misc: made it specific for cloud

misc: added maintenance notice to audit log page and handled project auto-select
Merge pull request #2475 from Infisical/daniel/prefix-secret-folders
2025-07-31 10:38:12 +00:00 · 2024-09-25 00:31:13 +08:00 · 2024-09-25 00:27:36 +08:00 · 2024-09-24 17:30:47 +04:00 · 2024-09-24 15:49:27 +04:00 · 2024-09-24 01:01:58 +04:00
178 changed files with 6482 additions and 1821 deletions
--- a/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-approval-policy.spec.ts
@@ -1,6 +1,7 @@
 import { seedData1 } from "@app/db/seed-data";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";

-const createPolicy = async (dto: { name: string; secretPath: string; approvers: string[]; approvals: number }) => {
+const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
  const res = await testServer.inject({
    method: "POST",
    url: `/api/v1/secret-approvals`,
@@ -26,7 +27,7 @@ describe("Secret approval policy router", async () => {
    const policy = await createPolicy({
      secretPath: "/",
      approvals: 1,
-      approvers: [seedData1.id],
+      approvers: [{id:seedData1.id, type: ApproverType.User}],
      name: "test-policy"
    });

--- a/backend/src/db/migrations/20240918005344_add-group-approvals.ts
+++ b/backend/src/db/migrations/20240918005344_add-group-approvals.ts
@@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    // add column approverGroupId to AccessApprovalPolicyApprover
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      // make nullable
+      table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      // make approverUserId nullable
+      table.uuid("approverUserId").nullable().alter();
+    });
+    // add column approverGroupId to SecretApprovalPolicyApprover
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      table.uuid("approverGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      table.uuid("approverUserId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    // remove
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      table.dropColumn("approverGroupId");
+      table.uuid("approverUserId").notNullable().alter();
+    });
+
+    // remove
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      table.dropColumn("approverGroupId");
+      table.uuid("approverUserId").notNullable().alter();
+    });
+  }
+}
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@@ -12,7 +12,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/secret-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/secret-approval-policies-approvers.ts
@@ -12,7 +12,8 @@ export const SecretApprovalPoliciesApproversSchema = z.object({
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -11,20 +12,18 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
    url: "/",
    method: "POST",
    schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().default("/"),
+        environment: z.string(),
+        approvers: z
+          .object({ type: z.nativeEnum(ApproverType), id: z.string() })
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
@@ -58,14 +57,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
-                .object({
-                  userId: z.string()
-                })
-                .array(),
-              secretPath: z.string().optional().nullable()
+              approvers: z
+                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
+                .array()
+                .nullable()
+                .optional()
            })
            .array()
+            .nullable()
+            .optional()
        })
      }
    },
@@ -119,22 +119,20 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      params: z.object({
        policyId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        secretPath: z
+          .string()
+          .trim()
+          .optional()
+          .transform((val) => (val === "" ? "/" : val)),
+        approvers: z
+          .object({ type: z.nativeEnum(ApproverType), id: z.string() })
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).optional(),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@@ -77,6 +77,39 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    }
  });

+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
+
  server.route({
    method: "PATCH",
    url: "/:name",
@@ -237,7 +270,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+      const dynamicSecretCfgs = await server.services.dynamicSecret.listDynamicSecretsByEnv({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@@ -10,7 +10,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
    method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      body: z.object({
        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
@@ -43,12 +43,59 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:currentSlug",
-    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+        id: z.string()
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.getGroupById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      response: {
+        200: GroupsSchema.array()
+      }
+    },
+    handler: async (req) => {
+      const groups = await server.services.org.getOrgGroups({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return groups;
+    }
+  });
+
+  server.route({
+    url: "/:id",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.UPDATE.id)
      }),
      body: z
        .object({
@@ -70,7 +117,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.updateGroup({
-        currentSlug: req.params.currentSlug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@@ -83,12 +130,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:slug",
+    url: "/:id",
    method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+        id: z.string().trim().describe(GROUPS.DELETE.id)
      }),
      response: {
        200: GroupsSchema
@@ -96,7 +143,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const group = await server.services.group.deleteGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@@ -109,11 +156,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "GET",
-    url: "/:slug/users",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
      }),
      querystring: z.object({
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
@@ -141,24 +188,25 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const { users, totalCount } = await server.services.group.listGroupUsers({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query
      });
+
      return { users, totalCount };
    }
  });

  server.route({
    method: "POST",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        id: z.string().trim().describe(GROUPS.ADD_USER.id),
        username: z.string().trim().describe(GROUPS.ADD_USER.username)
      }),
      response: {
@@ -173,7 +221,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.addUserToGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
@@ -187,11 +235,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "DELETE",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
      }),
      response: {
@@ -206,7 +254,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
    },
    handler: async (req) => {
      const user = await server.services.group.removeUserFromGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
        username: req.params.username,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -87,6 +87,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  /*
+   * Daniel: This endpoint is no longer is use.
+   * We are keeping it for now because it has been exposed in our public api docs for a while, so by removing it we are likely to break users workflows.
+   *
+   * Please refer to the new endpoint, GET /api/v1/organization/audit-logs, for the same (and more) functionality.
+   */
  server.route({
    method: "GET",
    url: "/:workspaceId/audit-logs",
@@ -101,7 +107,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
      }),
      querystring: z.object({
        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
@@ -122,10 +128,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";

+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -16,25 +17,23 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      rateLimit: writeLimit
    },
    schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string(),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .default("/")
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+        approvers: z
+          .object({ type: z.nativeEnum(ApproverType), id: z.string() })
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
@@ -67,23 +66,21 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      params: z.object({
        sapId: z.string()
      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .transform((val) => (val === "" ? "/" : val)),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        approvers: z
+          .object({ type: z.nativeEnum(ApproverType), id: z.string() })
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+      }),
      response: {
        200: z.object({
          approval: sapPubSchema
@@ -147,9 +144,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          approvals: sapPubSchema
            .extend({
-              userApprovers: z
+              approvers: z
                .object({
-                  userId: z.string()
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(ApproverType)
                })
                .array()
            })
@@ -186,7 +184,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        200: z.object({
          policy: sapPubSchema
            .extend({
-              userApprovers: z.object({ userId: z.string() }).array()
+              userApprovers: z.object({ userId: z.string().nullable().optional() }).array()
            })
            .optional()
        })
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -13,7 +13,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

-const approvalRequestUser = z.object({ userId: z.string() }).merge(
+const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
    email: true,
    firstName: true,
@@ -46,7 +46,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              id: z.string(),
              name: z.string(),
              approvals: z.number(),
-              approvers: z.string().array(),
+              approvers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
              secretPath: z.string().optional().nullable(),
              enforcementLevel: z.string()
            }),
@@ -54,7 +58,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
            environment: z.string(),
            reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
-            approvers: z.string().array()
+            approvers: z
+              .object({
+                userId: z.string().nullable().optional()
+              })
+              .array()
          }).array()
        })
      }
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@@ -5,6 +5,8 @@ import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";

+import { ApproverType } from "./access-approval-policy-types";
+
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;

 export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
@@ -21,6 +23,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )
      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -30,10 +33,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    return result;
  };

-  const findById = async (id: string, tx?: Knex) => {
+  const findById = async (policyId: string, tx?: Knex) => {
    try {
      const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
      });
      const formattedDoc = sqlNestRelationships({
        data: doc,
@@ -50,9 +53,18 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              id,
+              type: "user"
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: "group"
            })
          }
        ]
@@ -84,9 +96,18 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        childrenMapper: [
          {
            key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              id,
+              type: ApproverType.User
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: ApproverType.Group
            })
          }
        ]
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -7,10 +7,12 @@ import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";

+import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import { verifyApprovers } from "./access-approval-policy-fns";
 import {
+  ApproverType,
  TCreateAccessApprovalPolicy,
  TDeleteAccessApprovalPolicy,
  TGetAccessPolicyCountByEnvironmentDTO,
@@ -25,6 +27,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  groupDAL: TGroupDALFactory;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -32,6 +35,7 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyDAL,
  accessApprovalPolicyApproverDAL,
+  groupDAL,
  permissionService,
  projectEnvDAL,
  projectDAL
@@ -52,7 +56,15 @@ export const accessApprovalPolicyServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new BadRequestError({ message: "Project not found" });

-    if (approvals > approvers.length)
+    // If there is a group approver people might be added to the group later to meet the approvers quota
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id);
+
+    if (!groupApprovers && approvals > userApprovers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@@ -69,6 +81,24 @@ export const accessApprovalPolicyServiceFactory = ({
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
    if (!env) throw new BadRequestError({ message: "Environment not found" });

+    const verifyAllApprovers = userApprovers;
+    const usersPromises: Promise<
+      {
+        id: string;
+        email: string | null | undefined;
+        username: string;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        isPartOfGroup: boolean;
+      }[]
+    >[] = [];
+
+    for (const groupId of groupApprovers) {
+      usersPromises.push(groupDAL.findAllGroupMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+    }
+    const verifyGroupApprovers = (await Promise.all(usersPromises)).flat().map((user) => user.id);
+    verifyAllApprovers.push(...verifyGroupApprovers);
+
    await verifyApprovers({
      projectId: project.id,
      orgId: actorOrgId,
@@ -76,7 +106,7 @@ export const accessApprovalPolicyServiceFactory = ({
      secretPath,
      actorAuthMethod,
      permissionService,
-      userIds: approvers
+      userIds: verifyAllApprovers
    });

    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
@@ -90,13 +120,26 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        approvers.map((userId) => ({
-          approverUserId: userId,
-          policyId: doc.id
-        })),
-        tx
-      );
+      if (userApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          userApprovers.map((userId) => ({
+            approverUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return { ...accessApproval, environment: env, projectId: project.id };
@@ -138,7 +181,19 @@ export const accessApprovalPolicyServiceFactory = ({
    approvals,
    enforcementLevel
  }: TUpdateAccessApprovalPolicy) => {
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id);
+
    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    if (groupApprovers?.length === 0 && userApprovers && currentAppovals > userApprovers.length) {
+      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+    }
+
    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -161,7 +216,10 @@ export const accessApprovalPolicyServiceFactory = ({
        },
        tx
      );
-      if (approvers) {
+
+      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
+      if (userApprovers) {
        await verifyApprovers({
          projectId: accessApprovalPolicy.projectId,
          orgId: actorOrgId,
@@ -169,18 +227,52 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath: doc.secretPath!,
          actorAuthMethod,
          permissionService,
-          userIds: approvers
+          userIds: userApprovers
        });
-
-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
        await accessApprovalPolicyApproverDAL.insertMany(
-          approvers.map((userId) => ({
+          userApprovers.map((userId) => ({
            approverUserId: userId,
            policyId: doc.id
          })),
          tx
        );
      }
+
+      if (groupApprovers) {
+        const usersPromises: Promise<
+          {
+            id: string;
+            email: string | null | undefined;
+            username: string;
+            firstName: string | null | undefined;
+            lastName: string | null | undefined;
+            isPartOfGroup: boolean;
+          }[]
+        >[] = [];
+
+        for (const groupId of groupApprovers) {
+          usersPromises.push(groupDAL.findAllGroupMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+        }
+        const verifyGroupApprovers = (await Promise.all(usersPromises)).flat().map((user) => user.id);
+
+        await verifyApprovers({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: verifyGroupApprovers
+        });
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
      return doc;
    });
    return {
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@@ -13,11 +13,16 @@ export type TVerifyApprovers = {
  orgId: string;
 };

+export enum ApproverType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
  approvals: number;
  secretPath: string;
  environment: string;
-  approvers: string[];
+  approvers: { type: ApproverType; id: string }[];
  projectSlug: string;
  name: string;
  enforcementLevel: EnforcementLevel;
@@ -26,7 +31,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
  policyId: string;
  approvals?: number;
-  approvers?: string[];
+  approvers?: { type: ApproverType; id: string }[];
  secretPath?: string;
  name?: string;
  enforcementLevel?: EnforcementLevel;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@@ -39,6 +39,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.AccessApprovalPolicy}.id`,
          `${TableName.AccessApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
+        .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)

        .join<TUsers>(
          db(TableName.Users).as("requestedByUser"),
@@ -59,6 +65,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+        .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))

        .select(
          db.ref("projectId").withSchema(TableName.Environment),
@@ -142,7 +149,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            label: "reviewers" as const,
            mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => approverGroupUserId
+          }
        ]
      });

@@ -172,17 +184,28 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        `requestedByUser.id`
      )

-      .join(
+      .leftJoin(
        TableName.AccessApprovalPolicyApprover,
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )

-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("accessApprovalPolicyApproverUser"),
        `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
        "accessApprovalPolicyApproverUser.id"
      )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        "accessApprovalPolicyGroupApproverUser.id"
+      )

      .leftJoin(
        TableName.AccessApprovalRequestReviewer,
@@ -200,10 +223,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.AccessApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership),
        tx.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("accessApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
        tx.ref("firstName").withSchema("accessApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
        tx.ref("lastName").withSchema("accessApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
        tx.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
        tx.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
        tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
@@ -282,6 +310,23 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              lastName,
              username
            })
+          },
+          {
+            key: "userId",
+            label: "approvers" as const,
+            mapper: ({
+              userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
          }
        ]
      });
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -18,6 +18,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
@@ -57,6 +58,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
    TAccessApprovalRequestReviewerDALFactory,
    "create" | "find" | "findOne" | "transaction"
  >;
+  groupDAL: Pick<TGroupDALFactory, "findAllGroupMembers">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
  smtpService: Pick<TSmtpService, "sendMail">;
  userDAL: Pick<
@@ -70,6 +72,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
 export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;

 export const accessApprovalRequestServiceFactory = ({
+  groupDAL,
  projectDAL,
  projectEnvDAL,
  permissionService,
@@ -124,13 +127,36 @@ export const accessApprovalRequestServiceFactory = ({
    });
    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });

+    const approverIds: string[] = [];
+    const approverGroupIds: string[] = [];
+
    const approvers = await accessApprovalPolicyApproverDAL.find({
      policyId: policy.id
    });

+    approvers.forEach((approver) => {
+      if (approver.approverUserId) {
+        approverIds.push(approver.approverUserId);
+      } else if (approver.approverGroupId) {
+        approverGroupIds.push(approver.approverGroupId);
+      }
+    });
+
+    const groupUsers = (
+      await Promise.all(
+        approverGroupIds.map((groupApproverId) =>
+          groupDAL.findAllGroupMembers({
+            orgId: actorOrgId,
+            groupId: groupApproverId
+          })
+        )
+      )
+    ).flat();
+    approverIds.push(...groupUsers.map((user) => user.id));
+
    const approverUsers = await userDAL.find({
      $in: {
-        id: approvers.map((approver) => approver.approverUserId)
+        id: [...new Set(approverIds)]
      }
    });

--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { AuditLogsSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, stripUndefinedInWhere } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -48,47 +48,61 @@ export const auditLogDALFactory = (db: TDbClient) => {
    },
    tx?: Knex
  ) => {
+    if (!orgId && !projectId) {
+      throw new Error("Either orgId or projectId must be provided");
+    }
+
    try {
+      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .where(
-          stripUndefinedInWhere({
-            projectId,
-            [`${TableName.AuditLog}.orgId`]: orgId,
-            userAgentType
-          })
-        )
-
        .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
+        // eslint-disable-next-line func-names
+        .where(function () {
+          if (orgId) {
+            void this.where(`${TableName.Project}.orgId`, orgId).orWhere(`${TableName.AuditLog}.orgId`, orgId);
+          } else if (projectId) {
+            void this.where(`${TableName.AuditLog}.projectId`, projectId);
+          }
+        });

+      if (userAgentType) {
+        void sqlQuery.where("userAgentType", userAgentType);
+      }
+
+      // Select statements
+      void sqlQuery
        .select(selectAllTableCols(TableName.AuditLog))
-
        .select(
          db.ref("name").withSchema(TableName.Project).as("projectName"),
          db.ref("slug").withSchema(TableName.Project).as("projectSlug")
        )
-
        .limit(limit)
        .offset(offset)
        .orderBy(`${TableName.AuditLog}.createdAt`, "desc");

+      // Special case: Filter by actor ID
      if (actorId) {
        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
      }

+      // Special case: Filter by key/value pairs in eventMetadata field
      if (eventMetadata && Object.keys(eventMetadata).length) {
        Object.entries(eventMetadata).forEach(([key, value]) => {
          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
        });
      }

+      // Filter by actor type
      if (actorType) {
        void sqlQuery.where("actor", actorType);
      }

+      // Filter by event types
      if (eventType?.length) {
        void sqlQuery.whereIn("eventType", eventType);
      }

+      // Filter by date range
      if (startDate) {
        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
      }
@@ -97,13 +111,21 @@ export const auditLogDALFactory = (db: TDbClient) => {
      }
      const docs = await sqlQuery;

-      return docs.map((doc) => ({
-        ...AuditLogsSchema.parse(doc),
-        project: {
-          name: doc.projectName,
-          slug: doc.projectSlug
-        }
-      }));
+      return docs.map((doc) => {
+        // Our type system refuses to acknowledge that the project name and slug are present in the doc, due to the disjointed query structure above.
+        // This is a quick and dirty way to get around the types.
+        const projectDoc = doc as unknown as { projectName: string; projectSlug: string };
+
+        return {
+          ...AuditLogsSchema.parse(doc),
+          ...(projectDoc?.projectSlug && {
+            project: {
+              name: projectDoc.projectName,
+              slug: projectDoc.projectSlug
+            }
+          })
+        };
+      });
    } catch (error) {
      throw new DatabaseError({ error });
    }
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -24,6 +24,7 @@ export const auditLogServiceFactory = ({
  permissionService
 }: TAuditLogServiceFactoryDep) => {
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
+    // Filter logs for specific project
    if (filter.projectId) {
      const { permission } = await permissionService.getProjectPermission(
        actor,
@@ -34,6 +35,7 @@ export const auditLogServiceFactory = ({
      );
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
+      // Organization-wide logs
      const { permission } = await permissionService.getOrgPermission(
        actor,
        actorId,
@@ -44,13 +46,12 @@ export const auditLogServiceFactory = ({

      /**
       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level
+       * to the organization level ✅
       */
-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
    }

    // If project ID is not provided, then we need to return all the audit logs for the organization itself.
-
    const auditLogs = await auditLogDAL.find({
      startDate: filter.startDate,
      endDate: filter.endDate,
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@@ -1,10 +1,70 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;

 export const dynamicSecretDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
+
+  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
+  const listDynamicSecretsByFolderIds = async (
+    {
+      folderIds,
+      search,
+      limit,
+      offset = 0,
+      orderBy = SecretsOrderBy.Name,
+      orderDirection = OrderByDirection.ASC
+    }: {
+      folderIds: string[];
+      search?: string;
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
+          }
+        })
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .select(
+          selectAllTableCols(TableName.DynamicSecret),
+          db.ref("slug").withSchema(TableName.Environment).as("environment"),
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
+        )
+        .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
+
+      if (limit) {
+        const rankOffset = offset + 1;
+        return await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + limit);
+      }
+
+      const dynamicSecrets = await query;
+
+      return dynamicSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "List dynamic secret multi env" });
+    }
+  };
+
+  return { ...orm, listDynamicSecretsByFolderIds };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -6,6 +6,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";

@@ -17,9 +18,12 @@ import {
  TCreateDynamicSecretDTO,
  TDeleteDynamicSecretDTO,
  TDetailsDynamicSecretDTO,
+  TGetDynamicSecretsCountDTO,
  TListDynamicSecretsDTO,
+  TListDynamicSecretsMultiEnvDTO,
  TUpdateDynamicSecretDTO
 } from "./dynamic-secret-types";
+import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";

 type TDynamicSecretServiceFactoryDep = {
@@ -31,7 +35,7 @@ type TDynamicSecretServiceFactoryDep = {
    "pruneDynamicSecret" | "unsetLeaseRevocation"
  >;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
@@ -300,19 +304,55 @@ export const dynamicSecretServiceFactory = ({
    return { ...dynamicSecretCfg, inputs: providerInputs };
  };

-  const list = async ({
+  // get unique dynamic secret count across multiple envs
+  const getCountMultiEnv = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
    actor,
-    projectSlug,
+    projectId,
    path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    environmentSlugs,
+    search
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );

