskOrm, upsert, findByOrgId };
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -15,6 +15,7 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
  SecretScanningRiskStatus,
+  TGetAllOrgRisksDTO,
  TGetOrgInstallStatusDTO,
  TGetOrgRisksDTO,
  TInstallAppSessionDTO,
@ -118,11 +119,21 @@ export const secretScanningServiceFactory = ({
    return Boolean(appInstallation);
  };

-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
+
+    const results = await secretScanningDAL.findByOrgId(orgId, filter);
+
+    return results;
+  };
+
+  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
+
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return { risks };
+    return risks;
  };

  const updateRiskStatus = async ({
@ -189,6 +200,7 @@ export const secretScanningServiceFactory = ({
    linkInstallationToOrg,
    getOrgInstallationStatus,
    getRisksByOrg,
+    getAllRisksByOrg,
    updateRiskStatus,
    handleRepoPushEvent,
    handleRepoDeleteEvent
--- a/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
@ -1,4 +1,4 @@
-import { TOrgPermission } from "@app/lib/types";
+import { OrderByDirection, TOrgPermission } from "@app/lib/types";

 export enum SecretScanningRiskStatus {
  FalsePositive = "RESOLVED_FALSE_POSITIVE",
@ -7,6 +7,12 @@ export enum SecretScanningRiskStatus {
  Unresolved = "UNRESOLVED"
 }

+export enum SecretScanningResolvedStatus {
+  All = "all",
+  Resolved = "resolved",
+  Unresolved = "unresolved"
+}
+
 export type TInstallAppSessionDTO = TOrgPermission;

 export type TLinkInstallSessionDTO = {
@ -16,7 +22,22 @@ export type TLinkInstallSessionDTO = {

 export type TGetOrgInstallStatusDTO = TOrgPermission;

-export type TGetOrgRisksDTO = TOrgPermission;
+type RiskFilter = {
+  offset: number;
+  limit: number;
+  orderBy?: "createdAt" | "name";
+  orderDirection?: OrderByDirection;
+  repositoryNames?: string[];
+  resolvedStatus?: SecretScanningResolvedStatus;
+};
+
+export type TGetOrgRisksDTO = {
+  filter: RiskFilter;
+} & TOrgPermission;
+
+export type TGetAllOrgRisksDTO = {
+  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
+} & TOrgPermission;

 export type TUpdateRiskStatusDTO = {
  riskId: string;
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@ -83,13 +83,14 @@ export const secretSnapshotServiceFactory = ({
    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@ -119,13 +120,14 @@ export const secretSnapshotServiceFactory = ({
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@ -147,13 +149,14 @@ export const secretSnapshotServiceFactory = ({
  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findById(id);
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${id}' not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    const shouldUseBridge = snapshot.projectVersion === 3;
@ -322,14 +325,14 @@ export const secretSnapshotServiceFactory = ({
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${snapshotId}' not found` });
    const shouldUseBridge = snapshot.projectVersion === 3;

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -54,15 +54,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateTemplates
@ -127,15 +127,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateTemplates
@ -196,15 +196,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certificateTemplate.projectId,
+      projectId: certificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateTemplates
@ -223,15 +223,15 @@ export const sshCertificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@ -65,15 +65,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    actor,
    actorOrgId
  }: TCreateSshCaDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateAuthorities
@ -118,15 +118,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateAuthorities
@ -187,15 +187,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateAuthorities
@ -226,15 +226,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateAuthorities
@ -268,15 +268,15 @@ export const sshCertificateAuthorityServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sshCertificateTemplate.projectId,
+      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
@ -390,15 +390,15 @@ export const sshCertificateAuthorityServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sshCertificateTemplate.projectId,
+      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
@ -488,15 +488,15 @@ export const sshCertificateAuthorityServiceFactory = ({
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectPermission } from "@app/lib/types";
@ -27,13 +28,14 @@ export const trustedIpServiceFactory = ({
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@ -51,13 +53,14 @@ export const trustedIpServiceFactory = ({
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -96,13 +99,14 @@ export const trustedIpServiceFactory = ({
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -141,13 +145,14 @@ export const trustedIpServiceFactory = ({
    actorAuthMethod,
    trustedIpId
  }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@ -23,6 +23,8 @@ export const KeyStorePrefixes = {
    `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
  SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
    `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
+  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
+  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
  IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
    `identity-access-token-status:${identityAccessTokenId}`,
  ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@ -30,6 +32,7 @@ export const KeyStorePrefixes = {

 export const KeyStoreTtls = {
  SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
+  SetSecretSyncLastRunTimestampInSeconds: 60,
  AccessTokenStatusUpdateInSeconds: 120
 };

--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -1,5 +1,7 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";

 export const GROUPS = {
  CREATE: {
@ -474,7 +476,7 @@ export const PROJECTS = {
  },
  ADD_GROUP_TO_PROJECT: {
    projectId: "The ID of the project to add the group to.",
-    groupId: "The ID of the group to add to the project.",
+    groupIdOrName: "The ID or name of the group to add to the project.",
    role: "The role for the group to assume in the project."
  },
  UPDATE_GROUP_IN_PROJECT: {
@ -1643,6 +1645,83 @@ export const AppConnections = {
    };
  },
  DELETE: (app: AppConnection) => ({
-    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
  })
 };
+
+export const SecretSyncs = {
+  LIST: (destination?: SecretSync) => ({
+    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
+  }),
+  GET_BY_ID: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
+  }),
+  GET_BY_NAME: (destination: SecretSync) => ({
+    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
+    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
+  }),
+  CREATE: (destination: SecretSync) => {
+    const destinationName = SECRET_SYNC_NAME_MAP[destination];
+    return {
+      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
+      description: `An optional description for the ${destinationName} Sync.`,
+      projectId: "The ID of the project to create the sync in.",
+      environment: `The slug of the project environment to sync secrets from.`,
+      secretPath: `The folder path to sync secrets from.`,
+      connectionId: `The ID of the ${
+        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
+      } Connection to use for syncing.`,
+      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
+      syncOptions: "Optional parameters to modify how secrets are synced."
+    };
+  },
+  UPDATE: (destination: SecretSync) => {
+    const destinationName = SECRET_SYNC_NAME_MAP[destination];
+    return {
+      syncId: `The ID of the ${destinationName} Sync to be updated.`,
+      connectionId: `The updated ID of the ${
+        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
+      } Connection to use for syncing.`,
+      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
+      environment: `The updated slug of the project environment to sync secrets from.`,
+      secretPath: `The updated folder path to sync secrets from.`,
+      description: `The updated description of the ${destinationName} Sync.`,
+      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
+      syncOptions: "Optional parameters to modify how secrets are synced."
+    };
+  },
+  DELETE: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`,
+    removeSecrets: `Whether previously synced secrets should be removed prior to deletion.`
+  }),
+  SYNC_SECRETS: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
+  }),
+  IMPORT_SECRETS: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger importing secrets for.`,
+    importBehavior: `Specify whether Infisical should prioritize secret values from Infisical or ${SECRET_SYNC_NAME_MAP[destination]}.`
+  }),
+  REMOVE_SECRETS: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger removing secrets for.`
+  }),
+  SYNC_OPTIONS: (destination: SecretSync) => {
+    const destinationName = SECRET_SYNC_NAME_MAP[destination];
+    return {
+      INITIAL_SYNC_BEHAVIOR: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
+      PREPEND_PREFIX: `Optionally prepend a prefix to your secrets' keys when syncing to ${destinationName}.`,
+      APPEND_SUFFIX: `Optionally append a suffix to your secrets' keys when syncing to ${destinationName}.`
+    };
+  },
+  DESTINATION_CONFIG: {
+    AWS_PARAMETER_STORE: {
+      REGION: "The AWS region to sync secrets to.",
+      PATH: "The Parameter Store path to sync secrets to."
+    },
+    GITHUB: {
+      ORG: "The name of the GitHub organization.",
+      OWNER: "The name of the GitHub account owner of the repository.",
+      REPO: "The name of the GitHub repository.",
+      ENV: "The name of the GitHub environment."
+    }
+  }
+};
--- a/backend/src/lib/validator/index.ts
+++ b/backend/src/lib/validator/index.ts
@ -1,3 +1,4 @@
 export { isDisposableEmail } from "./validate-email";
 export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";
+export { isUuidV4 } from "./validate-uuid";
--- a/backend/src/lib/validator/validate-uuid.ts
+++ b/backend/src/lib/validator/validate-uuid.ts
@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const isUuidV4 = (uuid: string) => z.string().uuid().safeParse(uuid).success;
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -15,6 +15,12 @@ import {
  TIntegrationSyncPayload,
  TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
+import {
+  TQueueSecretSyncImportSecretsByIdDTO,
+  TQueueSecretSyncRemoveSecretsByIdDTO,
+  TQueueSecretSyncSyncSecretsByIdDTO,
+  TQueueSendSecretSyncActionFailedNotificationsDTO
+} from "@app/services/secret-sync/secret-sync-types";

 export enum QueueName {
  SecretRotation = "secret-rotation",
@ -36,7 +42,8 @@ export enum QueueName {
  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
  ProjectV3Migration = "project-v3-migration",
  AccessTokenStatusUpdate = "access-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
+  AppConnectionSecretSync = "app-connection-secret-sync"
 }

 export enum QueueJobs {
@ -61,7 +68,11 @@ export enum QueueJobs {
  ProjectV3Migration = "project-v3-migration",
  IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
  ServiceTokenStatusUpdate = "service-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
+  SecretSyncSyncSecrets = "secret-sync-sync-secrets",
+  SecretSyncImportSecrets = "secret-sync-import-secrets",
+  SecretSyncRemoveSecrets = "secret-sync-remove-secrets",
+  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications"
 }

 export type TQueueJobTypes = {
@ -184,6 +195,23 @@ export type TQueueJobTypes = {
      };
    };
  };
+  [QueueName.AppConnectionSecretSync]:
+    | {
+        name: QueueJobs.SecretSyncSyncSecrets;
+        payload: TQueueSecretSyncSyncSecretsByIdDTO;
+      }
+    | {
+        name: QueueJobs.SecretSyncImportSecrets;
+        payload: TQueueSecretSyncImportSecretsByIdDTO;
+      }
+    | {
+        name: QueueJobs.SecretSyncRemoveSecrets;
+        payload: TQueueSecretSyncRemoveSecretsByIdDTO;
+      }
+    | {
+        name: QueueJobs.SecretSyncSendActionFailedNotifications;
+        payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
+      };
 };

 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/plugins/audit-log.ts
+++ b/backend/src/server/plugins/audit-log.ts
@ -32,13 +32,21 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auditLogInfo", null);
  server.addHook("onRequest", async (req) => {
-    if (!req.auth) return;
    const userAgent = req.headers["user-agent"] ?? "";
    const payload = {
      ipAddress: req.realIp,
      userAgent,
      userAgentType: getUserAgentType(userAgent)
    } as typeof req.auditLogInfo;
+
+    if (!req.auth) {
+      payload.actor = {
+        type: ActorType.UNKNOWN_USER,
+        metadata: {}
+      };
+      req.auditLogInfo = payload;
+      return;
+    }
    if (req.auth.actor === ActorType.USER) {
      payload.actor = {
        type: ActorType.USER,
--- a/backend/src/server/plugins/secret-scanner.ts
+++ b/backend/src/server/plugins/secret-scanner.ts
@ -1,3 +1,4 @@
+import type { EmitterWebhookEventName } from "@octokit/webhooks/dist-types/types";
 import { PushEvent } from "@octokit/webhooks-types";
 import { Probot } from "probot";
 import SmeeClient from "smee-client";
@ -54,14 +55,14 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
        rateLimit: writeLimit
      },
      handler: async (req, res) => {
-        const eventName = req.headers["x-github-event"];
+        const eventName = req.headers["x-github-event"] as EmitterWebhookEventName;
        const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
        const id = req.headers["x-github-delivery"] as string;
+
        await probot.webhooks.verifyAndReceive({
          id,
-          // @ts-expect-error type
          name: eventName,
-          payload: req.body as string,
+          payload: JSON.stringify(req.body),
          signature: signatureSHA256
        });
        void res.send("ok");
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -196,6 +196,9 @@ import { secretImportDALFactory } from "@app/services/secret-import/secret-impor
 import { secretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sharing-dal";
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
+import { secretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
+import { secretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
+import { secretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@ -318,6 +321,7 @@ export const registerRoutes = async (
  const trustedIpDAL = trustedIpDALFactory(db);
  const telemetryDAL = telemetryDALFactory(db);
  const appConnectionDAL = appConnectionDALFactory(db);
+  const secretSyncDAL = secretSyncDALFactory(db, folderDAL);

  // ee db layer ops
  const permissionDAL = permissionDALFactory(db);
@ -608,6 +612,7 @@ export const registerRoutes = async (
  });
  const superAdminService = superAdminServiceFactory({
    userDAL,
+    userAliasDAL,
    authService: loginService,
    serverCfgDAL: superAdminDAL,
    kmsRootConfigDAL,
@ -823,6 +828,29 @@ export const registerRoutes = async (
    kmsService
  });

