Fix: Delete access approval requests

Fix: Migration timestamps and cleanup
Fix: Fixed migration timestamp to match main
2025-07-02 16:55:02 +00:00 · 2024-05-06 10:08:04 +02:00 · 2024-05-04 08:01:45 +02:00 · 2024-05-04 07:53:22 +02:00 · 2024-05-04 07:41:49 +02:00 · 2024-05-04 07:41:44 +02:00
515 changed files with 18171 additions and 14972 deletions
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -74,21 +74,21 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
          wait-for-service-stability: true

  production-postgres-deployment:
@ -122,19 +122,19 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
          wait-for-service-stability: true
--- a/.github/workflows/update-be-new-migration-latest-timestamp.yml
+++ b/.github/workflows/update-be-new-migration-latest-timestamp.yml
@ -38,16 +38,6 @@ jobs:
          rm added_files.txt
          git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"

-      - name: Get PR details
-        id: pr_details
-        run: |
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
-          
-          echo "PR Number: $PR_NUMBER"
-          echo "PR Merger: $PR_MERGER"
-          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
-
      - name: Create Pull Request
        if: env.SKIP_RENAME != 'true'
        uses: peter-evans/create-pull-request@v6
@ -56,4 +46,3 @@ jobs:
          commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
          title: 'GH Action: rename new migration file timestamp'
          branch-suffix: timestamp
-          reviewers: ${{ steps.pr_details.outputs.pr_merger }}
--- a/.infisicalignore
+++ b/.infisicalignore
@ -3,5 +3,4 @@ frontend/src/views/Project/MembersPage/components/IdentityTab/components/Identit
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
-docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -95,13 +95,11 @@
    "axios": "^1.6.7",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
-    "bullmq": "^5.4.2",
+    "bullmq": "^5.3.3",
    "cassandra-driver": "^4.7.2",
    "dotenv": "^16.4.1",
    "fastify": "^4.26.0",
    "fastify-plugin": "^4.5.1",
-    "google-auth-library": "^9.9.0",
-    "googleapis": "^137.1.0",
    "handlebars": "^4.7.8",
    "ioredis": "^5.3.2",
    "jmespath": "^0.16.0",
@ -112,7 +110,7 @@
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
    "ms": "^2.1.3",
-    "mysql2": "^3.9.7",
+    "mysql2": "^3.9.4",
    "nanoid": "^5.0.4",
    "nodemailer": "^6.9.9",
    "ora": "^7.0.1",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -32,10 +32,6 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
-import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@ -119,10 +115,6 @@ declare module "fastify" {
      identityAccessToken: TIdentityAccessTokenServiceFactory;
      identityProject: TIdentityProjectServiceFactory;
      identityUa: TIdentityUaServiceFactory;
-      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
-      identityGcpAuth: TIdentityGcpAuthServiceFactory;
-      identityAwsAuth: TIdentityAwsAuthServiceFactory;
-      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -50,6 +50,9 @@ import {
  TGroupProjectMemberships,
  TGroupProjectMembershipsInsert,
  TGroupProjectMembershipsUpdate,
+  TGroupProjectUserAdditionalPrivilege,
+  TGroupProjectUserAdditionalPrivilegeInsert,
+  TGroupProjectUserAdditionalPrivilegeUpdate,
  TGroups,
  TGroupsInsert,
  TGroupsUpdate,
@ -59,18 +62,6 @@ import {
  TIdentityAccessTokens,
  TIdentityAccessTokensInsert,
  TIdentityAccessTokensUpdate,
-  TIdentityAwsAuths,
-  TIdentityAwsAuthsInsert,
-  TIdentityAwsAuthsUpdate,
-  TIdentityAzureAuths,
-  TIdentityAzureAuthsInsert,
-  TIdentityAzureAuthsUpdate,
-  TIdentityGcpAuths,
-  TIdentityGcpAuthsInsert,
-  TIdentityGcpAuthsUpdate,
-  TIdentityKubernetesAuths,
-  TIdentityKubernetesAuthsInsert,
-  TIdentityKubernetesAuthsUpdate,
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
@ -237,7 +228,6 @@ import {
  TWebhooksInsert,
  TWebhooksUpdate
 } from "@app/db/schemas";
-import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";

 declare module "knex/types/tables" {
  interface Tables {
@ -303,6 +293,11 @@ declare module "knex/types/tables" {
      TProjectUserMembershipRolesInsert,
      TProjectUserMembershipRolesUpdate
    >;
+    [TableName.GroupProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
+      TGroupProjectUserAdditionalPrivilege,
+      TGroupProjectUserAdditionalPrivilegeInsert,
+      TGroupProjectUserAdditionalPrivilegeUpdate
+    >;
    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
    [TableName.ProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
      TProjectUserAdditionalPrivilege,
@ -311,11 +306,6 @@ declare module "knex/types/tables" {
    >;
    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretReference]: Knex.CompositeTableType<
-      TSecretReferences,
-      TSecretReferencesInsert,
-      TSecretReferencesUpdate
-    >;
    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
      TSecretBlindIndexes,
      TSecretBlindIndexesInsert,
@ -344,26 +334,6 @@ declare module "knex/types/tables" {
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
-    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
-      TIdentityKubernetesAuths,
-      TIdentityKubernetesAuthsInsert,
-      TIdentityKubernetesAuthsUpdate
-    >;
-    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
-      TIdentityGcpAuths,
-      TIdentityGcpAuthsInsert,
-      TIdentityGcpAuthsUpdate
-    >;
-    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
-      TIdentityAwsAuths,
-      TIdentityAwsAuthsInsert,
-      TIdentityAwsAuthsUpdate
-    >;
-    [TableName.IdentityAzureAuth]: Knex.CompositeTableType<
-      TIdentityAzureAuths,
-      TIdentityAzureAuthsInsert,
-      TIdentityAzureAuthsUpdate
-    >;
    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
--- a/backend/src/db/migrations/20240503201144_access-approval-policy.ts
+++ b/backend/src/db/migrations/20240503201144_access-approval-policy.ts
@ -9,9 +9,8 @@ export async function up(knex: Knex): Promise<void> {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name").notNullable();
      t.integer("approvals").defaultTo(1).notNullable();
-      t.string("secretPath");
-
      t.uuid("envId").notNullable();
+      t.string("secretPath");
      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
@ -21,8 +20,9 @@ export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("approverId").notNullable();
-      t.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      t.uuid("approverUserId").nullable();
+      t.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");

      t.uuid("policyId").notNullable();
      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
--- a/backend/src/db/migrations/20240503202144_group-project-user-additional-privilege.ts
+++ b/backend/src/db/migrations/20240503202144_group-project-user-additional-privilege.ts
@ -0,0 +1,37 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.GroupProjectUserAdditionalPrivilege))) {
+    await knex.schema.createTable(TableName.GroupProjectUserAdditionalPrivilege, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("slug", 60).notNullable();
+
+      t.uuid("groupProjectMembershipId").notNullable();
+      t.foreign("groupProjectMembershipId")
+        .references("id")
+        .inTable(TableName.GroupProjectMembership)
+        .onDelete("CASCADE");
+
+      t.uuid("requestedByUserId").notNullable();
+      t.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.jsonb("permissions").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.GroupProjectUserAdditionalPrivilege);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.GroupProjectUserAdditionalPrivilege);
+  await knex.schema.dropTableIfExists(TableName.GroupProjectUserAdditionalPrivilege);
+}
--- a/backend/src/db/migrations/20240503203144_access_approval_requests.ts
+++ b/backend/src/db/migrations/20240503203144_access_approval_requests.ts
@ -11,11 +11,26 @@ export async function up(knex: Knex): Promise<void> {
      t.uuid("policyId").notNullable();
      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");

-      t.uuid("privilegeId").nullable();
-      t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+      t.uuid("projectUserPrivilegeId").nullable();
+      t.foreign("projectUserPrivilegeId")
+        .references("id")
+        .inTable(TableName.ProjectUserAdditionalPrivilege)
+        .onDelete("CASCADE");

-      t.uuid("requestedBy").notNullable();
-      t.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      t.uuid("groupProjectUserPrivilegeId").nullable();
+      t.foreign("groupProjectUserPrivilegeId")
+        .references("id")
+        .inTable(TableName.GroupProjectUserAdditionalPrivilege)
+        .onDelete("CASCADE");
+
+      t.uuid("requestedByUserId").notNullable();
+      t.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.uuid("projectMembershipId").nullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      t.uuid("groupMembershipId").nullable();
+      t.foreign("groupMembershipId").references("id").inTable(TableName.GroupProjectMembership).onDelete("CASCADE");

      // We use these values to create the actual privilege at a later point in time.
      t.boolean("isTemporary").notNullable();
@ -31,14 +46,17 @@ export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("member").notNullable();
-      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      t.uuid("memberUserId").notNullable();
+      t.foreign("memberUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
      t.string("status").notNullable();
      t.uuid("requestId").notNullable();
      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
  }
+
  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
 }