-    const projectId = project.id;
+    // verify user has access to each env in request
+    environmentSlugs.forEach((environmentSlug) =>
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      )
+    );
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new BadRequestError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { $in: { folderId: folders.map((folder) => folder.id) }, $search: search ? { name: `%${search}%` } : undefined },
+      { countDistinct: "name" }
+    );
+
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  // get dynamic secret count for a single env
+  const getDynamicSecretCount = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlug,
+    search,
+    projectId
+  }: TGetDynamicSecretsCountDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@@ -328,15 +368,127 @@ export const dynamicSecretServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder) throw new BadRequestError({ message: "Folder not found" });

-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      { count: true }
+    );
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  const listDynamicSecretsByEnv = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug,
+    limit,
+    offset,
+    orderBy,
+    orderDirection = OrderByDirection.ASC,
+    search,
+    ...params
+  }: TListDynamicSecretsDTO) => {
+    let { projectId } = params;
+
+    if (!projectId) {
+      if (!projectSlug) throw new BadRequestError({ message: "Project ID or slug required" });
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) throw new BadRequestError({ message: "Project not found" });
+      projectId = project.id;
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      {
+        limit,
+        offset,
+        sort: orderBy ? [[orderBy, orderDirection]] : undefined
+      }
+    );
    return dynamicSecretCfg;
  };

+  // get dynamic secrets for multiple envs
+  const listDynamicSecretsByFolderIds = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlugs,
+    projectId,
+    ...params
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    // verify user has access to each env in request
+    environmentSlugs.forEach((environmentSlug) =>
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+      )
+    );
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new BadRequestError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: folders.map((folder) => folder.id),
+      ...params
+    });
+
+    return dynamicSecretCfg;
+  };
+
+  const fetchAzureEntraIdUsers = async ({
+    tenantId,
+    applicationId,
+    clientSecret
+  }: {
+    tenantId: string;
+    applicationId: string;
+    clientSecret: string;
+  }) => {
+    const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
+      tenantId,
+      applicationId,
+      clientSecret
+    );
+    return azureEntraIdUsers;
+  };
+
  return {
    create,
    updateByName,
    deleteByName,
    getDetails,
-    list
+    listDynamicSecretsByEnv,
+    listDynamicSecretsByFolderIds,
+    getDynamicSecretCount,
+    getCountMultiEnv,
+    fetchAzureEntraIdUsers
  };
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 import { DynamicSecretProviderSchema } from "./providers/models";

@@ -50,5 +51,20 @@ export type TDetailsDynamicSecretDTO = {
 export type TListDynamicSecretsDTO = {
  path: string;
  environmentSlug: string;
-  projectSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsMultiEnvDTO = Omit<
+  TListDynamicSecretsDTO,
+  "projectId" | "environmentSlug" | "projectSlug"
+> & { projectId: string; environmentSlugs: string[] };
+
+export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
+  projectId: string;
+};
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@@ -0,0 +1,138 @@
+import axios from "axios";
+import { customAlphabet } from "nanoid";
+
+import { BadRequestError } from "@app/lib/errors";
+
+import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";
+
+const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
+const MSFT_LOGIN_URL = "https://login.microsoftonline.com";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+type User = { name: string; id: string; email: string };
+
+export const AzureEntraIDProvider = (): TDynamicProviderFns & {
+  fetchAzureEntraIdUsers: (tenantId: string, applicationId: string, clientSecret: string) => Promise<User[]>;
+} => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await AzureEntraIDSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getToken = async (
+    tenantId: string,
+    applicationId: string,
+    clientSecret: string
+  ): Promise<{ token?: string; success: boolean }> => {
+    const response = await axios.post<{ access_token: string }>(
+      `${MSFT_LOGIN_URL}/${tenantId}/oauth2/v2.0/token`,
+      {
+        grant_type: "client_credentials",
+        client_id: applicationId,
+        client_secret: clientSecret,
+        scope: "https://graph.microsoft.com/.default"
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (response.status === 200) {
+      return { token: response.data.access_token, success: true };
+    }
+    return { success: false };
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    return data.success;
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const password = generatePassword();
+
+    const response = await axios.patch(
+      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+      {
+        passwordProfile: {
+          forceChangePasswordNextSignIn: false,
+          password
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+    if (response.status !== 204) {
+      throw new BadRequestError({ message: "Failed to update password" });
+    }
+
+    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    // Creates a new password
+    await create(inputs);
+    return { entityId };
+  };
+
+  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
+    const data = await getToken(tenantId, applicationId, clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const response = await axios.get<{ value: [{ id: string; displayName: string; userPrincipalName: string }] }>(
+      `${MSFT_GRAPH_API_URL}/users`,
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+
+    if (response.status !== 200) {
+      throw new BadRequestError({ message: "Failed to fetch users" });
+    }
+
+    const users = response.data.value.map((user) => {
+      return {
+        name: user.displayName,
+        id: user.id,
+        email: user.userPrincipalName
+      };
+    });
+    return users;
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew,
+    fetchAzureEntraIdUsers
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -1,5 +1,6 @@
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
+import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { DynamicSecretProviders } from "./models";
@@ -18,5 +19,6 @@ export const buildDynamicSecretProviders = () => ({
  [DynamicSecretProviders.MongoAtlas]: MongoAtlasProvider(),
  [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
  [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
-  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider()
+  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -166,6 +166,14 @@ export const DynamicSecretMongoDBSchema = z.object({
    )
 });

+export const AzureEntraIDSchema = z.object({
+  tenantId: z.string().trim().min(1),
+  userId: z.string().trim().min(1),
+  email: z.string().trim().min(1),
+  applicationId: z.string().trim().min(1),
+  clientSecret: z.string().trim().min(1)
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@@ -175,7 +183,8 @@ export enum DynamicSecretProviders {
  MongoAtlas = "mongo-db-atlas",
  ElasticSearch = "elastic-search",
  MongoDB = "mongo-db",
-  RabbitMq = "rabbit-mq"
+  RabbitMq = "rabbit-mq",
+  AzureEntraID = "azure-entra-id"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -187,7 +196,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";

 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -21,6 +21,7 @@ import {
  TAddUserToGroupDTO,
  TCreateGroupDTO,
  TDeleteGroupDTO,
+  TGetGroupByIdDTO,
  TListGroupUsersDTO,
  TRemoveUserFromGroupDTO,
  TUpdateGroupDTO
@@ -29,7 +30,7 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";

 type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
-  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers">;
+  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "findById">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
  userGroupMembershipDAL: Pick<
@@ -95,7 +96,7 @@ export const groupServiceFactory = ({
  };

  const updateGroup = async ({
-    currentSlug,
+    id,
    name,
    slug,
    role,
@@ -121,8 +122,10 @@ export const groupServiceFactory = ({
        message: "Failed to update group due to plan restrictio Upgrade plan to update group."
      });

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: currentSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${currentSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id });
+    if (!group) {
+      throw new BadRequestError({ message: `Failed to find group with ID ${id}` });
+    }

    let customRole: TOrgRoles | undefined;
    if (role) {
@@ -140,8 +143,7 @@ export const groupServiceFactory = ({

    const [updatedGroup] = await groupDAL.update(
      {
-        orgId: actorOrgId,
-        slug: currentSlug
+        id: group.id
      },
      {
        name,
@@ -158,7 +160,7 @@ export const groupServiceFactory = ({
    return updatedGroup;
  };

-  const deleteGroup = async ({ groupSlug, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
+  const deleteGroup = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });

    const { permission } = await permissionService.getOrgPermission(
@@ -178,15 +180,39 @@ export const groupServiceFactory = ({
      });

    const [group] = await groupDAL.delete({
-      orgId: actorOrgId,
-      slug: groupSlug
+      id,
+      orgId: actorOrgId
    });

    return group;
  };

+  const getGroupById = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TGetGroupByIdDTO) => {
+    if (!actorOrgId) {
+      throw new BadRequestError({ message: "Failed to read group without organization" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+
+    const group = await groupDAL.findById(id);
+    if (!group) {
+      throw new NotFoundError({
+        message: `Cannot find group with ID ${id}`
+      });
+    }
+
+    return group;
+  };
+
  const listGroupUsers = async ({
-    groupSlug,
+    id,
    offset,
    limit,
    username,
@@ -208,12 +234,12 @@ export const groupServiceFactory = ({

    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+        message: `Failed to find group with ID ${id}`
      });

    const users = await groupDAL.findAllGroupMembers({
@@ -229,14 +255,7 @@ export const groupServiceFactory = ({
    return { users, totalCount: count };
  };

-  const addUserToGroup = async ({
-    groupSlug,
-    username,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TAddUserToGroupDTO) => {
+  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });

    const { permission } = await permissionService.getOrgPermission(
@@ -251,12 +270,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@@ -285,7 +304,7 @@ export const groupServiceFactory = ({
  };

  const removeUserFromGroup = async ({
-    groupSlug,
+    id,
    username,
    actor,
    actorId,
@@ -306,12 +325,12 @@ export const groupServiceFactory = ({
    // check if group with slug exists
    const group = await groupDAL.findOne({
      orgId: actorOrgId,
-      slug: groupSlug
+      id
    });

    if (!group)
      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+        message: `Failed to find group with ID ${id}`
      });

    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@@ -342,6 +361,7 @@ export const groupServiceFactory = ({
    deleteGroup,
    listGroupUsers,
    addUserToGroup,
-    removeUserFromGroup
+    removeUserFromGroup,
+    getGroupById
  };
 };
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@@ -17,7 +17,7 @@ export type TCreateGroupDTO = {
 } & TGenericPermission;

 export type TUpdateGroupDTO = {
-  currentSlug: string;
+  id: string;
 } & Partial<{
  name: string;
  slug: string;
@@ -26,23 +26,27 @@ export type TUpdateGroupDTO = {
  TGenericPermission;

 export type TDeleteGroupDTO = {
-  groupSlug: string;
+  id: string;
+} & TGenericPermission;
+
+export type TGetGroupByIdDTO = {
+  id: string;
 } & TGenericPermission;

 export type TListGroupUsersDTO = {
-  groupSlug: string;
+  id: string;
  offset: number;
  limit: number;
  username?: string;
 } & TGenericPermission;

 export type TAddUserToGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

 export type TRemoveUserFromGroupDTO = {
-  groupSlug: string;
+  id: string;
  username: string;
 } & TGenericPermission;

--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -25,7 +25,8 @@ export enum OrgPermissionSubjects {
  SecretScanning = "secret-scanning",
  Identity = "identity",
  Kms = "kms",
-  AdminConsole = "organization-admin-console"
+  AdminConsole = "organization-admin-console",
+  AuditLogs = "audit-logs"
 }

 export type OrgPermissionSet =
@@ -43,6 +44,7 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionActions, OrgPermissionSubjects.Identity]
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];

 const buildAdminPermission = () => {
@@ -111,6 +113,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
+
  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);

  return rules;
@@ -140,6 +147,8 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+
  return rules;
 };

--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -346,7 +346,7 @@ export const permissionServiceFactory = ({
    const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
    if (isCustomRole) {
      const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
-      if (!projectRole) throw new BadRequestError({ message: "Role not found" });
+      if (!projectRole) throw new BadRequestError({ message: `Role not found: ${role}` });
      return {
        permission: buildProjectPermission([
          { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -145,6 +145,8 @@ export const fullProjectPermissionSet: [ProjectPermissionActions, ProjectPermiss
  [ProjectPermissionActions.Edit, ProjectPermissionSub.Tags],
  [ProjectPermissionActions.Delete, ProjectPermissionSub.Tags],

+  // TODO(Daniel): Remove the audit logs permissions from project-level permissions.
+  // TODO: We haven't done this yet because it might break existing roles, since those roles will become "invalid" since the audit log permission defined on those roles, no longer exist in the project-level defined permissions.
  [ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs],
  [ProjectPermissionActions.Create, ProjectPermissionSub.AuditLogs],
  [ProjectPermissionActions.Edit, ProjectPermissionSub.AuditLogs],
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
@@ -1,10 +1,12 @@
 import { Knex } from "knex";

 import { TDbClient } from "@app/db";
-import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies } from "@app/db/schemas";
+import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;

 export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
@@ -20,14 +22,29 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalPolicy}.id`,
        `${TableName.SecretApprovalPolicyApprover}.policyId`
      )
-
-      .leftJoin(TableName.Users, `${TableName.SecretApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyApproverUser"),
+        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
+        "secretApprovalPolicyApproverUser.id"
+      )
+      .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
      .select(
-        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("email").withSchema(TableName.Users).as("approverEmail"),
-        tx.ref("firstName").withSchema(TableName.Users).as("approverFirstName"),
-        tx.ref("lastName").withSchema(TableName.Users).as("approverLastName")
+        tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
+        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName")
+      )
+      .select(
+        tx.ref("approverGroupId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+        tx.ref("email").withSchema(TableName.Users).as("approverGroupEmail"),
+        tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
+        tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
      )
      .select(
        tx.ref("name").withSchema(TableName.Environment).as("envName"),
@@ -55,11 +72,31 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "userApprovers" as const,
-            mapper: ({ approverUserId, approverEmail, approverFirstName, approverLastName }) => ({
-              userId: approverUserId,
-              email: approverEmail,
-              firstName: approverFirstName,
-              lastName: approverLastName
+            mapper: ({
+              approverUserId: userId,
+              approverEmail: email,
+              approverFirstName: firstName,
+              approverLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupFirstName: firstName,
+              approverGroupLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
            })
          }
        ]
@@ -83,11 +120,34 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
          ...SecretApprovalPoliciesSchema.parse(data)
        }),
        childrenMapper: [
+          {
+            key: "approverUserId",
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              type: ApproverType.User,
+              id
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              type: ApproverType.Group,
+              id
+            })
+          },
          {
            key: "approverUserId",
            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            mapper: ({ approverUserId: userId }) => ({
+              userId
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({ approverGroupUserId: userId }) => ({
+              userId
            })
          }
        ]
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -8,6 +8,7 @@ import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
@@ -54,7 +55,14 @@ export const secretApprovalPolicyServiceFactory = ({
    environment,
    enforcementLevel
  }: TCreateSapDTO) => {
-    if (approvals > approvers.length)
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id);
+
+    if (!groupApprovers && approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

    const { permission } = await permissionService.getProjectPermission(
@@ -91,13 +99,22 @@ export const secretApprovalPolicyServiceFactory = ({
        },
        tx
      );
+
      await secretApprovalPolicyApproverDAL.insertMany(
-        approvers.map((approverUserId) => ({
+        userApprovers.map((approverUserId) => ({
          approverUserId,
          policyId: doc.id
        })),
        tx
      );
+
+      await secretApprovalPolicyApproverDAL.insertMany(
+        groupApprovers.map((approverGroupId) => ({
+          approverGroupId,
+          policyId: doc.id
+        })),
+        tx
+      );
      return doc;
    });
    return { ...secretApproval, environment: env, projectId };
@@ -115,6 +132,13 @@ export const secretApprovalPolicyServiceFactory = ({
    secretPolicyId,
    enforcementLevel
  }: TUpdateSapDTO) => {
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id);
+
    const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
    if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });

@@ -146,16 +170,28 @@ export const secretApprovalPolicyServiceFactory = ({
        },
        tx
      );
+
+      await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
      if (approvers) {
-        await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
        await secretApprovalPolicyApproverDAL.insertMany(
-          approvers.map((approverUserId) => ({
+          userApprovers.map((approverUserId) => ({
            approverUserId,
            policyId: doc.id
          })),
          tx
        );
      }
+
+      if (groupApprovers) {
+        await secretApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((approverGroupId) => ({
+            approverGroupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
      return doc;
    });
    return {
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
@@ -1,10 +1,12 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";

+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TCreateSapDTO = {
  approvals: number;
  secretPath?: string | null;
  environment: string;
-  approvers: string[];
+  approvers: { type: ApproverType; id: string }[];
  projectId: string;
  name: string;
  enforcementLevel: EnforcementLevel;
@@ -14,7 +16,7 @@ export type TUpdateSapDTO = {
  secretPolicyId: string;
  approvals?: number;
  secretPath?: string | null;
-  approvers: string[];
+  approvers: { type: ApproverType; id: string }[];
  name?: string;
  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -48,16 +48,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalRequest}.committerUserId`,
        `committerUser.id`
      )
-      .join(
+      .leftJoin(
        TableName.SecretApprovalPolicyApprover,
        `${TableName.SecretApprovalPolicy}.id`,
        `${TableName.SecretApprovalPolicyApprover}.policyId`
      )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("secretApprovalPolicyApproverUser"),
        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
        "secretApprovalPolicyApproverUser.id"
      )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        `secretApprovalPolicyGroupApproverUser.id`
+      )
      .leftJoin(
        TableName.SecretApprovalRequestReviewer,
        `${TableName.SecretApprovalRequest}.id`,
@@ -71,10 +81,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
      .select(selectAllTableCols(TableName.SecretApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
        tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
        tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
        tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
        tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
        tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@@ -152,13 +167,30 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            key: "approverUserId",
            label: "approvers" as const,
            mapper: ({
-              approverUserId,
+              approverUserId: userId,
              approverEmail: email,
              approverUsername: username,
              approverLastName: lastName,
              approverFirstName: firstName
            }) => ({
-              userId: approverUserId,
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverGroupFirstName: firstName
+            }) => ({
+              userId,
              email,
              firstName,
              lastName,
@@ -236,11 +268,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalRequest}.policyId`,
          `${TableName.SecretApprovalPolicy}.id`
        )
-        .join(
+        .leftJoin(
          TableName.SecretApprovalPolicyApprover,
          `${TableName.SecretApprovalPolicy}.id`,
          `${TableName.SecretApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
        .join<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -269,6 +306,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            void bd
              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
        )
        .select(selectAllTableCols(TableName.SecretApprovalRequest))
        .select(
@@ -289,6 +327,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
          db.ref("email").withSchema("committerUser").as("committerUserEmail"),
          db.ref("username").withSchema("committerUser").as("committerUserUsername"),
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -334,7 +373,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
          },
          {
            key: "commitId",
@@ -344,6 +383,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              id,
              secretId
            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
          }
        ]
      });
@@ -371,11 +415,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalRequest}.policyId`,
          `${TableName.SecretApprovalPolicy}.id`
        )
-        .join(
+        .leftJoin(
          TableName.SecretApprovalPolicyApprover,
          `${TableName.SecretApprovalPolicy}.id`,
          `${TableName.SecretApprovalPolicyApprover}.policyId`
        )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
        .join<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -404,6 +453,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            void bd
              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
        )
        .select(selectAllTableCols(TableName.SecretApprovalRequest))
        .select(
@@ -424,6 +474,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
          db.ref("email").withSchema("committerUser").as("committerUserEmail"),
          db.ref("username").withSchema("committerUser").as("committerUserUsername"),
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -469,7 +520,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          {
            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
          },
          {
            key: "commitId",
@@ -479,6 +530,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              id,
              secretId
            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({
+              userId: approverGroupUserId
+            })
          }
        ]
      });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -447,8 +447,8 @@ export const secretApprovalRequestServiceFactory = ({
    );
    const hasMinApproval =
      secretApprovalRequest.policy.approvals <=
-      secretApprovalRequest.policy.approvers.filter(
-        ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
+      secretApprovalRequest.policy.approvers.filter(({ userId: approverId }) =>
+        approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
      ).length;
    const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;

@@ -805,7 +805,7 @@ export const secretApprovalRequestServiceFactory = ({
      const requestedByUser = await userDAL.findOne({ id: actorId });
      const approverUsers = await userDAL.find({
        $in: {
-          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
+          id: policy.approvers.map((approver: { userId: string | null | undefined }) => approver.userId!)
        }
      });