+  const secretSyncQueue = secretSyncQueueFactory({
+    queueService,
+    secretSyncDAL,
+    folderDAL,
+    secretImportDAL,
+    secretV2BridgeDAL,
+    kmsService,
+    keyStore,
+    auditLogService,
+    smtpService,
+    projectDAL,
+    projectMembershipDAL,
+    projectBotDAL,
+    secretDAL,
+    secretBlindIndexDAL,
+    secretVersionDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    secretVersionV2BridgeDAL,
+    secretVersionTagV2BridgeDAL,
+    resourceMetadataDAL
+  });
+
  const secretQueueService = secretQueueFactory({
    keyStore,
    queueService,
@ -857,7 +885,8 @@ export const registerRoutes = async (
    projectKeyDAL,
    projectUserMembershipRoleDAL,
    orgService,
-    resourceMetadataDAL
+    resourceMetadataDAL,
+    secretSyncQueue
  });

  const projectService = projectServiceFactory({
@ -894,7 +923,8 @@ export const registerRoutes = async (
    certificateTemplateDAL,
    projectSlackConfigDAL,
    slackIntegrationDAL,
-    projectTemplateService
+    projectTemplateService,
+    groupProjectDAL
  });

  const projectEnvService = projectEnvServiceFactory({
@ -1367,8 +1397,17 @@ export const registerRoutes = async (
  const appConnectionService = appConnectionServiceFactory({
    appConnectionDAL,
    permissionService,
-    kmsService,
-    licenseService
+    kmsService
+  });
+
+  const secretSyncService = secretSyncServiceFactory({
+    secretSyncDAL,
+    permissionService,
+    appConnectionService,
+    folderDAL,
+    secretSyncQueue,
+    projectBotService,
+    keyStore
  });

  await superAdminService.initServerCfg();
@ -1468,7 +1507,8 @@ export const registerRoutes = async (
    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
    projectTemplate: projectTemplateService,
    totp: totpService,
-    appConnection: appConnectionService
+    appConnection: appConnectionService,
+    secretSync: secretSyncService
  });

  const cronJobs: CronJob[] = [];
--- a/backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts
@ -15,7 +15,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
  app,
  createSchema,
  updateSchema,
-  responseSchema
+  sanitizedResponseSchema
 }: {
  app: AppConnection;
  server: FastifyZodProvider;
@ -26,7 +26,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    description?: string | null;
  }>;
  updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
-  responseSchema: z.ZodTypeAny;
+  sanitizedResponseSchema: z.ZodTypeAny;
 }) => {
  const appName = APP_CONNECTION_NAME_MAP[app];

@ -39,7 +39,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    schema: {
      description: `List the ${appName} Connections for the current organization.`,
      response: {
-        200: z.object({ appConnections: responseSchema.array() })
+        200: z.object({ appConnections: sanitizedResponseSchema.array() })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@ -63,6 +63,44 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
    }
  });

+  server.route({
+    method: "GET",
+    url: "/available",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
+      response: {
+        200: z.object({
+          appConnections: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const appConnections = await server.services.appConnection.listAvailableAppConnectionsForUser(
+        app,
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS,
+          metadata: {
+            app,
+            count: appConnections.length,
+            connectionIds: appConnections.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { appConnections };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/:connectionId",
@ -75,7 +113,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
        connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@ -105,7 +143,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten

  server.route({
    method: "GET",
-    url: `/name/:connectionName`,
+    url: `/connection-name/:connectionName`,
    config: {
      rateLimit: readLimit
    },
@ -114,11 +152,12 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      params: z.object({
        connectionName: z
          .string()
-          .min(0, "Connection name required")
+          .trim()
+          .min(1, "Connection name required")
          .describe(AppConnections.GET_BY_NAME(app).connectionName)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@ -158,7 +197,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      } ${appName} Connection for the current organization.`,
      body: createSchema,
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@ -168,7 +207,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      const appConnection = (await server.services.appConnection.createAppConnection(
        { name, method, app, credentials, description },
        req.permission
-      )) as TAppConnection;
+      )) as T;

      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@ -201,7 +240,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
      }),
      body: updateSchema,
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@ -244,7 +283,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
        connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
      }),
      response: {
-        200: z.object({ appConnection: responseSchema })
+        200: z.object({ appConnection: sanitizedResponseSchema })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
--- a/backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts
@ -1,17 +0,0 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateGitHubConnectionSchema,
-  SanitizedGitHubConnectionSchema,
-  UpdateGitHubConnectionSchema
-} from "@app/services/app-connection/github";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) =>
-  registerAppConnectionEndpoints({
-    app: AppConnection.GitHub,
-    server,
-    responseSchema: SanitizedGitHubConnectionSchema,
-    createSchema: CreateGitHubConnectionSchema,
-    updateSchema: UpdateGitHubConnectionSchema
-  });
--- a/backend/src/server/routes/v1/app-connection-routers/apps/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/index.ts
@ -1,8 +0,0 @@
-import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
-import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
-  [AppConnection.AWS]: registerAwsConnectionRouter,
-  [AppConnection.GitHub]: registerGitHubConnectionRouter
-};
--- a/backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts
@ -11,7 +11,7 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
  registerAppConnectionEndpoints({
    app: AppConnection.AWS,
    server,
-    responseSchema: SanitizedAwsConnectionSchema,
+    sanitizedResponseSchema: SanitizedAwsConnectionSchema,
    createSchema: CreateAwsConnectionSchema,
    updateSchema: UpdateAwsConnectionSchema
  });
--- a/backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts
@ -0,0 +1,117 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGitHubConnectionSchema,
+  SanitizedGitHubConnectionSchema,
+  UpdateGitHubConnectionSchema
+} from "@app/services/app-connection/github";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.GitHub,
+    server,
+    sanitizedResponseSchema: SanitizedGitHubConnectionSchema,
+    createSchema: CreateGitHubConnectionSchema,
+    updateSchema: UpdateGitHubConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/repositories`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          repositories: z
+            .object({ id: z.number(), name: z.string(), owner: z.object({ login: z.string(), id: z.number() }) })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const repositories = await server.services.appConnection.github.listRepositories(connectionId, req.permission);
+
+      return { repositories };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/organizations`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          organizations: z.object({ id: z.number(), login: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const organizations = await server.services.appConnection.github.listOrganizations(connectionId, req.permission);
+
+      return { organizations };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/environments`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        repo: z.string().min(1, "Repository name is required"),
+        owner: z.string().min(1, "Repository owner name is required")
+      }),
+      response: {
+        200: z.object({
+          environments: z.object({ id: z.number(), name: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const { repo, owner } = req.query;
+
+      const environments = await server.services.appConnection.github.listEnvironments(
+        {
+          connectionId,
+          repo,
+          owner
+        },
+        req.permission
+      );
+
+      return { environments };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@ -1,2 +1,12 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { registerAwsConnectionRouter } from "./aws-connection-router";
+import { registerGitHubConnectionRouter } from "./github-connection-router";
+
 export * from "./app-connection-router";
-export * from "./apps";
+
+export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [AppConnection.AWS]: registerAwsConnectionRouter,
+    [AppConnection.GitHub]: registerGitHubConnectionRouter
+  };
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { z } from "zod";

-import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import {
  ProjectPermissionDynamicSecretActions,
@ -220,13 +220,14 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          totalCount: totalFolderCount ?? 0
        };

-      const { permission } = await server.services.permission.getProjectPermission(
-        req.permission.type,
-        req.permission.id,
+      const { permission } = await server.services.permission.getProjectPermission({
+        actor: req.permission.type,
+        actorId: req.permission.id,
        projectId,
-        req.permission.authMethod,
-        req.permission.orgId
-      );
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });

      const allowedDynamicSecretEnvironments = // filter envs user has access to
        environments.filter((environment) =>
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@ -1,6 +1,10 @@
-import { APP_CONNECTION_REGISTER_MAP, registerAppConnectionRouter } from "@app/server/routes/v1/app-connection-routers";
+import {
+  APP_CONNECTION_REGISTER_ROUTER_MAP,
+  registerAppConnectionRouter
+} from "@app/server/routes/v1/app-connection-routers";
 import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
 import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
+import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/server/routes/v1/secret-sync-routers";

 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
@ -113,12 +117,28 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
  await server.register(registerExternalGroupOrgRoleMappingRouter, { prefix: "/external-group-mappings" });

  await server.register(
-    async (appConnectionsRouter) => {
-      await appConnectionsRouter.register(registerAppConnectionRouter);
-      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_MAP)) {
-        await appConnectionsRouter.register(router, { prefix: `/${app}` });
+    async (appConnectionRouter) => {
+      // register generic app connection endpoints
+      await appConnectionRouter.register(registerAppConnectionRouter);
+
+      // register service specific endpoints (app-connections/aws, app-connections/github, etc.)
+      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_ROUTER_MAP)) {
+        await appConnectionRouter.register(router, { prefix: `/${app}` });
      }
    },
    { prefix: "/app-connections" }
  );
+
+  await server.register(
+    async (secretSyncRouter) => {
+      // register generic secret sync endpoints
+      await secretSyncRouter.register(registerSecretSyncRouter);
+
+      // register service specific secret sync endpoints (secret-syncs/aws-parameter-store, secret-syncs/github, etc.)
+      for await (const [destination, router] of Object.entries(SECRET_SYNC_REGISTER_ROUTER_MAP)) {
+        await secretSyncRouter.register(router, { prefix: `/${destination}` });
+      }
+    },
+    { prefix: "/secret-syncs" }
+  );
 };
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@ -73,6 +73,40 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    url: "/signup-resend",
+    config: {
+      rateLimit: inviteUserRateLimit
+    },
+    method: "POST",
+    schema: {
+      body: z.object({
+        membershipId: z.string()
+      }),
+      response: {
+        200: z.object({
+          signupToken: z
+            .object({
+              email: z.string(),
+              link: z.string()
+            })
+            .optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      return server.services.org.resendOrgMemberInvitation({
+        orgId: req.permission.orgId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        membershipId: req.body.membershipId
+      });
+    }
+  });
+
  server.route({
    url: "/verify",
    method: "POST",
--- a/backend/src/server/routes/v1/secret-sharing-router.ts
+++ b/backend/src/server/routes/v1/secret-sharing-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { SecretSharingSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SecretSharingAccessType } from "@app/lib/types";
 import {
  publicEndpointLimit,
@ -88,6 +89,21 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        orgId: req.permission?.orgId
      });

+      if (sharedSecret.secret?.orgId) {
+        await server.services.auditLog.createAuditLog({
+          orgId: sharedSecret.secret.orgId,
+          ...req.auditLogInfo,
+          event: {
+            type: EventType.READ_SHARED_SECRET,
+            metadata: {
+              id: req.params.id,
+              name: sharedSecret.secret.name || undefined,
+              accessType: sharedSecret.secret.accessType
+            }
+          }
+        });
+      }
+
      return sharedSecret;
    }
  });
@ -151,6 +167,23 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        actorOrgId: req.permission.orgId,
        ...req.body
      });
+
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.CREATE_SHARED_SECRET,
+          metadata: {
+            accessType: req.body.accessType,
+            expiresAt: req.body.expiresAt,
+            expiresAfterViews: req.body.expiresAfterViews,
+            name: req.body.name,
+            id: sharedSecret.id,
+            usingPassword: !!req.body.password
+          }
+        }
+      });
+
      return { id: sharedSecret.id };
    }
  });
@ -181,6 +214,18 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        sharedSecretId
      });