--- a/backend/src/db/migrations/20240503204144_fix-db-reference-for-groups-and-project-memberships.ts
+++ b/backend/src/db/migrations/20240503204144_fix-db-reference-for-groups-and-project-memberships.ts
@ -0,0 +1,71 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // SecretApprovalPolicyApprover, approverUserId
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (t) => {
+      t.uuid("approverId").nullable().alter();
+
+      t.uuid("approverUserId").nullable();
+      t.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+
+  // SecretApprovalRequest, statusChangeByUserId
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeByUserId"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      t.uuid("statusChangeBy").nullable().alter();
+
+      t.uuid("statusChangeByUserId").nullable();
+      t.foreign("statusChangeByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+  }
+
+  // SecretApprovalRequest, committerUserId
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      t.uuid("committerId").nullable().alter();
+
+      t.uuid("committerUserId").nullable();
+      t.foreign("committerUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+
+  // SecretApprovalRequestReviewer, memberUserId
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "memberUserId"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.uuid("member").nullable().alter();
+
+      t.uuid("memberUserId").nullable();
+      t.foreign("memberUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (t) => {
+      t.dropColumn("approverUserId");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeByUserId")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      t.dropColumn("statusChangeByUserId");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      t.dropColumn("committerUserId");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "memberUserId")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.dropColumn("memberUserId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts
+++ b/backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts
@ -1,54 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isUsersTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (isUsersTablePresent) {
-    const hasIsEmailVerifiedColumn = await knex.schema.hasColumn(TableName.Users, "isEmailVerified");
-
-    if (!hasIsEmailVerifiedColumn) {
-      await knex.schema.alterTable(TableName.Users, (t) => {
-        t.boolean("isEmailVerified").defaultTo(false);
-      });
-    }
-
-    // Backfilling the isEmailVerified to true where isAccepted is true
-    await knex(TableName.Users).update({ isEmailVerified: true }).where("isAccepted", true);
-  }
-
-  const isUserAliasTablePresent = await knex.schema.hasTable(TableName.UserAliases);
-  if (isUserAliasTablePresent) {
-    await knex.schema.alterTable(TableName.UserAliases, (t) => {
-      t.string("username").nullable().alter();
-    });
-  }
-
-  const isSuperAdminTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (isSuperAdminTablePresent) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.boolean("trustSamlEmails").defaultTo(false);
-      t.boolean("trustLdapEmails").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Users, "isEmailVerified")) {
-    await knex.schema.alterTable(TableName.Users, (t) => {
-      t.dropColumn("isEmailVerified");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustSamlEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustSamlEmails");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustLdapEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustLdapEmails");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240507210655_identity-aws-auth.ts
+++ b/backend/src/db/migrations/20240507210655_identity-aws-auth.ts
@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("stsEndpoint").notNullable();
-      t.string("allowedPrincipalArns").notNullable();
-      t.string("allowedAccountIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}
--- a/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
+++ b/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
-    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("allowedServiceAccounts").notNullable();
-      t.string("allowedProjects").notNullable();
-      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}
--- a/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
+++ b/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
-    await knex.schema.createTable(TableName.SecretReference, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("environment").notNullable();
-      t.string("secretPath").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretReference);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretReference);
-  await dropOnUpdateTrigger(knex, TableName.SecretReference);
-}
--- a/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
+++ b/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
-    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("kubernetesHost").notNullable();
-      t.text("encryptedCaCert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.text("encryptedTokenReviewerJwt").notNullable();
-      t.string("tokenReviewerJwtIV").notNullable();
-      t.string("tokenReviewerJwtTag").notNullable();
-      t.string("allowedNamespaces").notNullable();
-      t.string("allowedNames").notNullable();
-      t.string("allowedAudience").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}
--- a/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
+++ b/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (!hasIsSyncedColumn) {
-      t.boolean("isSynced").nullable();
-    }
-
-    if (!hasSyncMessageColumn) {
-      t.text("syncMessage").nullable();
-    }
-
-    if (!hasLastSyncJobId) {
-      t.string("lastSyncJobId").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (hasIsSyncedColumn) {
-      t.dropColumn("isSynced");
-    }
-
-    if (hasSyncMessageColumn) {
-      t.dropColumn("syncMessage");
-    }
-
-    if (hasLastSyncJobId) {
-      t.dropColumn("lastSyncJobId");
-    }
-  });
-}
--- a/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
+++ b/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.index("projectId");
-      if (doesOrgIdExist) t.index("orgId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.dropIndex("projectId");
-      if (doesOrgIdExist) t.dropIndex("orgId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
+++ b/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
+++ b/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
+++ b/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
-    });
-  }
-}
--- a/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
+++ b/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.index("expiresAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.dropIndex("expiresAt");
-    });
-  }
-}
--- a/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
+++ b/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
-    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("tenantId").notNullable();
-      t.string("resource").notNullable();
-      t.string("allowedServicePrincipalIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -9,7 +9,7 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalPoliciesApproversSchema = z.object({
  id: z.string().uuid(),
-  approverId: z.string().uuid(),
+  approverUserId: z.string().uuid().nullable().optional(),
  policyId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -11,8 +11,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
  envId: z.string().uuid(),
+  secretPath: z.string().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
--- a/backend/src/db/schemas/access-approval-requests-reviewers.ts
+++ b/backend/src/db/schemas/access-approval-requests-reviewers.ts
@ -9,7 +9,7 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalRequestsReviewersSchema = z.object({
  id: z.string().uuid(),
-  member: z.string().uuid(),
+  memberUserId: z.string().uuid(),
  status: z.string(),
  requestId: z.string().uuid(),
  createdAt: z.date(),
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@ -10,8 +10,11 @@ import { TImmutableDBKeys } from "./models";
 export const AccessApprovalRequestsSchema = z.object({
  id: z.string().uuid(),
  policyId: z.string().uuid(),
-  privilegeId: z.string().uuid().nullable().optional(),
-  requestedBy: z.string().uuid(),
+  projectUserPrivilegeId: z.string().uuid().nullable().optional(),
+  groupProjectUserPrivilegeId: z.string().uuid().nullable().optional(),
+  requestedByUserId: z.string().uuid(),
+  projectMembershipId: z.string().uuid().nullable().optional(),
+  groupMembershipId: z.string().uuid().nullable().optional(),
  isTemporary: z.boolean(),
  temporaryRange: z.string().nullable().optional(),
  permissions: z.unknown(),
--- a/backend/src/db/schemas/group-project-user-additional-privilege.ts
+++ b/backend/src/db/schemas/group-project-user-additional-privilege.ts
@ -0,0 +1,32 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupProjectUserAdditionalPrivilegeSchema = z.object({
+  id: z.string().uuid(),
+  slug: z.string(),
+  groupProjectMembershipId: z.string().uuid(),
+  requestedByUserId: z.string().uuid(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroupProjectUserAdditionalPrivilege = z.infer<typeof GroupProjectUserAdditionalPrivilegeSchema>;
+export type TGroupProjectUserAdditionalPrivilegeInsert = Omit<
+  z.input<typeof GroupProjectUserAdditionalPrivilegeSchema>,
+  TImmutableDBKeys
+>;
+export type TGroupProjectUserAdditionalPrivilegeUpdate = Partial<
+  Omit<z.input<typeof GroupProjectUserAdditionalPrivilegeSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/identity-aws-auths.ts
+++ b/backend/src/db/schemas/identity-aws-auths.ts
@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAwsAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  stsEndpoint: z.string(),
-  allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
-});
-
-export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
-export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-azure-auths.ts
+++ b/backend/src/db/schemas/identity-azure-auths.ts
@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAzureAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  tenantId: z.string(),
-  resource: z.string(),
-  allowedServicePrincipalIds: z.string()
-});
-
-export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;
-export type TIdentityAzureAuthsInsert = Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAzureAuthsUpdate = Partial<Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-gcp-auths.ts
+++ b/backend/src/db/schemas/identity-gcp-auths.ts
@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityGcpAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  allowedServiceAccounts: z.string(),
-  allowedProjects: z.string(),
-  allowedZones: z.string()
-});
-
-export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
-export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-kubernetes-auths.ts
+++ b/backend/src/db/schemas/identity-kubernetes-auths.ts
@ -1,35 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityKubernetesAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  kubernetesHost: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  encryptedTokenReviewerJwt: z.string(),
-  tokenReviewerJwtIV: z.string(),
-  tokenReviewerJwtTag: z.string(),
-  allowedNamespaces: z.string(),
-  allowedNames: z.string(),
-  allowedAudience: z.string()
-});
-
-export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
-export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityKubernetesAuthsUpdate = Partial<
-  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -14,13 +14,10 @@ export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
 export * from "./group-project-memberships";
+export * from "./group-project-user-additional-privilege";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-auths";
-export * from "./identity-azure-auths";
-export * from "./identity-gcp-auths";
-export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
--- a/backend/src/db/schemas/integrations.ts
+++ b/backend/src/db/schemas/integrations.ts
@ -28,10 +28,7 @@ export const IntegrationsSchema = z.object({
  secretPath: z.string().default("/"),
  createdAt: z.date(),
  updatedAt: z.date(),
-  lastUsed: z.date().nullable().optional(),
-  isSynced: z.boolean().nullable().optional(),
-  syncMessage: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional()
+  lastUsed: z.date().nullable().optional()
 });

 export type TIntegrations = z.infer<typeof IntegrationsSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -25,10 +25,10 @@ export enum TableName {
  ProjectMembership = "project_memberships",
  ProjectRoles = "project_roles",
  ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
+  GroupProjectUserAdditionalPrivilege = "group_project_user_additional_privilege",
  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  Secret = "secrets",
-  SecretReference = "secret_references",
  SecretBlindIndex = "secret_blind_indexes",
  SecretVersion = "secret_versions",
  SecretFolder = "secret_folders",
@ -45,11 +45,7 @@ export enum TableName {
  Identity = "identities",
  IdentityAccessToken = "identity_access_tokens",
  IdentityUniversalAuth = "identity_universal_auths",
-  IdentityKubernetesAuth = "identity_kubernetes_auths",
-  IdentityGcpAuth = "identity_gcp_auths",
-  IdentityAzureAuth = "identity_azure_auths",
  IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsAuth = "identity_aws_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
@ -147,9 +143,5 @@ export enum ProjectUpgradeStatus {
 }

 export enum IdentityAuthMethod {
-  Univeral = "universal-auth",
-  KUBERNETES_AUTH = "kubernetes-auth",
-  GCP_AUTH = "gcp-auth",
-  AWS_AUTH = "aws-auth",
-  AZURE_AUTH = "azure-auth"
+  Univeral = "universal-auth"
 }
--- a/backend/src/db/schemas/secret-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/secret-approval-policies-approvers.ts
@ -9,10 +9,11 @@ import { TImmutableDBKeys } from "./models";

 export const SecretApprovalPoliciesApproversSchema = z.object({
  id: z.string().uuid(),
-  approverId: z.string().uuid(),
+  approverId: z.string().uuid().nullable().optional(),
  policyId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  approverUserId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/secret-approval-requests-reviewers.ts
+++ b/backend/src/db/schemas/secret-approval-requests-reviewers.ts
@ -9,11 +9,12 @@ import { TImmutableDBKeys } from "./models";