--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -5,26 +5,27 @@ export const GROUPS = {
    role: "The role of the group to create."
  },
  UPDATE: {
-    currentSlug: "The current slug of the group to update.",
+    id: "The id of the group to update",
    name: "The new name of the group to update to.",
    slug: "The new slug of the group to update to.",
    role: "The new role of the group to update to."
  },
  DELETE: {
+    id: "The id of the group to delete",
    slug: "The slug of the group to delete"
  },
  LIST_USERS: {
-    slug: "The slug of the group to list users for",
+    id: "The id of the group to list users for",
    offset: "The offset to start from. If you enter 10, it will start from the 10th user.",
    limit: "The number of users to return.",
    username: "The username to search for."
  },
  ADD_USER: {
-    slug: "The slug of the group to add the user to.",
+    id: "The id of the group to add the user to.",
    username: "The username of the user to add to the group."
  },
  DELETE_USER: {
-    slug: "The slug of the group to remove the user from.",
+    id: "The id of the group to remove the user from.",
    username: "The username of the user to remove from the group."
  }
 } as const;
@@ -409,21 +410,21 @@ export const PROJECTS = {
    secretSnapshotId: "The ID of the snapshot to rollback to."
  },
  ADD_GROUP_TO_PROJECT: {
-    projectSlug: "The slug of the project to add the group to.",
-    groupSlug: "The slug of the group to add to the project.",
+    projectId: "The ID of the project to add the group to.",
+    groupId: "The ID of the group to add to the project.",
    role: "The role for the group to assume in the project."
  },
  UPDATE_GROUP_IN_PROJECT: {
-    projectSlug: "The slug of the project to update the group in.",
-    groupSlug: "The slug of the group to update in the project.",
+    projectId: "The ID of the project to update the group in.",
+    groupId: "The ID of the group to update in the project.",
    roles: "A list of roles to update the group to."
  },
  REMOVE_GROUP_FROM_PROJECT: {
-    projectSlug: "The slug of the project to delete the group from.",
-    groupSlug: "The slug of the group to delete from the project."
+    projectId: "The ID of the project to delete the group from.",
+    groupId: "The ID of the group to delete from the project."
  },
  LIST_GROUPS_IN_PROJECT: {
-    projectSlug: "The slug of the project to list groups for."
+    projectId: "The ID of the project to list groups for."
  },
  LIST_INTEGRATION: {
    workspaceId: "The ID of the project to list integrations for."
@@ -697,11 +698,46 @@ export const SECRET_IMPORTS = {
  }
 } as const;

+export const DASHBOARD = {
+  SECRET_OVERVIEW_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environments:
+      "The slugs of the environments to list secrets/folders from (comma separated, ie 'environments=dev,staging,prod').",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  },
+  SECRET_DETAILS_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environment: "The slug of the environment to list secrets/folders from.",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    tags: "The tags to filter secrets by (comma separated, ie 'tags=billing,engineering').",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeImports: "Whether to include project secret imports in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  }
+} as const;
+
 export const AUDIT_LOGS = {
  EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
+    projectId:
+      "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
    eventType: "The type of the event to export.",
    userAgentType: "Choose which consuming application to export audit logs for.",
+    eventMetadata:
+      "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
    startDate: "The date to start the export from.",
    endDate: "The date to end the export at.",
    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
--- a/backend/src/lib/fn/string.ts
+++ b/backend/src/lib/fn/string.ts
@@ -9,3 +9,8 @@ export const removeTrailingSlash = (str: string) => {

  return str.endsWith("/") ? str.slice(0, -1) : str;
 };
+
+export const prefixWithSlash = (str: string) => {
+  if (str.startsWith("/")) return str;
+  return `/${str}`;
+};
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@@ -51,11 +51,17 @@ export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean
      : unknown)
 >;

-export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
+export type TFindOpt<
+  R extends object = object,
+  TCount extends boolean = boolean,
+  TCountDistinct extends keyof R | undefined = undefined
+> = {
  limit?: number;
  offset?: number;
  sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
+  groupBy?: keyof R;
  count?: TCount;
+  countDistinct?: TCountDistinct;
  tx?: Knex;
 };

@@ -86,13 +92,18 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
      throw new DatabaseError({ error, name: "Find one" });
    }
  },
-  find: async <TCount extends boolean = false>(
+  find: async <
+    TCount extends boolean = false,
+    TCountDistinct extends keyof Tables[Tname]["base"] | undefined = undefined
+  >(
    filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
+    { offset, limit, sort, count, tx, countDistinct }: TFindOpt<Tables[Tname]["base"], TCount, TCountDistinct> = {}
  ) => {
    try {
      const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
-      if (count) {
+      if (countDistinct) {
+        void query.countDistinct(countDistinct);
+      } else if (count) {
        void query.select(db.raw("COUNT(*) OVER() AS count"));
        void query.select("*");
      }
@@ -101,7 +112,8 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
      if (sort) {
        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
      }
-      const res = (await query) as TFindReturn<typeof query, TCount>;
+
+      const res = (await query) as TFindReturn<typeof query, TCountDistinct extends undefined ? TCount : true>;
      return res;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find one" });
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -7,7 +7,11 @@ import {
  TScanFullRepoEventPayload,
  TScanPushEventPayload
 } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
-import { TSyncSecretsDTO } from "@app/services/secret/secret-types";
+import {
+  TFailedIntegrationSyncEmailsPayload,
+  TIntegrationSyncPayload,
+  TSyncSecretsDTO
+} from "@app/services/secret/secret-types";

 export enum QueueName {
  SecretRotation = "secret-rotation",
@@ -42,6 +46,7 @@ export enum QueueJobs {
  SecWebhook = "secret-webhook-trigger",
  TelemetryInstanceStats = "telemetry-self-hosted-stats",
  IntegrationSync = "secret-integration-pull",
+  SendFailedIntegrationSyncEmails = "send-failed-integration-sync-emails",
  SecretScan = "secret-scan",
  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
  DynamicSecretRevocation = "dynamic-secret-revocation",
@@ -88,18 +93,26 @@ export type TQueueJobTypes = {
    name: QueueJobs.SecWebhook;
    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
-  [QueueName.IntegrationSync]: {
-    name: QueueJobs.IntegrationSync;
-    payload: {
-      isManual?: boolean;
-      actorId?: string;
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
-  };
+
+  [QueueName.AccessTokenStatusUpdate]:
+    | {
+        name: QueueJobs.IdentityAccessTokenStatusUpdate;
+        payload: { identityAccessTokenId: string; numberOfUses: number };
+      }
+    | {
+        name: QueueJobs.ServiceTokenStatusUpdate;
+        payload: { serviceTokenId: string };
+      };
+
+  [QueueName.IntegrationSync]:
+    | {
+        name: QueueJobs.IntegrationSync;
+        payload: TIntegrationSyncPayload;
+      }
+    | {
+        name: QueueJobs.SendFailedIntegrationSyncEmails;
+        payload: TFailedIntegrationSyncEmailsPayload;
+      };
  [QueueName.SecretFullRepoScan]: {
    name: QueueJobs.SecretScan;
    payload: TScanFullRepoEventPayload;
@@ -153,15 +166,6 @@ export type TQueueJobTypes = {
    name: QueueJobs.ProjectV3Migration;
    payload: { projectId: string };
  };
-  [QueueName.AccessTokenStatusUpdate]:
-    | {
-        name: QueueJobs.IdentityAccessTokenStatusUpdate;
-        payload: { identityAccessTokenId: string; numberOfUses: number };
-      }
-    | {
-        name: QueueJobs.ServiceTokenStatusUpdate;
-        payload: { serviceTokenId: string };
-      };
 };

 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -923,6 +923,7 @@ export const registerRoutes = async (
  const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
    accessApprovalPolicyDAL,
    accessApprovalPolicyApproverDAL,
+    groupDAL,
    permissionService,
    projectEnvDAL,
    projectMembershipDAL,
@@ -942,7 +943,8 @@ export const registerRoutes = async (
    smtpService,
    accessApprovalPolicyApproverDAL,
    projectSlackConfigDAL,
-    kmsService
+    kmsService,
+    groupDAL
  });

  const secretReplicationService = secretReplicationServiceFactory({
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -74,7 +74,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    schema: {
      description: "Get all audit logs for an organization",
      querystring: z.object({
-        projectId: z.string().optional(),
+        projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
        actorType: z.nativeEnum(ActorType).optional(),
        // eventType is split with , for multiple values, we need to transform it to array
        eventType: z
@@ -102,7 +102,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
              },
              {} as Record<string, string>
            );
-          }),
+          })
+          .describe(AUDIT_LOGS.EXPORT.eventMetadata),
        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
@@ -120,10 +121,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                event: z.object({
                  type: z.string(),
                  metadata: z.any()
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
+import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,9 +26,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
        name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.directory)
      }),
      response: {
        200: z.object({
@@ -86,9 +98,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
        name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.directory)
      }),
      response: {
        200: z.object({
@@ -147,7 +171,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
            id: z.string().describe(FOLDERS.UPDATE.folderId),
            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
            name: z.string().trim().describe(FOLDERS.UPDATE.name),
-            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+            path: z
+              .string()
+              .trim()
+              .default("/")
+              .transform(prefixWithSlash)
+              .transform(removeTrailingSlash)
+              .describe(FOLDERS.UPDATE.path)
          })
          .array()
          .min(1)
@@ -211,9 +241,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      body: z.object({
        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.path),
        // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.directory)
      }),
      response: {
        200: z.object({
@@ -267,9 +309,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      querystring: z.object({
        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
        environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.directory)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@@ -8,6 +8,7 @@ import {
  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -15,8 +16,11 @@ import { ProjectUserMembershipTemporaryMode } from "@app/services/project-member
 export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Add group to project",
      security: [
@@ -25,17 +29,39 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupSlug)
-      }),
-      body: z.object({
-        role: z
-          .string()
-          .trim()
-          .min(1)
-          .default(ProjectMembershipRole.NoAccess)
-          .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role)
+        projectId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupId)
      }),
+      body: z
+        .object({
+          role: z
+            .string()
+            .trim()
+            .min(1)
+            .default(ProjectMembershipRole.NoAccess)
+            .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role),
+          roles: z
+            .array(
+              z.union([
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(false).default(false)
+                }),
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(true),
+                  temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                  temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                  temporaryAccessStartTime: z.string().datetime()
+                })
+              ])
+            )
+            .optional()
+        })
+        .refine((data) => data.role || data.roles, {
+          message: "Either role or roles must be present",
+          path: ["role", "roles"]
+        }),
      response: {
        200: z.object({
          groupMembership: GroupProjectMembershipsSchema
@@ -48,17 +74,18 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
-        role: req.body.role
+        roles: req.body.roles || [{ role: req.body.role }],
+        projectId: req.params.projectId,
+        groupId: req.params.groupId
      });
+
      return { groupMembership };
    }
  });

  server.route({
    method: "PATCH",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update group in project",
@@ -68,8 +95,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupId)
      }),
      body: z.object({
        roles: z
@@ -103,18 +130,22 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
+        projectId: req.params.projectId,
+        groupId: req.params.groupId,
        roles: req.body.roles
      });
+
      return { roles };
    }
  });

  server.route({
    method: "DELETE",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      description: "Remove group from project",
      security: [
@@ -123,8 +154,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupId)
      }),
      response: {
        200: z.object({
@@ -138,17 +169,21 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug
+        groupId: req.params.groupId,
+        projectId: req.params.projectId
      });
+
      return { groupMembership };
    }
  });

  server.route({
    method: "GET",
-    url: "/:projectSlug/groups",
+    url: "/:projectId/groups",
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      description: "Return list of groups in project",
      security: [
@@ -157,7 +192,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectSlug)
+        projectId: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectId)
      }),
      response: {
        200: z.object({
@@ -193,9 +228,67 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        projectSlug: req.params.projectSlug
+        projectId: req.params.projectId
      });
+
      return { groupMemberships };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/groups/:groupId",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Return project group",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim(),
+        groupId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          groupMembership: z.object({
+            id: z.string(),
+            groupId: z.string(),
+            createdAt: z.date(),
+            updatedAt: z.date(),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            ),
+            group: GroupsSchema.pick({ name: true, id: true, slug: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMembership = await server.services.groupProject.getGroupInProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { groupMembership };
+    }
+  });
 };
--- a/backend/src/server/routes/v3/dashboard-router.ts
+++ b/backend/src/server/routes/v3/dashboard-router.ts
@@ -0,0 +1,612 @@
+import { z } from "zod";
+
+import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
+import { DASHBOARD } from "@app/lib/api-docs";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { OrderByDirection } from "@app/lib/types";
+import { secretsLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { getUserAgentType } from "@app/server/plugins/audit-log";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+export const registerDashboardRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/secrets-overview",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets overview",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.projectId),
+        environments: z
+          .string()
+          .trim()
+          .transform(decodeURIComponent)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.environments),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_OVERVIEW_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_OVERVIEW_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.search).optional(),
+        includeSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeSecrets),
+        includeFolders: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeFolders),
+        includeDynamicSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeDynamicSecrets)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.extend({ environment: z.string() }).array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.extend({ environment: z.string() }).array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets
+      } = req.query;
+
+      const environments = req.query.environments.split(",");
+
+      if (!projectId || environments.length === 0)
+        throw new BadRequestError({ message: "Missing workspace id or environment(s)" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFoldersMultiEnv>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRawMultiEnv>> | undefined;
+      let dynamicSecrets:
+        | Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByFolderIds>>
+        | undefined;
+
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeFolders) {
+        // this is the unique count, ie duplicate folders across envs only count as 1
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId: req.query.projectId,
+          path: secretPath,
+          environments,
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFoldersMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environments,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          // get the count of unique folder names to properly adjust remaining limit
+          const uniqueFolderCount = new Set(folders.map((folder) => folder.name)).size;
+
+          remainingLimit -= uniqueFolderCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      if (includeDynamicSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          search,
+          environmentSlugs: environments,
+          path: secretPath
+        });
+
+        if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByFolderIds({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            orderBy,
+            orderDirection,
+            environmentSlugs: environments,
+            path: secretPath,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          // get the count of unique dynamic secret names to properly adjust remaining limit
+          const uniqueDynamicSecretsCount = new Set(dynamicSecrets.map((dynamicSecret) => dynamicSecret.name)).size;
+
+          remainingLimit -= uniqueDynamicSecretsCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+        }
+      }
+
+      if (includeSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalSecretCount = await server.services.secret.getSecretsCountMultiEnv({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId,
+          environments,
+          actorAuthMethod: req.permission.authMethod,
+          projectId,
+          path: secretPath,
+          search
+        });
+
+        if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+          secrets = await server.services.secret.getSecretsRawMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environments,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          for await (const environment of environments) {
+            const secretCountFromEnv = secrets.filter((secret) => secret.environment === environment).length;
+
+            if (secretCountFromEnv) {
+              await server.services.auditLog.createAuditLog({
+                projectId,
+                ...req.auditLogInfo,
+                event: {
+                  type: EventType.GET_SECRETS,
+                  metadata: {
+                    environment,
+                    secretPath,
+                    numberOfSecrets: secretCountFromEnv
+                  }
+                }
+              });
+
+              if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+                await server.services.telemetry.sendPostHogEvents({
+                  event: PostHogEventTypes.SecretPulled,
+                  distinctId: getTelemetryDistinctId(req),
+                  properties: {
+                    numberOfSecrets: secretCountFromEnv,
+                    workspaceId: projectId,
+                    environment,
+                    secretPath,
+                    channel: getUserAgentType(req.headers["user-agent"]),
+                    ...req.auditLogInfo
+                  }
+                });
+              }
+            }
+          }
+        }
+      }
+
+      return {
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount: (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/secrets-details",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets details",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.projectId),
+        environment: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_DETAILS_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_DETAILS_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.search).optional(),
+        tags: z.string().trim().transform(decodeURIComponent).describe(DASHBOARD.SECRET_DETAILS_LIST.tags).optional(),
+        includeSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
+        includeFolders: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
+        includeDynamicSecrets: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
+        includeImports: z.coerce
+          .boolean()
+          .optional()
+          .default(true)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeImports)
+      }),
+      response: {
+        200: z.object({
+          imports: SecretImportsSchema.omit({ importEnv: true })
+            .extend({
+              importEnv: z.object({ name: z.string(), slug: z.string(), id: z.string() })
+            })
+            .array()
+            .optional(),
+          folders: SecretFoldersSchema.array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalImportCount: z.number().optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        environment,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets,
+        includeImports
+      } = req.query;
+
+      if (!projectId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      const tags = req.query.tags?.split(",") ?? [];
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let imports: Awaited<ReturnType<typeof server.services.secretImport.getImports>> | undefined;
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFolders>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"] | undefined;
+      let dynamicSecrets: Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnv>> | undefined;
+
+      let totalImportCount: number | undefined;
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeImports) {
+        totalImportCount = await server.services.secretImport.getProjectImportCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          environment,
+          path: secretPath,
+          search
+        });
+
+        if (remainingLimit > 0 && totalImportCount > adjustedOffset) {
+          imports = await server.services.secretImport.getImports({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId: req.query.projectId,
+            event: {
+              type: EventType.GET_SECRET_IMPORTS,
+              metadata: {
+                environment,
+                folderId: imports?.[0]?.folderId,
+                numberOfImports: imports.length
+              }
+            }
+          });
+
+          remainingLimit -= imports.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
+        }
+      }
+
+      if (includeFolders) {
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          path: secretPath,
+          environments: [environment],
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFolders({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          remainingLimit -= folders.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      if (includeDynamicSecrets) {
+        totalDynamicSecretCount = await server.services.dynamicSecret.getDynamicSecretCount({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          search,
+          environmentSlug: environment,
+          path: secretPath
+        });
+
+        if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnv({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            orderBy,
+            orderDirection,
+            environmentSlug: environment,
+            path: secretPath,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          remainingLimit -= dynamicSecrets.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+        }
+      }
+
+      if (includeSecrets) {
+        totalSecretCount = await server.services.secret.getSecretsCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId,
+          environment,
+          actorAuthMethod: req.permission.authMethod,
+          projectId,
+          path: secretPath,
+          search,
+          tagSlugs: tags
+        });
+
+        if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+          const secretsRaw = await server.services.secret.getSecretsRaw({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environment,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset,
+            tagSlugs: tags
+          });
+
+          secrets = secretsRaw.secrets;
+
+          await server.services.auditLog.createAuditLog({
+            projectId,
+            ...req.auditLogInfo,
+            event: {
+              type: EventType.GET_SECRETS,
+              metadata: {
+                environment,
+                secretPath,
+                numberOfSecrets: secrets.length
+              }
+            }
+          });
+
+          if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+            await server.services.telemetry.sendPostHogEvents({
+              event: PostHogEventTypes.SecretPulled,
+              distinctId: getTelemetryDistinctId(req),
+              properties: {
+                numberOfSecrets: secrets.length,
+                workspaceId: projectId,
+                environment,
+                secretPath,
+                channel: getUserAgentType(req.headers["user-agent"]),
+                ...req.auditLogInfo
+              }
+            });
+          }
+        }
+      }
+
+      return {
+        imports,
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalImportCount,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount:
+          (totalImportCount ?? 0) + (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+};
--- a/backend/src/server/routes/v3/index.ts
+++ b/backend/src/server/routes/v3/index.ts
@@ -1,3 +1,4 @@
+import { registerDashboardRouter } from "./dashboard-router";
 import { registerLoginRouter } from "./login-router";
 import { registerSecretBlindIndexRouter } from "./secret-blind-index-router";
 import { registerSecretRouter } from "./secret-router";
@@ -10,4 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
  await server.register(registerUserRouter, { prefix: "/users" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
+  await server.register(registerDashboardRouter, { prefix: "/dashboard" });
 };
--- a/backend/src/services/group-project/group-project-dal.ts
+++ b/backend/src/services/group-project/group-project-dal.ts
@@ -10,10 +10,15 @@ export type TGroupProjectDALFactory = ReturnType<typeof groupProjectDALFactory>;
 export const groupProjectDALFactory = (db: TDbClient) => {
  const groupProjectOrm = ormify(db, TableName.GroupProjectMembership);