+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.DELETE_SHARED_SECRET,
+          metadata: {
+            id: sharedSecretId,
+            name: deletedSharedSecret.name || undefined
+          }
+        }
+      });
+
      return { ...deletedSharedSecret };
    }
  });
--- a/backend/src/server/routes/v1/secret-sync-routers/aws-parameter-store-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/aws-parameter-store-sync-router.ts
@ -0,0 +1,17 @@
+import {
+  AwsParameterStoreSyncSchema,
+  CreateAwsParameterStoreSyncSchema,
+  UpdateAwsParameterStoreSyncSchema
+} from "@app/services/secret-sync/aws-parameter-store";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerAwsParameterStoreSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.AWSParameterStore,
+    server,
+    responseSchema: AwsParameterStoreSyncSchema,
+    createSchema: CreateAwsParameterStoreSyncSchema,
+    updateSchema: UpdateAwsParameterStoreSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/github-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/github-sync-router.ts
@ -0,0 +1,13 @@
+import { CreateGitHubSyncSchema, GitHubSyncSchema, UpdateGitHubSyncSchema } from "@app/services/secret-sync/github";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerGitHubSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.GitHub,
+    server,
+    responseSchema: GitHubSyncSchema,
+    createSchema: CreateGitHubSyncSchema,
+    updateSchema: UpdateGitHubSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@ -0,0 +1,11 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
+import { registerGitHubSyncRouter } from "./github-sync-router";
+
+export * from "./secret-sync-router";
+
+export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: FastifyZodProvider) => Promise<void>> = {
+  [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter,
+  [SecretSync.GitHub]: registerGitHubSyncRouter
+};
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts
@ -0,0 +1,408 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SecretSyncs } from "@app/lib/api-docs";
+import { startsWithVowel } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
+import { TSecretSync, TSecretSyncInput } from "@app/services/secret-sync/secret-sync-types";
+
+export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TSecretSyncInput>({
+  server,
+  destination,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  destination: SecretSync;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    environment: string;
+    secretPath: string;
+    projectId: string;
+    connectionId: string;
+    destinationConfig: I["destinationConfig"];
+    syncOptions: I["syncOptions"];
+    description?: string | null;
+    isAutoSyncEnabled?: boolean;
+  }>;
+  updateSchema: z.ZodType<{
+    connectionId?: string;
+    name?: string;
+    environment?: string;
+    secretPath?: string;
+    destinationConfig?: I["destinationConfig"];
+    syncOptions?: I["syncOptions"];
+    description?: string | null;
+    isAutoSyncEnabled?: boolean;
+  }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  const destinationName = SECRET_SYNC_NAME_MAP[destination];
+
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `List the ${destinationName} Syncs for the specified project.`,
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST(destination).projectId)
+      }),
+      response: {
+        200: z.object({ secretSyncs: responseSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId }
+      } = req;
+
+      const secretSyncs = (await server.services.secretSync.listSecretSyncsByProjectId(
+        { projectId, destination },
+        req.permission
+      )) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNCS,
+          metadata: {
+            destination,
+            count: secretSyncs.length,
+            syncIds: secretSyncs.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { secretSyncs };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:syncId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${destinationName} Sync by ID.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.GET_BY_ID(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.findSecretSyncById(
+        { syncId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNC,
+          metadata: {
+            syncId,
+            destination
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/sync-name/:syncName`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${destinationName} Sync by name and project ID.`,
+      params: z.object({
+        syncName: z.string().trim().min(1, "Sync name required").describe(SecretSyncs.GET_BY_NAME(destination).syncName)
+      }),
+      querystring: z.object({
+        projectId: z
+          .string()
+          .trim()
+          .min(1, "Project ID required")
+          .describe(SecretSyncs.GET_BY_NAME(destination).projectId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncName } = req.params;
+      const { projectId } = req.query;
+
+      const secretSync = (await server.services.secretSync.findSecretSyncByName(
+        { syncName, projectId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            destination
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Create ${
+        startsWithVowel(destinationName) ? "an" : "a"
+      } ${destinationName} Sync for the specified project environment.`,
+      body: createSchema,
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const secretSync = (await server.services.secretSync.createSecretSync(
+        { ...req.body, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.CREATE_SECRET_SYNC,
+          metadata: {
+            syncId: secretSync.id,
+            destination,
+            ...req.body
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:syncId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Update the specified ${destinationName} Sync.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).syncId)
+      }),
+      body: updateSchema,
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.updateSecretSync(
+        { ...req.body, syncId, destination },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretSync.projectId,
+        event: {
+          type: EventType.UPDATE_SECRET_SYNC,
+          metadata: {
+            syncId,
+            destination,
+            ...req.body
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: `/:syncId`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Delete the specified ${destinationName} Sync.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.DELETE(destination).syncId)
+      }),
+      querystring: z.object({
+        removeSecrets: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(SecretSyncs.DELETE(destination).removeSecrets)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+      const { removeSecrets } = req.query;
+
+      const secretSync = (await server.services.secretSync.deleteSecretSync(
+        { destination, syncId, removeSecrets },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_SECRET_SYNC,
+          metadata: {
+            destination,
+            syncId,
+            removeSecrets
+          }
+        }
+      });
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/sync-secrets",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Trigger a sync for the specified ${destinationName} Sync.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.SYNC_SECRETS(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncSyncSecretsById(
+        {
+          syncId,
+          destination,
+          auditLogInfo: req.auditLogInfo
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/import-secrets",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Import secrets from the specified ${destinationName} Sync destination.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.IMPORT_SECRETS(destination).syncId)
+      }),
+      querystring: z.object({
+        importBehavior: z
+          .nativeEnum(SecretSyncImportBehavior)
+          .describe(SecretSyncs.IMPORT_SECRETS(destination).importBehavior)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+      const { importBehavior } = req.query;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncImportSecretsById(
+        {
+          syncId,
+          destination,
+          importBehavior
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:syncId/remove-secrets",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Remove previously synced secrets from the specified ${destinationName} Sync destination.`,
+      params: z.object({
+        syncId: z.string().uuid().describe(SecretSyncs.REMOVE_SECRETS(destination).syncId)
+      }),
+      response: {
+        200: z.object({ secretSync: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { syncId } = req.params;
+
+      const secretSync = (await server.services.secretSync.triggerSecretSyncRemoveSecretsById(
+        {
+          syncId,
+          destination
+        },
+        req.permission
+      )) as T;
+
+      return { secretSync };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@ -0,0 +1,82 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SecretSyncs } from "@app/lib/api-docs";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import {
+  AwsParameterStoreSyncListItemSchema,
+  AwsParameterStoreSyncSchema
+} from "@app/services/secret-sync/aws-parameter-store";
+import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
+
+const SecretSyncSchema = z.discriminatedUnion("destination", [AwsParameterStoreSyncSchema, GitHubSyncSchema]);
+
+const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
+  AwsParameterStoreSyncListItemSchema,
+  GitHubSyncListItemSchema
+]);
+
+export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/options",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List the available Secret Sync Options.",
+      response: {
+        200: z.object({
+          secretSyncOptions: SecretSyncOptionsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: () => {
+      const secretSyncOptions = server.services.secretSync.listSecretSyncOptions();
+      return { secretSyncOptions };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List all the Secret Syncs for the specified project.",
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretSyncs.LIST().projectId)
+      }),
+      response: {
+        200: z.object({ secretSyncs: SecretSyncSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const secretSyncs = await server.services.secretSync.listSecretSyncsByProjectId({ projectId }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_SECRET_SYNCS,
+          metadata: {
+            syncIds: secretSyncs.map((sync) => sync.id),
+            count: secretSyncs.length
+          }
+        }
+      });
+
+      return { secretSyncs };
+    }
+  });
+};
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@ -16,7 +16,7 @@ import { ProjectUserMembershipTemporaryMode } from "@app/services/project-member
 export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
-    url: "/:projectId/groups/:groupId",
+    url: "/:projectId/groups/:groupIdOrName",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    config: {
      rateLimit: writeLimit
@ -30,7 +30,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
      ],
      params: z.object({
        projectId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectId),
-        groupId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupId)
+        groupIdOrName: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupIdOrName)
      }),
      body: z
        .object({
@ -76,7 +76,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorOrgId: req.permission.orgId,
        roles: req.body.roles || [{ role: req.body.role }],
        projectId: req.params.projectId,
-        groupId: req.params.groupId
+        groupIdOrName: req.params.groupIdOrName
      });

      return { groupMembership };
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@ -2,3 +2,50 @@ export enum AppConnection {
  GitHub = "github",
  AWS = "aws"
 }
+
+export enum AWSRegion {
+  // US
+  US_EAST_1 = "us-east-1", // N. Virginia
+  US_EAST_2 = "us-east-2", // Ohio
+  US_WEST_1 = "us-west-1", // N. California
+  US_WEST_2 = "us-west-2", // Oregon
+
+  // GovCloud
+  US_GOV_EAST_1 = "us-gov-east-1", // US-East
+  US_GOV_WEST_1 = "us-gov-west-1", // US-West
+
+  // Africa
+  AF_SOUTH_1 = "af-south-1", // Cape Town
+
+  // Asia Pacific
+  AP_EAST_1 = "ap-east-1", // Hong Kong
+  AP_SOUTH_1 = "ap-south-1", // Mumbai
+  AP_SOUTH_2 = "ap-south-2", // Hyderabad
+  AP_NORTHEAST_1 = "ap-northeast-1", // Tokyo
+  AP_NORTHEAST_2 = "ap-northeast-2", // Seoul
+  AP_NORTHEAST_3 = "ap-northeast-3", // Osaka
+  AP_SOUTHEAST_1 = "ap-southeast-1", // Singapore
+  AP_SOUTHEAST_2 = "ap-southeast-2", // Sydney
+  AP_SOUTHEAST_3 = "ap-southeast-3", // Jakarta
+  AP_SOUTHEAST_4 = "ap-southeast-4", // Melbourne
+
+  // Canada
+  CA_CENTRAL_1 = "ca-central-1", // Central
+
+  // Europe
+  EU_CENTRAL_1 = "eu-central-1", // Frankfurt
+  EU_CENTRAL_2 = "eu-central-2", // Zurich
+  EU_WEST_1 = "eu-west-1", // Ireland
+  EU_WEST_2 = "eu-west-2", // London
+  EU_WEST_3 = "eu-west-3", // Paris
+  EU_SOUTH_1 = "eu-south-1", // Milan
+  EU_SOUTH_2 = "eu-south-2", // Spain
+  EU_NORTH_1 = "eu-north-1", // Stockholm
+
+  // Middle East
+  ME_SOUTH_1 = "me-south-1", // Bahrain
+  ME_CENTRAL_1 = "me-central-1", // UAE
+
+  // South America
+  SA_EAST_1 = "sa-east-1" // Sao Paulo
+}
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@ -1,3 +1,4 @@
+import { TAppConnections } from "@app/db/schemas/app-connections";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TAppConnectionServiceFactoryDep } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection, TAppConnectionConfig } from "@app/services/app-connection/app-connection-types";
@ -64,9 +65,8 @@ export const validateAppConnectionCredentials = async (
 ): Promise<TAppConnection["credentials"]> => {
  const { app } = appConnection;
  switch (app) {
-    case AppConnection.AWS: {
+    case AppConnection.AWS:
      return validateAwsConnectionCredentials(appConnection);
-    }
    case AppConnection.GitHub:
      return validateGitHubConnectionCredentials(appConnection);
    default:
@ -90,3 +90,17 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
      throw new Error(`Unhandled App Connection Method: ${method}`);
  }
 };
+
+export const decryptAppConnection = async (
+  appConnection: TAppConnections,
+  kmsService: TAppConnectionServiceFactoryDep["kmsService"]
+) => {
+  return {
+    ...appConnection,
+    credentials: await decryptAppConnectionCredentials({
+      encryptedCredentials: appConnection.encryptedCredentials,
+      orgId: appConnection.orgId,
+      kmsService
+    })
+  } as TAppConnection;
+};
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@ -1,13 +1,12 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";

-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
-  decryptAppConnectionCredentials,
+  decryptAppConnection,
  encryptAppConnectionCredentials,
  getAppConnectionMethodName,
  listAppConnectionOptions,
@ -23,6 +22,7 @@ import {
 } from "@app/services/app-connection/app-connection-types";
 import { ValidateAwsConnectionCredentialsSchema } from "@app/services/app-connection/aws";
 import { ValidateGitHubConnectionCredentialsSchema } from "@app/services/app-connection/github";
+import { githubConnectionService } from "@app/services/app-connection/github/github-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";

 import { TAppConnectionDALFactory } from "./app-connection-dal";
@ -31,7 +31,6 @@ export type TAppConnectionServiceFactoryDep = {
  appConnectionDAL: TAppConnectionDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">; // TODO: remove once launched
 };

 export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServiceFactory>;
@ -44,19 +43,9 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
 export const appConnectionServiceFactory = ({
  appConnectionDAL,
  permissionService,
-  kmsService,
-  licenseService
+  kmsService
 }: TAppConnectionServiceFactoryDep) => {
-  // app connections are disabled for public until launch
-  const checkAppServicesAvailability = async (orgId: string) => {
-    const subscription = await licenseService.getPlan(orgId);
-
-    if (!subscription.appConnections) throw new BadRequestError({ message: "App Connections are not available yet." });
-  };
-
  const listAppConnectionsByOrg = async (actor: OrgServiceActor, app?: AppConnection) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const { permission } = await permissionService.getOrgPermission(
      actor.type,
      actor.id,
@ -65,7 +54,10 @@ export const appConnectionServiceFactory = ({
      actor.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );

    const appConnections = await appConnectionDAL.find(
      app
@ -78,24 +70,11 @@ export const appConnectionServiceFactory = ({
    return Promise.all(
      appConnections
        .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()))
-        .map(async ({ encryptedCredentials, ...connection }) => {
-          const credentials = await decryptAppConnectionCredentials({
-            encryptedCredentials,
-            kmsService,
-            orgId: connection.orgId
-          });
-
-          return {
-            ...connection,
-            credentials
-          } as TAppConnection;
-        })
+        .map((appConnection) => decryptAppConnection(appConnection, kmsService))
    );
  };

  const findAppConnectionById = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const appConnection = await appConnectionDAL.findById(connectionId);

    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@ -108,24 +87,18 @@ export const appConnectionServiceFactory = ({
      appConnection.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );

    if (appConnection.app !== app)
      throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });

-    return {
-      ...appConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: appConnection.encryptedCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(appConnection, kmsService);
  };

  const findAppConnectionByName = async (app: AppConnection, connectionName: string, actor: OrgServiceActor) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const appConnection = await appConnectionDAL.findOne({ name: connectionName, orgId: actor.orgId });

    if (!appConnection)
@ -139,27 +112,21 @@ export const appConnectionServiceFactory = ({
      appConnection.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionSubjects.AppConnections
+    );

    if (appConnection.app !== app)
      throw new BadRequestError({ message: `App Connection with name ${connectionName} is not for App "${app}"` });

-    return {
-      ...appConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: appConnection.encryptedCredentials,
-        orgId: appConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(appConnection, kmsService);
  };

  const createAppConnection = async (
    { method, app, credentials, ...params }: TCreateAppConnectionDTO,
    actor: OrgServiceActor
  ) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const { permission } = await permissionService.getOrgPermission(
      actor.type,
      actor.id,
@ -168,7 +135,10 @@ export const appConnectionServiceFactory = ({
      actor.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Create,
+      OrgPermissionSubjects.AppConnections
+    );

    const appConnection = await appConnectionDAL.transaction(async (tx) => {
      const isConflictingName = Boolean(
@ -216,15 +186,13 @@ export const appConnectionServiceFactory = ({
      };
    });

-    return appConnection;
+    return appConnection as TAppConnection;
  };

  const updateAppConnection = async (
    { connectionId, credentials, ...params }: TUpdateAppConnectionDTO,
    actor: OrgServiceActor
  ) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const appConnection = await appConnectionDAL.findById(connectionId);

    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@ -237,7 +205,10 @@ export const appConnectionServiceFactory = ({
      appConnection.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Edit,
+      OrgPermissionSubjects.AppConnections
+    );

    const updatedAppConnection = await appConnectionDAL.transaction(async (tx) => {
      if (params.name && appConnection.name !== params.name) {
@ -304,19 +275,10 @@ export const appConnectionServiceFactory = ({
      return updatedConnection;
    });

-    return {
-      ...updatedAppConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: updatedAppConnection.encryptedCredentials,
-        orgId: updatedAppConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+    return decryptAppConnection(updatedAppConnection, kmsService);
  };

  const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
-    await checkAppServicesAvailability(actor.orgId);
-
    const appConnection = await appConnectionDAL.findById(connectionId);