 export const SecretApprovalRequestsReviewersSchema = z.object({
  id: z.string().uuid(),
-  member: z.string().uuid(),
+  member: z.string().uuid().nullable().optional(),
  status: z.string(),
  requestId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  memberUserId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalRequestsReviewers = z.infer<typeof SecretApprovalRequestsReviewersSchema>;
--- a/backend/src/db/schemas/secret-approval-requests.ts
+++ b/backend/src/db/schemas/secret-approval-requests.ts
@ -16,9 +16,11 @@ export const SecretApprovalRequestsSchema = z.object({
  slug: z.string(),
  folderId: z.string().uuid(),
  statusChangeBy: z.string().uuid().nullable().optional(),
-  committerId: z.string().uuid(),
+  committerId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  statusChangeByUserId: z.string().uuid().nullable().optional(),
+  committerUserId: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalRequests = z.infer<typeof SecretApprovalRequestsSchema>;
--- a/backend/src/db/schemas/secret-references.ts
+++ b/backend/src/db/schemas/secret-references.ts
@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretReferencesSchema = z.object({
-  id: z.string().uuid(),
-  environment: z.string(),
-  secretPath: z.string(),
-  secretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
-export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
-export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -14,9 +14,7 @@ export const SuperAdminSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  allowedSignUpDomain: z.string().nullable().optional(),
-  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
-  trustSamlEmails: z.boolean().default(false).nullable().optional(),
-  trustLdapEmails: z.boolean().default(false).nullable().optional()
+  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000")
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const UserAliasesSchema = z.object({
  id: z.string().uuid(),
  userId: z.string().uuid(),
-  username: z.string().nullable().optional(),
+  username: z.string(),
  aliasType: z.string(),
  externalId: z.string(),
  emails: z.string().array().nullable().optional(),
--- a/backend/src/db/schemas/users.ts
+++ b/backend/src/db/schemas/users.ts
@ -21,8 +21,7 @@ export const UsersSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  isGhost: z.boolean().default(false),
-  username: z.string(),
-  isEmailVerified: z.boolean().default(false).nullable().optional()
+  username: z.string()
 });

 export type TUsers = z.infer<typeof UsersSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -53,7 +53,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      }),
      response: {
        200: z.object({
-          approvals: sapPubSchema.extend({ approvers: z.string().array(), secretPath: z.string().optional() }).array()
+          approvals: sapPubSchema
+            .extend({ approvers: z.string().nullish().array(), secretPath: z.string().optional() })
+            .array()
        })
      }
    },
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -74,7 +74,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    schema: {
      querystring: z.object({
        projectSlug: z.string().trim(),
-        authorProjectMembershipId: z.string().trim().optional(),
+        authorUserId: z.string().trim().optional(),
        envSlug: z.string().trim().optional()
      }),
      response: {
@ -84,7 +84,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
            isApproved: z.boolean(),
            privilege: z
              .object({
-                membershipId: z.string(),
+                projectMembershipId: z.string().nullish(),
+                groupMembershipId: z.string().nullish(),
                isTemporary: z.boolean(),
                temporaryMode: z.string().nullish(),
                temporaryRange: z.string().nullish(),
@ -115,8 +116,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    handler: async (req) => {
      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
        projectSlug: req.query.projectSlug,
-        authorProjectMembershipId: req.query.authorProjectMembershipId,
        envSlug: req.query.envSlug,
+        authorUserId: req.query.authorUserId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
@ -127,6 +128,37 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    }
  });

+  server.route({
+    url: "/:requestId",
+    method: "DELETE",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          request: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.deleteAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        requestId: req.params.requestId,
+        projectSlug: req.query.projectSlug
+      });
+
+      return { request };
+    }
+  });
+
  server.route({
    url: "/:requestId/review",
    method: "POST",
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -1,14 +1,16 @@
-import { packRules } from "@casl/ability/extra";
+import { MongoAbility, RawRuleOf } from "@casl/ability";
+import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";

+import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
+import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@ -39,11 +41,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
          })
          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
      }),
      response: {
        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -90,7 +92,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
          })
          .optional()
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
        temporaryMode: z
          .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@ -105,7 +107,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      }),
      response: {
        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -155,7 +157,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                message: "Slug must be a valid slug"
              })
              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
            isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
            temporaryMode: z
              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
@ -173,7 +175,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      }),
      response: {
        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -217,7 +219,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      }),
      response: {
        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -258,7 +260,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      }),
      response: {
        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
        })
      }
    },
@ -291,11 +293,16 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
      ],
      querystring: z.object({
        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
-        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug)
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug),
+        unpacked: z
+          .enum(["false", "true"])
+          .transform((el) => el === "true")
+          .default("true")
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.unpacked)
      }),
      response: {
        200: z.object({
-          privileges: SanitizedIdentityPrivilegeSchema.array()
+          privileges: IdentityProjectAdditionalPrivilegeSchema.array()
        })
      }
    },
@ -308,9 +315,15 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        actorOrgId: req.permission.orgId,
        ...req.query
      });
-      return {
-        privileges
-      };
+      if (req.query.unpacked) {
+        return {
+          privileges: privileges.map(({ permissions, ...el }) => ({
+            ...el,
+            permissions: unpackRules(permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
+          }))
+        };
+      }
+      return { privileges };
    }
  });
 };
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,6 +1,6 @@
+import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
-import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerGroupRouter } from "./group-router";
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -18,7 +18,6 @@ import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -53,7 +52,6 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
      // eslint-disable-next-line
      async (req: IncomingMessage, user, cb) => {
        try {
-          if (!user.email) throw new BadRequestError({ message: "Invalid request. Missing email." });
          const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;

          let groups: { dn: string; cn: string }[] | undefined;
@ -76,7 +74,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
            username: user.uid,
            firstName: user.givenName ?? user.cn ?? "",
            lastName: user.sn ?? "",
-            email: user.mail,
+            emails: user.mail ? [user.mail] : [],
            groups,
            relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
            orgId: (req as unknown as FastifyRequest).ldapConfig.organization
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -102,12 +102,12 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
          if (!profile) throw new BadRequestError({ message: "Missing profile" });
          const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved

-          if (!email || !profile.firstName) {
+          if (!profile.email || !profile.firstName) {
            throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
          }

          const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
-            externalId: profile.nameID,
+            username: profile.nameID ?? email,
            email,
            firstName: profile.firstName as string,
            lastName: profile.lastName as string,
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -153,7 +153,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
      const users = await req.server.services.scim.listScimUsers({
-        startIndex: req.query.startIndex,
+        offset: req.query.startIndex,
        limit: req.query.count,
        filter: req.query.filter,
        orgId: req.permission.orgId
@ -163,11 +163,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
    method: "GET",
    schema: {
      params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
      }),
      response: {
        201: z.object({
@ -193,7 +193,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
      const user = await req.server.services.scim.getScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
        orgId: req.permission.orgId
      });
      return user;
@ -249,7 +249,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;

      const user = await req.server.services.scim.createScimUser({
-        externalId: req.body.userName,
+        username: req.body.userName,
        email: primaryEmail,
        firstName: req.body.name.givenName,
        lastName: req.body.name.familyName,
@ -261,11 +261,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
    method: "DELETE",
    schema: {
      params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
      }),
      response: {
        200: z.object({})
@ -274,7 +274,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
      const user = await req.server.services.scim.deleteScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
        orgId: req.permission.orgId
      });

@ -361,7 +361,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const groups = await req.server.services.scim.listScimGroups({
        orgId: req.permission.orgId,
-        startIndex: req.query.startIndex,
+        offset: req.query.startIndex,
        limit: req.query.count
      });

@ -416,10 +416,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        displayName: z.string().trim(),
        members: z.array(
          z.object({
-            value: z.string(), // infisical orgMembershipId
+            value: z.string(), // infisical userId
            display: z.string()
          })
-        )
+        ) // note: is this where members are added to group?
      }),
      response: {
        200: z.object({
@ -534,11 +534,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
    method: "PUT",
    schema: {
      params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
      }),
      body: z.object({
        schemas: z.array(z.string()),
@ -575,7 +575,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
      const user = await req.server.services.scim.replaceScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
        orgId: req.permission.orgId,
        active: req.body.active
      });
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -130,7 +130,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      }),
      response: {
        200: z.object({
-          approvals: sapPubSchema.merge(z.object({ approvers: z.string().array() })).array()
+          approvals: sapPubSchema.merge(z.object({ approvers: z.string().nullish().array() })).array()
        })
      }
    },
@ -161,7 +161,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      }),
      response: {
        200: z.object({
-          policy: sapPubSchema.merge(z.object({ approvers: z.string().array() })).optional()
+          policy: sapPubSchema.merge(z.object({ approvers: z.string().nullish().array() })).optional()
        })
      }
    },
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -197,7 +197,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
          type: isClosing ? EventType.SECRET_APPROVAL_CLOSED : EventType.SECRET_APPROVAL_REOPENED,
          // eslint-disable-next-line
          metadata: {
-            [isClosing ? ("closedBy" as const) : ("reopenedBy" as const)]: approval.statusChangeBy as string,
+            [isClosing ? ("closedBy" as const) : ("reopenedBy" as const)]: approval.statusChangeByUserId as string,
            secretApprovalRequestId: approval.id,
            secretApprovalRequestSlug: approval.slug
            // eslint-disable-next-line
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -20,7 +20,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
        `${TableName.AccessApprovalPolicy}.id`,
        `${TableName.AccessApprovalPolicyApprover}.policyId`
      )
-      .select(tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@ -38,12 +38,12 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
      const formatedDoc = mergeOneToManyRelation(
        doc,
        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
          ...el,
          envId,
          environment: { id: envId, name, slug }
        }),
-        ({ approverId }) => approverId,
+        ({ approverUserId }) => approverUserId,
        "approvers"
      );
      return formatedDoc?.[0];
@ -58,12 +58,12 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
      const formatedDoc = mergeOneToManyRelation(
        docs,
        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
          ...el,
          envId,
          environment: { id: envId, name, slug }
        }),
-        ({ approverId }) => approverId,
+        ({ approverUserId }) => approverUserId,
        "approvers"
      );
      return formatedDoc.map((policy) => ({ ...policy, secretPath: policy.secretPath || undefined }));
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -5,7 +5,7 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
@ -24,7 +24,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  userDAL: Pick<TUserDALFactory, "findUsersByProjectId">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -34,8 +34,8 @@ export const accessApprovalPolicyServiceFactory = ({
  accessApprovalPolicyApproverDAL,
  permissionService,
  projectEnvDAL,
-  projectDAL,
-  projectMembershipDAL
+  userDAL,
+  projectDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
@ -69,12 +69,13 @@ export const accessApprovalPolicyServiceFactory = ({
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
    if (!env) throw new BadRequestError({ message: "Environment not found" });