-  const findByProjectId = async (projectId: string, tx?: Knex) => {
+  const findByProjectId = async (projectId: string, filter?: { groupId?: string }, tx?: Knex) => {
    try {
      const docs = await (tx || db.replicaNode())(TableName.GroupProjectMembership)
        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .where((qb) => {
+          if (filter?.groupId) {
+            void qb.where(`${TableName.Groups}.id`, "=", filter.groupId);
+          }
+        })
        .join(TableName.Groups, `${TableName.GroupProjectMembership}.groupId`, `${TableName.Groups}.id`)
        .join(
          TableName.GroupProjectMembershipRole,
--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@@ -7,7 +7,7 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";

 import { TGroupDALFactory } from "../../ee/services/group/group-dal";
@@ -22,6 +22,7 @@ import { TGroupProjectMembershipRoleDALFactory } from "./group-project-membershi
 import {
  TCreateProjectGroupDTO,
  TDeleteProjectGroupDTO,
+  TGetGroupInProjectDTO,
  TListProjectGroupDTO,
  TUpdateProjectGroupDTO
 } from "./group-project-types";
@@ -33,7 +34,7 @@ type TGroupProjectServiceFactoryDep = {
    "create" | "transaction" | "insertMany" | "delete"
  >;
  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembersNotInProject">;
-  projectDAL: Pick<TProjectDALFactory, "findOne" | "findProjectGhostUser">;
+  projectDAL: Pick<TProjectDALFactory, "findOne" | "findProjectGhostUser" | "findById">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany" | "transaction">;
  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
  projectBotDAL: TProjectBotDALFactory;
@@ -55,19 +56,17 @@ export const groupProjectServiceFactory = ({
  permissionService
 }: TGroupProjectServiceFactoryDep) => {
  const addGroupToProject = async ({
-    groupSlug,
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
-    projectSlug,
-    role
+    roles,
+    projectId,
+    groupId
  }: TCreateProjectGroupDTO) => {
-    const project = await projectDAL.findOne({
-      slug: projectSlug
-    });
+    const project = await projectDAL.findById(projectId);

-    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+    if (!project) throw new BadRequestError({ message: `Failed to find project with ID ${projectId}` });
    if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });

    const { permission } = await permissionService.getProjectPermission(
@@ -79,25 +78,51 @@ export const groupProjectServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with ID ${groupId}` });

    const existingGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
    if (existingGroup)
      throw new BadRequestError({
-        message: `Group with slug ${groupSlug} already exists in project with id ${project.id}`
+        message: `Group with ID ${groupId} already exists in project with id ${project.id}`
      });

-    const { permission: rolePermission, role: customRole } = await permissionService.getProjectPermissionByRole(
-      role,
-      project.id
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        project.id
+      );
+
+      const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPrivileges) {
+        throw new ForbiddenRequestError({ message: "Failed to assign group to a more privileged role" });
+      }
+    }
+
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
    );
-    const hasPrivilege = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasPrivilege)
-      throw new ForbiddenRequestError({
-        message: "Failed to add group to project with more privileged role"
+    const hasCustomRole = Boolean(customInputRoles.length);
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId: project.id,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+
+    if (customRoles.length !== customInputRoles.length) {
+      const customRoleSlugs = customRoles.map((customRole) => customRole.slug);
+      const missingInputRoles = customInputRoles
+        .filter((inputRole) => !customRoleSlugs.includes(inputRole.role))
+        .map((role) => role.role);
+
+      throw new NotFoundError({
+        message: `Custom role/s not found: ${missingInputRoles.join(", ")}`
      });
-    const isCustomRole = Boolean(customRole);
+    }
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);

    const projectGroup = await groupProjectDAL.transaction(async (tx) => {
      const groupProjectMembership = await groupProjectDAL.create(
@@ -108,14 +133,31 @@ export const groupProjectServiceFactory = ({
        tx
      );

-      await groupProjectMembershipRoleDAL.create(
-        {
+      const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
+        const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+        if (!inputRole.isTemporary) {
+          return {
+            projectMembershipId: groupProjectMembership.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+            customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+          };
+        }
+
+        // check cron or relative here later for now its just relative
+        const relativeTimeInMs = ms(inputRole.temporaryRange);
+        return {
          projectMembershipId: groupProjectMembership.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          customRoleId: customRole?.id
-        },
-        tx
-      );
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+          isTemporary: true,
+          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+          temporaryRange: inputRole.temporaryRange,
+          temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+          temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+        };
+      });
+
+      await groupProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);

      // share project key with users in group that have not
      // individually been added to the project and that are not part of
@@ -183,19 +225,17 @@ export const groupProjectServiceFactory = ({
  };

  const updateGroupInProject = async ({
-    projectSlug,
-    groupSlug,
+    projectId,
+    groupId,
    roles,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TUpdateProjectGroupDTO) => {
-    const project = await projectDAL.findOne({
-      slug: projectSlug
-    });
+    const project = await projectDAL.findById(projectId);

-    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+    if (!project) throw new BadRequestError({ message: `Failed to find project with ID ${projectId}` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -206,11 +246,24 @@ export const groupProjectServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with ID ${groupId}` });

    const projectGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
-    if (!projectGroup) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    if (!projectGroup) throw new BadRequestError({ message: `Failed to find group with ID ${groupId}` });
+
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        project.id
+      );
+
+      const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPrivileges) {
+        throw new ForbiddenRequestError({ message: "Failed to assign group to a more privileged role" });
+      }
+    }

    // validate custom roles input
    const customInputRoles = roles.filter(
@@ -223,7 +276,16 @@ export const groupProjectServiceFactory = ({
          $in: { slug: customInputRoles.map(({ role }) => role) }
        })
      : [];
-    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+    if (customRoles.length !== customInputRoles.length) {
+      const customRoleSlugs = customRoles.map((customRole) => customRole.slug);
+      const missingInputRoles = customInputRoles
+        .filter((inputRole) => !customRoleSlugs.includes(inputRole.role))
+        .map((role) => role.role);
+
+      throw new NotFoundError({
+        message: `Custom role/s not found: ${missingInputRoles.join(", ")}`
+      });
+    }

    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);

@@ -260,24 +322,22 @@ export const groupProjectServiceFactory = ({
  };

  const removeGroupFromProject = async ({
-    projectSlug,
-    groupSlug,
+    projectId,
+    groupId,
    actorId,
    actor,
    actorOrgId,
    actorAuthMethod
  }: TDeleteProjectGroupDTO) => {
-    const project = await projectDAL.findOne({
-      slug: projectSlug
-    });
+    const project = await projectDAL.findById(projectId);

-    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+    if (!project) throw new BadRequestError({ message: `Failed to find project with ID ${projectId}` });

-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with ID ${groupId}` });

    const groupProjectMembership = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
-    if (!groupProjectMembership) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    if (!groupProjectMembership) throw new BadRequestError({ message: `Failed to find group with ID ${groupId}` });

    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -311,17 +371,17 @@ export const groupProjectServiceFactory = ({
  };

  const listGroupsInProject = async ({
-    projectSlug,
+    projectId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TListProjectGroupDTO) => {
-    const project = await projectDAL.findOne({
-      slug: projectSlug
-    });
+    const project = await projectDAL.findById(projectId);

-    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+    if (!project) {
+      throw new BadRequestError({ message: `Failed to find project with ID ${projectId}` });
+    }

    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -336,10 +396,47 @@ export const groupProjectServiceFactory = ({
    return groupMemberships;
  };

+  const getGroupInProject = async ({
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    groupId,
+    projectId
+  }: TGetGroupInProjectDTO) => {
+    const project = await projectDAL.findById(projectId);
+
+    if (!project) {
+      throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+
+    const [groupMembership] = await groupProjectDAL.findByProjectId(project.id, {
+      groupId
+    });
+
+    if (!groupMembership) {
+      throw new NotFoundError({
+        message: "Cannot find group membership"
+      });
+    }
+
+    return groupMembership;
+  };
+
  return {
    addGroupToProject,
    updateGroupInProject,
    removeGroupFromProject,
-    listGroupsInProject
+    listGroupsInProject,
+    getGroupInProject
  };
 };
--- a/backend/src/services/group-project/group-project-types.ts
+++ b/backend/src/services/group-project/group-project-types.ts
@@ -1,11 +1,23 @@
-import { TProjectSlugPermission } from "@app/lib/types";
+import { TProjectPermission } from "@app/lib/types";

 import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";

 export type TCreateProjectGroupDTO = {
-  groupSlug: string;
-  role: string;
-} & TProjectSlugPermission;
+  groupId: string;
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
+} & TProjectPermission;

 export type TUpdateProjectGroupDTO = {
  roles: (
@@ -21,11 +33,13 @@ export type TUpdateProjectGroupDTO = {
        temporaryAccessStartTime: string;
      }
  )[];
-  groupSlug: string;
-} & TProjectSlugPermission;
+  groupId: string;
+} & TProjectPermission;

 export type TDeleteProjectGroupDTO = {
-  groupSlug: string;
-} & TProjectSlugPermission;
+  groupId: string;
+} & TProjectPermission;

-export type TListProjectGroupDTO = TProjectSlugPermission;
+export type TListProjectGroupDTO = TProjectPermission;
+
+export type TGetGroupInProjectDTO = TProjectPermission & { groupId: string };
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -458,12 +458,6 @@ export const orgServiceFactory = ({

    const org = await orgDAL.findOrgById(orgId);

-    if (org?.authEnforced) {
-      throw new BadRequestError({
-        message: "Failed to invite user due to org-level auth enforced for organization"
-      });
-    }
-
    const isEmailInvalid = await isDisposableEmail(inviteeEmails);
    if (isEmailInvalid) {
      throw new BadRequestError({
@@ -472,20 +466,6 @@ export const orgServiceFactory = ({
      });
    }
    const plan = await licenseService.getPlan(orgId);
-    if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-      // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-      throw new BadRequestError({
-        message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
-      });
-    }
-
-    if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
-      // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
-      throw new BadRequestError({
-        message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
-      });
-    }
-
    const isCustomOrgRole = !Object.values(OrgMembershipRole).includes(organizationRoleSlug as OrgMembershipRole);
    if (isCustomOrgRole) {
      if (!plan?.rbac)
@@ -570,7 +550,7 @@ export const orgServiceFactory = ({
          );
        }

-        const [inviteeMembership] = await orgDAL.findMembership(
+        const [inviteeOrgMembership] = await orgDAL.findMembership(
          {
            [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
            [`${TableName.OrgMembership}.userId` as "userId"]: inviteeUserId
@@ -579,7 +559,27 @@ export const orgServiceFactory = ({
        );

        // if there exist no org membership we set is as given by the request
-        if (!inviteeMembership) {
+        if (!inviteeOrgMembership) {
+          if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+            // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
+            throw new BadRequestError({
+              message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+            });
+          }
+
+          if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+            // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+            throw new BadRequestError({
+              message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+            });
+          }
+
+          if (org?.authEnforced) {
+            throw new BadRequestError({
+              message: "Failed to invite user due to org-level auth enforced for organization"
+            });
+          }
+
          // as its used by project invite also
          ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Member);
          let roleId;
--- a/backend/src/services/secret-folder/secret-folder-dal.ts
+++ b/backend/src/services/secret-folder/secret-folder-dal.ts
@@ -5,6 +5,8 @@ import { TableName, TProjectEnvironments, TSecretFolders, TSecretFoldersUpdate }
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { groupBy, removeTrailingSlash } from "@app/lib/fn";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export const validateFolderName = (folderName: string) => {
  const validNameRegex = /^[a-zA-Z0-9-_]+$/;
@@ -83,7 +85,7 @@ const sqlFindMultipleFolderByEnvPathQuery = (db: Knex, query: Array<{ envId: str
    .from<TSecretFolders & { depth: number; path: string }>("parent");
 };

-const sqlFindFolderByPathQuery = (db: Knex, projectId: string, environment: string, secretPath: string) => {
+const sqlFindFolderByPathQuery = (db: Knex, projectId: string, environments: string[], secretPath: string) => {
  // this is removing an trailing slash like /folder1/folder2/ -> /folder1/folder2
  const formatedPath = secretPath.at(-1) === "/" && secretPath.length > 1 ? secretPath.slice(0, -1) : secretPath;
  // next goal to sanitize saw the raw sql query is safe
@@ -111,7 +113,7 @@ const sqlFindFolderByPathQuery = (db: Knex, projectId: string, environment: stri
          projectId,
          parentId: null
        })
-        .where(`${TableName.Environment}.slug`, environment)
+        .whereIn(`${TableName.Environment}.slug`, environments)
        .select(selectAllTableCols(TableName.SecretFolder))
        .union(
          (qb) =>
@@ -139,14 +141,14 @@ const sqlFindFolderByPathQuery = (db: Knex, projectId: string, environment: stri
    .from<TSecretFolders & { depth: number; path: string }>("parent")
    .leftJoin<TProjectEnvironments>(TableName.Environment, `${TableName.Environment}.id`, "parent.envId")
    .select<
-      TSecretFolders & {
+      (TSecretFolders & {
        depth: number;
        path: string;
        envId: string;
        envSlug: string;
        envName: string;
        projectId: string;
-      }
+      })[]
    >(
      selectAllTableCols("parent" as TableName.SecretFolder),
      db.ref("id").withSchema(TableName.Environment).as("envId"),
@@ -214,7 +216,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
      const folder = await sqlFindFolderByPathQuery(
        tx || db.replicaNode(),
        projectId,
-        environment,
+        [environment],
        removeTrailingSlash(path)
      )
        .orderBy("depth", "desc")
@@ -230,6 +232,35 @@ export const secretFolderDALFactory = (db: TDbClient) => {
    }
  };

+  // finds folders by path for multiple envs
+  const findBySecretPathMultiEnv = async (projectId: string, environments: string[], path: string, tx?: Knex) => {
+    try {
+      const pathDepth = removeTrailingSlash(path).split("/").filter(Boolean).length + 1;
+
+      const folders = await sqlFindFolderByPathQuery(
+        tx || db.replicaNode(),
+        projectId,
+        environments,
+        removeTrailingSlash(path)
+      )
+        .orderBy("depth", "desc")
+        .where("depth", pathDepth);
+
+      const firstFolder = folders[0];
+
+      if (firstFolder && firstFolder.path !== removeTrailingSlash(path)) {
+        return [];
+      }
+
+      return folders.map((folder) => {
+        const { envId: id, envName: name, envSlug: slug, ...el } = folder;
+        return { ...el, envId: id, environment: { id, name, slug } };
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find folders by secret path multi env" });
+    }
+  };
+
  // used in folder creation
  // even if its the original given /path1/path2
  // it will stop automatically at /path2
@@ -238,7 +269,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
      const folder = await sqlFindFolderByPathQuery(
        tx || db.replicaNode(),
        projectId,
-        environment,
+        [environment],
        removeTrailingSlash(path)
      )
        .orderBy("depth", "desc")
@@ -352,14 +383,77 @@ export const secretFolderDALFactory = (db: TDbClient) => {
    }
  };

+  // find project folders for multiple envs
+  const findByMultiEnv = async (
+    {
+      environmentIds,
+      parentIds,
+      search,
+      limit,
+      offset = 0,
+      orderBy = SecretsOrderBy.Name,
+      orderDirection = OrderByDirection.ASC
+    }: {
+      environmentIds: string[];
+      parentIds: string[];
+      search?: string;
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.SecretFolder)
+        .whereIn("parentId", parentIds)
+        .whereIn("envId", environmentIds)
+        .where("isReserved", false)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike(`${TableName.SecretFolder}.name`, `%${search}%`);
+          }
+        })
+        .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
+        .select(
+          selectAllTableCols(TableName.SecretFolder),
+          db.raw(
+            `DENSE_RANK() OVER (ORDER BY ${TableName.SecretFolder}."name" ${
+              orderDirection ?? OrderByDirection.ASC
+            }) as rank`
+          ),
+          db.ref("slug").withSchema(TableName.Environment).as("environment")
+        )
+        .orderBy(`${TableName.SecretFolder}.${orderBy}`, orderDirection);
+
+      if (limit) {
+        const rankOffset = offset + 1; // ranks start from 1
+        return await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + limit);
+      }
+
+      const folders = await query;
+
+      return folders;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find folders multi env" });
+    }
+  };
+
  return {
    ...secretFolderOrm,
    update,
    findBySecretPath,
+    findBySecretPathMultiEnv,
    findById,
    findByManySecretPath,
    findSecretPathByFolderIds,
    findClosestFolder,
-    findByProjectId
+    findByProjectId,
+    findByMultiEnv
  };
 };
--- a/backend/src/services/secret-folder/secret-folder-service.ts
+++ b/backend/src/services/secret-folder/secret-folder-service.ts
@@ -7,6 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";

 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
@@ -26,7 +27,7 @@ type TSecretFolderServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
  folderDAL: TSecretFolderDALFactory;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "findBySlugs">;
  folderVersionDAL: TSecretFolderVersionDALFactory;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
@@ -396,7 +397,12 @@ export const secretFolderServiceFactory = ({
    actorOrgId,
    actorAuthMethod,
    environment,
-    path: secretPath
+    path: secretPath,
+    search,
+    orderBy,
+    orderDirection,
+    limit,
+    offset
  }: TGetFolderDTO) => {
    // folder list is allowed to be read by anyone
    // permission to check does user has access
@@ -408,11 +414,92 @@ export const secretFolderServiceFactory = ({
    const parentFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!parentFolder) return [];

-    const folders = await folderDAL.find({ envId: env.id, parentId: parentFolder.id, isReserved: false });
+    const folders = await folderDAL.find(
+      {
+        envId: env.id,
+        parentId: parentFolder.id,
+        isReserved: false,
+        $search: search ? { name: `%${search}%` } : undefined
+      },
+      {
+        sort: orderBy ? [[orderBy, orderDirection ?? OrderByDirection.ASC]] : undefined,
+        limit,
+        offset
+      }
+    );
+    return folders;
+  };
+
+  // get folders for multiple envs
+  const getFoldersMultiEnv = async ({
+    projectId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environments,
+    path: secretPath,
+    ...params
+  }: Omit<TGetFolderDTO, "environment"> & { environments: string[] }) => {
+    // folder list is allowed to be read by anyone
+    // permission to check does user has access
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+
+    const envs = await projectEnvDAL.findBySlugs(projectId, environments);
+
+    if (!envs.length)
+      throw new BadRequestError({ message: "Environment(s) not found", name: "get project folder count" });
+
+    const parentFolders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, secretPath);
+    if (!parentFolders.length) return [];
+
+    const folders = await folderDAL.findByMultiEnv({
+      environmentIds: envs.map((env) => env.id),
+      parentIds: parentFolders.map((folder) => folder.id),
+      ...params
+    });

    return folders;
  };

+  // get the unique count of folders within a project path
+  const getProjectFolderCount = async ({
+    projectId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environments,
+    path: secretPath,
+    search
+  }: Omit<TGetFolderDTO, "environment"> & { environments: string[] }) => {
+    // folder list is allowed to be read by anyone
+    // permission to check does user has access
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+
+    const envs = await projectEnvDAL.findBySlugs(projectId, environments);
+
+    if (!envs.length)
+      throw new BadRequestError({ message: "Environment(s) not found", name: "get project folder count" });
+
+    const parentFolders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, secretPath);
+    if (!parentFolders.length) return 0;
+
+    const folders = await folderDAL.find(
+      {
+        $in: {
+          envId: envs.map((env) => env.id),
+          parentId: parentFolders.map((folder) => folder.id)
+        },
+        isReserved: false,
+        $search: search ? { name: `%${search}%` } : undefined
+      },
+      { countDistinct: "name" }
+    );
+
+    return Number(folders[0]?.count ?? 0);
+  };
+
  const getFolderById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetFolderByIdDTO) => {
    const folder = await folderDAL.findById(id);
    if (!folder) throw new NotFoundError({ message: "folder not found" });
@@ -429,6 +516,8 @@ export const secretFolderServiceFactory = ({
    updateManyFolders,
    deleteFolder,
    getFolders,
-    getFolderById
+    getFolderById,
+    getProjectFolderCount,
+    getFoldersMultiEnv
  };
 };
--- a/backend/src/services/secret-folder/secret-folder-types.ts
+++ b/backend/src/services/secret-folder/secret-folder-types.ts
@@ -1,4 +1,5 @@
-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export enum ReservedFolders {
  SecretReplication = "__reserve_replication_"
@@ -36,6 +37,11 @@ export type TDeleteFolderDTO = {
 export type TGetFolderDTO = {
  environment: string;
  path: string;
+  search?: string;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  limit?: number;
+  offset?: number;
 } & TProjectPermission;

 export type TGetFolderByIdDTO = {
--- a/backend/src/services/secret-import/secret-import-dal.ts
+++ b/backend/src/services/secret-import/secret-import-dal.ts
@@ -49,10 +49,30 @@ export const secretImportDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: Partial<TSecretImports & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    {
+      search,
+      limit,
+      offset,
+      ...filter
+    }: Partial<
+      TSecretImports & {
+        projectId: string;
+        search?: string;
+        limit?: number;
+        offset?: number;
+      }
+    >,
+    tx?: Knex
+  ) => {
    try {
-      const docs = await (tx || db.replicaNode())(TableName.SecretImport)
+      const query = (tx || db.replicaNode())(TableName.SecretImport)
        .where(filter)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike("importPath", `%${search}%`);
+          }
+        })
        .join(TableName.Environment, `${TableName.SecretImport}.importEnv`, `${TableName.Environment}.id`)
        .select(
          db.ref("*").withSchema(TableName.SecretImport) as unknown as keyof TSecretImports,
@@ -61,6 +81,13 @@ export const secretImportDALFactory = (db: TDbClient) => {
          db.ref("id").withSchema(TableName.Environment).as("envId")
        )
        .orderBy("position", "asc");
+
+      if (limit) {
+        void query.limit(limit).offset(offset ?? 0);
+      }
+
+      const docs = await query;
+
      return docs.map(({ envId, slug, name, ...el }) => ({
        ...el,
        importEnv: { id: envId, slug, name }
@@ -70,6 +97,28 @@ export const secretImportDALFactory = (db: TDbClient) => {
    }
  };