    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@ -329,23 +291,85 @@ export const appConnectionServiceFactory = ({
      appConnection.orgId
    );

-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Delete,
+      OrgPermissionSubjects.AppConnections
+    );

    if (appConnection.app !== app)
      throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });

-    // TODO: specify delete error message if due to existing dependencies
+    // TODO (scott): add option to delete all dependencies

-    const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
+    try {
+      const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);

-    return {
-      ...deletedAppConnection,
-      credentials: await decryptAppConnectionCredentials({
-        encryptedCredentials: deletedAppConnection.encryptedCredentials,
-        orgId: deletedAppConnection.orgId,
-        kmsService
-      })
-    } as TAppConnection;
+      return await decryptAppConnection(deletedAppConnection, kmsService);
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === "23503") {
+        throw new BadRequestError({
+          message:
+            "Cannot delete App Connection with existing connections. Remove all existing connections and try again."
+        });
+      }
+
+      throw err;
+    }
+  };
+
+  const connectAppConnectionById = async <T extends TAppConnection>(
+    app: AppConnection,
+    connectionId: string,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await appConnectionDAL.findById(connectionId);
+
+    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
+
+    const { permission: orgPermission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      appConnection.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(orgPermission).throwUnlessCan(
+      OrgPermissionAppConnectionActions.Connect,
+      subject(OrgPermissionSubjects.AppConnections, { connectionId: appConnection.id })
+    );
+
+    if (appConnection.app !== app)
+      throw new BadRequestError({
+        message: `${
+          APP_CONNECTION_NAME_MAP[appConnection.app as AppConnection]
+        } Connection with ID ${connectionId} cannot be used to connect to ${APP_CONNECTION_NAME_MAP[app]}`
+      });
+
+    const connection = await decryptAppConnection(appConnection, kmsService);
+
+    return connection as T;
+  };
+
+  const listAvailableAppConnectionsForUser = async (app: AppConnection, actor: OrgServiceActor) => {
+    const { permission: orgPermission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const appConnections = await appConnectionDAL.find({ app, orgId: actor.orgId });
+
+    const availableConnections = appConnections.filter((connection) =>
+      orgPermission.can(
+        OrgPermissionAppConnectionActions.Connect,
+        subject(OrgPermissionSubjects.AppConnections, { connectionId: connection.id })
+      )
+    );
+
+    return availableConnections as Omit<TAppConnection, "credentials">[];
  };

  return {
@ -355,6 +379,9 @@ export const appConnectionServiceFactory = ({
    findAppConnectionByName,
    createAppConnection,
    updateAppConnection,
-    deleteAppConnection
+    deleteAppConnection,
+    connectAppConnectionById,
+    listAvailableAppConnectionsForUser,
+    github: githubConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/aws/aws-connection-fns.ts
+++ b/backend/src/services/app-connection/aws/aws-connection-fns.ts
@ -4,7 +4,7 @@ import { randomUUID } from "crypto";

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";

 import { AwsConnectionMethod } from "./aws-connection-enums";
 import { TAwsConnectionConfig } from "./aws-connection-types";
@ -20,7 +20,7 @@ export const getAwsAppConnectionListItem = () => {
  };
 };

-export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = "us-east-1") => {
+export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = AWSRegion.US_EAST_1) => {
  const appCfg = getConfig();

  let accessKeyId: string;
--- a/backend/src/services/app-connection/aws/aws-connection-schemas.ts
+++ b/backend/src/services/app-connection/aws/aws-connection-schemas.ts
@ -38,11 +38,11 @@ export const AwsConnectionSchema = z.intersection(
 export const SanitizedAwsConnectionSchema = z.discriminatedUnion("method", [
  BaseAwsConnectionSchema.extend({
    method: z.literal(AwsConnectionMethod.AssumeRole),
-    credentials: AwsConnectionAssumeRoleCredentialsSchema.omit({ roleArn: true })
+    credentials: AwsConnectionAssumeRoleCredentialsSchema.pick({})
  }),
  BaseAwsConnectionSchema.extend({
    method: z.literal(AwsConnectionMethod.AccessKey),
-    credentials: AwsConnectionAccessTokenCredentialsSchema.omit({ secretAccessKey: true })
+    credentials: AwsConnectionAccessTokenCredentialsSchema.pick({ accessKeyId: true })
  })
 ]);

@ -75,7 +75,7 @@ export const UpdateAwsConnectionSchema = z
 export const AwsConnectionListItemSchema = z.object({
  name: z.literal("AWS"),
  app: z.literal(AppConnection.AWS),
-  // the below is preferable but currently breaks mintlify
+  // the below is preferable but currently breaks with our zod to json schema parser
  // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
  methods: z.nativeEnum(AwsConnectionMethod).array(),
  accessKeyId: z.string().optional()
--- a/backend/src/services/app-connection/github/github-connection-fns.ts
+++ b/backend/src/services/app-connection/github/github-connection-fns.ts
@ -1,3 +1,5 @@
+import { createAppAuth } from "@octokit/auth-app";
+import { Octokit } from "@octokit/rest";
 import { AxiosResponse } from "axios";

 import { getConfig } from "@app/lib/config/env";
@ -8,7 +10,7 @@ import { IntegrationUrls } from "@app/services/integration-auth/integration-list

 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
-import { TGitHubConnectionConfig } from "./github-connection-types";
+import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-types";

 export const getGitHubConnectionListItem = () => {
  const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
@ -22,10 +24,131 @@ export const getGitHubConnectionListItem = () => {
  };
 };

+export const getGitHubClient = (appConnection: TGitHubConnection) => {
+  const appCfg = getConfig();
+
+  const { method, credentials } = appConnection;
+
+  let client: Octokit;
+
+  switch (method) {
+    case GitHubConnectionMethod.App:
+      if (!appCfg.INF_APP_CONNECTION_GITHUB_APP_ID || !appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY) {
+        throw new InternalServerError({
+          message: `GitHub ${getAppConnectionMethodName(method).replace(
+            "GitHub",
+            ""
+          )} environment variables have not been configured`
+        });
+      }
+
+      client = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId: appCfg.INF_APP_CONNECTION_GITHUB_APP_ID,
+          privateKey: appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY,
+          installationId: credentials.installationId
+        }
+      });
+      break;
+    case GitHubConnectionMethod.OAuth:
+      client = new Octokit({
+        auth: credentials.accessToken
+      });
+      break;
+    default:
+      throw new InternalServerError({
+        message: `Unhandled GitHub connection method: ${method as GitHubConnectionMethod}`
+      });
+  }
+
+  return client;
+};
+
+type GitHubOrganization = {
+  login: string;
+  id: number;
+};
+
+type GitHubRepository = {
+  id: number;
+  name: string;
+  owner: GitHubOrganization;
+};
+
+export const getGitHubRepositories = async (appConnection: TGitHubConnection) => {
+  const client = getGitHubClient(appConnection);
+
+  let repositories: GitHubRepository[];
+
+  switch (appConnection.method) {
+    case GitHubConnectionMethod.App:
+      repositories = await client.paginate("GET /installation/repositories");
+      break;
+    case GitHubConnectionMethod.OAuth:
+    default:
+      repositories = (await client.paginate("GET /user/repos")).filter((repo) => repo.permissions?.admin);
+      break;
+  }
+
+  return repositories;
+};
+
+export const getGitHubOrganizations = async (appConnection: TGitHubConnection) => {
+  const client = getGitHubClient(appConnection);
+
+  let organizations: GitHubOrganization[];
+
+  switch (appConnection.method) {
+    case GitHubConnectionMethod.App: {
+      const installationRepositories = await client.paginate("GET /installation/repositories");
+
+      const organizationMap: Record<string, GitHubOrganization> = {};
+
+      installationRepositories.forEach((repo) => {
+        if (repo.owner.type === "Organization") {
+          organizationMap[repo.owner.id] = repo.owner;
+        }
+      });
+
+      organizations = Object.values(organizationMap);
+
+      break;
+    }
+    case GitHubConnectionMethod.OAuth:
+    default:
+      organizations = await client.paginate("GET /user/orgs");
+      break;
+  }
+
+  return organizations;
+};
+
+export const getGitHubEnvironments = async (appConnection: TGitHubConnection, owner: string, repo: string) => {
+  const client = getGitHubClient(appConnection);
+
+  try {
+    const environments = await client.paginate("GET /repos/{owner}/{repo}/environments", {
+      owner,
+      repo
+    });
+
+    return environments;
+  } catch (e) {
+    // repo doesn't have envs
+    if ((e as { status: number }).status === 404) {
+      return [];
+    }
+
+    throw e;
+  }
+};
+
 type TokenRespData = {
  access_token: string;
  scope: string;
  token_type: string;
+  error?: string;
 };

 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
@ -53,7 +176,10 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect

  if (!clientId || !clientSecret) {
    throw new InternalServerError({
-      message: `GitHub ${getAppConnectionMethodName(method)} environment variables have not been configured`
+      message: `GitHub ${getAppConnectionMethodName(method).replace(
+        "GitHub",
+        ""
+      )} environment variables have not been configured`
    });
  }

@ -65,7 +191,7 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
        client_id: clientId,
        client_secret: clientSecret,
        code: credentials.code,
-        redirect_uri: `${SITE_URL}/app-connections/github/oauth/callback`
+        redirect_uri: `${SITE_URL}/organization/app-connections/github/oauth/callback`
      },
      headers: {
        Accept: "application/json",
@ -90,6 +216,8 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
        id: number;
        account: {
          login: string;
+          type: string;
+          id: number;
        };
      }[];
    }>(IntegrationUrls.GITHUB_USER_INSTALLATIONS, {
@ -111,10 +239,13 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
    }
  }

+  if (!tokenResp.data.access_token) {
+    throw new InternalServerError({ message: `Missing access token: ${tokenResp.data.error}` });
+  }
+
  switch (method) {
    case GitHubConnectionMethod.App:
      return {
-        // access token not needed for GitHub App
        installationId: credentials.installationId
      };
    case GitHubConnectionMethod.OAuth:
--- a/backend/src/services/app-connection/github/github-connection-schemas.ts
+++ b/backend/src/services/app-connection/github/github-connection-schemas.ts
@ -57,7 +57,7 @@ export const UpdateGitHubConnectionSchema = z

 const BaseGitHubConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GitHub) });

-export const GitHubAppConnectionSchema = z.intersection(
+export const GitHubConnectionSchema = z.intersection(
  BaseGitHubConnectionSchema,
  z.discriminatedUnion("method", [
    z.object({
@ -74,19 +74,19 @@ export const GitHubAppConnectionSchema = z.intersection(
 export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
  BaseGitHubConnectionSchema.extend({
    method: z.literal(GitHubConnectionMethod.App),
-    credentials: GitHubConnectionAppOutputCredentialsSchema.omit({ installationId: true })
+    credentials: GitHubConnectionAppOutputCredentialsSchema.pick({})
  }),
  BaseGitHubConnectionSchema.extend({
    method: z.literal(GitHubConnectionMethod.OAuth),
-    credentials: GitHubConnectionOAuthOutputCredentialsSchema.omit({ accessToken: true })
+    credentials: GitHubConnectionOAuthOutputCredentialsSchema.pick({})
  })
 ]);

 export const GitHubConnectionListItemSchema = z.object({
  name: z.literal("GitHub"),
  app: z.literal(AppConnection.GitHub),
-  // the below is preferable but currently breaks mintlify
-  // methods: z.tuple([z.literal(GitHubConnectionMethod.GitHubApp), z.literal(GitHubConnectionMethod.OAuth)]),
+  // the below is preferable but currently breaks with our zod to json schema parser
+  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
  methods: z.nativeEnum(GitHubConnectionMethod).array(),
  oauthClientId: z.string().optional(),
  appClientSlug: z.string().optional()
--- a/backend/src/services/app-connection/github/github-connection-service.ts
+++ b/backend/src/services/app-connection/github/github-connection-service.ts
@ -0,0 +1,55 @@
+import { OrgServiceActor } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  getGitHubEnvironments,
+  getGitHubOrganizations,
+  getGitHubRepositories
+} from "@app/services/app-connection/github/github-connection-fns";
+import { TGitHubConnection } from "@app/services/app-connection/github/github-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TGitHubConnection>;
+
+type TListGitHubEnvironmentsDTO = {
+  connectionId: string;
+  repo: string;
+  owner: string;
+};
+
+export const githubConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listRepositories = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
+
+    const repositories = await getGitHubRepositories(appConnection);
+
+    return repositories;
+  };
+
+  const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
+
+    const organizations = await getGitHubOrganizations(appConnection);
+
+    return organizations;
+  };
+
+  const listEnvironments = async (
+    { connectionId, repo, owner }: TListGitHubEnvironmentsDTO,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
+
+    const environments = await getGitHubEnvironments(appConnection, owner, repo);
+
+    return environments;
+  };
+
+  return {
+    listRepositories,
+    listOrganizations,
+    listEnvironments
+  };
+};
--- a/backend/src/services/app-connection/github/github-connection-types.ts
+++ b/backend/src/services/app-connection/github/github-connection-types.ts
@ -5,11 +5,11 @@ import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
  CreateGitHubConnectionSchema,
-  GitHubAppConnectionSchema,
+  GitHubConnectionSchema,
  ValidateGitHubConnectionCredentialsSchema
 } from "./github-connection-schemas";