-    const secretApprovers = await projectMembershipDAL.find({
-      projectId: project.id,
-      $in: { id: approvers }
-    });
+    // We need to get the users by project ID to ensure they are part of the project.
+    const accessApproverUsers = await userDAL.findUsersByProjectId(
+      project.id,
+      approvers.map((approverUserId) => approverUserId)
+    );

-    if (secretApprovers.length !== approvers.length) {
+    if (accessApproverUsers.length !== approvers.length) {
      throw new BadRequestError({ message: "Approver not found in project" });
    }

@ -85,7 +86,7 @@ export const accessApprovalPolicyServiceFactory = ({
      secretPath,
      actorAuthMethod,
      permissionService,
-      userIds: secretApprovers.map((approver) => approver.userId)
+      userIds: accessApproverUsers.map((user) => user.id)
    });

    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
@ -99,8 +100,8 @@ export const accessApprovalPolicyServiceFactory = ({
        tx
      );
      await accessApprovalPolicyApproverDAL.insertMany(
-        secretApprovers.map(({ id }) => ({
-          approverId: id,
+        accessApproverUsers.map((user) => ({
+          approverUserId: user.id,
          policyId: doc.id
        })),
        tx
@ -169,12 +170,9 @@ export const accessApprovalPolicyServiceFactory = ({
      );
      if (approvers) {
        // Find the workspace project memberships of the users passed in the approvers array
-        const secretApprovers = await projectMembershipDAL.find(
-          {
-            projectId: accessApprovalPolicy.projectId,
-            $in: { id: approvers }
-          },
-          { tx }
+        const secretApproverUsers = await userDAL.findUsersByProjectId(
+          accessApprovalPolicy.projectId,
+          approvers.map((approverUserId) => approverUserId)
        );

        await verifyApprovers({
@ -184,15 +182,15 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath: doc.secretPath!,
          actorAuthMethod,
          permissionService,
-          userIds: secretApprovers.map((approver) => approver.userId)
+          userIds: secretApproverUsers.map((user) => user.id)
        });

-        if (secretApprovers.length !== approvers.length)
+        if (secretApproverUsers.length !== approvers.length)
          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
        await accessApprovalPolicyApproverDAL.insertMany(
-          secretApprovers.map(({ id }) => ({
-            approverId: id,
+          secretApproverUsers.map((user) => ({
+            approverUserId: user.id,
            policyId: doc.id
          })),
          tx
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -11,6 +11,42 @@ export type TAccessApprovalRequestDALFactory = ReturnType<typeof accessApprovalR

 export const accessApprovalRequestDALFactory = (db: TDbClient) => {
  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
+  const projectUserAdditionalPrivilegeOrm = ormify(db, TableName.ProjectUserAdditionalPrivilege);
+  const groupProjectUserAdditionalPrivilegeOrm = ormify(db, TableName.GroupProjectUserAdditionalPrivilege);
+
+  const deleteMany = async (filter: TFindFilter<TAccessApprovalRequests>, tx?: Knex) => {
+    const transaction = tx || (await db.transaction());
+
+    try {
+      const accessApprovalRequests = await accessApprovalRequestOrm.find(filter, { tx: transaction });
+
+      await projectUserAdditionalPrivilegeOrm.delete(
+        {
+          $in: {
+            id: accessApprovalRequests
+              .filter((req) => Boolean(req.projectUserPrivilegeId))
+              .map((req) => req.projectUserPrivilegeId!)
+          }
+        },
+        transaction
+      );
+
+      await groupProjectUserAdditionalPrivilegeOrm.delete(
+        {
+          $in: {
+            id: accessApprovalRequests
+              .filter((req) => Boolean(req.groupProjectUserPrivilegeId))
+              .map((req) => req.groupProjectUserPrivilegeId!)
+          }
+        },
+        transaction
+      );
+
+      return await accessApprovalRequestOrm.delete(filter, transaction);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "DeleteManyAccessApprovalRequest" });
+    }
+  };

  const findRequestsWithPrivilegeByPolicyIds = async (policyIds: string[]) => {
    try {
@ -19,9 +55,14 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {

        .leftJoin(
          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.privilegeId`,
+          `${TableName.AccessApprovalRequest}.projectUserPrivilegeId`,
          `${TableName.ProjectUserAdditionalPrivilege}.id`
        )
+        .leftJoin(
+          TableName.GroupProjectUserAdditionalPrivilege,
+          `${TableName.AccessApprovalRequest}.groupProjectUserPrivilegeId`,
+          `${TableName.GroupProjectUserAdditionalPrivilege}.id`
+        )
        .leftJoin(
          TableName.AccessApprovalPolicy,
          `${TableName.AccessApprovalRequest}.policyId`,
@ -50,7 +91,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
        )

-        .select(db.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
+        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))

        .select(
          db.ref("projectId").withSchema(TableName.Environment),
@ -59,32 +100,85 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .select(
-          db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
+          db.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
          db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
        )

+        // Project user additional privilege
        .select(
          db
            .ref("projectMembershipId")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeMembershipId"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeIsTemporary"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryMode"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryRange"),
+            .as("projectPrivilegeProjectMembershipId"),
+
+          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("projectPrivilegeIsTemporary"),
+
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("projectPrivilegeTemporaryMode"),
+
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("projectPrivilegeTemporaryRange"),
+
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessStartTime"),
+            .as("projectPrivilegeTemporaryAccessStartTime"),
+
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessEndTime"),
+            .as("projectPrivilegeTemporaryAccessEndTime"),

-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegePermissions")
+          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("projectPrivilegePermissions")
+        )
+        // Group project user additional privilege
+        .select(
+          db
+            .ref("groupProjectMembershipId")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeGroupProjectMembershipId"),
+
+          db
+            .ref("requestedByUserId")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeRequestedByUserId"),
+
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeIsTemporary"),
+
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeTemporaryMode"),
+
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeTemporaryRange"),
+
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeTemporaryAccessStartTime"),
+
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegeTemporaryAccessEndTime"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("groupPrivilegePermissions")
        )
        .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");

-      const formattedDocs = sqlNestRelationships({
+      const projectUserFormattedDocs = sqlNestRelationships({
        data: docs,
        key: "id",
        parentMapper: (doc) => ({
@ -99,33 +193,49 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            secretPath: doc.policySecretPath,
            envId: doc.policyEnvId
          },
-          privilege: doc.privilegeId
+          // eslint-disable-next-line no-nested-ternary
+          privilege: doc.projectUserPrivilegeId
            ? {
-                membershipId: doc.privilegeMembershipId,
-                isTemporary: doc.privilegeIsTemporary,
-                temporaryMode: doc.privilegeTemporaryMode,
-                temporaryRange: doc.privilegeTemporaryRange,
-                temporaryAccessStartTime: doc.privilegeTemporaryAccessStartTime,
-                temporaryAccessEndTime: doc.privilegeTemporaryAccessEndTime,
-                permissions: doc.privilegePermissions
+                projectMembershipId: doc.projectMembershipId,
+                groupMembershipId: null,
+                requestedByUserId: null,
+                isTemporary: doc.projectPrivilegeIsTemporary,
+                temporaryMode: doc.projectPrivilegeTemporaryMode,
+                temporaryRange: doc.projectPrivilegeTemporaryRange,
+                temporaryAccessStartTime: doc.projectPrivilegeTemporaryAccessStartTime,
+                temporaryAccessEndTime: doc.projectPrivilegeTemporaryAccessEndTime,
+                permissions: doc.projectPrivilegePermissions
              }
-            : null,
+            : doc.groupProjectUserPrivilegeId
+              ? {
+                  groupMembershipId: doc.groupPrivilegeGroupProjectMembershipId,
+                  requestedByUserId: doc.groupPrivilegeRequestedByUserId,
+                  projectMembershipId: null,
+                  isTemporary: doc.groupPrivilegeIsTemporary,
+                  temporaryMode: doc.groupPrivilegeTemporaryMode,
+                  temporaryRange: doc.groupPrivilegeTemporaryRange,
+                  temporaryAccessStartTime: doc.groupPrivilegeTemporaryAccessStartTime,
+                  temporaryAccessEndTime: doc.groupPrivilegeTemporaryAccessEndTime,
+                  permissions: doc.groupPrivilegePermissions
+                }
+              : null,

-          isApproved: !!doc.privilegeId
+          isApproved: Boolean(doc.projectUserPrivilegeId || doc.groupProjectUserPrivilegeId)
        }),
        childrenMapper: [
          {
-            key: "reviewerMemberId",
+            key: "reviewerUserId",
            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+            mapper: ({ reviewerUserId, reviewerStatus: status }) =>
+              reviewerUserId ? { member: reviewerUserId, status } : undefined
          },
-          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
        ]
      });

-      if (!formattedDocs) return [];
+      if (!projectUserFormattedDocs) return [];

-      return formattedDocs.map((doc) => ({
+      return projectUserFormattedDocs.map((doc) => ({
        ...doc,
        policy: { ...doc.policy, approvers: doc.approvers }
      }));
@ -157,7 +267,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
      .select(selectAllTableCols(TableName.AccessApprovalRequest))
      .select(
-        tx.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
+        tx.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
        tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
        tx.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
        tx.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
@ -165,7 +275,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
+        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover)
      );

  const findById = async (id: string, tx?: Knex) => {
@ -188,11 +298,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        }),
        childrenMapper: [
          {
-            key: "reviewerMemberId",
+            key: "reviewerUserId",
            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+            mapper: ({ reviewerUserId, reviewerStatus: status }) =>
+              reviewerUserId ? { member: reviewerUserId, status } : undefined
          },
-          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
        ]
      });
      if (!formatedDoc?.[0]) return;
@ -214,12 +325,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.AccessApprovalPolicy}.id`
        )
        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.privilegeId`,
-          `${TableName.ProjectUserAdditionalPrivilege}.id`
-        )
-
        .leftJoin(
          TableName.AccessApprovalRequestReviewer,
          `${TableName.AccessApprovalRequest}.id`,
@ -229,7 +334,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        .where(`${TableName.Environment}.projectId`, projectId)
        .select(selectAllTableCols(TableName.AccessApprovalRequest))
        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
-        .select(db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"));
+        .select(db.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("memberUserId"));

      const formattedRequests = sqlNestRelationships({
        data: accessRequests,
@ -239,21 +344,28 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        }),
        childrenMapper: [
          {
-            key: "reviewerMemberId",
+            key: "memberUserId",
            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+            mapper: ({ memberUserId, reviewerStatus: status }) =>
+              memberUserId ? { member: memberUserId, status } : undefined
          }
        ]
      });