+  const getProjectImportCount = async (
+    { search, ...filter }: Partial<TSecretImports & { projectId: string; search?: string }>,
+    tx?: Knex
+  ) => {
+    try {
+      const docs = await (tx || db.replicaNode())(TableName.SecretImport)
+        .where(filter)
+        .where("isReplication", false)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike("importPath", `%${search}%`);
+          }
+        })
+        .join(TableName.Environment, `${TableName.SecretImport}.importEnv`, `${TableName.Environment}.id`)
+        .count();
+
+      return Number(docs[0]?.count ?? 0);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "get secret imports count" });
+    }
+  };
+
  const findByFolderIds = async (folderIds: string[], tx?: Knex) => {
    try {
      const docs = await (tx || db.replicaNode())(TableName.SecretImport)
@@ -97,6 +146,7 @@ export const secretImportDALFactory = (db: TDbClient) => {
    find,
    findByFolderIds,
    findLastImportPosition,
-    updateAllPosition
+    updateAllPosition,
+    getProjectImportCount
  };
 };
--- a/backend/src/services/secret-import/secret-import-fns.ts
+++ b/backend/src/services/secret-import/secret-import-fns.ts
@@ -220,7 +220,7 @@ export const fnSecretsV2FromImports = async ({
  const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);

  const processedImports = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
-    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`][0];
+    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`]?.[0];
    const folderDeeperImportSecrets =
      secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
    const secretsWithDuplicate = (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
--- a/backend/src/services/secret-import/secret-import-service.ts
+++ b/backend/src/services/secret-import/secret-import-service.ts
@@ -7,7 +7,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getReplicationFolderName } from "@app/ee/services/secret-replication/secret-replication-service";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";

 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
@@ -394,6 +394,36 @@ export const secretImportServiceFactory = ({
    return { message: "replication started" };
  };

+  const getProjectImportCount = async ({
+    path: secretPath,
+    environment,
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    search
+  }: TGetSecretImportsDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
+    if (!folder) throw new NotFoundError({ message: "Folder not found", name: "Get imports" });
+
+    const count = await secretImportDAL.getProjectImportCount({ folderId: folder.id, search });
+
+    return count;
+  };
+
  const getImports = async ({
    path: secretPath,
    environment,
@@ -401,7 +431,10 @@ export const secretImportServiceFactory = ({
    actor,
    actorId,
    actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    search,
+    limit,
+    offset
  }: TGetSecretImportsDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -418,7 +451,7 @@ export const secretImportServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder) throw new BadRequestError({ message: "Folder not found", name: "Get imports" });

-    const secImports = await secretImportDAL.find({ folderId: folder.id });
+    const secImports = await secretImportDAL.find({ folderId: folder.id, search, limit, offset });
    return secImports;
  };

@@ -535,6 +568,7 @@ export const secretImportServiceFactory = ({
    getSecretsFromImports,
    getRawSecretsFromImports,
    resyncSecretImportReplication,
+    getProjectImportCount,
    fnSecretsFromImports
  };
 };
--- a/backend/src/services/secret-import/secret-import-types.ts
+++ b/backend/src/services/secret-import/secret-import-types.ts
@@ -32,6 +32,9 @@ export type TDeleteSecretImportDTO = {
 export type TGetSecretImportsDTO = {
  environment: string;
  path: string;
+  search?: string;
+  limit?: number;
+  offset?: number;
 } & TProjectPermission;

 export type TGetSecretsFromImportDTO = {
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@@ -5,6 +5,8 @@ import { TDbClient } from "@app/db";
 import { SecretsV2Schema, SecretType, TableName, TSecretsV2, TSecretsV2Update } from "@app/db/schemas";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";

 export type TSecretV2BridgeDALFactory = ReturnType<typeof secretV2BridgeDALFactory>;

@@ -181,7 +183,16 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
    }
  };

-  const findByFolderIds = async (folderIds: string[], userId?: string, tx?: Knex) => {
+  // get unique secret count by folder IDs
+  const countByFolderIds = async (
+    folderIds: string[],
+    userId?: string,
+    tx?: Knex,
+    filters?: {
+      search?: string;
+      tagSlugs?: string[];
+    }
+  ) => {
    try {
      // check if not uui then userId id is null (corner case because service token's ID is not UUI in effort to keep backwards compatibility from mongo)
      if (userId && !uuidValidate(userId)) {
@@ -189,8 +200,70 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
        userId = undefined;
      }

-      const secs = await (tx || db.replicaNode())(TableName.SecretV2)
+      const query = (tx || db.replicaNode())(TableName.SecretV2)
        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (filters?.search) {
+            void bd.whereILike("key", `%${filters?.search}%`);
+          }
+        })
+        .where((bd) => {
+          void bd.whereNull("userId").orWhere({ userId: userId || null });
+        })
+        .countDistinct("key");
+
+      // only need to join tags if filtering by tag slugs
+      const slugs = filters?.tagSlugs?.filter(Boolean);
+      if (slugs && slugs.length > 0) {
+        void query
+          .leftJoin(
+            TableName.SecretV2JnTag,
+            `${TableName.SecretV2}.id`,
+            `${TableName.SecretV2JnTag}.${TableName.SecretV2}Id`
+          )
+          .leftJoin(
+            TableName.SecretTag,
+            `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
+            `${TableName.SecretTag}.id`
+          )
+          .whereIn("slug", slugs);
+      }
+
+      const secrets = await query;
+
+      return Number(secrets[0]?.count ?? 0);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "get folder secret count" });
+    }
+  };
+
+  const findByFolderIds = async (
+    folderIds: string[],
+    userId?: string,
+    tx?: Knex,
+    filters?: {
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+      search?: string;
+      tagSlugs?: string[];
+    }
+  ) => {
+    try {
+      // check if not uui then userId id is null (corner case because service token's ID is not UUI in effort to keep backwards compatibility from mongo)
+      if (userId && !uuidValidate(userId)) {
+        // eslint-disable-next-line no-param-reassign
+        userId = undefined;
+      }
+
+      const query = (tx || db.replicaNode())(TableName.SecretV2)
+        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (filters?.search) {
+            void bd.whereILike("key", `%${filters?.search}%`);
+          }
+        })
        .where((bd) => {
          void bd.whereNull("userId").orWhere({ userId: userId || null });
        })
@@ -204,11 +277,37 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
          `${TableName.SecretTag}.id`
        )
-        .select(selectAllTableCols(TableName.SecretV2))
+        .select(
+          selectAllTableCols(TableName.SecretV2),
+          db.raw(`DENSE_RANK() OVER (ORDER BY "key" ${filters?.orderDirection ?? OrderByDirection.ASC}) as rank`)
+        )
        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .orderBy("id", "asc");
+        .where((bd) => {
+          const slugs = filters?.tagSlugs?.filter(Boolean);
+          if (slugs && slugs.length > 0) {
+            void bd.whereIn("slug", slugs);
+          }
+        })
+        .orderBy(
+          filters?.orderBy === SecretsOrderBy.Name ? "key" : "id",
+          filters?.orderDirection ?? OrderByDirection.ASC
+        );
+
+      let secs: Awaited<typeof query>;
+
+      if (filters?.limit) {
+        const rankOffset = (filters?.offset ?? 0) + 1; // ranks start at 1
+        secs = await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + filters.limit);
+      } else {
+        secs = await query;
+      }

      const data = sqlNestRelationships({
        data: secs,
@@ -384,6 +483,7 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
    findBySecretKeys,
    upsertSecretReferences,
    findReferencedSecretReferences,
-    findAllProjectSecretValues
+    findAllProjectSecretValues,
+    countByFolderIds
  };
 };
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
@@ -1,6 +1,7 @@
 import path from "node:path";

 import { TableName, TSecretFolders, TSecretsV2 } from "@app/db/schemas";
+import { UnauthorizedError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";

@@ -375,6 +376,7 @@ type TInterpolateSecretArg = {
  decryptSecretValue: (encryptedValue?: Buffer | null) => string | undefined;
  secretDAL: Pick<TSecretV2BridgeDALFactory, "findByFolderId">;
  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  canExpandValue: (environment: string, secretPath: string) => boolean;
 };

 const MAX_SECRET_REFERENCE_DEPTH = 10;
@@ -382,7 +384,8 @@ export const expandSecretReferencesFactory = ({
  projectId,
  decryptSecretValue: decryptSecret,
  secretDAL,
-  folderDAL
+  folderDAL,
+  canExpandValue
 }: TInterpolateSecretArg) => {
  const secretCache: Record<string, Record<string, string>> = {};
  const getCacheUniqueKey = (environment: string, secretPath: string) => `${environment}-${secretPath}`;
@@ -432,6 +435,11 @@ export const expandSecretReferencesFactory = ({
          if (entities.length === 1) {
            const [secretKey] = entities;

+            if (!canExpandValue(environment, secretPath))
+              throw new UnauthorizedError({
+                message: `You are attempting to reference secret named ${secretKey} from environment ${environment} in path ${secretPath} which you do not have access to.`
+              });
+
            // eslint-disable-next-line no-continue,no-await-in-loop
            const referedValue = await fetchSecret(environment, secretPath, secretKey);
            const cacheKey = getCacheUniqueKey(environment, secretPath);
@@ -452,6 +460,11 @@ export const expandSecretReferencesFactory = ({
            const secretReferencePath = path.join("/", ...entities.slice(1, entities.length - 1));
            const secretReferenceKey = entities[entities.length - 1];

+            if (!canExpandValue(secretReferenceEnvironment, secretReferencePath))
+              throw new UnauthorizedError({
+                message: `You are attempting to reference secret named ${secretReferenceKey} from environment ${secretReferenceEnvironment} in path ${secretReferencePath} which you do not have access to.`
+              });
+
            // eslint-disable-next-line no-await-in-loop
            const referedValue = await fetchSecret(secretReferenceEnvironment, secretReferencePath, secretReferenceKey);
            const cacheKey = getCacheUniqueKey(secretReferenceEnvironment, secretReferencePath);
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -59,7 +59,7 @@ type TSecretV2BridgeServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
  folderDAL: Pick<
    TSecretFolderDALFactory,
-    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find"
+    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find" | "findBySecretPathMultiEnv"
  >;
  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "handleSecretReminder" | "removeSecretReminder">;
@@ -152,6 +152,15 @@ export const secretV2BridgeServiceFactory = ({
      type: KmsDataKey.SecretManager,
      projectId
    });
+    references.forEach((referredSecret) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, {
+          environment: referredSecret.environment,
+          secretPath: referredSecret.secretPath
+        })
+      );
+    });

    const secret = await secretDAL.transaction((tx) =>
      fnSecretBulkInsert({
@@ -292,6 +301,17 @@ export const secretV2BridgeServiceFactory = ({
            references: getAllNestedSecretReferences(secretValue)
          }
        : {};
+    if (encryptedValue.references) {
+      encryptedValue.references.forEach((referredSecret) => {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, {
+            environment: referredSecret.environment,
+            secretPath: referredSecret.secretPath
+          })
+        );
+      });
+    }

    const updatedSecret = await secretDAL.transaction(async (tx) =>
      fnSecretBulkUpdate({
@@ -431,6 +451,165 @@ export const secretV2BridgeServiceFactory = ({
    });
  };

+  // get unique secrets count for multiple envs
+  const getSecretsCountMultiEnv = async ({
+    actorId,
+    path,
+
+    projectId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    environments,
+    ...params
+  }: Pick<TGetSecretsDTO, "actorId" | "actor" | "path" | "projectId" | "actorOrgId" | "actorAuthMethod" | "search"> & {
+    environments: string[];
+  }) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    // verify user has access to all environments
+    environments.forEach((environment) =>
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+      )
+    );
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, path);
+    if (!folders.length) return 0;
+
+    const count = await secretDAL.countByFolderIds(
+      folders.map((folder) => folder.id),
+      actorId,
+      undefined,
+      params
+    );
+
+    return count;
+  };
+
+  // get secret count for individual env
+  const getSecretsCount = async ({
+    actorId,
+    path,
+    environment,
+    projectId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    ...params
+  }: Pick<
+    TGetSecretsDTO,
+    | "actorId"
+    | "actor"
+    | "path"
+    | "projectId"
+    | "actorOrgId"
+    | "actorAuthMethod"
+    | "tagSlugs"
+    | "environment"
+    | "search"
+  >) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
+    if (!folder) return 0;
+
+    const count = await secretDAL.countByFolderIds([folder.id], actorId, undefined, params);
+
+    return count;
+  };
+
+  // get secrets for multiple envs
+  const getSecretsMultiEnv = async ({
+    actorId,
+    path,
+    environments,
+    projectId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    ...params
+  }: Pick<TGetSecretsDTO, "actorId" | "actor" | "path" | "projectId" | "actorOrgId" | "actorAuthMethod" | "search"> & {
+    environments: string[];
+  }) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    let paths: { folderId: string; path: string; environment: string }[] = [];
+
+    // verify user has access to all environments
+    environments.forEach((environment) =>
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+      )
+    );
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, path);
+
+    if (!folders.length) {
+      return [];
+    }
+
+    paths = folders.map((folder) => ({ folderId: folder.id, path, environment: folder.environment.slug }));
+
+    const groupedPaths = groupBy(paths, (p) => p.folderId);
+
+    const secrets = await secretDAL.findByFolderIds(
+      paths.map((p) => p.folderId),
+      actorId,
+      undefined,
+      params
+    );
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId
+    });
+
+    const decryptedSecrets = secrets.map((secret) =>
+      reshapeBridgeSecret(
+        projectId,
+        groupedPaths[secret.folderId][0].environment,
+        groupedPaths[secret.folderId][0].path,
+        {
+          ...secret,
+          value: secret.encryptedValue
+            ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
+            : "",
+          comment: secret.encryptedComment
+            ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
+            : ""
+        }
+      )
+    );
+
+    return decryptedSecrets;
+  };
+
  const getSecrets = async ({
    actorId,
    path,
@@ -441,8 +620,8 @@ export const secretV2BridgeServiceFactory = ({
    actorAuthMethod,
    includeImports,
    recursive,
-    tagSlugs = [],
-    expandSecretReferences: shouldExpandSecretReferences
+    expandSecretReferences: shouldExpandSecretReferences,
+    ...params
  }: TGetSecretsDTO) => {
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -490,7 +669,9 @@ export const secretV2BridgeServiceFactory = ({

    const secrets = await secretDAL.findByFolderIds(
      paths.map((p) => p.folderId),
-      actorId
+      actorId,
+      undefined,
+      params
    );

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -509,18 +690,21 @@ export const secretV2BridgeServiceFactory = ({
          : ""
      })
    );
-    const filteredSecrets = tagSlugs.length
-      ? decryptedSecrets.filter((secret) => Boolean(secret.tags?.find((el) => tagSlugs.includes(el.slug))))
-      : decryptedSecrets;
+
    const expandSecretReferences = expandSecretReferencesFactory({
      projectId,
      folderDAL,
      secretDAL,
-      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
+      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined),
+      canExpandValue: (expandEnvironment, expandSecretPath) =>
+        permission.can(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: expandEnvironment, secretPath: expandSecretPath })
+        )
    });

    if (shouldExpandSecretReferences) {
-      const secretsGroupByPath = groupBy(filteredSecrets, (i) => i.secretPath);
+      const secretsGroupByPath = groupBy(decryptedSecrets, (i) => i.secretPath);
      await Promise.allSettled(
        Object.keys(secretsGroupByPath).map((groupedPath) =>
          Promise.allSettled(
@@ -541,7 +725,7 @@ export const secretV2BridgeServiceFactory = ({

    if (!includeImports) {
      return {
-        secrets: filteredSecrets
+        secrets: decryptedSecrets
      };
    }

@@ -569,7 +753,7 @@ export const secretV2BridgeServiceFactory = ({
    });

    return {
-      secrets: filteredSecrets,
+      secrets: decryptedSecrets,
      imports: importedSecrets
    };
  };
@@ -640,7 +824,12 @@ export const secretV2BridgeServiceFactory = ({
      projectId,
      folderDAL,
      secretDAL,
-      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
+      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined),
+      canExpandValue: (expandEnvironment, expandSecretPath) =>
+        permission.can(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: expandEnvironment, secretPath: expandSecretPath })
+        )
    });

    // now if secret is not found
@@ -757,21 +946,34 @@ export const secretV2BridgeServiceFactory = ({

    const newSecrets = await secretDAL.transaction(async (tx) =>
      fnSecretBulkInsert({
-        inputSecrets: inputSecrets.map((el) => ({
-          version: 1,
-          encryptedComment: setKnexStringValue(
-            el.secretComment,
-            (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-          ),
-          encryptedValue: el.secretValue
-            ? secretManagerEncryptor({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
-            : undefined,
-          skipMultilineEncoding: el.skipMultilineEncoding,
-          key: el.secretKey,
-          tagIds: el.tagIds,
-          references: getAllNestedSecretReferences(el.secretValue),
-          type: SecretType.Shared
-        })),
+        inputSecrets: inputSecrets.map((el) => {
+          const references = getAllNestedSecretReferences(el.secretValue);
+          references.forEach((referredSecret) => {
+            ForbiddenError.from(permission).throwUnlessCan(
+              ProjectPermissionActions.Read,
+              subject(ProjectPermissionSub.Secrets, {
+                environment: referredSecret.environment,
+                secretPath: referredSecret.secretPath
+              })
+            );
+          });
+
+          return {
+            version: 1,
+            encryptedComment: setKnexStringValue(
+              el.secretComment,
+              (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
+            ),
+            encryptedValue: el.secretValue
+              ? secretManagerEncryptor({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
+              : undefined,
+            skipMultilineEncoding: el.skipMultilineEncoding,
+            key: el.secretKey,
+            tagIds: el.tagIds,
+            references,
+            type: SecretType.Shared
+          };
+        }),
        folderId,
        secretDAL,
        secretVersionDAL,
@@ -878,6 +1080,19 @@ export const secretV2BridgeServiceFactory = ({
                  references: getAllNestedSecretReferences(el.secretValue)
                }
              : {};
+
+          if (encryptedValue.references) {
+            encryptedValue.references.forEach((referredSecret) => {
+              ForbiddenError.from(permission).throwUnlessCan(
+                ProjectPermissionActions.Read,
+                subject(ProjectPermissionSub.Secrets, {
+                  environment: referredSecret.environment,
+                  secretPath: referredSecret.secretPath
+                })
+              );
+            });
+          }
+
          return {
            filter: { id: originalSecret.id, type: SecretType.Shared },
            data: {
@@ -1416,6 +1631,9 @@ export const secretV2BridgeServiceFactory = ({
    getSecrets,
    getSecretVersions,
    backfillSecretReferences,
-    moveSecrets
+    moveSecrets,
+    getSecretsCount,
+    getSecretsCountMultiEnv,
+    getSecretsMultiEnv
  };
 };
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@@ -1,8 +1,9 @@
 import { Knex } from "knex";

 import { SecretType, TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas";
-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";