-export type TGitHubConnection = z.infer<typeof GitHubAppConnectionSchema>;
+export type TGitHubConnection = z.infer<typeof GitHubConnectionSchema>;

 export type TGitHubConnectionInput = z.infer<typeof CreateGitHubConnectionSchema> & {
  app: AppConnection.GitHub;
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@ -39,7 +39,8 @@ export enum ActorType { // would extend to AWS, Azure, ...
  SERVICE = "service",
  IDENTITY = "identity",
  Machine = "machine",
-  SCIM_CLIENT = "scimClient"
+  SCIM_CLIENT = "scimClient",
+  UNKNOWN_USER = "unknownUser"
 }

 // This will be null unless the token-type is JWT
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@ -5,7 +5,7 @@ import crypto, { KeyObject } from "crypto";
 import ms from "ms";
 import { z } from "zod";

-import { ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
+import { ActionProjectType, ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
@ -136,14 +136,14 @@ export const certificateAuthorityServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -305,13 +305,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.CertificateAuthorities
@ -336,14 +337,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
@ -362,14 +363,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@ -388,13 +389,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -449,14 +451,14 @@ export const certificateAuthorityServiceFactory = ({

    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -720,13 +722,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@ -755,13 +758,14 @@ export const certificateAuthorityServiceFactory = ({
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@ -835,14 +839,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: "CA not found" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -982,14 +986,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -1145,14 +1149,14 @@ export const certificateAuthorityServiceFactory = ({
      throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);

@ -1474,14 +1478,14 @@ export const certificateAuthorityServiceFactory = ({
    }

    if (!dto.isInternal) {
-      const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-        dto.actor,
-        dto.actorId,
-        ca.projectId,
-        dto.actorAuthMethod,
-        dto.actorOrgId
-      );
-      ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      const { permission } = await permissionService.getProjectPermission({
+        actor: dto.actor,
+        actorId: dto.actorId,
+        projectId: ca.projectId,
+        actorAuthMethod: dto.actorAuthMethod,
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
+      });

      ForbiddenError.from(permission).throwUnlessCan(
        ProjectPermissionActions.Create,
@ -1832,13 +1836,14 @@ export const certificateAuthorityServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/services/certificate-template/certificate-template-service.ts
+++ b/backend/src/services/certificate-template/certificate-template-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import bcrypt from "bcrypt";

-import { ProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
+import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -67,14 +67,14 @@ export const certificateTemplateServiceFactory = ({
        message: `CA with ID ${caId} not found`
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -129,14 +129,14 @@ export const certificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
@ -187,14 +187,14 @@ export const certificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@ -214,13 +214,14 @@ export const certificateTemplateServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@ -255,14 +256,14 @@ export const certificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
@ -340,14 +341,14 @@ export const certificateTemplateServiceFactory = ({
      });
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      certTemplate.projectId,
+      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
@ -422,13 +423,14 @@ export const certificateTemplateServiceFactory = ({
    }

    if (!dto.isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
-        dto.actor,
-        dto.actorId,
-        certTemplate.projectId,
-        dto.actorAuthMethod,
-        dto.actorOrgId
-      );
+      const { permission } = await permissionService.getProjectPermission({
+        actor: dto.actor,
+        actorId: dto.actorId,
+        projectId: certTemplate.projectId,
+        actorAuthMethod: dto.actorAuthMethod,
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
+      });

      ForbiddenError.from(permission).throwUnlessCan(
        ProjectPermissionActions.Edit,
--- a/backend/src/services/certificate/certificate-service.ts
+++ b/backend/src/services/certificate/certificate-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -50,14 +50,14 @@ export const certificateServiceFactory = ({
    const cert = await certificateDAL.findOne({ serialNumber });
    const ca = await certificateAuthorityDAL.findById(cert.caId);

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);

@ -74,14 +74,14 @@ export const certificateServiceFactory = ({
    const cert = await certificateDAL.findOne({ serialNumber });
    const ca = await certificateAuthorityDAL.findById(cert.caId);

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);

@ -109,14 +109,14 @@ export const certificateServiceFactory = ({
    const cert = await certificateDAL.findOne({ serialNumber });
    const ca = await certificateAuthorityDAL.findById(cert.caId);

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);

@ -156,13 +156,14 @@ export const certificateServiceFactory = ({
    const cert = await certificateDAL.findOne({ serialNumber });
    const ca = await certificateAuthorityDAL.findById(cert.caId);

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);

--- a/backend/src/services/cmek/cmek-service.ts
+++ b/backend/src/services/cmek/cmek-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -34,14 +34,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
      projectId = cmekProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
      projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.KMS);
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);

    const cmek = await kmsService.generateKmsKey({
@ -60,14 +60,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj

    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      key.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.KMS);
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);

@ -83,14 +83,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj

    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      key.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.KMS);
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);

@ -109,13 +109,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
      projectId = cmekProjectFromSplit.id;
    }

-    const { permission } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
      projectId,
-      actor.authMethod,
-      actor.orgId
-    );
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);

@ -133,15 +134,15 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj

    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      key.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });

-    ForbidOnInvalidProjectType(ProjectType.KMS);
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);

    const encrypt = await kmsService.encryptWithKmsKey({ kmsId: keyId });
@ -160,14 +161,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj

    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
-      actor.type,
-      actor.id,
-      key.projectId,
-      actor.authMethod,
-      actor.orgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.KMS);
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);

--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";

-import { ProjectMembershipRole, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@ -9,6 +9,7 @@ import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
+import { isUuidV4 } from "@app/lib/validator";

 import { TGroupDALFactory } from "../../ee/services/group/group-dal";
 import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
@ -62,29 +63,37 @@ export const groupProjectServiceFactory = ({
    actorAuthMethod,
    roles,
    projectId,
-    groupId
+    groupIdOrName
  }: TCreateProjectGroupDTO) => {
    const project = await projectDAL.findById(projectId);

    if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
    if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);

-    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
-    if (!group) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });
+    let group: TGroups | null = null;
+    if (isUuidV4(groupIdOrName)) {
+      group = await groupDAL.findOne({ orgId: actorOrgId, id: groupIdOrName });
+    }
+    if (!group) {
+      group = await groupDAL.findOne({ orgId: actorOrgId, name: groupIdOrName });
+    }
+
+    if (!group) throw new NotFoundError({ message: `Failed to find group with ID or name ${groupIdOrName}` });

    const existingGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
    if (existingGroup)
      throw new BadRequestError({
-        message: `Group with ID ${groupId} already exists in project with id ${project.id}`
+        message: `Group with ID ${group.id} already exists in project with id ${project.id}`
      });

    for await (const { role: requestedRoleChange } of roles) {
@ -127,7 +136,7 @@ export const groupProjectServiceFactory = ({
    const projectGroup = await groupProjectDAL.transaction(async (tx) => {
      const groupProjectMembership = await groupProjectDAL.create(
        {
-          groupId: group.id,
+          groupId: group!.id,
          projectId: project.id
        },
        tx
@ -162,7 +171,7 @@ export const groupProjectServiceFactory = ({
      // share project key with users in group that have not
      // individually been added to the project and that are not part of
      // other groups that are in the project
-      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
+      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group!.id, project.id, tx);

      if (groupMembers.length) {
        const ghostUser = await projectDAL.findProjectGhostUser(project.id, tx);
@ -237,13 +246,14 @@ export const groupProjectServiceFactory = ({

    if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);

    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
@ -339,13 +349,14 @@ export const groupProjectServiceFactory = ({
    const groupProjectMembership = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
    if (!groupProjectMembership) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);

    const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
@ -383,13 +394,14 @@ export const groupProjectServiceFactory = ({
      throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);

    const groupMemberships = await groupProjectDAL.findByProjectId(project.id);
@ -410,13 +422,14 @@ export const groupProjectServiceFactory = ({
      throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);

    const [groupMembership] = await groupProjectDAL.findByProjectId(project.id, {
--- a/backend/src/services/group-project/group-project-types.ts
+++ b/backend/src/services/group-project/group-project-types.ts
@ -3,7 +3,7 @@ import { TProjectPermission } from "@app/lib/types";
 import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";

 export type TCreateProjectGroupDTO = {
-  groupId: string;
+  groupIdOrName: string;
  roles: (
    | {
        role: string;
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";

-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@ -54,13 +54,14 @@ export const identityProjectServiceFactory = ({
    projectId,
    roles
  }: TCreateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      subject(ProjectPermissionSub.Identity, {
@ -159,13 +160,14 @@ export const identityProjectServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TUpdateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
@ -254,25 +256,27 @@ export const identityProjectServiceFactory = ({
      throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      subject(ProjectPermissionSub.Identity, { identityId })
    );

-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityId,
-      identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    if (!isAtLeastAsPrivileged(permission, identityRolePermission))
      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

@ -292,13 +296,14 @@ export const identityProjectServiceFactory = ({
    orderDirection,
    search
  }: TListProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

    const identityMemberships = await identityProjectDAL.findByProjectId(projectId, {
@ -322,13 +327,14 @@ export const identityProjectServiceFactory = ({
    actorOrgId,
    identityId
  }: TGetProjectIdentityByIdentityIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/services/integration-auth/integration-auth-service.ts
+++ b/backend/src/services/integration-auth/integration-auth-service.ts
@ -5,7 +5,7 @@ import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } fr
 import AWS from "aws-sdk";

 import {
-  ProjectType,
+  ActionProjectType,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
  TIntegrationAuths,
@ -97,13 +97,14 @@ export const integrationAuthServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const authorizations = await integrationAuthDAL.find({ projectId });
    return authorizations;
@ -114,13 +115,14 @@ export const integrationAuthServiceFactory = ({

    return Promise.all(
      authorizations.filter(async (auth) => {
-        const { permission } = await permissionService.getProjectPermission(
+        const { permission } = await permissionService.getProjectPermission({
          actor,
          actorId,
-          auth.projectId,
+          projectId: auth.projectId,
          actorAuthMethod,
-          actorOrgId
-        );
+          actorOrgId,
+          actionProjectType: ActionProjectType.SecretManager
+        });

        return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
      })
@ -131,13 +133,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    return integrationAuth;
  };
@ -156,14 +159,14 @@ export const integrationAuthServiceFactory = ({
    if (!Object.values(Integrations).includes(integration as Integrations))
      throw new BadRequestError({ message: "Invalid integration" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

    const tokenExchange = await exchangeCode({ integration, code, url, installationId });
@ -266,14 +269,14 @@ export const integrationAuthServiceFactory = ({
    if (!Object.values(Integrations).includes(integration as Integrations))
      throw new BadRequestError({ message: "Invalid integration" });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

    const updateDoc: TIntegrationAuthsInsert = {
@ -401,13 +404,14 @@ export const integrationAuthServiceFactory = ({
      throw new NotFoundError({ message: `Integration auth with id ${integrationAuthId} not found.` });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);

    const { projectId } = integrationAuth;
@ -662,13 +666,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(integrationAuth.projectId);
@ -696,13 +701,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@ -726,13 +732,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -767,13 +774,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -795,13 +803,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);

@ -869,13 +878,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -916,13 +926,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -950,13 +961,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessId, accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1008,13 +1020,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1044,13 +1057,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1085,13 +1099,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1125,13 +1140,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1165,13 +1181,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID ${id} not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1204,13 +1221,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1244,13 +1262,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1312,13 +1331,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1386,13 +1406,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1436,13 +1457,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1484,13 +1506,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1552,13 +1575,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1593,13 +1617,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1705,13 +1730,14 @@ export const integrationAuthServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TDeleteIntegrationAuthsDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

    const integrations = await integrationAuthDAL.delete({ integration, projectId });
@ -1728,13 +1754,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

    const delIntegrationAuth = await integrationAuthDAL.transaction(async (tx) => {
@ -1761,26 +1788,28 @@ export const integrationAuthServiceFactory = ({
      throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
    }

-    const { permission: sourcePermission } = await permissionService.getProjectPermission(
+    const { permission: sourcePermission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(sourcePermission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.Integrations
    );

-    const { permission: targetPermission } = await permissionService.getProjectPermission(
+    const { permission: targetPermission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(targetPermission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -1806,13 +1835,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@ -1846,13 +1876,14 @@ export const integrationAuthServiceFactory = ({
    const integrationAuth = await integrationAuthDAL.findById(id);
    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -932,15 +932,22 @@ const syncSecretsAWSParameterStore = async ({
          logger.info(
            `getIntegrationSecrets: create secret in AWS SSM for [projectId=${projectId}] [environment=${integration.environment.slug}]  [secretPath=${integration.secretPath}]`
          );
-          await ssm
-            .putParameter({
-              Name: `${integration.path}${key}`,
-              Type: "SecureString",
-              Value: secrets[key].value,
-              ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId }),
-              Overwrite: true
-            })
-            .promise();
+
+          try {
+            await ssm
+              .putParameter({
+                Name: `${integration.path}${key}`,
+                Type: "SecureString",
+                Value: secrets[key].value,
+                ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId }),
+                Overwrite: true
+              })
+              .promise();
+          } catch (error) {
+            (error as { secretKey: string }).secretKey = key;
+            throw error;
+          }
+
          if (metadata.secretAWSTag?.length) {
            try {
              await ssm
@ -987,15 +994,20 @@ const syncSecretsAWSParameterStore = async ({