      // an approval is pending if there is no reviewer rejections and no privilege ID is set
      const pendingApprovals = formattedRequests.filter(
-        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          !req.projectUserPrivilegeId &&
+          !req.groupProjectUserPrivilegeId &&
+          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
      );

      // an approval is finalized if there are any rejections or a privilege ID is set
      const finalizedApprovals = formattedRequests.filter(
-        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          req.projectUserPrivilegeId ||
+          req.groupProjectUserPrivilegeId ||
+          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
      );

      return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };
@ -262,5 +374,5 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount };
+  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount, delete: deleteMany };
 };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -1,7 +1,8 @@
+import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";

-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole, TProjectUserAdditionalPrivilege } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -14,7 +15,9 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { TGroupProjectUserAdditionalPrivilegeDALFactory } from "../group-project-user-additional-privilege/group-project-user-additional-privilege-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@ -23,13 +26,15 @@ import { TAccessApprovalRequestReviewerDALFactory } from "./access-approval-requ
 import {
  ApprovalStatus,
  TCreateAccessApprovalRequestDTO,
+  TDeleteApprovalRequestDTO,
  TGetAccessRequestCountDTO,
  TListApprovalRequestsDTO,
  TReviewAccessRequestDTO
 } from "./access-approval-request-types";

-type TSecretApprovalRequestServiceFactoryDep = {
-  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById">;
+type TAccessApprovalRequestServiceFactoryDep = {
+  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById" | "deleteById">;
+  groupAdditionalPrivilegeDAL: TGroupProjectUserAdditionalPrivilegeDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  accessApprovalPolicyApproverDAL: Pick<TAccessApprovalPolicyApproverDALFactory, "find">;
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
@ -44,6 +49,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
    | "updateById"
    | "findOne"
    | "getCount"
+    | "deleteById"
  >;
  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
  accessApprovalRequestReviewerDAL: Pick<
@ -52,7 +58,10 @@ type TSecretApprovalRequestServiceFactoryDep = {
  >;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
  smtpService: Pick<TSmtpService, "sendMail">;
-  userDAL: Pick<TUserDALFactory, "findUserByProjectMembershipId" | "findUsersByProjectMembershipIds">;
+  userDAL: Pick<
+    TUserDALFactory,
+    "findUserByProjectMembershipId" | "findUsersByProjectMembershipIds" | "findUsersByProjectId" | "findUserByProjectId"
+  >;
 };

 export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
@ -62,6 +71,7 @@ export const accessApprovalRequestServiceFactory = ({
  projectEnvDAL,
  permissionService,
  accessApprovalRequestDAL,
+  groupAdditionalPrivilegeDAL,
  accessApprovalRequestReviewerDAL,
  projectMembershipDAL,
  accessApprovalPolicyDAL,
@ -69,7 +79,7 @@ export const accessApprovalRequestServiceFactory = ({
  additionalPrivilegeDAL,
  smtpService,
  userDAL
-}: TSecretApprovalRequestServiceFactoryDep) => {
+}: TAccessApprovalRequestServiceFactoryDep) => {
  const createAccessApprovalRequest = async ({
    isTemporary,
    temporaryRange,
@ -94,9 +104,6 @@ export const accessApprovalRequestServiceFactory = ({
    );
    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });

-    const requestedByUser = await userDAL.findUserByProjectMembershipId(membership.id);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
-
    await projectDAL.checkProjectUpgradeStatus(project.id);

    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
@ -114,25 +121,43 @@ export const accessApprovalRequestServiceFactory = ({
      policyId: policy.id
    });

-    const approverUsers = await userDAL.findUsersByProjectMembershipIds(
-      approvers.map((approver) => approver.approverId)
+    if (approvers.some((approver) => !approver.approverUserId)) {
+      throw new BadRequestError({ message: "Policy approvers must be assigned to users" });
+    }
+
+    const approverUsers = await userDAL.findUsersByProjectId(
+      project.id,
+      approvers.map((approver) => approver.approverUserId!)
    );

+    const requestedByUser = await userDAL.findUserByProjectId(project.id, actorId);
+
+    if (!requestedByUser) throw new BadRequestError({ message: "User not found in project" });
+
    const duplicateRequests = await accessApprovalRequestDAL.find({
      policyId: policy.id,
-      requestedBy: membership.id,
+      requestedByUserId: actorId,
      permissions: JSON.stringify(requestedPermissions),
      isTemporary
    });

    if (duplicateRequests?.length > 0) {
      for await (const duplicateRequest of duplicateRequests) {
-        if (duplicateRequest.privilegeId) {
-          const privilege = await additionalPrivilegeDAL.findById(duplicateRequest.privilegeId);
+        let foundPrivilege: Pick<
+          TProjectUserAdditionalPrivilege,
+          "temporaryAccessEndTime" | "isTemporary" | "id"
+        > | null = null;

-          const isExpired = new Date() > new Date(privilege.temporaryAccessEndTime || ("" as string));
+        if (duplicateRequest.projectUserPrivilegeId) {
+          foundPrivilege = await additionalPrivilegeDAL.findById(duplicateRequest.projectUserPrivilegeId);
+        } else if (duplicateRequest.groupProjectUserPrivilegeId) {
+          foundPrivilege = await groupAdditionalPrivilegeDAL.findById(duplicateRequest.groupProjectUserPrivilegeId);
+        }

-          if (!isExpired || !privilege.isTemporary) {
+        if (foundPrivilege) {
+          const isExpired = new Date() > new Date(foundPrivilege.temporaryAccessEndTime || ("" as string));
+
+          if (!isExpired || !foundPrivilege.isTemporary) {
            throw new BadRequestError({ message: "You already have an active privilege with the same criteria" });
          }
        } else {
@ -150,10 +175,18 @@ export const accessApprovalRequestServiceFactory = ({
    }

    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
+      const requesterUser = await userDAL.findUserByProjectId(project.id, actorId);
+
+      if (!requesterUser?.projectMembershipId && !requesterUser?.groupProjectMembershipId) {
+        throw new BadRequestError({ message: "You don't have a membership for this project" });
+      }
+
      const approvalRequest = await accessApprovalRequestDAL.create(
        {
+          projectMembershipId: requesterUser.projectMembershipId || null,
+          groupMembershipId: requesterUser.groupProjectMembershipId || null,
          policyId: policy.id,
-          requestedBy: membership.id,
+          requestedByUserId: actorId, // This is the user ID of the person who made the request
          temporaryRange: temporaryRange || null,
          permissions: JSON.stringify(requestedPermissions),
          isTemporary
@ -187,9 +220,62 @@ export const accessApprovalRequestServiceFactory = ({
    return { request: approval };
  };

+  const deleteAccessApprovalRequest = async ({
+    projectSlug,
+    actor,
+    requestId,
+    actorOrgId,
+    actorId,
+    actorAuthMethod
+  }: TDeleteApprovalRequestDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+
+    const { membership, permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Delete,
+      ProjectPermissionSub.SecretApproval
+    );
+
+    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
+
+    if (!accessApprovalRequest?.projectUserPrivilegeId && !accessApprovalRequest?.groupProjectUserPrivilegeId) {
+      throw new BadRequestError({ message: "Access request must be approved to be deleted" });
+    }
+
+    if (accessApprovalRequest?.projectId !== project.id) {
+      throw new UnauthorizedError({ message: "Request not found in project" });
+    }
+
+    const approvers = await accessApprovalPolicyApproverDAL.find({
+      policyId: accessApprovalRequest.policyId
+    });
+
+    // make sure the actor (actorId) is an approver
+    if (!approvers.some((approver) => approver.approverUserId === actorId)) {
+      throw new UnauthorizedError({ message: "Only policy approvers can delete access requests" });
+    }
+
+    if (accessApprovalRequest.projectUserPrivilegeId) {
+      await additionalPrivilegeDAL.deleteById(accessApprovalRequest.projectUserPrivilegeId);
+    } else if (accessApprovalRequest.groupProjectUserPrivilegeId) {
+      await groupAdditionalPrivilegeDAL.deleteById(accessApprovalRequest.groupProjectUserPrivilegeId);
+    }
+
+    return { request: accessApprovalRequest };
+  };
+
  const listApprovalRequests = async ({
    projectSlug,
-    authorProjectMembershipId,
+    authorUserId,
    envSlug,
    actor,
    actorOrgId,
@ -211,13 +297,8 @@ export const accessApprovalRequestServiceFactory = ({
    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));

-    if (authorProjectMembershipId) {
-      requests = requests.filter((request) => request.requestedBy === authorProjectMembershipId);
-    }
-
-    if (envSlug) {
-      requests = requests.filter((request) => request.environment === envSlug);
-    }
+    if (authorUserId) requests = requests.filter((request) => request.requestedByUserId === authorUserId);
+    if (envSlug) requests = requests.filter((request) => request.environment === envSlug);

    return { requests };
  };
@ -246,8 +327,8 @@ export const accessApprovalRequestServiceFactory = ({

    if (
      !hasRole(ProjectMembershipRole.Admin) &&
-      accessApprovalRequest.requestedBy !== membership.id && // The request wasn't made by the current user
-      !policy.approvers.find((approverId) => approverId === membership.id) // The request isn't performed by an assigned approver
+      accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
+      !policy.approvers.find((approverUserId) => approverUserId === membership.id) // The request isn't performed by an assigned approver
    ) {
      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
    }
@ -273,7 +354,7 @@ export const accessApprovalRequestServiceFactory = ({
      const review = await accessApprovalRequestReviewerDAL.findOne(
        {
          requestId: accessApprovalRequest.id,
-          member: membership.id
+          memberUserId: actorId
        },
        tx
      );
@ -282,7 +363,7 @@ export const accessApprovalRequestServiceFactory = ({
          {
            status,
            requestId: accessApprovalRequest.id,
-            member: membership.id
+            memberUserId: actorId
          },
          tx
        );
@ -297,41 +378,92 @@ export const accessApprovalRequestServiceFactory = ({
            throw new BadRequestError({ message: "Temporary range is required for temporary access" });
          }