@@ -21,6 +22,11 @@ export type TGetSecretsDTO = {
  includeImports?: boolean;
  recursive?: boolean;
  tagSlugs?: string[];
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  offset?: number;
+  limit?: number;
+  search?: string;
 } & TProjectPermission;

 export type TGetASecretDTO = {
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -1,7 +1,13 @@
 /* eslint-disable no-await-in-loop */
 import { AxiosError } from "axios";

-import { ProjectUpgradeStatus, ProjectVersion, TSecretSnapshotSecretsV2, TSecretVersionsV2 } from "@app/db/schemas";
+import {
+  ProjectMembershipRole,
+  ProjectUpgradeStatus,
+  ProjectVersion,
+  TSecretSnapshotSecretsV2,
+  TSecretVersionsV2
+} from "@app/db/schemas";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { Actor, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
@@ -50,7 +56,9 @@ import { TSecretDALFactory } from "./secret-dal";
 import { interpolateSecrets } from "./secret-fns";
 import {
  TCreateSecretReminderDTO,
+  TFailedIntegrationSyncEmailsPayload,
  THandleReminderDTO,
+  TIntegrationSyncPayload,
  TRemoveSecretReminderDTO,
  TSyncSecretsDTO
 } from "./secret-types";
@@ -282,7 +290,9 @@ export const secretQueueFactory = ({
      decryptSecretValue: dto.decryptor,
      secretDAL: secretV2BridgeDAL,
      folderDAL,
-      projectId: dto.projectId
+      projectId: dto.projectId,
+      // on integration expand all secrets
+      canExpandValue: () => true
    });
    // process secrets in current folder
    const secrets = await secretV2BridgeDAL.findByFolderId(dto.folderId);
@@ -509,6 +519,19 @@ export const secretQueueFactory = ({
    );
  };

+  const sendFailedIntegrationSyncEmails = async (payload: TFailedIntegrationSyncEmailsPayload) => {
+    const appCfg = getConfig();
+    if (!appCfg.isSmtpConfigured) return;
+
+    await queueService.queue(QueueName.IntegrationSync, QueueJobs.SendFailedIntegrationSyncEmails, payload, {
+      jobId: `send-failed-integration-sync-emails-${payload.projectId}-${payload.secretPath}-${payload.environmentSlug}`,
+      delay: 1_000 * 60, // 1 minute
+
+      removeOnFail: true,
+      removeOnComplete: true
+    });
+  };
+
  queueService.start(QueueName.SecretSync, async (job) => {
    const {
      _deDupeQueue: deDupeQueue,
@@ -554,327 +577,396 @@ export const secretQueueFactory = ({
  });

  queueService.start(QueueName.IntegrationSync, async (job) => {
-    const { environment, actorId, isManual, projectId, secretPath, depth = 1, deDupeQueue = {} } = job.data;
-    if (depth > MAX_SYNC_SECRET_DEPTH) return;
+    if (job.name === QueueJobs.SendFailedIntegrationSyncEmails) {
+      const appCfg = getConfig();

-    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) {
-      throw new Error("Secret path not found");
-    }
+      const jobPayload = job.data as TFailedIntegrationSyncEmailsPayload;

-    // find all imports made with the given environment and secret path
-    const linkSourceDto = {
-      projectId,
-      importEnv: folder.environment.id,
-      importPath: secretPath,
-      isReplication: false
-    };
-    const imports = await secretImportDAL.find(linkSourceDto);
+      const projectMembers = await projectMembershipDAL.findAllProjectMembers(jobPayload.projectId);
+      const project = await projectDAL.findById(jobPayload.projectId);

-    if (imports.length) {
-      // keep calling sync secret for all the imports made
-      const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
-      const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
-      const foldersGroupedById = groupBy(importedFolders.filter(Boolean), (i) => i?.id as string);
-      logger.info(
-        `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
-      );
-      await Promise.all(
-        imports
-          .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0]?.path as string))
-          // filter out already synced ones
-          .filter(
-            ({ folderId }) =>
-              !deDupeQueue[
-                uniqueSecretQueueKey(
-                  foldersGroupedById[folderId][0]?.environmentSlug as string,
-                  foldersGroupedById[folderId][0]?.path as string
-                )
-              ]
-          )
-          .map(({ folderId }) =>
-            syncSecrets({
-              projectId,
-              secretPath: foldersGroupedById[folderId][0]?.path as string,
-              environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
-              _deDupeQueue: deDupeQueue,
-              _depth: depth + 1,
-              excludeReplication: true
-            })
-          )
-      );
-    }
-    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(projectId);
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-    let referencedFolderIds;
-    if (shouldUseSecretV2Bridge) {
-      const secretReferences = await secretV2BridgeDAL.findReferencedSecretReferences(
-        projectId,
-        folder.environment.slug,
-        secretPath
-      );
-      referencedFolderIds = unique(secretReferences, (i) => i.folderId).map(({ folderId }) => folderId);
-    } else {
-      const secretReferences = await secretDAL.findReferencedSecretReferences(
-        projectId,
-        folder.environment.slug,
-        secretPath
-      );
-      referencedFolderIds = unique(secretReferences, (i) => i.folderId).map(({ folderId }) => folderId);
-    }
-    if (referencedFolderIds.length) {
-      const referencedFolders = await folderDAL.findSecretPathByFolderIds(projectId, referencedFolderIds);
-      const referencedFoldersGroupedById = groupBy(referencedFolders.filter(Boolean), (i) => i?.id as string);
-      logger.info(
-        `getIntegrationSecrets: Syncing secret due to reference change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
-      );
-      await Promise.all(
-        referencedFolderIds
-          .filter((folderId) => Boolean(referencedFoldersGroupedById[folderId][0]?.path))
-          // filter out already synced ones
-          .filter(
-            (folderId) =>
-              !deDupeQueue[
-                uniqueSecretQueueKey(
-                  referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
-                  referencedFoldersGroupedById[folderId][0]?.path as string
-                )
-              ]
-          )
-          .map((folderId) =>
-            syncSecrets({
-              projectId,
-              secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
-              environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
-              _deDupeQueue: deDupeQueue,
-              _depth: depth + 1,
-              excludeReplication: true
-            })
-          )
-      );
-    }
-
-    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
-    const toBeSyncedIntegrations = integrations.filter(
-      // note: sync only the integrations sourced from secretPath
-      ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
-    );
-
-    if (!integrations.length) return;
-    logger.info(
-      `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${job.data.depth}]`
-    );
-
-    const lock = await keyStore.acquireLock(
-      [KeyStorePrefixes.SyncSecretIntegrationLock(projectId, environment, secretPath)],
-      10000,
-      {
-        retryCount: 3,
-        retryDelay: 2000
-      }
-    );
-    const lockAcquiredTime = new Date();
-
-    const lastRunSyncIntegrationTimestamp = await keyStore.getItem(
-      KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath)
-    );
-
-    // check whether the integration should wait or not
-    if (lastRunSyncIntegrationTimestamp) {
-      const INTEGRATION_INTERVAL = 2000;
-      const isStaleSyncIntegration = new Date(job.timestamp) < new Date(lastRunSyncIntegrationTimestamp);
-      if (isStaleSyncIntegration) {
-        logger.info(
-          `getIntegrationSecrets: secret integration sync stale [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${job.data.depth}]`
+      // Only send emails to admins, and if its a manual trigger, only send it to the person who triggered it (if actor is admin as well)
+      const filteredProjectMembers = projectMembers
+        .filter((member) => member.roles.some((role) => role.role === ProjectMembershipRole.Admin))
+        .filter((member) =>
+          jobPayload.manuallyTriggeredByUserId ? member.userId === jobPayload.manuallyTriggeredByUserId : true
        );
-        return;
-      }

-      const timeDifferenceWithLastIntegration = getTimeDifferenceInSeconds(
-        lockAcquiredTime.toISOString(),
-        lastRunSyncIntegrationTimestamp
-      );
-      if (timeDifferenceWithLastIntegration < INTEGRATION_INTERVAL && timeDifferenceWithLastIntegration > 0)
-        await new Promise((resolve) => {
-          setTimeout(resolve, 2000 - timeDifferenceWithLastIntegration * 1000);
-        });
+      await smtpService.sendMail({
+        recipients: filteredProjectMembers.map((member) => member.user.email!),
+        template: SmtpTemplates.IntegrationSyncFailed,
+        subjectLine: `Integration Sync Failed`,
+        substitutions: {
+          syncMessage: jobPayload.count === 1 ? jobPayload.syncMessage : undefined, // We are only displaying the sync message if its a singular integration, so we can just grab the first one in the array.
+          secretPath: jobPayload.secretPath,
+          environment: jobPayload.environmentName,
+          count: jobPayload.count,
+          projectName: project.name,
+          integrationUrl: `${appCfg.SITE_URL}/integrations/${project.id}`
+        }
+      });
    }

-    const generateActor = async (): Promise<Actor> => {
-      if (isManual && actorId) {
-        const user = await userDAL.findById(actorId);
+    if (job.name === QueueJobs.IntegrationSync) {
+      const {
+        environment,
+        actorId,
+        isManual,
+        projectId,
+        secretPath,
+        depth = 1,
+        deDupeQueue = {}
+      } = job.data as TIntegrationSyncPayload;
+      if (depth > MAX_SYNC_SECRET_DEPTH) return;

-        if (!user) {
-          throw new Error("User not found");
+      const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
+      if (!folder) {
+        throw new Error("Secret path not found");
+      }
+
+      // find all imports made with the given environment and secret path
+      const linkSourceDto = {
+        projectId,
+        importEnv: folder.environment.id,
+        importPath: secretPath,
+        isReplication: false
+      };
+      const imports = await secretImportDAL.find(linkSourceDto);
+
+      if (imports.length) {
+        // keep calling sync secret for all the imports made
+        const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
+        const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
+        const foldersGroupedById = groupBy(importedFolders.filter(Boolean), (i) => i?.id as string);
+        logger.info(
+          `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+        );
+        await Promise.all(
+          imports
+            .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0]?.path as string))
+            // filter out already synced ones
+            .filter(
+              ({ folderId }) =>
+                !deDupeQueue[
+                  uniqueSecretQueueKey(
+                    foldersGroupedById[folderId][0]?.environmentSlug as string,
+                    foldersGroupedById[folderId][0]?.path as string
+                  )
+                ]
+            )
+            .map(({ folderId }) =>
+              syncSecrets({
+                projectId,
+                secretPath: foldersGroupedById[folderId][0]?.path as string,
+                environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
+                _deDupeQueue: deDupeQueue,
+                _depth: depth + 1,
+                excludeReplication: true
+              })
+            )
+        );
+      }
+      const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(projectId);
+      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+        type: KmsDataKey.SecretManager,
+        projectId
+      });
+      let referencedFolderIds;
+      if (shouldUseSecretV2Bridge) {
+        const secretReferences = await secretV2BridgeDAL.findReferencedSecretReferences(
+          projectId,
+          folder.environment.slug,
+          secretPath
+        );
+        referencedFolderIds = unique(secretReferences, (i) => i.folderId).map(({ folderId }) => folderId);
+      } else {
+        const secretReferences = await secretDAL.findReferencedSecretReferences(
+          projectId,
+          folder.environment.slug,
+          secretPath
+        );
+        referencedFolderIds = unique(secretReferences, (i) => i.folderId).map(({ folderId }) => folderId);
+      }
+      if (referencedFolderIds.length) {
+        const referencedFolders = await folderDAL.findSecretPathByFolderIds(projectId, referencedFolderIds);
+        const referencedFoldersGroupedById = groupBy(referencedFolders.filter(Boolean), (i) => i?.id as string);
+        logger.info(
+          `getIntegrationSecrets: Syncing secret due to reference change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+        );
+        await Promise.all(
+          referencedFolderIds
+            .filter((folderId) => Boolean(referencedFoldersGroupedById[folderId][0]?.path))
+            // filter out already synced ones
+            .filter(
+              (folderId) =>
+                !deDupeQueue[
+                  uniqueSecretQueueKey(
+                    referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
+                    referencedFoldersGroupedById[folderId][0]?.path as string
+                  )
+                ]
+            )
+            .map((folderId) =>
+              syncSecrets({
+                projectId,
+                secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
+                environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
+                _deDupeQueue: deDupeQueue,
+                _depth: depth + 1,
+                excludeReplication: true
+              })
+            )
+        );
+      }
+
+      const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
+      const toBeSyncedIntegrations = integrations.filter(
+        // note: sync only the integrations sourced from secretPath
+        ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
+      );
+
+      const integrationsFailedToSync: { integrationId: string; syncMessage?: string }[] = [];
+
+      if (!integrations.length) return;
+      logger.info(
+        `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+      );
+
+      const lock = await keyStore.acquireLock(
+        [KeyStorePrefixes.SyncSecretIntegrationLock(projectId, environment, secretPath)],
+        10000,
+        {
+          retryCount: 3,
+          retryDelay: 2000
+        }
+      );
+      const lockAcquiredTime = new Date();
+
+      const lastRunSyncIntegrationTimestamp = await keyStore.getItem(
+        KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath)
+      );
+
+      // check whether the integration should wait or not
+      if (lastRunSyncIntegrationTimestamp) {
+        const INTEGRATION_INTERVAL = 2000;
+        const isStaleSyncIntegration = new Date(job.timestamp) < new Date(lastRunSyncIntegrationTimestamp);
+        if (isStaleSyncIntegration) {
+          logger.info(
+            `getIntegrationSecrets: secret integration sync stale [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+          );
+          return;
+        }
+
+        const timeDifferenceWithLastIntegration = getTimeDifferenceInSeconds(
+          lockAcquiredTime.toISOString(),
+          lastRunSyncIntegrationTimestamp
+        );
+        if (timeDifferenceWithLastIntegration < INTEGRATION_INTERVAL && timeDifferenceWithLastIntegration > 0)
+          await new Promise((resolve) => {
+            setTimeout(resolve, 2000 - timeDifferenceWithLastIntegration * 1000);
+          });
+      }
+
+      const generateActor = async (): Promise<Actor> => {
+        if (isManual && actorId) {
+          const user = await userDAL.findById(actorId);
+
+          if (!user) {
+            throw new Error("User not found");
+          }
+
+          return {
+            type: ActorType.USER,
+            metadata: {
+              email: user.email,
+              username: user.username,
+              userId: user.id
+            }
+          };
        }

        return {
-          type: ActorType.USER,
-          metadata: {
-            email: user.email,
-            username: user.username,
-            userId: user.id
-          }
+          type: ActorType.PLATFORM,
+          metadata: {}
        };
-      }
-
-      return {
-        type: ActorType.PLATFORM,
-        metadata: {}
      };
-    };

-    // akhilmhdh: this try catch is for lock release
-    try {
-      const secrets = shouldUseSecretV2Bridge
-        ? await getIntegrationSecretsV2({
-            environment,
-            projectId,
-            folderId: folder.id,
-            depth: 1,
-            secretPath,
-            decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
-          })
-        : await getIntegrationSecrets({
-            environment,
-            projectId,
-            folderId: folder.id,
-            key: botKey as string,
-            depth: 1,
-            secretPath
-          });
+      // akhilmhdh: this try catch is for lock release
+      try {
+        const secrets = shouldUseSecretV2Bridge
+          ? await getIntegrationSecretsV2({
+              environment,
+              projectId,
+              folderId: folder.id,
+              depth: 1,
+              secretPath,
+              decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
+            })
+          : await getIntegrationSecrets({
+              environment,
+              projectId,
+              folderId: folder.id,
+              key: botKey as string,
+              depth: 1,
+              secretPath
+            });

-      for (const integration of toBeSyncedIntegrations) {
-        const integrationAuth = {
-          ...integration.integrationAuth,
-          createdAt: new Date(),
-          updatedAt: new Date(),
-          projectId: integration.projectId
-        };
+        for (const integration of toBeSyncedIntegrations) {
+          const integrationAuth = {
+            ...integration.integrationAuth,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+            projectId: integration.projectId
+          };

-        const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(
-          integrationAuth,
-          shouldUseSecretV2Bridge,
-          botKey
-        );
-        let awsAssumeRoleArn = null;
-        if (shouldUseSecretV2Bridge) {
-          if (integrationAuth.encryptedAwsAssumeIamRoleArn) {
-            awsAssumeRoleArn = secretManagerDecryptor({
-              cipherTextBlob: Buffer.from(integrationAuth.encryptedAwsAssumeIamRoleArn)
-            }).toString();
-          }
-        } else if (
-          integrationAuth.awsAssumeIamRoleArnTag &&
-          integrationAuth.awsAssumeIamRoleArnIV &&
-          integrationAuth.awsAssumeIamRoleArnCipherText
-        ) {
-          awsAssumeRoleArn = decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: integrationAuth.awsAssumeIamRoleArnCipherText,
-            iv: integrationAuth.awsAssumeIamRoleArnIV,
-            tag: integrationAuth.awsAssumeIamRoleArnTag,
-            key: botKey as string
-          });
-        }
-
-        const suffixedSecrets: typeof secrets = {};
-        const metadata = integration.metadata as Record<string, string>;
-        if (metadata) {
-          Object.keys(secrets).forEach((key) => {
-            const prefix = metadata?.secretPrefix || "";
-            const suffix = metadata?.secretSuffix || "";
-            const newKey = prefix + key + suffix;
-            suffixedSecrets[newKey] = secrets[key];
-          });
-        }
-
-        // akhilmhdh: this try catch is for catching integration error and saving it in db
-        try {
-          // akhilmhdh: this needs to changed later to be more easier to use
-          // at present this is not at all extendable like to add a new parameter for just one integration need to modify multiple places
-          const response = await syncIntegrationSecrets({
-            createManySecretsRawFn,
-            updateManySecretsRawFn,
-            integrationDAL,
-            integration,
+          const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(
            integrationAuth,
-            secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets,
-            accessId: accessId as string,
-            awsAssumeRoleArn,
-            accessToken,
-            projectId,
-            appendices: {
-              prefix: metadata?.secretPrefix || "",
-              suffix: metadata?.secretSuffix || ""
-            }
-          });
-
-          await auditLogService.createAuditLog({
-            projectId,
-            actor: await generateActor(),
-            event: {
-              type: EventType.INTEGRATION_SYNCED,
-              metadata: {
-                integrationId: integration.id,
-                isSynced: response?.isSynced ?? true,
-                lastSyncJobId: job?.id ?? "",
-                lastUsed: new Date(),
-                syncMessage: response?.syncMessage ?? ""
-              }
-            }
-          });
-
-          await integrationDAL.updateById(integration.id, {
-            lastSyncJobId: job.id,
-            lastUsed: new Date(),
-            syncMessage: response?.syncMessage ?? "",
-            isSynced: response?.isSynced ?? true
-          });
-        } catch (err) {
-          logger.error(
-            err,
-            `Secret integration sync error [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}]`
+            shouldUseSecretV2Bridge,
+            botKey
          );
-
-          const message =
-            (err instanceof AxiosError ? JSON.stringify(err?.response?.data) : (err as Error)?.message) ||
-            "Unknown error occurred.";
-
-          await auditLogService.createAuditLog({
-            projectId,
-            actor: await generateActor(),
-            event: {
-              type: EventType.INTEGRATION_SYNCED,
-              metadata: {
-                integrationId: integration.id,
-                isSynced: false,
-                lastSyncJobId: job?.id ?? "",
-                lastUsed: new Date(),
-                syncMessage: message
-              }
+          let awsAssumeRoleArn = null;
+          if (shouldUseSecretV2Bridge) {
+            if (integrationAuth.encryptedAwsAssumeIamRoleArn) {
+              awsAssumeRoleArn = secretManagerDecryptor({
+                cipherTextBlob: Buffer.from(integrationAuth.encryptedAwsAssumeIamRoleArn)
+              }).toString();
            }
-          });
+          } else if (
+            integrationAuth.awsAssumeIamRoleArnTag &&
+            integrationAuth.awsAssumeIamRoleArnIV &&
+            integrationAuth.awsAssumeIamRoleArnCipherText
+          ) {
+            awsAssumeRoleArn = decryptSymmetric128BitHexKeyUTF8({
+              ciphertext: integrationAuth.awsAssumeIamRoleArnCipherText,
+              iv: integrationAuth.awsAssumeIamRoleArnIV,
+              tag: integrationAuth.awsAssumeIamRoleArnTag,
+              key: botKey as string
+            });
+          }