        // we ensure that the KMS key configured in the integration is applied for ALL parameters on AWS
        if (secrets[key].value && (shouldUpdateKms || awsParameterStoreSecretsObj[key].Value !== secrets[key].value)) {
-          await ssm
-            .putParameter({
-              Name: `${integration.path}${key}`,
-              Type: "SecureString",
-              Value: secrets[key].value,
-              Overwrite: true,
-              ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId })
-            })
-            .promise();
+          try {
+            await ssm
+              .putParameter({
+                Name: `${integration.path}${key}`,
+                Type: "SecureString",
+                Value: secrets[key].value,
+                Overwrite: true,
+                ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId })
+              })
+              .promise();
+          } catch (error) {
+            (error as { secretKey: string }).secretKey = key;
+            throw error;
+          }
        }

        if (awsParameterStoreSecretsObj[key].Name) {
@ -3750,17 +3762,28 @@ const syncSecretsCloudflarePages = async ({
  );

  const metadata = z.record(z.any()).parse(integration.metadata);
-  if (metadata.shouldAutoRedeploy) {
-    await request.post(
-      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}/deployments`,
-      {},
-      {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: "application/json"
+  if (metadata.shouldAutoRedeploy && integration.targetEnvironment === "production") {
+    await request
+      .post(
+        `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}/deployments`,
+        {},
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/json"
+          }
        }
-      }
-    );
+      )
+      .catch((error) => {
+        if (error instanceof AxiosError && error.response?.status === 304) {
+          logger.info(
+            `syncSecretsCloudflarePages: CF pages redeployment returned status code 304 for integration [id=${integration.id}]`
+          );
+          return;
+        }
+
+        throw error;
+      });
  }
 };

--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
@ -81,14 +81,14 @@ export const integrationServiceFactory = ({
    if (!integrationAuth)
      throw new NotFoundError({ message: `Integration auth with ID '${integrationAuthId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integrationAuth.projectId,
+      projectId: integrationAuth.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

    ForbiddenError.from(permission).throwUnlessCan(
@ -160,14 +160,14 @@ export const integrationServiceFactory = ({
    const integration = await integrationDAL.findById(id);
    if (!integration) throw new NotFoundError({ message: `Integration with ID '${id}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integration.projectId,
+      projectId: integration.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);

    const newEnvironment = environment || integration.environment.slug;
@ -227,13 +227,14 @@ export const integrationServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integration?.projectId || "",
+      projectId: integration.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    if (!integration) {
@ -254,13 +255,14 @@ export const integrationServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integration?.projectId || "",
+      projectId: integration.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
@ -296,14 +298,14 @@ export const integrationServiceFactory = ({
    const integration = await integrationDAL.findById(id);
    if (!integration) throw new NotFoundError({ message: `Integration with ID '${id}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integration.projectId,
+      projectId: integration.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
@ -333,13 +335,14 @@ export const integrationServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const integrations = await integrationDAL.findByProjectId(projectId);
@ -352,13 +355,14 @@ export const integrationServiceFactory = ({
      throw new NotFoundError({ message: `Integration with ID '${id}' not found` });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      integration.projectId,
+      projectId: integration.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    await secretQueueService.syncIntegrations({
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@ -5,6 +5,7 @@ import jwt from "jsonwebtoken";
 import { Knex } from "knex";

 import {
+  ActionProjectType,
  OrgMembershipRole,
  OrgMembershipStatus,
  ProjectMembershipRole,
@ -68,6 +69,7 @@ import {
  TGetOrgMembershipDTO,
  TInviteUserToOrgDTO,
  TListProjectMembershipsByOrgMembershipIdDTO,
+  TResendOrgMemberInvitationDTO,
  TUpdateOrgDTO,
  TUpdateOrgMembershipDTO,
  TVerifyUserToOrgDTO
@ -583,6 +585,66 @@ export const orgServiceFactory = ({
    });
    return membership;
  };
+
+  const resendOrgMemberInvitation = async ({
+    orgId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    membershipId
+  }: TResendOrgMemberInvitationDTO) => {
+    const appCfg = getConfig();
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Member);
+
+    const org = await orgDAL.findOrgById(orgId);
+
+    const [inviteeOrgMembership] = await orgDAL.findMembership({
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
+      [`${TableName.OrgMembership}.id` as "id"]: membershipId
+    });
+
+    if (inviteeOrgMembership.status !== OrgMembershipStatus.Invited) {
+      throw new BadRequestError({
+        message: "Organization invitation already accepted"
+      });
+    }
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_ORG_INVITATION,
+      userId: inviteeOrgMembership.userId,
+      orgId
+    });
+
+    if (!appCfg.isSmtpConfigured) {
+      return {
+        signupToken: {
+          email: inviteeOrgMembership.email as string,
+          link: `${appCfg.SITE_URL}/signupinvite?token=${token}&to=${inviteeOrgMembership.email}&organization_id=${org?.id}`
+        }
+      };
+    }
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.OrgInvite,
+      subjectLine: "Infisical organization invitation",
+      recipients: [inviteeOrgMembership.email as string],
+      substitutions: {
+        inviterFirstName: inviteeOrgMembership.firstName,
+        inviterUsername: inviteeOrgMembership.email,
+        organizationName: org?.name,
+        email: inviteeOrgMembership.email,
+        organizationId: org?.id.toString(),
+        token,
+        callback_url: `${appCfg.SITE_URL}/signupinvite`
+      }
+    });
+
+    return { signupToken: undefined };
+  };
+
  /*
   * Invite user to organization
   */
@ -626,6 +688,7 @@ export const orgServiceFactory = ({
          }
        })
      : [];
+
    if (projectsToInvite.length !== invitedProjects?.length) {
      throw new ForbiddenRequestError({
        message: "Access denied to one or more of the specified projects"
@ -773,13 +836,14 @@ export const orgServiceFactory = ({
      // if there exist no project membership we set is as given by the request
      for await (const project of projectsToInvite) {
        const projectId = project.id;
-        const { permission: projectPermission } = await permissionService.getProjectPermission(
+        const { permission: projectPermission } = await permissionService.getProjectPermission({
          actor,
          actorId,
          projectId,
          actorAuthMethod,
-          actorOrgId
-        );
+          actorOrgId,
+          actionProjectType: ActionProjectType.Any
+        });
        ForbiddenError.from(projectPermission).throwUnlessCan(
          ProjectPermissionActions.Create,
          ProjectPermissionSub.Member
@ -1219,6 +1283,7 @@ export const orgServiceFactory = ({
    deleteIncidentContact,
    getOrgGroups,
    listProjectMembershipsByOrgMembershipId,
-    findOrgBySlug
+    findOrgBySlug,
+    resendOrgMemberInvitation
  };
 };
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@ -35,6 +35,10 @@ export type TInviteUserToOrgDTO = {
  }[];
 } & TOrgPermission;

+export type TResendOrgMemberInvitationDTO = {
+  membershipId: string;
+} & TOrgPermission;
+
 export type TVerifyUserToOrgDTO = {
  email: string;
  orgId: string;
--- a/backend/src/services/pki-alert/pki-alert-service.ts
+++ b/backend/src/services/pki-alert/pki-alert-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@ -86,14 +86,14 @@ export const pkiAlertServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts);

@ -116,13 +116,14 @@ export const pkiAlertServiceFactory = ({
    const alert = await pkiAlertDAL.findById(alertId);
    if (!alert) throw new NotFoundError({ message: `Alert with ID '${alertId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      alert.projectId,
+      projectId: alert.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
    return alert;
@ -142,14 +143,14 @@ export const pkiAlertServiceFactory = ({
    let alert = await pkiAlertDAL.findById(alertId);
    if (!alert) throw new NotFoundError({ message: `Alert with ID '${alertId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      alert.projectId,
+      projectId: alert.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts);

@ -175,14 +176,14 @@ export const pkiAlertServiceFactory = ({
    let alert = await pkiAlertDAL.findById(alertId);
    if (!alert) throw new NotFoundError({ message: `Alert with ID '${alertId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      alert.projectId,
+      projectId: alert.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts);
    alert = await pkiAlertDAL.deleteById(alertId);
--- a/backend/src/services/pki-collection/pki-collection-service.ts
+++ b/backend/src/services/pki-collection/pki-collection-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType, TPkiCollectionItems } from "@app/db/schemas";
+import { ActionProjectType, ProjectType, TPkiCollectionItems } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -62,14 +62,14 @@ export const pkiCollectionServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -95,13 +95,14 @@ export const pkiCollectionServiceFactory = ({
    const pkiCollection = await pkiCollectionDAL.findById(collectionId);
    if (!pkiCollection) throw new NotFoundError({ message: `PKI collection with ID '${collectionId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
    return pkiCollection;
@ -119,14 +120,14 @@ export const pkiCollectionServiceFactory = ({
    let pkiCollection = await pkiCollectionDAL.findById(collectionId);
    if (!pkiCollection) throw new NotFoundError({ message: `PKI collection with ID '${collectionId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections);
    pkiCollection = await pkiCollectionDAL.updateById(collectionId, {
@ -147,14 +148,14 @@ export const pkiCollectionServiceFactory = ({
    let pkiCollection = await pkiCollectionDAL.findById(collectionId);
    if (!pkiCollection) throw new NotFoundError({ message: `PKI collection with ID '${collectionId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@ -177,13 +178,14 @@ export const pkiCollectionServiceFactory = ({
    const pkiCollection = await pkiCollectionDAL.findById(collectionId);
    if (!pkiCollection) throw new NotFoundError({ message: `PKI collection with ID '${collectionId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);

@ -220,14 +222,14 @@ export const pkiCollectionServiceFactory = ({
    const pkiCollection = await pkiCollectionDAL.findById(collectionId);
    if (!pkiCollection) throw new NotFoundError({ message: `PKI collection with ID '${collectionId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -314,14 +316,14 @@ export const pkiCollectionServiceFactory = ({

    if (!pkiCollectionItem) throw new NotFoundError({ message: `PKI collection item with ID '${itemId}' not found` });

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      pkiCollection.projectId,
+      projectId: pkiCollection.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
--- a/backend/src/services/project-bot/project-bot-service.ts
+++ b/backend/src/services/project-bot/project-bot-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectVersion } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { generateAsymmetricKeyPair } from "@app/lib/crypto";
@ -41,13 +41,14 @@ export const projectBotServiceFactory = ({
    botKey,
    publicKey
  }: TFindBotByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);

    const bot = await projectBotDAL.transaction(async (tx) => {
@ -107,13 +108,14 @@ export const projectBotServiceFactory = ({
    const bot = await projectBotDAL.findById(botId);
    if (!bot) throw new NotFoundError({ message: `Project bot with ID '${botId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      bot.projectId,
+      projectId: bot.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);

    const project = await projectBotDAL.findProjectByBotId(botId);
--- a/backend/src/services/project-env/project-env-service.ts
+++ b/backend/src/services/project-env/project-env-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -42,14 +42,14 @@ export const projectEnvServiceFactory = ({
    name,
    slug
  }: TCreateEnvDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);

    const lock = await keyStore
@ -131,14 +131,14 @@ export const projectEnvServiceFactory = ({
    id,
    position
  }: TUpdateEnvDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);

    const lock = await keyStore
@ -195,14 +195,14 @@ export const projectEnvServiceFactory = ({
  };

  const deleteEnvironment = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod, id }: TDeleteEnvDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);

    const lock = await keyStore
@ -251,13 +251,14 @@ export const projectEnvServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      environment.projectId,
+      projectId: environment.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);

--- a/backend/src/services/project-key/project-key-service.ts
+++ b/backend/src/services/project-key/project-key-service.ts
@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
@ -31,13 +32,14 @@ export const projectKeyServiceFactory = ({
    nonce,
    encryptedKey
  }: TUploadProjectKeyDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const receiverMembership = await projectMembershipDAL.findOne({
@ -60,7 +62,14 @@ export const projectKeyServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TGetLatestProjectKeyDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
    return latestKey;
  };
@ -72,13 +81,14 @@ export const projectKeyServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TGetLatestProjectKeyDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    return projectKeyDAL.findAllProjectUserPubKeys(projectId);
  };
--- a/backend/src/services/project-membership/project-membership-service.ts
+++ b/backend/src/services/project-membership/project-membership-service.ts
@ -2,7 +2,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";

-import { ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -78,13 +78,14 @@ export const projectMembershipServiceFactory = ({
    includeGroupMembers,
    projectId
  }: TGetProjectMembershipDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
@ -121,13 +122,14 @@ export const projectMembershipServiceFactory = ({
    projectId,
    username
  }: TGetProjectMembershipByUsernameDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
@ -143,13 +145,14 @@ export const projectMembershipServiceFactory = ({
    projectId,
    id
  }: TGetProjectMembershipByIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);

    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { id });
@ -169,13 +172,14 @@ export const projectMembershipServiceFactory = ({
    const project = await projectDAL.findById(projectId);
    if (!project) throw new NotFoundError({ message: `Project with ID '${projectId}' not found` });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
    const orgMembers = await orgDAL.findMembership({
      [`${TableName.OrgMembership}.orgId` as "orgId"]: project.orgId,
@ -249,13 +253,14 @@ export const projectMembershipServiceFactory = ({
    membershipId,
    roles
  }: TUpdateProjectMembershipDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
@ -348,13 +353,14 @@ export const projectMembershipServiceFactory = ({
    projectId,
    membershipId
  }: TDeleteProjectMembershipOldDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);

    const member = await userDAL.findUserByProjectMembershipId(membershipId);
@ -383,13 +389,14 @@ export const projectMembershipServiceFactory = ({
    emails,
    usernames
  }: TDeleteProjectMembershipsDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);

    const project = await projectDAL.findById(projectId);
--- a/backend/src/services/project-role/project-role-service.ts
+++ b/backend/src/services/project-role/project-role-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";

-import { ProjectMembershipRole, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, TableName } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
  ProjectPermissionActions,
@ -58,13 +58,14 @@ export const projectRoleServiceFactory = ({
      projectId = filter.projectId;
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
    const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
    if (existingRole) {
@ -95,13 +96,14 @@ export const projectRoleServiceFactory = ({
      projectId = filter.projectId;
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
    if (roleSlug !== "custom" && Object.values(ProjectMembershipRole).includes(roleSlug as ProjectMembershipRole)) {
      const predefinedRole = getPredefinedRoles(projectId, roleSlug as ProjectMembershipRole)[0];
@ -117,13 +119,14 @@ export const projectRoleServiceFactory = ({
    const projectRole = await projectRoleDAL.findById(roleId);
    if (!projectRole) throw new NotFoundError({ message: "Project role not found", name: "Delete role" });