-          let privilegeId: string | null = null;
+          let projectUserPrivilegeId: string | null = null;
+          let groupProjectMembershipId: string | null = null;

+          if (!accessApprovalRequest.groupMembershipId && !accessApprovalRequest.projectMembershipId) {
+            throw new BadRequestError({ message: "Project membership or group membership is required" });
+          }
+
+          // Permanent access
          if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
-            // Permanent access
-            const privilege = await additionalPrivilegeDAL.create(
-              {
-                projectMembershipId: accessApprovalRequest.requestedBy,
-                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                permissions: JSON.stringify(accessApprovalRequest.permissions)
-              },
-              tx
-            );
-            privilegeId = privilege.id;
+            if (accessApprovalRequest.groupMembershipId) {
+              // Group user privilege
+              const groupProjectUserAdditionalPrivilege = await groupAdditionalPrivilegeDAL.create(
+                {
+                  groupProjectMembershipId: accessApprovalRequest.groupMembershipId,
+                  requestedByUserId: accessApprovalRequest.requestedByUserId,
+                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                  permissions: JSON.stringify(accessApprovalRequest.permissions)
+                },
+                tx
+              );
+
+              groupProjectMembershipId = groupProjectUserAdditionalPrivilege.id;
+            } else {
+              // Project user privilege
+              const privilege = await additionalPrivilegeDAL.create(
+                {
+                  projectMembershipId: accessApprovalRequest.projectMembershipId!,
+                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                  permissions: JSON.stringify(accessApprovalRequest.permissions)
+                },
+                tx
+              );
+              projectUserPrivilegeId = privilege.id;
+            }
          } else {
            // Temporary access
            const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
            const startTime = new Date();

-            const privilege = await additionalPrivilegeDAL.create(
-              {
-                projectMembershipId: accessApprovalRequest.requestedBy,
-                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true,
-                temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
-                temporaryRange: accessApprovalRequest.temporaryRange!,
-                temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
-              },
-              tx
-            );
-            privilegeId = privilege.id;
+            if (accessApprovalRequest.groupMembershipId) {
+              //  Group user privilege
+              const groupProjectUserAdditionalPrivilege = await groupAdditionalPrivilegeDAL.create(
+                {
+                  groupProjectMembershipId: accessApprovalRequest.groupMembershipId,
+                  requestedByUserId: accessApprovalRequest.requestedByUserId,
+                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                  permissions: JSON.stringify(accessApprovalRequest.permissions),
+                  isTemporary: true,
+                  temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
+                  temporaryRange: accessApprovalRequest.temporaryRange!,
+                  temporaryAccessStartTime: startTime,
+                  temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+                },
+                tx
+              );
+
+              groupProjectMembershipId = groupProjectUserAdditionalPrivilege.id;
+            } else {
+              const privilege = await additionalPrivilegeDAL.create(
+                {
+                  projectMembershipId: accessApprovalRequest.projectMembershipId!,
+                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                  permissions: JSON.stringify(accessApprovalRequest.permissions),
+                  isTemporary: true,
+                  temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
+                  temporaryRange: accessApprovalRequest.temporaryRange!,
+                  temporaryAccessStartTime: startTime,
+                  temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+                },
+                tx
+              );
+              projectUserPrivilegeId = privilege.id;
+            }
          }

-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
+          if (projectUserPrivilegeId) {
+            await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { projectUserPrivilegeId }, tx);
+          } else if (groupProjectMembershipId) {
+            await accessApprovalRequestDAL.updateById(
+              accessApprovalRequest.id,
+              { groupProjectUserPrivilegeId: groupProjectMembershipId },
+              tx
+            );
+          } else {
+            throw new BadRequestError({ message: "No privilege was created" });
+          }
        }

        return newReview;
@ -364,6 +496,7 @@ export const accessApprovalRequestServiceFactory = ({
    createAccessApprovalRequest,
    listApprovalRequests,
    reviewAccessRequest,
+    deleteAccessApprovalRequest,
    getCount
  };
 };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@ -28,6 +28,11 @@ export type TCreateAccessApprovalRequestDTO = {

 export type TListApprovalRequestsDTO = {
  projectSlug: string;
-  authorProjectMembershipId?: string;
+  authorUserId?: string;
  envSlug?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteApprovalRequestDTO = {
+  requestId: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -3,6 +3,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

@ -112,7 +113,35 @@ export const auditLogQueueServiceFactory = ({
    );
  });

+  queueService.start(QueueName.AuditLogPrune, async () => {
+    logger.info(`${QueueName.AuditLogPrune}: queue task started`);
+    await auditLogDAL.pruneAuditLog();
+    logger.info(`${QueueName.AuditLogPrune}: queue task completed`);
+  });
+
+  // we do a repeat cron job in utc timezone at 12 Midnight each day
+  const startAuditLogPruneJob = async () => {
+    // clear previous job
+    await queueService.stopRepeatableJob(
+      QueueName.AuditLogPrune,
+      QueueJobs.AuditLogPrune,
+      { pattern: "0 0 * * *", utc: true },
+      QueueName.AuditLogPrune // just a job id
+    );
+
+    await queueService.queue(QueueName.AuditLogPrune, QueueJobs.AuditLogPrune, undefined, {
+      delay: 5000,
+      jobId: QueueName.AuditLogPrune,
+      repeat: { pattern: "0 0 * * *", utc: true }
+    });
+  };
+
+  queueService.listen(QueueName.AuditLogPrune, "failed", (err) => {
+    logger.error(err?.failedReason, `${QueueName.AuditLogPrune}: log pruning failed`);
+  });
+
  return {
-    pushToLog
+    pushToLog,
+    startAuditLogPruneJob
  };
 };
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -51,7 +51,6 @@ export enum EventType {
  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
  CREATE_INTEGRATION = "create-integration",
  DELETE_INTEGRATION = "delete-integration",
-  MANUAL_SYNC_INTEGRATION = "manual-sync-integration",
  ADD_TRUSTED_IP = "add-trusted-ip",
  UPDATE_TRUSTED_IP = "update-trusted-ip",
  DELETE_TRUSTED_IP = "delete-trusted-ip",
@ -64,25 +63,9 @@ export enum EventType {
  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
-  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
-  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
-  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
-  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
-  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
-  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
-  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
-  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
-  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
-  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
-  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
-  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
-  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
-  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
-  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
@ -286,25 +269,6 @@ interface DeleteIntegrationEvent {
  };
 }

-interface ManualSyncIntegrationEvent {
-  type: EventType.MANUAL_SYNC_INTEGRATION;
-  metadata: {
-    integrationId: string;
-    integration: string;
-    environment: string;
-    secretPath: string;
-    url?: string;
-    app?: string;
-    appId?: string;
-    targetEnvironment?: string;
-    targetEnvironmentId?: string;
-    targetService?: string;
-    targetServiceId?: string;
-    path?: string;
-    region?: string;
-  };
-}
-
 interface AddTrustedIPEvent {
  type: EventType.ADD_TRUSTED_IP;
  metadata: {
@ -419,50 +383,6 @@ interface GetIdentityUniversalAuthEvent {
  };
 }

-interface LoginIdentityKubernetesAuthEvent {
-  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    identityKubernetesAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityKubernetesAuthEvent {
-  type: EventType.ADD_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost: string;
-    allowedNamespaces: string;
-    allowedNames: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityKubernetesAuthEvent {
-  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost?: string;
-    allowedNamespaces?: string;
-    allowedNames?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityKubernetesAuthEvent {
-  type: EventType.GET_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateIdentityUniversalAuthClientSecretEvent {
  type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
  metadata: {
@ -486,138 +406,6 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
  };
 }

-interface LoginIdentityGcpAuthEvent {
-  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    identityGcpAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityGcpAuthEvent {
-  type: EventType.ADD_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type: string;
-    allowedServiceAccounts: string;
-    allowedProjects: string;
-    allowedZones: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityGcpAuthEvent {
-  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type?: string;
-    allowedServiceAccounts?: string;
-    allowedProjects?: string;
-    allowedZones?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityGcpAuthEvent {
-  type: EventType.GET_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface LoginIdentityAwsAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    identityAwsAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityAwsAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint: string;
-    allowedPrincipalArns: string;
-    allowedAccountIds: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityAwsAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint?: string;
-    allowedPrincipalArns?: string;
-    allowedAccountIds?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityAwsAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface LoginIdentityAzureAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    identityAzureAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityAzureAuthEvent {
-  type: EventType.ADD_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    tenantId: string;
-    resource: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityAzureAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    tenantId?: string;
-    resource?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityAzureAuthEvent {
-  type: EventType.GET_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateEnvironmentEvent {
  type: EventType.CREATE_ENVIRONMENT;
  metadata: {
@ -837,9 +625,9 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
  type: EventType.SECRET_APPROVAL_REQUEST;
  metadata: {
-    committedBy: string;
    secretApprovalRequestSlug: string;
    secretApprovalRequestId: string;
+    committedByUser?: string | null; // Needs to be nullable for backward compatibility
  };
 }

@ -857,7 +645,6 @@ export type Event =
  | UnauthorizeIntegrationEvent
  | CreateIntegrationEvent
  | DeleteIntegrationEvent
-  | ManualSyncIntegrationEvent
  | AddTrustedIPEvent
  | UpdateTrustedIPEvent
  | DeleteTrustedIPEvent
@ -870,25 +657,9 @@ export type Event =
  | AddIdentityUniversalAuthEvent
  | UpdateIdentityUniversalAuthEvent
  | GetIdentityUniversalAuthEvent
-  | LoginIdentityKubernetesAuthEvent
-  | AddIdentityKubernetesAuthEvent
-  | UpdateIdentityKubernetesAuthEvent
-  | GetIdentityKubernetesAuthEvent
  | CreateIdentityUniversalAuthClientSecretEvent
  | GetIdentityUniversalAuthClientSecretsEvent
  | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityGcpAuthEvent
-  | AddIdentityGcpAuthEvent
-  | UpdateIdentityGcpAuthEvent
-  | GetIdentityGcpAuthEvent
-  | LoginIdentityAwsAuthEvent
-  | AddIdentityAwsAuthEvent
-  | UpdateIdentityAwsAuthEvent
-  | GetIdentityAwsAuthEvent
-  | LoginIdentityAzureAuthEvent
-  | AddIdentityAzureAuthEvent
-  | UpdateIdentityAzureAuthEvent
-  | GetIdentityAzureAuthEvent
  | CreateEnvironmentEvent
  | UpdateEnvironmentEvent
  | DeleteEnvironmentEvent
--- a/backend/src/ee/services/group-project-user-additional-privilege/group-project-user-additional-privilege-dal.ts
+++ b/backend/src/ee/services/group-project-user-additional-privilege/group-project-user-additional-privilege-dal.ts
@ -0,0 +1,12 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TGroupProjectUserAdditionalPrivilegeDALFactory = ReturnType<
+  typeof groupProjectUserAdditionalPrivilegeDALFactory
+>;
+
+export const groupProjectUserAdditionalPrivilegeDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.GroupProjectUserAdditionalPrivilege);
+  return orm;
+};
--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@ -5,10 +5,78 @@ import { TableName, TGroups } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";