-          await integrationDAL.updateById(integration.id, {
-            lastSyncJobId: job.id,
-            syncMessage: message,
-            isSynced: false
+          const suffixedSecrets: typeof secrets = {};
+          const metadata = integration.metadata as Record<string, string>;
+          if (metadata) {
+            Object.keys(secrets).forEach((key) => {
+              const prefix = metadata?.secretPrefix || "";
+              const suffix = metadata?.secretSuffix || "";
+              const newKey = prefix + key + suffix;
+              suffixedSecrets[newKey] = secrets[key];
+            });
+          }
+
+          // akhilmhdh: this try catch is for catching integration error and saving it in db
+          try {
+            // akhilmhdh: this needs to changed later to be more easier to use
+            // at present this is not at all extendable like to add a new parameter for just one integration need to modify multiple places
+            const response = await syncIntegrationSecrets({
+              createManySecretsRawFn,
+              updateManySecretsRawFn,
+              integrationDAL,
+              integration,
+              integrationAuth,
+              secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets,
+              accessId: accessId as string,
+              awsAssumeRoleArn,
+              accessToken,
+              projectId,
+              appendices: {
+                prefix: metadata?.secretPrefix || "",
+                suffix: metadata?.secretSuffix || ""
+              }
+            });
+
+            await auditLogService.createAuditLog({
+              projectId,
+              actor: await generateActor(),
+              event: {
+                type: EventType.INTEGRATION_SYNCED,
+                metadata: {
+                  integrationId: integration.id,
+                  isSynced: response?.isSynced ?? true,
+                  lastSyncJobId: job?.id ?? "",
+                  lastUsed: new Date(),
+                  syncMessage: response?.syncMessage ?? ""
+                }
+              }
+            });
+
+            await integrationDAL.updateById(integration.id, {
+              lastSyncJobId: job.id,
+              lastUsed: new Date(),
+              syncMessage: response?.syncMessage ?? "",
+              isSynced: response?.isSynced ?? true
+            });
+
+            // May be undefined, if it's undefined we assume the sync was successful, hence the strict equality type check.
+            if (response?.isSynced === false) {
+              integrationsFailedToSync.push({
+                integrationId: integration.id,
+                syncMessage: response.syncMessage
+              });
+            }
+          } catch (err) {
+            logger.error(
+              err,
+              `Secret integration sync error [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}]`
+            );
+
+            const message =
+              (err instanceof AxiosError ? JSON.stringify(err?.response?.data) : (err as Error)?.message) ||
+              "Unknown error occurred.";
+
+            await auditLogService.createAuditLog({
+              projectId,
+              actor: await generateActor(),
+              event: {
+                type: EventType.INTEGRATION_SYNCED,
+                metadata: {
+                  integrationId: integration.id,
+                  isSynced: false,
+                  lastSyncJobId: job?.id ?? "",
+                  lastUsed: new Date(),
+                  syncMessage: message
+                }
+              }
+            });
+
+            await integrationDAL.updateById(integration.id, {
+              lastSyncJobId: job.id,
+              syncMessage: message,
+              isSynced: false
+            });
+
+            integrationsFailedToSync.push({
+              integrationId: integration.id,
+              syncMessage: message
+            });
+          }
+        }
+      } finally {
+        await lock.release();
+        if (integrationsFailedToSync.length) {
+          await sendFailedIntegrationSyncEmails({
+            count: integrationsFailedToSync.length,
+            environmentName: folder.environment.name,
+            environmentSlug: environment,
+            ...(isManual &&
+              actorId && {
+                manuallyTriggeredByUserId: actorId
+              }),
+            projectId,
+            secretPath,
+            syncMessage: integrationsFailedToSync[0].syncMessage
          });
        }
      }
-    } finally {
-      await lock.release();
-    }

-    await keyStore.setItemWithExpiry(
-      KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath),
-      KeyStoreTtls.SetSyncSecretIntegrationLastRunTimestampInSeconds,
-      lockAcquiredTime.toISOString()
-    );
-    logger.info("Secret integration sync ended: %s", job.id);
+      await keyStore.setItemWithExpiry(
+        KeyStorePrefixes.SyncSecretIntegrationLastRunTimestamp(projectId, environment, secretPath),
+        KeyStoreTtls.SetSyncSecretIntegrationLastRunTimestampInSeconds,
+        lockAcquiredTime.toISOString()
+      );
+      logger.info("Secret integration sync ended: %s", job.id);
+    }
  });

  queueService.start(QueueName.SecretReminder, async ({ data }) => {
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -954,6 +954,120 @@ export const secretServiceFactory = ({
    return secretsDeleted;
  };

+  const getSecretsCount = async ({
+    projectId,
+    path,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environment,
+    tagSlugs = [],
+    ...v2Params
+  }: Pick<
+    TGetSecretsRawDTO,
+    | "projectId"
+    | "path"
+    | "actor"
+    | "actorId"
+    | "actorOrgId"
+    | "actorAuthMethod"
+    | "environment"
+    | "tagSlugs"
+    | "search"
+  >) => {
+    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+
+    if (!shouldUseSecretV2Bridge)
+      throw new BadRequestError({
+        message: "Project version does not support pagination",
+        name: "pagination_not_supported"
+      });
+
+    const count = await secretV2BridgeService.getSecretsCount({
+      projectId,
+      actorId,
+      actor,
+      actorOrgId,
+      environment,
+      path,
+      actorAuthMethod,
+      tagSlugs,
+      ...v2Params
+    });
+
+    return count;
+  };
+
+  const getSecretsCountMultiEnv = async ({
+    projectId,
+    path,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environments,
+    ...v2Params
+  }: Pick<
+    TGetSecretsRawDTO,
+    "projectId" | "path" | "actor" | "actorId" | "actorOrgId" | "actorAuthMethod" | "search"
+  > & { environments: string[] }) => {
+    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+
+    if (!shouldUseSecretV2Bridge)
+      throw new BadRequestError({
+        message: "Project version does not support pagination",
+        name: "pagination_not_supported"
+      });
+
+    const count = await secretV2BridgeService.getSecretsCountMultiEnv({
+      projectId,
+      actorId,
+      actor,
+      actorOrgId,
+      environments,
+      path,
+      actorAuthMethod,
+      ...v2Params
+    });
+
+    return count;
+  };
+
+  const getSecretsRawMultiEnv = async ({
+    projectId,
+    path,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    environments,
+    ...params
+  }: Omit<TGetSecretsRawDTO, "environment" | "includeImports" | "expandSecretReferences" | "recursive" | "tagSlugs"> & {
+    environments: string[];
+  }) => {
+    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+
+    if (!shouldUseSecretV2Bridge)
+      throw new BadRequestError({
+        message: "Project version does not support pagination",
+        name: "pagination_not_supported"
+      });
+
+    const secrets = await secretV2BridgeService.getSecretsMultiEnv({
+      projectId,
+      actorId,
+      actor,
+      actorOrgId,
+      environments,
+      path,
+      actorAuthMethod,
+      ...params
+    });
+
+    return secrets;
+  };
+
  const getSecretsRaw = async ({
    projectId,
    path,
@@ -965,7 +1079,8 @@ export const secretServiceFactory = ({
    includeImports,
    expandSecretReferences,
    recursive,
-    tagSlugs = []
+    tagSlugs = [],
+    ...paramsV2
  }: TGetSecretsRawDTO) => {
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@@ -980,7 +1095,8 @@ export const secretServiceFactory = ({
        recursive,
        actorAuthMethod,
        includeImports,
-        tagSlugs
+        tagSlugs,
+        ...paramsV2
      });
      return { secrets, imports };
    }
@@ -2693,6 +2809,9 @@ export const secretServiceFactory = ({
    getSecretVersions,
    backfillSecretReferences,
    moveSecrets,
-    startSecretV2Migration
+    startSecretV2Migration,
+    getSecretsCount,
+    getSecretsCountMultiEnv,
+    getSecretsRawMultiEnv
  };
 };
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@@ -1,7 +1,8 @@
 import { Knex } from "knex";
+import { z } from "zod";

 import { SecretType, TSecretBlindIndexes, TSecrets, TSecretsInsert, TSecretsUpdate } from "@app/db/schemas";
-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
@@ -21,6 +22,29 @@ type TPartialSecret = Pick<TSecrets, "id" | "secretReminderRepeatDays" | "secret

 type TPartialInputSecret = Pick<TSecrets, "type" | "secretReminderNote" | "secretReminderRepeatDays" | "id">;

+export const FailedIntegrationSyncEmailsPayloadSchema = z.object({
+  projectId: z.string(),
+  secretPath: z.string(),
+  environmentName: z.string(),
+  environmentSlug: z.string(),
+
+  count: z.number(),
+  syncMessage: z.string().optional(),
+  manuallyTriggeredByUserId: z.string().optional()
+});
+
+export type TFailedIntegrationSyncEmailsPayload = z.infer<typeof FailedIntegrationSyncEmailsPayloadSchema>;
+
+export type TIntegrationSyncPayload = {
+  isManual?: boolean;
+  actorId?: string;
+  projectId: string;
+  environment: string;
+  secretPath: string;
+  depth?: number;
+  deDupeQueue?: Record<string, boolean>;
+};
+
 export type TCreateSecretDTO = {
  secretName: string;
  path: string;
@@ -81,6 +105,8 @@ export type TGetSecretsDTO = {
  environment: string;
  includeImports?: boolean;
  recursive?: boolean;
+  limit?: number;
+  offset?: number;
 } & TProjectPermission;

 export type TGetASecretDTO = {
@@ -143,6 +169,10 @@ export type TDeleteBulkSecretDTO = {
  }>;
 } & TProjectPermission;

+export enum SecretsOrderBy {
+  Name = "name" // "key" for secrets but using name for use across resources
+}
+
 export type TGetSecretsRawDTO = {
  expandSecretReferences?: boolean;
  path: string;
@@ -150,6 +180,11 @@ export type TGetSecretsRawDTO = {
  includeImports?: boolean;
  recursive?: boolean;
  tagSlugs?: string[];
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  offset?: number;
+  limit?: number;
+  search?: string;
 } & TProjectPermission;

 export type TGetASecretRawDTO = {
--- a/backend/src/services/smtp/smtp-service.ts
+++ b/backend/src/services/smtp/smtp-service.ts
@@ -33,7 +33,8 @@ export enum SmtpTemplates {
  SecretLeakIncident = "secretLeakIncident.handlebars",
  WorkspaceInvite = "workspaceInvitation.handlebars",
  ScimUserProvisioned = "scimUserProvisioned.handlebars",
-  PkiExpirationAlert = "pkiExpirationAlert.handlebars"
+  PkiExpirationAlert = "pkiExpirationAlert.handlebars",
+  IntegrationSyncFailed = "integrationSyncFailed.handlebars"
 }

 export enum SmtpHost {
--- a/backend/src/services/smtp/templates/integrationSyncFailed.handlebars
+++ b/backend/src/services/smtp/templates/integrationSyncFailed.handlebars
@@ -0,0 +1,31 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Integration Sync Failed</title>
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+
+    <div>
+      <p>{{count}} integration(s) failed to sync.</p>
+      <a href="{{integrationUrl}}">
+        View your project integrations.
+      </a>
+    </div>
+
+    <br />
+    <div>
+      <p><strong>Project</strong>: {{projectName}}</p>
+      <p><strong>Environment</strong>: {{environment}}</p>
+      <p><strong>Secret Path</strong>: {{secretPath}}</p>
+    </div>
+
+    {{#if syncMessage}}
+      <p><b>Reason: </b>{{syncMessage}}</p>
+    {{/if}}
+  </body>
+
+</html>
--- a/docs/api-reference/endpoints/audit-logs/export-audit-log.mdx
+++ b/docs/api-reference/endpoints/audit-logs/export-audit-log.mdx
@@ -1,4 +1,4 @@
 ---
 title: "Export"
-openapi: "GET /api/v1/workspace/{workspaceId}/audit-logs"
+openapi: "GET /api/v1/organization/audit-logs"
 ---
--- a/docs/cli/commands/export.mdx
+++ b/docs/cli/commands/export.mdx
@@ -51,7 +51,6 @@ infisical export --template=<path to template>
  <Info>
    Alternatively, you may use service tokens.

-    Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
    ```bash
    # Example
    export INFISICAL_TOKEN=<service-token>
--- a/docs/cli/commands/run.mdx
+++ b/docs/cli/commands/run.mdx
@@ -54,8 +54,6 @@ $ infisical run -- npm run dev
    <Info>
      Alternatively, you may use service tokens.

-      Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-      
      ```bash
        # Example
        export INFISICAL_TOKEN=<service-token>
--- a/docs/cli/commands/secrets.mdx
+++ b/docs/cli/commands/secrets.mdx
@@ -33,7 +33,6 @@ $ infisical secrets
    <Info>
      Alternatively, you may use service tokens.

-      Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
      ```bash
      # Example
      export INFISICAL_TOKEN=<service-token>
--- a/docs/cli/usage.mdx
+++ b/docs/cli/usage.mdx
@@ -206,8 +206,6 @@ infisical <any-command> --domain="https://your-self-hosted-infisical.com/api"

  </Accordion>
  <Accordion title="Can I use the CLI with service tokens?">
-    Yes. Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
    To use Infisical for non local development scenarios, please create a service token. The service token will allow you to authenticate and interact with Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI.

    ```bash
--- a/docs/documentation/platform/dynamic-secrets/azure-entra-id.mdx
+++ b/docs/documentation/platform/dynamic-secrets/azure-entra-id.mdx
@@ -0,0 +1,164 @@
+---
+title: "Azure Entra Id"
+description: "Learn how to dynamically generate Azure Entra Id user credentials."
+---
+
+The Infisical Azure Entra Id dynamic secret allows you to generate Azure Entra Id credentials on demand based on configured role.
+
+## Prerequisites
+
+<Steps>
+<Step>
+Login to [Microsoft Entra ID](https://entra.microsoft.com/)
+</Step>
+
+<Step>
+Go to Overview, Copy and store `Tenant Id`
+![Copy Tenant Id](../../../images/platform/dynamic-secrets/dynamic-secret-ad-tenant-id.png)
+</Step>
+
+<Step>
+Go to Applications > App registrations. Click on New Registration.
+![Copy Tenant Id](../../../images/platform/dynamic-secrets/dynamic-secret-ad-new-registration.png)
+</Step>
+
+<Step>
+Enter an application name. Click Register.
+</Step>
+
+<Step>
+Copy and store `Application Id`.
+![Copy Application Id](../../../images/platform/dynamic-secrets/dynamic-secret-ad-copy-app-id.png)
+</Step>
+
+<Step>
+Go to Clients and Secrets. Click on New Client Secret.
+</Step>
+
+<Step>
+Enter a description, select expiry and click Add.
+</Step>
+
+<Step>
+Copy and store `Client Secret` value.
+![Copy client Secret](../../../images/platform/dynamic-secrets/dynamic-secret-ad-add-client-secret.png)
+</Step>
+
+<Step>
+Go to API Permissions. Click on Add a permission.
+![Click add a permission](../../../images/platform/dynamic-secrets/dynamic-secret-ad-add-permission.png)
+</Step>
+
+<Step>
+Click on Microsoft Graph.
+![Click Microsoft Graph](../../../images/platform/dynamic-secrets/dynamic-secret-ad-select-graph.png)
+</Step>
+
+<Step>
+Click on Application Permissions. Search and select `User.ReadWrite.All` and click Add permissions.
+![Add User.Read.All](../../../images/platform/dynamic-secrets/dynamic-secret-ad-select-perms.png)
+</Step>
+
+<Step>
+Click on Grant admin consent for app. Click yes to confirm.
+![Grant admin consent](../../../images/platform/dynamic-secrets/dynamic-secret-ad-admin-consent.png)
+</Step>
+
+<Step>
+Go to Dashboard. Click on show more.
+![Show more](../../../images/platform/dynamic-secrets/dynamic-secret-ad-show-more.png)
+</Step>
+
+<Step>
+Click on Roles & admins. Search for User Administrator and click on it.
+![User Administrator](../../../images/platform/dynamic-secrets/dynamic-secret-ad-user-admin.png)
+</Step>
+
+<Step>
+Click on Add assignments. Search for the application name you created and select it. Click on Add.
+![Add assignments](../../../images/platform/dynamic-secrets/dynamic-secret-ad-add-assignments.png)
+</Step>
+</Steps>
+
+## Set up Dynamic Secrets with Azure Entra ID
+
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select 'Azure Entra ID'">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-ad-modal.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+	<ParamField path="Secret Prefix" type="string" required>
+		Prefix for the secrets to be created
+	</ParamField>
+
+	<ParamField path="Default TTL" type="string" required>
+		Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
+	</ParamField>
+
+	<ParamField path="Max TTL" type="string" required>
+		Maximum time-to-live for a generated secret.
+	</ParamField>
+
+	<ParamField path="Tenant ID" type="string" required>
+		The Tenant ID of your Azure Entra ID account.
+	</ParamField>
+
+	<ParamField path="Application ID" type="string" required>
+		The Application ID of the application you created in Azure Entra ID.
+	</ParamField>
+
+	<ParamField path="Client Secret" type="string" required>
+		The Client Secret of the application you created in Azure Entra ID.
+	</ParamField>
+
+	<ParamField path="Users" type="selection" required>
+		Multi select list of users to generate secrets for.
+	</ParamField>
+
+  </Step>
+  <Step title="Click `Submit`">
+  	After submitting the form, you will see a dynamic secrets for each user created in the dashboard. 
+  </Step>
+
+  <Step title="Generate dynamic secrets">
+	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. 
+	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. 
+	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate-redis.png)
+	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty-redis.png)
+
+	When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate  how long the credentials are valid for.
+
+	![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+	<Tip>
+		Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
+	</Tip>
+
+
+	Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you. 
+
+	![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-ad-lease.png)
+  </Step>
+</Steps>
+
+## Audit or Revoke Leases
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. 
+This will allow you see the expiration time of the lease or delete a lease before it's set time to live.
+
+![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
+
+## Renew Leases
+To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the **Renew** as illustrated below.
+![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
+
+<Warning>
+	Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
+</Warning>
--- a/docs/documentation/platform/mfa.mdx
+++ b/docs/documentation/platform/mfa.mdx
@@ -17,3 +17,40 @@ Check the box in Personal Settings > Two-factor Authentication to enable email-b
  building support for other forms of identification via SMS and Authenticator
  App.
 </Note>
+
+## Entra ID / Azure AD MFA
+
+<Note>
+    Before proceeding make sure you've enabled [SAML SSO for Entra ID / Azure AD](./sso/azure).
+
+    We also encourage you to have your team download and setup the
+    [Microsoft Authenticator App](https://www.microsoft.com/en-us/security/mobile-authenticator-app) prior to enabling MFA.
+</Note>
+
+<Steps>
+    <Step title="Open your Infisical Application in the Microsoft Entra Admin Center">
+        ![Entra Infisical app](../../images/platform/mfa/entra/mfa_entra_infisical_app.png)
+    </Step>
+    <Step title="Tap on Conditional Access under the Security Tab">
+        ![conditional access](../../images/platform/mfa/entra/mfa_entra_conditional_access.png)
+    </Step>
+    <Step title="Tap on Create New Policy from Templates">
+        ![create policy](../../images/platform/mfa/entra/mfa_entra_create_policy.png)
+    </Step>
+    <Step title="Select Require MFA for All Users and Tap on Review + Create">
+        ![require MFA and review policy](../../images/platform/mfa/entra/mfa_entra_review_policy.png)
+        <Note>
+            By default all users except the configuring admin will be setup to require MFA.
+            Microsoft encourages keeping at least one admin excluded from MFA to prevent accidental lockout.
+        </Note>
+    </Step>
+    <Step title="Set Policy State to Enabled and Tap on Create">
+        ![enable policy and confirm](../../images/platform/mfa/entra/mfa_entra_confirm_policy.png)
+    </Step>
+    <Step title="MFA is now Required When Accessing Infisical">
+        ![mfa login](../../images/platform/mfa/entra/mfa_entra_login.png)
+        <Note>
+            If users have not setup MFA for Entra / Azure they will be prompted to do so at this time.
+        </Note>
+    </Step>
+</Steps>
--- a/docs/documentation/platform/sso/azure.mdx
+++ b/docs/documentation/platform/sso/azure.mdx
@@ -116,3 +116,7 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."
   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
   - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
 </Note>
+
+<Note>
+   If you'd like to require Multi-factor Authentication for your team members to access Infisical check out our [Entra ID / Azure AD MFA](../mfa#entra-id-azure-ad-mfa) guide.
+</Note>
--- a/docs/documentation/platform/token.mdx
+++ b/docs/documentation/platform/token.mdx
@@ -3,13 +3,6 @@ title: "Service Token"
 description: "Infisical service tokens allow users to programmatically interact with Infisical."
 ---

-<Warning>
-  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-</Warning>
-
 Service tokens are authentication credentials that services can use to access designated endpoints in the Infisical API to manage project resources like secrets.
 Each service token can be provisioned scoped access to select environment(s) and path(s) within them.