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectRole.projectId,
+      projectId: projectRole.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);

    if (data?.slug) {
@ -144,13 +147,14 @@ export const projectRoleServiceFactory = ({
  const deleteRole = async ({ actor, actorId, actorAuthMethod, actorOrgId, roleId }: TDeleteRoleDTO) => {
    const projectRole = await projectRoleDAL.findById(roleId);
    if (!projectRole) throw new NotFoundError({ message: "Project role not found", name: "Delete role" });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectRole.projectId,
+      projectId: projectRole.projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);

    const identityRole = await identityProjectMembershipRoleDAL.findOne({ customRoleId: roleId });
@ -185,13 +189,14 @@ export const projectRoleServiceFactory = ({
      projectId = filter.projectId;
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
    const customRoles = await projectRoleDAL.find(
      { projectId },
@ -208,12 +213,13 @@ export const projectRoleServiceFactory = ({
    actorAuthMethod: ActorAuthMethod,
    actorOrgId: string | undefined
  ) => {
-    const { permission, membership } = await permissionService.getUserProjectPermission(
+    const { permission, membership } = await permissionService.getUserProjectPermission({
      userId,
      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
+      authMethod: actorAuthMethod,
+      userOrgId: actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    return { permissions: packRules(permission.rules), membership };
  };

--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@ -1,7 +1,13 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";

-import { ProjectMembershipRole, ProjectType, ProjectVersion, TProjectEnvironments } from "@app/db/schemas";
+import {
+  ActionProjectType,
+  ProjectMembershipRole,
+  ProjectType,
+  ProjectVersion,
+  TProjectEnvironments
+} from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@ -23,6 +29,7 @@ import { ActorType } from "../auth/auth-type";
 import { TCertificateDALFactory } from "../certificate/certificate-dal";
 import { TCertificateAuthorityDALFactory } from "../certificate-authority/certificate-authority-dal";
 import { TCertificateTemplateDALFactory } from "../certificate-template/certificate-template-dal";
+import { TGroupProjectDALFactory } from "../group-project/group-project-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityProjectDALFactory } from "../identity-project/identity-project-dal";
 import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/identity-project-membership-role-dal";
@ -94,7 +101,8 @@ type TProjectServiceFactoryDep = {
  identityProjectDAL: TIdentityProjectDALFactory;
  identityProjectMembershipRoleDAL: Pick<TIdentityProjectMembershipRoleDALFactory, "create">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "create" | "findLatestProjectKey" | "delete" | "find" | "insertMany">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne" | "delete">;
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "delete">;
  projectSlackConfigDAL: Pick<TProjectSlackConfigDALFactory, "findOne" | "transaction" | "updateById" | "create">;
  slackIntegrationDAL: Pick<TSlackIntegrationDALFactory, "findById" | "findByIdWithWorkflowIntegrationDetails">;
  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
@ -114,7 +122,7 @@ type TProjectServiceFactoryDep = {
  orgDAL: Pick<TOrgDALFactory, "findOne">;
  keyStore: Pick<TKeyStoreFactory, "deleteItem">;
  projectBotDAL: Pick<TProjectBotDALFactory, "create">;
-  projectRoleDAL: Pick<TProjectRoleDALFactory, "find" | "insertMany">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "find" | "insertMany" | "delete">;
  kmsService: Pick<
    TKmsServiceFactory,
    | "updateProjectSecretManagerKmsKey"
@ -163,7 +171,8 @@ export const projectServiceFactory = ({
  projectBotDAL,
  projectSlackConfigDAL,
  slackIntegrationDAL,
-  projectTemplateService
+  projectTemplateService,
+  groupProjectDAL
 }: TProjectServiceFactoryDep) => {
  /*
   * Create workspace. Make user the admin
@ -427,23 +436,43 @@ export const projectServiceFactory = ({
  const deleteProject = async ({ actor, actorId, actorOrgId, actorAuthMethod, filter }: TDeleteProjectDTO) => {
    const project = await projectDAL.findProjectByFilter(filter);

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);

    const deletedProject = await projectDAL.transaction(async (tx) => {
+      // delete these so that project custom roles can be deleted in cascade effect
+      // direct deletion of project without these will cause fk error
+      await projectMembershipDAL.delete({ projectId: project.id }, tx);
+      await groupProjectDAL.delete({ projectId: project.id }, tx);
      const delProject = await projectDAL.deleteById(project.id, tx);
      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);
+      // akhilmhdh: before removing those kms checking any other project uses it
+      // happened due to project split
      if (delProject.kmsCertificateKeyId) {
-        await kmsService.deleteInternalKms(delProject.kmsCertificateKeyId, delProject.orgId, tx);
+        const projectsLinkedToForiegnKey = await projectDAL.find(
+          { kmsCertificateKeyId: delProject.kmsCertificateKeyId },
+          { tx }
+        );
+        if (!projectsLinkedToForiegnKey.length) {
+          await kmsService.deleteInternalKms(delProject.kmsCertificateKeyId, delProject.orgId, tx);
+        }
      }
+
      if (delProject.kmsSecretManagerKeyId) {
-        await kmsService.deleteInternalKms(delProject.kmsSecretManagerKeyId, delProject.orgId, tx);
+        const projectsLinkedToForiegnKey = await projectDAL.find(
+          { kmsSecretManagerKeyId: delProject.kmsSecretManagerKeyId },
+          { tx }
+        );
+        if (!projectsLinkedToForiegnKey.length) {
+          await kmsService.deleteInternalKms(delProject.kmsSecretManagerKeyId, delProject.orgId, tx);
+        }
      }
      // Delete the org membership for the ghost user if it's found.
      if (projectGhostUser) {
@ -510,27 +539,37 @@ export const projectServiceFactory = ({
  const getAProject = async ({ actorId, actorOrgId, actorAuthMethod, filter, actor }: TGetProjectDTO) => {
    const project = await projectDAL.findProjectByFilter(filter);

-    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: project.id,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    return project;
  };

  const updateProject = async ({ actor, actorId, actorOrgId, actorAuthMethod, update, filter }: TUpdateProjectDTO) => {
    const project = await projectDAL.findProjectByFilter(filter);

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);

    const updatedProject = await projectDAL.updateById(project.id, {
      name: update.name,
      description: update.description,
-      autoCapitalization: update.autoCapitalization
+      autoCapitalization: update.autoCapitalization,
+      enforceCapitalization: update.autoCapitalization
    });
+
    return updatedProject;
  };

@ -542,16 +581,21 @@ export const projectServiceFactory = ({
    actorAuthMethod,
    autoCapitalization
  }: TToggleProjectAutoCapitalizationDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);

-    const updatedProject = await projectDAL.updateById(projectId, { autoCapitalization });
+    const updatedProject = await projectDAL.updateById(projectId, {
+      autoCapitalization,
+      enforceCapitalization: autoCapitalization
+    });
+
    return updatedProject;
  };

@ -570,13 +614,14 @@ export const projectServiceFactory = ({
      });
    }

-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    if (!hasRole(ProjectMembershipRole.Admin))
      throw new ForbiddenRequestError({
@ -601,13 +646,14 @@ export const projectServiceFactory = ({
      });
    }

-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    if (!hasRole(ProjectMembershipRole.Admin)) {
      throw new ForbiddenRequestError({
@ -633,13 +679,14 @@ export const projectServiceFactory = ({
    actorAuthMethod,
    name
  }: TUpdateProjectNameDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);

    const updatedProject = await projectDAL.updateById(projectId, { name });
@ -654,13 +701,14 @@ export const projectServiceFactory = ({
    actorOrgId,
    userPrivateKey
  }: TUpgradeProjectDTO) => {
-    const { permission, hasRole } = await permissionService.getProjectPermission(
+    const { permission, hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);

@ -691,13 +739,14 @@ export const projectServiceFactory = ({
    actorOrgId,
    actorId
  }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);

    const project = await projectDAL.findProjectById(projectId);
@ -736,13 +785,14 @@ export const projectServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@ -786,14 +836,14 @@ export const projectServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);

@ -841,14 +891,14 @@ export const projectServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);

@ -877,14 +927,14 @@ export const projectServiceFactory = ({
    if (certManagerProjectFromSplit) {
      projectId = certManagerProjectFromSplit.id;
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);

@ -914,14 +964,14 @@ export const projectServiceFactory = ({
      projectId = certManagerProjectFromSplit.id;
    }

-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
-    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
@ -945,15 +995,15 @@ export const projectServiceFactory = ({
    actor,
    projectId
  }: TListProjectSshCasDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateAuthorities
@ -981,15 +1031,15 @@ export const projectServiceFactory = ({
    actor,
    projectId
  }: TListProjectSshCertificatesDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);

    const cas = await sshCertificateAuthorityDAL.find({
@ -1020,15 +1070,15 @@ export const projectServiceFactory = ({
    actor,
    projectId
  }: TListProjectSshCertificateTemplatesDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });

-    ForbidOnInvalidProjectType(ProjectType.SSH);
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
@ -1055,13 +1105,14 @@ export const projectServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TUpdateProjectKmsDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);

@ -1082,13 +1133,14 @@ export const projectServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);

@ -1111,13 +1163,14 @@ export const projectServiceFactory = ({
    actorOrgId,
    backup
  }: TLoadProjectKmsBackupDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);

@ -1133,13 +1186,14 @@ export const projectServiceFactory = ({
  };

  const getProjectKmsKeys = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TGetProjectKmsKey) => {
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -1165,13 +1219,14 @@ export const projectServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);