--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-assignments.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-assignments.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-client-secret.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-client-secret.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-permission.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-add-permission.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-admin-consent.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-admin-consent.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-copy-app-id.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-copy-app-id.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-lease.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-lease.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-modal.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-modal.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-new-registration.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-new-registration.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-select-graph.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-select-graph.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-select-perms.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-select-perms.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-show-more.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-show-more.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-tenant-id.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-tenant-id.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-ad-user-admin.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-ad-user-admin.png
--- a/docs/images/platform/mfa/entra/mfa_entra_conditional_access.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_conditional_access.png
--- a/docs/images/platform/mfa/entra/mfa_entra_confirm_policy.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_confirm_policy.png
--- a/docs/images/platform/mfa/entra/mfa_entra_create_policy.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_create_policy.png
--- a/docs/images/platform/mfa/entra/mfa_entra_infisical_app.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_infisical_app.png
--- a/docs/images/platform/mfa/entra/mfa_entra_login.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_login.png
--- a/docs/images/platform/mfa/entra/mfa_entra_review_policy.png
+++ b/docs/images/platform/mfa/entra/mfa_entra_review_policy.png
--- a/docs/integrations/cicd/jenkins.mdx
+++ b/docs/integrations/cicd/jenkins.mdx
@@ -138,16 +138,9 @@ Prerequisites:

  </Tab>

-  <Tab title="Using CLI with Service Tokens (Deprecated)">
+  <Tab title="Using CLI with Service Tokens">
    ## Add Infisical Service Token to Jenkins

-  <Warning>
-    Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-    They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-    **Please use our Jenkins Plugin instead!**
-  </Warning>
-
    After setting up your project in Infisical and installing the Infisical CLI to the environment where your Jenkins builds will run, you will need to add the Infisical Service Token to Jenkins.

    To generate a Infisical service token, follow the guide [here](/documentation/platform/token).
--- a/docs/integrations/cloud/aws-amplify.mdx
+++ b/docs/integrations/cloud/aws-amplify.mdx
@@ -62,12 +62,6 @@ This approach enables you to fetch secrets from Infisical during Amplify build t
  </Tab>

  <Tab title="Service Token (Deprecated)">
-    
-    <Warning>
-      Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-      They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-    </Warning>

    <Steps>
      <Step title="Generate a service token">
--- a/docs/integrations/platforms/docker-compose.mdx
+++ b/docs/integrations/platforms/docker-compose.mdx
@@ -63,14 +63,7 @@ Follow this [guide](./docker) to configure the Infisical CLI for each service th
    ```

  </Tab>
-  <Tab title="Service Token (Deprecated)">
-
-  <Warning>
-  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-  </Warning>
+  <Tab title="Service Token">

    ## Generate service token
    Generate a unique [Service Token](/documentation/platform/token) for each service.
--- a/docs/integrations/platforms/docker.mdx
+++ b/docs/integrations/platforms/docker.mdx
@@ -83,12 +83,6 @@ CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm r

 </Tab>
 <Tab title="Service Token (Deprecated)">
-  <Warning>
-Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-</Warning>
 ```dockerfile
 CMD ["infisical", "run", "--", "[your service start command]"]

--- a/docs/integrations/platforms/kubernetes.mdx
+++ b/docs/integrations/platforms/kubernetes.mdx
@@ -587,12 +587,6 @@ spec:
 </Accordion>

 <Accordion title="authentication.serviceToken">
-  <Warning>
-  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-  </Warning>

 The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token.
 Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
--- a/docs/internals/service-tokens.mdx
+++ b/docs/internals/service-tokens.mdx
@@ -2,13 +2,6 @@
 title: "Service tokens"
 description: "Understanding service tokens and their best practices."
 ---
-
-<Warning>
-  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
-
-They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
-
-</Warning>

 Many clients use service tokens to authenticate and read/write secrets from/to Infisical; they can be created in your project settings.

--- a/docs/mint.json
+++ b/docs/mint.json
@@ -167,7 +167,8 @@
            "documentation/platform/dynamic-secrets/rabbit-mq",
            "documentation/platform/dynamic-secrets/aws-iam",
            "documentation/platform/dynamic-secrets/mongo-atlas",
-            "documentation/platform/dynamic-secrets/mongo-db"
+            "documentation/platform/dynamic-secrets/mongo-db",
+            "documentation/platform/dynamic-secrets/azure-entra-id"
          ]
        },
        {
--- a/frontend/src/components/features/FormLabelToolTip.tsx
+++ b/frontend/src/components/features/FormLabelToolTip.tsx
@@ -0,0 +1,36 @@
+import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { FormLabel, Tooltip } from "../v2";
+
+// To give users example of possible values of TTL
+export const FormLabelToolTip = ({ label, linkToMore, content }: { label: string, linkToMore: string, content: string }) => (
+  <div>
+    <FormLabel
+      label={label}
+      icon={
+        <Tooltip
+          content={
+            <span>
+              {content}{" "}
+              <a
+                href={linkToMore}
+                target="_blank"
+                rel="noopener noreferrer"
+                className="text-primary-700"
+              >
+                More
+              </a>
+            </span>
+          }
+        >
+          <FontAwesomeIcon
+            icon={faQuestionCircle}
+            size="sm"
+            className="relative bottom-1 right-1"
+          />
+        </Tooltip>
+      }
+    />
+  </div>
+);
--- a/frontend/src/components/features/TtlFormLabel.tsx
+++ b/frontend/src/components/features/TtlFormLabel.tsx
@@ -1,36 +1,12 @@
-import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-
-import { FormLabel, Tooltip } from "../v2";
+import { FormLabelToolTip } from "./FormLabelToolTip";

 // To give users example of possible values of TTL
 export const TtlFormLabel = ({ label }: { label: string }) => (
  <div>
-    <FormLabel
+    <FormLabelToolTip
      label={label}
-      icon={
-        <Tooltip
-          content={
-            <span>
-              1m, 2h, 3d.{" "}
-              <a
-                href="https://github.com/vercel/ms?tab=readme-ov-file#examples"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-primary-700"
-              >
-                More
-              </a>
-            </span>
-          }
-        >
-          <FontAwesomeIcon
-            icon={faQuestionCircle}
-            size="sm"
-            className="relative bottom-1 right-1"
-          />
-        </Tooltip>
-      }
+      content="1m, 2h, 3d. "
+      linkToMore="https://github.com/vercel/ms?tab=readme-ov-file#examples"
    />
  </div>
 );
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sheen Capadngan	59f3581370	misc: made it specific for cloud	2024-09-25 00:31:13 +08:00
Sheen Capadngan	ccae63936c	misc: added maintenance notice to audit log page and handled project auto-select	2024-09-25 00:27:36 +08:00
Daniel Hougaard	50b51f1810	Merge pull request #2475 from Infisical/daniel/prefix-secret-folders fix(folders-api): prefix paths	2024-09-24 17:30:47 +04:00
Daniel Hougaard	5964976e47	fix(folders-api): prefix paths	2024-09-24 15:49:27 +04:00
Daniel Hougaard	677a87150b	Merge pull request #2474 from meetcshah19/meet/fix-group-fetch fix: group fetch using project id	2024-09-24 01:01:58 +04:00
Meet	2469c8d0c6	fix: group listing using project id	2024-09-24 02:24:37 +05:30
Maidul Islam	dafb89d1dd	Merge pull request #2473 from scott-ray-wilson/project-upgrade-banner-revision Improvement: Project Upgrade Banner Revisions	2024-09-23 15:48:02 -04:00
Scott Wilson	8da01445e5	improvement: revise project upgrade banner to refer to secret engine version, state that upgrading is free and use lighter text for improved legibility	2024-09-23 12:36:10 -07:00
Maidul Islam	6b2273d314	update message	2024-09-23 15:32:11 -04:00
Maidul Islam	b886e66ee9	Remove service token notice	2024-09-23 15:25:36 -04:00
Scott Wilson	3afcb19727	Merge pull request #2464 from scott-ray-wilson/entra-mfa-docs Docs: Microsoft Entra ID / Azure AD MFA	2024-09-23 12:10:38 -07:00
Meet Shah	06d2480f30	Merge pull request #2472 from meetcshah19/meet/fix-create-policy-ui fix: group selection on create policy	2024-09-23 23:02:22 +05:30
Meet	fd7d8ddf2d	fix: group selection on create policy	2024-09-23 20:59:05 +05:30
Maidul Islam	1dc0f4e5b8	Merge pull request #2431 from Infisical/misc/terraform-project-group-prereq misc: setup prerequisites for terraform project group	2024-09-23 11:21:46 -04:00
Maidul Islam	fa64a88c24	Merge pull request #2470 from akhilmhdh/fix/inline-reference-permission feat: added validation check for secret references made in v2 engine	2024-09-23 10:07:07 -04:00
Meet Shah	385ec05e57	Merge pull request #2458 from meetcshah19/meet/eng-1443-add-groups-as-eligible-approvers feat: allow access approvals with user groups	2024-09-23 19:14:52 +05:30
Meet	3a38e1e413	chore: refactor	2024-09-23 19:04:57 +05:30
=	7f04e9e97d	feat: added validation check for secret references made in v2 engine	2024-09-23 16:29:01 +05:30
Sheen Capadngan	839f0c7e1c	misc: moved the rest of project group methods to IDs	2024-09-23 17:59:10 +08:00
Sheen Capadngan	2352e29902	Merge remote-tracking branch 'origin/main' into misc/terraform-project-group-prereq	2024-09-23 15:09:56 +08:00
Meet	fcbc7fcece	chore: fix test	2024-09-23 10:53:58 +05:30
Meet	c2252c65a4	chore: lint fix	2024-09-23 10:30:49 +05:30
Meet	e150673de4	chore: Refactor and remove new tables	2024-09-23 10:26:58 +05:30
Maidul Islam	4f5c49a529	Merge pull request #2467 from akhilmhdh/fix/scim-enform-org-invite feat: moved check for org invite specifc operation inside the creation if	2024-09-22 11:48:24 -04:00
Maidul Islam	7107089ad3	update var name	2024-09-22 15:44:07 +00:00
=	967818f57d	feat: moved check for org invite specifc operation inside the creation if	2024-09-22 18:42:20 +05:30
Sheen Capadngan	02111c2dc2	misc: moved to group project v3 for get with ID based	2024-09-22 19:46:36 +08:00
Scott Wilson	ebea74b607	fix: address capitalization	2024-09-21 19:41:58 -07:00
Scott Wilson	5bbe5421bf	docs: add images	2024-09-20 17:32:14 -07:00
Scott Wilson	279289989f	docs: add entra / azure mfa docs	2024-09-20 17:31:32 -07:00
Daniel Hougaard	bb4a16cf7c	Merge pull request #2448 from Infisical/daniel/org-level-audit-logs feat(audit-logs): moved audit logs to organization-level	2024-09-21 02:54:06 +04:00
Maidul Islam	309db49f1b	Merge pull request #2451 from scott-ray-wilson/secrets-pagination-ss Feature: Server-side Pagination for Secrets Overview and Main Pages	2024-09-20 15:38:29 -04:00
Scott Wilson	62a582ef17	Merge pull request #2459 from Infisical/daniel/better-next-error feat: next.js error boundary	2024-09-20 12:23:12 -07:00
Scott Wilson	d6b389760d	chore: resolve merge conflict	2024-09-20 12:20:13 -07:00
Daniel Hougaard	bd4deb02b0	feat: added error boundary	2024-09-20 23:17:09 +04:00
Daniel Hougaard	449e7672f9	Requested changes	2024-09-20 23:08:20 +04:00
Daniel Hougaard	31ff6d3c17	Cleanup	2024-09-20 23:08:20 +04:00
Daniel Hougaard	cfcc32271f	Update project-router.ts	2024-09-20 23:08:20 +04:00
Daniel Hougaard	e2ea84f28a	Update project-router.ts	2024-09-20 23:08:20 +04:00
Daniel Hougaard	6885ef2e54	docs(api-reference): updated audit log endpoint	2024-09-20 23:08:20 +04:00
Daniel Hougaard	8fa9f476e3	fix: allow org members to read audit logs	2024-09-20 23:08:20 +04:00
Daniel Hougaard	1cf8d1e3fa	Fix: Added missing event cases	2024-09-20 23:07:53 +04:00
Daniel Hougaard	9f61177b62	feat: project-independent log support	2024-09-20 23:07:53 +04:00
Daniel Hougaard	59b8e83476	updated imports	2024-09-20 23:07:53 +04:00
Daniel Hougaard	eee4d00a08	fix: removed audit logs from project-level	2024-09-20 23:07:53 +04:00
Daniel Hougaard	51c0598b50	feat: audit log permissions	2024-09-20 23:07:53 +04:00
Daniel Hougaard	69311f058b	Update BackfillSecretReferenceSection.tsx	2024-09-20 23:07:52 +04:00
Daniel Hougaard	0f70c3ea9a	Moved audit logs to org-level entirely	2024-09-20 23:07:52 +04:00
Daniel Hougaard	b5660c87a0	feat(dashboard): organization-level audit logs	2024-09-20 23:07:52 +04:00
Daniel Hougaard	2a686e65cd	feat: added error boundary	2024-09-20 23:05:23 +04:00
Scott Wilson	2bb0386220	improvements: address change requests	2024-09-20 11:52:25 -07:00
Scott Wilson	526605a0bb	fix: remove container class to keep project upgrade card centered	2024-09-20 11:52:25 -07:00
Daniel Hougaard	5b9903a226	Merge pull request #2455 from Infisical/daniel/emails-on-sync-failed feat(integrations): email when integration sync fails	2024-09-20 22:52:15 +04:00
Daniel Hougaard	3fc60bf596	Update keystore.ts	2024-09-20 22:29:44 +04:00
Meet Shah	7815d6538f	Merge pull request #2442 from meetcshah19/meet/eng-1495-dynamic-secrets-with-ad feat: Add dynamic secrets for Azure Entra ID	2024-09-20 23:51:45 +05:30
Daniel Hougaard	4c4d525655	fix: moved away from keystore since its not needed	2024-09-20 22:20:32 +04:00
Daniel Hougaard	e44213a8a9	feat: added error boundary	2024-09-20 21:29:03 +04:00
Maidul Islam	e87656631c	update upgrade message	2024-09-20 12:56:49 -04:00
Daniel Hougaard	e102ccf9f0	Merge pull request #2462 from Infisical/daniel/node-docs-redirect docs: redirect node docs to new sdk	2024-09-20 20:00:20 +04:00
Maidul Islam	8a10af9b62	Merge pull request #2461 from Infisical/misc/removed-teams-from-cloud-plans misc: removed teams from cloud plans	2024-09-20 11:15:14 -04:00
Sheen Capadngan	18308950d1	misc: removed teams from cloud plans	2024-09-20 22:48:41 +08:00
Scott Wilson	86a9676a9c	fix: invalidate workspace query after project upgrade	2024-09-20 05:34:01 -07:00
Scott Wilson	aa12a71ff3	fix: correct secret import count by filtering replicas	2024-09-20 05:24:05 -07:00
Daniel Hougaard	aee46d1902	cleanup	2024-09-20 15:17:20 +04:00
Daniel Hougaard	279a1791f6	feat: added error boundary	2024-09-20 15:16:19 +04:00
Sheen Capadngan	8d71b295ea	misc: add copy group ID to clipboard	2024-09-20 17:24:46 +08:00
Sheen Capadngan	f72cedae10	misc: added groups endpoint	2024-09-20 16:24:22 +08:00
Meet	864cf23416	chore: Fix types	2024-09-20 12:31:34 +05:30
Meet	10574bfe26	chore: Refactor and improve UI	2024-09-20 12:29:26 +05:30
Sheen Capadngan	02085ce902	fix: addressed overlooked update	2024-09-20 14:45:43 +08:00
Sheen Capadngan	4eeea0b27c	misc: added endpoint for fetching group details by ID	2024-09-20 14:05:22 +08:00
Sheen Capadngan	93b7f56337	misc: migrated groups API to use ids instead of slug	2024-09-20 13:30:38 +08:00
Meet	12ecefa832	chore: remove logs	2024-09-20 09:31:18 +05:30
Meet	dd9a00679d	chore: fix type	2024-09-20 09:03:43 +05:30
Meet	081502848d	feat: allow secret approvals with user groups	2024-09-20 08:51:48 +05:30
Scott Wilson	0fa9fa20bc	improvement: update project upgrade text	2024-09-19 19:41:55 -07:00
Scott Wilson	0a1f25a659	fix: hide pagination if table empty and add optional chaining operator to fix invalid imports	2024-09-19 19:28:09 -07:00
Scott Wilson	bc74c44f97	refactor: move overview resource env determination logic to the client side to preserve ordering of resources	2024-09-19 16:36:11 -07:00
Daniel Hougaard	c50e325f53	feat: added error boundary	2024-09-20 01:29:01 +04:00
Daniel Hougaard	0225e6fabb	feat: added error boundary	2024-09-20 01:20:54 +04:00
Daniel Hougaard	3caa46ade8	feat: added error boundary	2024-09-20 01:19:10 +04:00
Daniel Hougaard	998bbe92f7	feat: failed integration sync emails debouncer	2024-09-20 00:07:09 +04:00
Meet	009be0ded8	feat: allow access approvals with user groups	2024-09-20 01:24:30 +05:30
Daniel Hougaard	c9f6207e32	fix: bundle integration emails by secret path	2024-09-19 21:19:41 +04:00
Daniel Hougaard	0564d06923	feat(integrations): email when integration sync fails	2024-09-19 17:35:52 +04:00
Scott Wilson	d0656358a2	feature: server-side pagination/filtering/sorting for secrets overview and main pages	2024-09-18 21:17:48 -07:00
Meet	040fa511f6	feat: add docs	2024-09-19 07:49:39 +05:30
Meet	75099f159f	feat: switch to custom app installation flow	2024-09-19 07:35:23 +05:30
Meet	e4a83ad2e2	feat: add docs	2024-09-19 06:09:46 +05:30
Meet	760f9d487c	chore: UI improvements	2024-09-19 01:23:24 +05:30
Meet	a02e73e2a4	chore: refactor frontend and UI improvements	2024-09-19 01:01:18 +05:30
Sheen Capadngan	fbebeaf38f	misc: added rate limiter	2024-09-19 01:08:11 +08:00
Sheen Capadngan	97245c740e	misc: added as least as privileged check to update	2024-09-19 01:05:31 +08:00
Sheen Capadngan	5a40b5a1cf	Merge branch 'misc/terraform-project-group-prereq' of https://github.com/Infisical/infisical into misc/terraform-project-group-prereq	2024-09-18 14:43:59 +08:00
Sheen Capadngan	19e4a6de4d	misc: added helpful error message	2024-09-18 14:43:25 +08:00
Maidul Islam	0daca059c7	fix small typo	2024-09-17 20:53:23 -04:00
Meet	0fd193f8e0	chore: Remove unused import	2024-09-18 01:40:37 +05:30
Meet	342c713805	feat: Add callback and edit dynamic secret for Azure Entra ID	2024-09-18 01:33:04 +05:30
Sheen Capadngan	613b97c93d	misc: added handling of not found group membership	2024-09-18 00:29:50 +08:00
Sheen Capadngan	335f3f7d37	misc: removed hacky approach	2024-09-17 18:52:30 +08:00
Meet	b3f0d36ddc	feat: Add dynamic secrets for Azure Entra ID	2024-09-17 10:29:19 +05:30
Sheen Capadngan	dbb8617180	misc: setup prerequisites for terraform project group	2024-09-16 02:12:24 +08:00