@ -1213,13 +1268,14 @@ export const projectServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
-    );
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	b949708f45	docs(sso): fixed azure attributes typo	2025-01-23 05:20:44 +01:00
Daniel Hougaard	2a6b6b03b9	docs(guides): updated python guide	2025-01-23 05:20:26 +01:00
Scott Wilson	89c6ab591a	Merge pull request #3031 from Infisical/project-list-pagination-fix Fix: Project List/Grid Pagination Behavior	2025-01-22 16:27:59 -08:00
Maidul Islam	235a33a01c	Update deployment-pipeline.yml	2025-01-22 18:42:05 -05:00
Scott Wilson	dd6c217dc8	fix: include page/page size in dependencies array on filtered projects	2025-01-22 14:18:38 -08:00
Scott Wilson	78b1b5583a	Merge pull request #2998 from Infisical/secret-syncs-feature Feature: Secret Syncs	2025-01-22 12:00:57 -08:00
Scott Wilson	8f2a504fd0	improvements: address feedback	2025-01-22 10:50:24 -08:00
Maidul Islam	1d5b629d8f	Merge pull request #3006 from akhilmhdh/feat/region-flag Added region flag for eu in cli	2025-01-22 13:21:14 -05:00
Maidul Islam	14f895cae2	Merge pull request #3026 from Infisical/readme-ssh Add Infisical SSH to README	2025-01-22 12:56:21 -05:00
=	b7be6bd1d9	feat: removed region flag in description	2025-01-22 14:41:24 +05:30
Maidul Islam	58a97852f6	Merge pull request #3027 from akhilmhdh/fix/pro-trail-btn fix: resolved pro trial button issue in sidebar	2025-01-22 01:58:32 -05:00
=	980aa9eaae	fix: resolved pro trial button issue in sidebar	2025-01-22 12:25:54 +05:30
=	a35d1aa72b	feat: removed root flag and added description for domain	2025-01-22 12:18:58 +05:30
Tuan Dang	52d801bce5	Add Infisical SSH to README	2025-01-21 22:36:55 -08:00
Scott Wilson	c92c160709	chore: move migration to latest	2025-01-21 21:51:35 -08:00
Scott Wilson	71ca7a82db	Merge pull request #3022 from Infisical/vercel-project-help-text Improvement: Vercel Integration Project Permission Helper Text	2025-01-21 21:43:53 -08:00
Scott Wilson	6f799b478d	chore: remove unused component	2025-01-21 21:34:41 -08:00
Scott Wilson	a89e6b6e58	chore: resolve merge conflicts	2025-01-21 21:30:18 -08:00
Scott Wilson	99ca9e04f8	improvements: final adjustments/improvements	2025-01-21 20:21:29 -08:00
Daniel Hougaard	6cdc71b9b1	Merge pull request #3023 from Infisical/fix-org-sidebar-check Fix: Correct Display Org Sidebar Check	2025-01-22 03:02:43 +01:00
Scott Wilson	f88d6a183f	fix: correct display org sidebar check	2025-01-21 17:46:14 -08:00
Scott Wilson	fa82d4953e	improvement: adjust casing	2025-01-21 16:05:11 -08:00
Scott Wilson	12d9fe9ffd	improvement: add helper text to point vercel users to access permissions if they dont see their project listed	2025-01-21 16:02:24 -08:00
Maidul Islam	86acf88a13	Merge pull request #3021 from akhilmhdh/fix/project-delete fix: resolved org sidebar not showing in org member detail window	2025-01-21 15:14:12 -05:00
=	63c7c39e21	fix: resolved org sidebar not showing in member detail window and other detail window	2025-01-22 01:39:44 +05:30
Maidul Islam	151edc7efa	Merge pull request #3020 from Infisical/remove-enterprise-identity-limit Remove Enterprise Member and Identity Limits for SAML/LDAP Login	2025-01-21 13:17:16 -05:00
Tuan Dang	5fa7f56285	Remove member and identity limits for enterprise saml and ldap login case	2025-01-21 10:12:23 -08:00
Scott Wilson	810b27d121	Merge pull request #3019 from Infisical/audit-log-stream-setup-error-improvement Improvement: Propagate Upstream Error on Audit Log Stream Setup Fail	2025-01-21 10:06:23 -08:00
Scott Wilson	51fe7450ae	improvement: propogate upstream error on audit log stream setup	2025-01-21 09:54:33 -08:00
Maidul Islam	938c06a2ed	Merge pull request #3018 from Infisical/misc/added-more-scoping-for-namespace misc: added more scoping logic for namespace installation	2025-01-21 11:09:45 -05:00
Sheen Capadngan	38d431ec77	misc: added more scoping logic for namespace installation	2025-01-21 23:57:11 +08:00
Maidul Islam	d202fdf5c8	Merge pull request #3017 from akhilmhdh/fix/project-delete fix: resolved failing project delete	2025-01-21 10:42:59 -05:00
=	f1b2028542	fix: resolved failing project delete	2025-01-21 20:55:19 +05:30
Sheen	5c9b46dfba	Merge pull request #3015 from Infisical/misc/address-scim-email-verification-patch-issue misc: address scim email verification patch issue	2025-01-21 20:23:08 +08:00
Sheen Capadngan	a516e50984	misc: address scim email verification patch issue	2025-01-21 17:01:34 +08:00
Scott Wilson	3c1fc024c2	improvements: address feedback	2025-01-20 22:17:20 -08:00
Sheen	569439f208	Merge pull request #2999 from Infisical/misc/added-handling-for-case-enforcement misc: added handling of secret case enforcement	2025-01-21 13:58:48 +08:00
Maidul Islam	9afc282679	Update deployment-pipeline.yml	2025-01-21 00:49:31 -05:00
Maidul Islam	8db85cfb84	Add slack alert	2025-01-21 00:04:14 -05:00
Maidul Islam	664b2f0089	add concurrency to git workflow	2025-01-20 23:52:47 -05:00
Maidul Islam	5e9bd3a7c6	Merge pull request #3014 from Infisical/expanded-secret-overview-adjustment Fix: Adjust Secret Overview Expanded Secret View	2025-01-20 21:39:39 -05:00
Maidul Islam	2c13af6db3	correct helm verion	2025-01-20 21:37:13 -05:00
Scott Wilson	ec9171d0bc	fix: adjust secret overview expanded secret view to accomodate nav restructure	2025-01-20 18:30:54 -08:00
Vlad Matsiiako	81362bec8f	Merge pull request #3013 from Infisical/daniel/cli-fix-2 fix: saml redirect failing due to blocked pop-ups	2025-01-20 13:21:32 -08:00
Daniel Hougaard	5a4d7541a2	Update SelectOrgPage.tsx	2025-01-20 22:13:52 +01:00
Maidul Islam	3c97c45455	others => other	2025-01-20 15:26:15 -05:00
Maidul Islam	4f015d77fb	Merge pull request #3003 from akhilmhdh/feat/nav-restructure Navigation restructure	2025-01-20 15:07:39 -05:00
=	78e894c2bb	feat: changed user icon	2025-01-21 01:34:21 +05:30
=	23513158ed	feat: updated nav ui based on feedback	2025-01-20 22:59:00 +05:30
=	934ef8ab27	feat: resolved plan text generator	2025-01-20 22:59:00 +05:30
=	23e9c52f67	feat: added missing breadcrumbs for integration pages	2025-01-20 22:59:00 +05:30
=	e276752e7c	feat: removed trailing comma from ui	2025-01-20 22:59:00 +05:30
=	01ae19fa2b	feat: completed all nav restructing and breadcrumbs cleanup	2025-01-20 22:58:59 +05:30
=	9df8cf60ef	feat: finished breadcrumbs for all project types except secret manager	2025-01-20 22:58:59 +05:30
=	1b1fe2a700	feat: completed org breadcrumbs	2025-01-20 22:58:59 +05:30
=	338961480c	feat: resolved accessibility issue with menu	2025-01-20 22:58:59 +05:30
=	03debcab5a	feat: completed sidebar changes	2025-01-20 22:58:59 +05:30
Maidul Islam	4a6f759900	Merge pull request #3007 from akhilmhdh/feat/base64-decode-in-operator Base64 decode in operator	2025-01-19 13:50:56 -05:00
Maidul Islam	b9d06ff686	update operator version	2025-01-19 13:50:24 -05:00
=	5cc5a4f03d	feat: updated doc for the function name	2025-01-20 00:08:22 +05:30
=	5ef2be1a9c	feat: updated function name	2025-01-20 00:08:06 +05:30
Maidul Islam	8de9ddfb8b	update k8s operator doc	2025-01-19 11:29:55 -05:00
Maidul Islam	5b40de16cf	improve docs and add missing function to create mamaged secret	2025-01-18 17:11:52 -05:00
=	11aac3f5dc	docs: updated k8s operator template section with base64DecodeBytes content	2025-01-18 18:58:26 +05:30
=	9823c7d1aa	feat: added base64DecodeBytes function to operator template	2025-01-18 18:58:00 +05:30
=	d627ecf05d	feat: added region flag for eu in cli	2025-01-18 17:05:29 +05:30
Scott Wilson	3ba396f7fa	Merge pull request #3005 from Infisical/parameter-store-error-message-improvement Improvement: Add Secret Key to AWS Parameter Store Integreation Sync Error	2025-01-17 11:56:31 -08:00
Scott Wilson	9c561266ed	improvement: add secret key to aws parameter store integreation error message	2025-01-17 08:51:41 -08:00
Sheen	36fef11d91	Merge pull request #3004 from Infisical/misc/added-misisng-install-crd-flag-for-multi-installation misc: added missing install CRD flag for multi-installation	2025-01-17 21:42:09 +08:00
Akhil Mohan	742932c4a0	Merge pull request #2993 from Infisical/misc/add-org-id-to-org-settings misc: add org id display to org settings	2025-01-17 17:31:43 +05:30
Sheen Capadngan	57a77ae5f1	misc: incremented chart and operator versions	2025-01-17 19:16:48 +08:00
Sheen Capadngan	7c9564c7dc	misc: added missing install CRD flag for multi installation	2025-01-17 19:09:12 +08:00
Sheen	736aecebf8	Merge pull request #3001 from Infisical/fix/address-org-invite-resend fix: address org invite resend issues	2025-01-17 18:53:32 +08:00
Sheen Capadngan	16748357d7	misc: addressed comments	2025-01-17 03:50:01 +08:00
Daniel Hougaard	12863b389b	Merge pull request #2997 from Infisical/daniel/unique-group-names feat(groups): unique names	2025-01-16 20:41:07 +01:00
Scott Wilson	6341b7e989	improvement: update intial sync logic to account for replica reads	2025-01-16 09:48:21 -08:00
Sheen Capadngan	c592ff00a6	fix: address org invite resend	2025-01-17 01:42:35 +08:00
Daniel Hougaard	ef87086272	fix(groups): unique names, requested changes	2025-01-16 17:38:54 +01:00
Sheen Capadngan	bd459d994c	misc: finalized error message	2025-01-16 19:55:21 +08:00
Sheen Capadngan	440f93f392	misc: added handling for case enforcement	2025-01-16 19:10:00 +08:00
Scott Wilson	bc32d6cbbf	chore: revert mint openapi url	2025-01-15 22:42:09 -08:00
Scott Wilson	0cf3115830	chore: remove needless comment	2025-01-15 22:39:54 -08:00
Scott Wilson	65f2e626ae	chore: optimize import path, add comment context and removed commented out code	2025-01-15 22:37:20 -08:00
Scott Wilson	8b3e3152a4	chore: remove outdated comment	2025-01-15 22:30:27 -08:00
Scott Wilson	661b31f762	chore: remove concurrency from testing	2025-01-15 22:24:47 -08:00
Scott Wilson	e78ad1147b	fix: various ui and github sync fixes	2025-01-15 22:20:33 -08:00
Scott Wilson	473efa91f0	feature: secret sync base + aws parameter store & github	2025-01-15 21:52:50 -08:00
Daniel Hougaard	b440e918ac	Merge pull request #2988 from Infisical/daniel/audit-logs-searchability feat(radar): pagination and filtering	2025-01-16 01:24:24 +01:00
Daniel Hougaard	439f253350	Merge pull request #2981 from Infisical/daniel/secret-scans-export feat(radar): export radar data	2025-01-16 01:22:05 +01:00
Daniel Hougaard	4e68304262	fix: type check	2025-01-16 01:08:43 +01:00
Daniel Hougaard	c4d0896609	feat(groups): unique names	2025-01-16 01:01:01 +01:00
Daniel Hougaard	b8115d481c	Merge pull request #2989 from Infisical/daniel/audit-log-docs docs(audit-logs): audit log streams structure	2025-01-15 18:07:24 +01:00
Daniel Hougaard	5fdec97319	requested changes	2025-01-15 17:50:30 +01:00
Daniel Hougaard	755bb1679a	requested changes	2025-01-15 17:32:53 +01:00
Daniel Hougaard	7142e7a6c6	Update secret-scanning-dal.ts	2025-01-15 16:39:08 +01:00
Daniel Hougaard	11ade92b5b	Update secret-scanning-service.ts	2025-01-15 16:39:08 +01:00
Daniel Hougaard	4147725260	feat(radar): pagination & filtering	2025-01-15 16:39:08 +01:00
Daniel Hougaard	c359cf162f	requested changes	2025-01-15 16:37:42 +01:00
Sheen Capadngan	9d04b648fa	misc: add org id display to org settings	2025-01-15 20:21:10 +08:00
Daniel Hougaard	9edfdb7234	docs(audit-logs): audit log streams structure	2025-01-15 02:33:21 +01:00
Daniel Hougaard	ff74e020fc	requested changes	2025-01-15 01:55:10 +01:00
Akhil Mohan	6ee446e574	Merge pull request #2979 from akhilmhdh/refactor/permission-service-fn Refactored permission service for project to have project operation type validation	2025-01-14 23:50:10 +05:30
Maidul Islam	c806059b11	Merge pull request #2985 from Infisical/misc/add-oidc-saml-handling-for-login-check misc: add oidc saml handling for login SA check	2025-01-14 13:11:29 -05:00
=	3a5bb31bde	feat: updated all permission argument to actionProjectType	2025-01-14 23:41:06 +05:30
=	6f38d6c76f	feat: updated to enum ActionProjectType	2025-01-14 23:26:18 +05:30
=	d721a46ec9	fix: resolved secret and approval count triggered for other project types	2025-01-14 23:26:18 +05:30
=	989065ba34	refactor: updated permission service for projects to check for operation type as well	2025-01-14 23:26:18 +05:30
Sheen Capadngan	5ad419c079	misc: updated comment	2025-01-15 00:49:53 +08:00
Sheen Capadngan	80f72e8040	misc: added context	2025-01-15 00:48:19 +08:00
Maidul Islam	0cef728617	Merge pull request #2986 from Infisical/misc/addressed-cf-pages-error-304 fix: addressed cloudflare pages error 304	2025-01-14 10:42:42 -05:00
Sheen Capadngan	0a735422ed	misc: standardized log	2025-01-14 23:39:47 +08:00
Sheen Capadngan	8370a0d9c0	misc: added log	2025-01-14 23:29:04 +08:00
Sheen Capadngan	71af662998	fix: addressed cloudflare pages error 304	2025-01-14 23:18:38 +08:00
Sheen Capadngan	27e391f7e0	misc: add oidc saml handling for login check	2025-01-14 21:02:41 +08:00
Maidul Islam	2187c7588c	update cache control to be no store	2025-01-13 23:58:36 -05:00
Maidul Islam	8ab7e8360d	add cache busting param	2025-01-13 22:53:04 -05:00
Maidul Islam	957cab3117	Merge pull request #2982 from Infisical/fix-copy-user-id Fix: Copy Username on User Details Page	2025-01-13 20:06:11 -05:00
Scott Wilson	4bf16f68fc	fix: correctly copy user email to clipboard	2025-01-13 17:03:08 -08:00
Daniel Hougaard	ab3ee775bb	feat(radar): export radar data	2025-01-14 00:53:40 +01:00
Maidul Islam	2a86e6f4d1	add cache contro to cloudflare pages integration	2025-01-13 17:17:39 -05:00
Maidul Islam	194fbb79f2	Merge pull request #2975 from Infisical/daniel/custom-cors feat(api): custom cors settings	2025-01-13 14:36:19 -05:00
Maidul Islam	faaba8deb7	add metabase link to on call guide	2025-01-13 11:16:49 -05:00
Sheen	ae21b157a9	Merge pull request #2980 from Infisical/misc/added-proper-error-propagation-for-aws-kms misc: added error propagation for aws kms	2025-01-13 23:46:57 +08:00
Maidul Islam	6167c70a74	Merge pull request #2973 from Infisical/daniel/push-secret-docs docs: small k8s docs improvements	2025-01-13 10:39:45 -05:00
Sheen Capadngan	0ecf75cbdb	misc: scoped down to AWS-related errors	2025-01-13 23:18:24 +08:00
Sheen Capadngan	3f8aa0fa4b	misc: added error propagation for aws kms	2025-01-13 23:00:40 +08:00
Daniel Hougaard	6487c83bda	docs: requested changes	2025-01-13 14:35:36 +01:00
Maidul Islam	a4aa65bb81	add on call to hand book	2025-01-13 01:27:50 -05:00
Daniel Hougaard	258d19cbe4	Merge pull request #2974 from Infisical/daniel/shared-secret-audit-logs feat(audit-logs): shared secrets audit logs	2025-01-10 22:29:05 +01:00
Daniel Hougaard	3d278b0925	feat(audit-logs): shared secrets audit logs	2025-01-10 21:37:10 +01:00
Daniel Hougaard	956fb2efb4	docs: better k8s pre-req	2025-01-10 20:16:30 +01:00
Daniel Hougaard	13894261ce	docs: small k8s docs improvements	2025-01-10 20:10:00 +01:00