+import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
+
 export type TGroupDALFactory = ReturnType<typeof groupDALFactory>;

-export const groupDALFactory = (db: TDbClient) => {
+export const groupDALFactory = (db: TDbClient, userGroupMembershipDAL: TUserGroupMembershipDALFactory) => {
  const groupOrm = ormify(db, TableName.Groups);
+  const groupMembershipOrm = ormify(db, TableName.GroupProjectMembership);
+  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
+  const secretApprovalRequestOrm = ormify(db, TableName.SecretApprovalRequest);
+
+  const deleteMany = async (filterQuery: TFindFilter<TGroups>, tx?: Knex) => {
+    const transaction = tx || (await db.transaction());
+
+    // Find all memberships
+    const groups = await groupOrm.find(filterQuery, { tx: transaction });
+
+    for await (const group of groups) {
+      // Find all the group memberships of the groups (a group membership is which projects the group is a part of)
+      const groupProjectMemberships = await groupMembershipOrm.find(
+        { groupId: group.id },
+        {
+          tx: transaction
+        }
+      );
+
+      // For each of those group memberships, we need to find all the members of the group that don't have a regular membership in the project
+      for await (const groupMembership of groupProjectMemberships) {
+        const members = await userGroupMembershipDAL.findGroupMembersNotInProject(
+          group.id,
+          groupMembership.projectId,
+          transaction
+        );
+
+        // We then delete all the access approval requests and secret approval requests associated with these members
+        await accessApprovalRequestOrm.delete(
+          {
+            groupMembershipId: groupMembership.id,
+            $in: {
+              requestedByUserId: members.map(({ user }) => user.id)
+            }
+          },
+          transaction
+        );
+
+        const policies = await (tx || db)(TableName.SecretApprovalPolicy)
+          .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+          .where(`${TableName.Environment}.projectId`, groupMembership.projectId)
+          .select(selectAllTableCols(TableName.SecretApprovalPolicy));
+
+        await secretApprovalRequestOrm.delete(
+          {
+            $in: {
+              policyId: policies.map(({ id }) => id),
+              committerUserId: members.map(({ user }) => user.id)
+            }
+          },
+          transaction
+        );
+      }
+    }
+
+    await groupOrm.delete(
+      {
+        $in: {
+          id: groups.map((group) => group.id)
+        }
+      },
+      transaction
+    );
+
+    return groups;
+  };

  const findGroups = async (filter: TFindFilter<TGroups>, { offset, limit, sort, tx }: TFindOpt<TGroups> = {}) => {
    try {
@ -122,9 +190,10 @@ export const groupDALFactory = (db: TDbClient) => {
  };

  return {
+    ...groupOrm,
    findGroups,
    findByOrgId,
    findAllGroupMembers,
-    ...groupOrm
+    delete: deleteMany
  };
 };
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@ -1,6 +1,6 @@
 import { Knex } from "knex";

-import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { SecretKeyEncoding, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ScimRequestError } from "@app/lib/errors";

@ -188,9 +188,9 @@ export const addUsersToGroupByUserIds = async ({
    // check if all user(s) are part of the organization
    const existingUserOrgMemberships = await orgDAL.findMembership(
      {
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: group.orgId,
+        orgId: group.orgId,
        $in: {
-          [`${TableName.OrgMembership}.userId` as "userId"]: userIds
+          userId: userIds
        }
      },
      { tx }
@ -266,6 +266,9 @@ export const removeUsersFromGroupByUserIds = async ({
  userIds,
  userDAL,
  userGroupMembershipDAL,
+  accessApprovalRequestDAL,
+  secretApprovalRequestDAL,
+  secretApprovalPolicyDAL,
  groupProjectDAL,
  projectKeyDAL,
  tx: outerTx
@ -322,20 +325,16 @@ export const removeUsersFromGroupByUserIds = async ({
    });

    if (membersToRemoveFromGroupNonPending.length) {
-      // check which projects the group is part of
-      const projectIds = Array.from(
-        new Set(
-          (
-            await groupProjectDAL.find(
-              {
-                groupId: group.id
-              },
-              { tx }
-            )
-          ).map((gp) => gp.projectId)
-        )
+      const groupProjectMemberships = await groupProjectDAL.find(
+        {
+          groupId: group.id
+        },
+        { tx }
      );

+      // check which projects the group is part of
+      const projectIds = Array.from(new Set(groupProjectMemberships.map((gp) => gp.projectId)));
+
      // TODO: this part can be optimized
      for await (const userId of userIds) {
        const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
@ -353,10 +352,35 @@ export const removeUsersFromGroupByUserIds = async ({
          );
        }

+        await accessApprovalRequestDAL.delete(
+          {
+            $in: {
+              groupMembershipId: groupProjectMemberships
+                .filter((gp) => projectsToDeleteKeyFor.includes(gp.projectId))
+                .map((gp) => gp.id)
+            },
+            requestedByUserId: userId
+          },
+          tx
+        );
+
+        const projectSecretApprovalPolicies = await secretApprovalPolicyDAL.findByProjectIds(projectIds);
+        await secretApprovalRequestDAL.delete(
+          {
+            committerUserId: userId,
+            $in: {
+              policyId: projectSecretApprovalPolicies.map((p) => p.id)
+            }
+          },
+          tx
+        );
+
        await userGroupMembershipDAL.delete(
          {
            groupId: group.id,
-            userId
+            $in: {
+              userId: membersToRemoveFromGroupNonPending.map((member) => member.id)
+            }
          },
          tx
        );
@ -364,12 +388,15 @@ export const removeUsersFromGroupByUserIds = async ({
    }

    if (membersToRemoveFromGroupPending.length) {
-      await userGroupMembershipDAL.delete({
-        groupId: group.id,
-        $in: {
-          userId: membersToRemoveFromGroupPending.map((member) => member.id)
-        }
-      });
+      await userGroupMembershipDAL.delete(
+        {
+          groupId: group.id,
+          $in: {
+            userId: membersToRemoveFromGroupPending.map((member) => member.id)
+          }
+        },
+        tx
+      );
    }

    return membersToRemoveFromGroupNonPending.concat(membersToRemoveFromGroupPending);
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -12,9 +12,12 @@ import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";

+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
+import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { TGroupDALFactory } from "./group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns";
 import {
@ -41,6 +44,9 @@ type TGroupServiceFactoryDep = {
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
+  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
 };

 export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
@ -50,6 +56,9 @@ export const groupServiceFactory = ({
  groupDAL,
  groupProjectDAL,
  orgDAL,
+  secretApprovalRequestDAL,
+  secretApprovalPolicyDAL,
+  accessApprovalRequestDAL,
  userGroupMembershipDAL,
  projectDAL,
  projectBotDAL,
@ -328,6 +337,9 @@ export const groupServiceFactory = ({
      group,
      userIds: [user.id],
      userDAL,
+      accessApprovalRequestDAL,
+      secretApprovalPolicyDAL,
+      secretApprovalRequestDAL,
      userGroupMembershipDAL,
      groupProjectDAL,
      projectKeyDAL
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@ -10,6 +10,10 @@ import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";

+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
+import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
+import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
+
 export type TCreateGroupDTO = {
  name: string;
  slug?: string;
@ -77,6 +81,9 @@ export type TRemoveUsersFromGroupByUserIds = {
  group: TGroups;
  userIds: string[];
  userDAL: Pick<TUserDALFactory, "find" | "transaction">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
+  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "filterProjectsByUserMembership" | "delete">;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "delete">;
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -1,7 +1,5 @@
-import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, unpackRules } from "@casl/ability/extra";
+import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
-import { z } from "zod";

 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
@ -10,7 +8,7 @@ import { TIdentityProjectDALFactory } from "@app/services/identity-project/ident
 import { TProjectDALFactory } from "@app/services/project/project-dal";

 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
  IdentityProjectAdditionalPrivilegeTemporaryMode,
@ -32,27 +30,6 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
  typeof identityProjectAdditionalPrivilegeServiceFactory
 >;

-// TODO(akhilmhdh): move this to more centralized
-export const UnpackedPermissionSchema = z.object({
-  subject: z.union([z.string().min(1), z.string().array()]).optional(),
-  action: z.union([z.string().min(1), z.string().array()]),
-  conditions: z
-    .object({
-      environment: z.string().optional(),
-      secretPath: z
-        .object({
-          $glob: z.string().min(1)
-        })
-        .optional()
-    })
-    .optional()
-});
-
-const unpackPermissions = (permissions: unknown) =>
-  UnpackedPermissionSchema.array().parse(
-    unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
-  );
-
 export const identityProjectAdditionalPrivilegeServiceFactory = ({
  identityProjectAdditionalPrivilegeDAL,
  identityProjectDAL,
@ -109,10 +86,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
        slug,
        permissions: customPermission
      });
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
    }

    const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
@ -126,10 +100,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
      temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
    });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
  };

  const updateBySlug = async ({
@ -192,11 +163,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
        temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
        temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
      });
-      return {
-        ...additionalPrivilege,
-
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
    }

    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
@ -207,11 +174,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      temporaryRange: null,
      temporaryMode: null
    });
-    return {
-      ...additionalPrivilege,
-
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
  };

  const deleteBySlug = async ({
@ -257,11 +220,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });

    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
-    return {
-      ...deletedPrivilege,
-
-      permissions: unpackPermissions(deletedPrivilege.permissions)
-    };
+    return deletedPrivilege;
  };

  const getPrivilegeDetailsBySlug = async ({
@ -295,10 +254,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    });
    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });

-    return {
-      ...identityPrivilege,
-      permissions: unpackPermissions(identityPrivilege.permissions)
-    };
+    return identityPrivilege;
  };

  const listIdentityProjectPrivileges = async ({
@ -328,11 +284,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
      projectMembershipId: identityProjectMembership.id
    });
-    return identityPrivileges.map((el) => ({
-      ...el,
-
-      permissions: unpackPermissions(el.permissions)
-    }));
+    return identityPrivileges;
  };

  return {
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -1,14 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";

-import {
-  OrgMembershipRole,
-  OrgMembershipStatus,
-  SecretKeyEncoding,
-  TableName,
-  TLdapConfigsUpdate,
-  TUsers
-} from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@ -26,19 +19,19 @@ import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";

+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
+import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { TLdapConfigDALFactory } from "./ldap-config-dal";
 import {
  TCreateLdapCfgDTO,
@ -56,7 +49,6 @@ import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 type TLdapConfigServiceFactoryDep = {
  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgDAL: Pick<
    TOrgDALFactory,
    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
@ -78,6 +70,9 @@ type TLdapConfigServiceFactoryDep = {
  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
+  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
 };

 export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
@ -86,10 +81,12 @@ export const ldapConfigServiceFactory = ({
  ldapConfigDAL,
  ldapGroupMapDAL,
  orgDAL,
-  orgMembershipDAL,
  orgBotDAL,
  groupDAL,
  groupProjectDAL,
+  accessApprovalRequestDAL,
+  secretApprovalPolicyDAL,
+  secretApprovalRequestDAL,
  projectKeyDAL,
  projectDAL,
  projectBotDAL,
@ -391,17 +388,16 @@ export const ldapConfigServiceFactory = ({
    username,
    firstName,
    lastName,
-    email,
+    emails,
    groups,
    orgId,
    relayState
  }: TLdapLoginDTO) => {
    const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
-      aliasType: UserAliasType.LDAP
+      aliasType: AuthMethod.LDAP
    });

    const organization = await orgDAL.findOrgById(orgId);
@ -409,13 +405,7 @@ export const ldapConfigServiceFactory = ({

    if (userAlias) {
      await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: userAlias.userId,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
+        const [orgMembership] = await orgDAL.findMembership({ userId: userAlias.userId }, { tx });
        if (!orgMembership) {
          await orgDAL.createMembership(
            {
@ -438,75 +428,40 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      userAlias = await userDAL.transaction(async (tx) => {
-        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!newUser) {
-          const uniqueUsername = await normalizeUsername(username, userDAL);
-          newUser = await userDAL.create(
-            {
-              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustLdapEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
+        const uniqueUsername = await normalizeUsername(username, userDAL);
+        const newUser = await userDAL.create(
+          {
+            username: uniqueUsername,
+            email: emails[0],
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.LDAP],
+            isGhost: false
+          },
+          tx
+        );
        const newUserAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            username,
-            aliasType: UserAliasType.LDAP,
+            aliasType: AuthMethod.LDAP,
            externalId,
-            emails: [email],
+            emails,
            orgId
          },
          tx
        );

-        const [orgMembership] = await orgDAL.findMembership(
+        await orgDAL.createMembership(
          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+            userId: newUser.id,
+            orgId,
+            role: OrgMembershipRole.Member,
+            status: OrgMembershipStatus.Invited
          },
-          { tx }
+          tx
        );

-        if (!orgMembership) {
-          await orgMembershipDAL.create(
-            {
-              userId: userAlias.userId,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
-          await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-
        return newUserAlias;
      });
    }
@ -578,7 +533,10 @@ export const ldapConfigServiceFactory = ({
              group,
              userIds: [newUser.id],
              userDAL,
+              secretApprovalRequestDAL,
+              accessApprovalRequestDAL,
              userGroupMembershipDAL,
+              secretApprovalPolicyDAL,
              groupProjectDAL,
              projectKeyDAL,
              tx
@ -597,14 +555,11 @@ export const ldapConfigServiceFactory = ({
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
-        organizationSlug: organization.slug,
        authMethod: AuthMethod.LDAP,
-        authType: UserAliasType.LDAP,
        isUserCompleted,
        ...(relayState
          ? {
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@ -51,7 +51,7 @@ export type TLdapLoginDTO = {
  username: string;
  firstName: string;
  lastName: string;
-  email: string;
+  emails: string[];
  orgId: string;
  groups?: {
    dn: string;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -62,6 +62,11 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
          `${TableName.GroupProjectMembership}.id`
        )
+        .leftJoin(
+          TableName.GroupProjectUserAdditionalPrivilege,
+          `${TableName.GroupProjectUserAdditionalPrivilege}.groupProjectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
        .leftJoin(
          TableName.ProjectRoles,
          `${TableName.GroupProjectMembershipRole}.customRoleId`,
@ -77,11 +82,34 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("projectId").withSchema(TableName.GroupProjectMembership),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles)
        )
-        .select("permissions");
+        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .select(
+          db.ref("projectId").withSchema(TableName.GroupProjectMembership).as("groupMembershipProjectId"),
+          db.ref("id").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApId"),
+          db.ref("permissions").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApPermissions"),
+          db.ref("temporaryMode").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApIsTemporary"),
+          db.ref("temporaryRange").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
+          db.ref("groupProjectMembershipId").withSchema(TableName.GroupProjectUserAdditionalPrivilege),
+          db
+            .ref("requestedByUserId")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("userApRequestedByUserId"),

-      const docs = await db(TableName.ProjectMembership)
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("userApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
+            .as("userApTemporaryAccessEndTime")
+        );
+
+      const projectMemberDocs = await db(TableName.ProjectMembership)
        .join(
          TableName.ProjectUserMembershipRole,
          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
@ -127,7 +155,7 @@ export const permissionDALFactory = (db: TDbClient) => {
        );

      const permission = sqlNestRelationships({
-        data: docs,
+        data: projectMemberDocs,
        key: "projectId",
        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
          orgId,
@ -194,6 +222,33 @@ export const permissionDALFactory = (db: TDbClient) => {
                    permissions: z.unknown(),
                    customRoleSlug: z.string().optional().nullable()
                  }).parse(data)
+              },
+              {
+                key: "userApId",
+                label: "additionalPrivileges" as const,
+                mapper: ({
+                  groupMembershipProjectId,
+                  groupProjectMembershipId,
+                  userApId,
+                  userApPermissions,
+                  userApRequestedByUserId,
+                  userApIsTemporary,
+                  userApTemporaryMode,
+                  userApTemporaryRange,
+                  userApTemporaryAccessEndTime,
+                  userApTemporaryAccessStartTime
+                }) => ({
+                  groupProjectMembershipId,
+                  groupMembershipProjectId,
+                  id: userApId,
+                  userId: userApRequestedByUserId,
+                  permissions: userApPermissions,
+                  temporaryRange: userApTemporaryRange,
+                  temporaryMode: userApTemporaryMode,
+                  temporaryAccessEndTime: userApTemporaryAccessEndTime,
+                  temporaryAccessStartTime: userApTemporaryAccessStartTime,
+                  isTemporary: userApIsTemporary
+                })
              }
            ]
          })
@ -214,15 +269,24 @@ export const permissionDALFactory = (db: TDbClient) => {
            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
        ) ?? [];

-      const activeAdditionalPrivileges = permission?.[0]?.additionalPrivileges?.filter(
-        ({ isTemporary, temporaryAccessEndTime }) =>
-          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-      );
+      const activeAdditionalPrivileges =
+        permission?.[0]?.additionalPrivileges?.filter(
+          ({ isTemporary, temporaryAccessEndTime }) =>
+            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+        ) ?? [];
+      const activeGroupAdditionalPrivileges =
+        groupPermission?.[0]?.additionalPrivileges?.filter(
+          ({ isTemporary, temporaryAccessEndTime, groupProjectMembershipId, groupMembershipProjectId, userId: user }) =>
+            groupMembershipProjectId === projectId &&
+            !!groupProjectMembershipId &&
+            user === userId &&
+            (!isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime))
+        ) ?? [];

      return {
        ...(permission[0] || groupPermission[0]),
        roles: [...activeRoles, ...activeGroupRoles],
-        additionalPrivileges: activeAdditionalPrivileges
+        additionalPrivileges: [...activeAdditionalPrivileges, ...activeGroupAdditionalPrivileges]
      };
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -90,6 +90,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });

+    // This is fine. This service is only used for direct user privileges, not group-based privileges
+    if (!userPrivilege.projectMembershipId)
+      throw new BadRequestError({ message: "Operation not supported for groups" });
+
    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });

@ -138,6 +142,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });

+    // This is fine. This service is only used for direct user privileges, not group-based privileges
+    if (!userPrivilege.projectMembershipId)
+      throw new BadRequestError({ message: "Operation not supported for groups" });
+
    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });

@ -164,6 +172,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });

+    // This is fine. This service is only used for direct user privileges, not group-based privileges
+    if (!userPrivilege.projectMembershipId)
+      throw new BadRequestError({ message: "Operation not supported for groups" });
+
    const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });

--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -7,8 +7,7 @@ import {
  SecretKeyEncoding,
  TableName,
  TSamlConfigs,
-  TSamlConfigsUpdate,
-  TUsers
+  TSamlConfigsUpdate
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@ -20,18 +19,10 @@ import {
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
-import { AuthTokenType } from "@app/services/auth/auth-type";
-import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
-import { normalizeUsername } from "@app/services/user/user-fns";
-import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";

 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@ -40,19 +31,15 @@ import { TSamlConfigDALFactory } from "./saml-config-dal";
 import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } from "./saml-config-types";

 type TSamlConfigServiceFactoryDep = {
-  samlConfigDAL: Pick<TSamlConfigDALFactory, "create" | "findOne" | "update" | "findById">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById" | "findById">;
-  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
+  samlConfigDAL: TSamlConfigDALFactory;
+  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
  orgDAL: Pick<
    TOrgDALFactory,
    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
  >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
-  smtpService: Pick<TSmtpService, "sendMail">;
 };

 export type TSamlConfigServiceFactory = ReturnType<typeof samlConfigServiceFactory>;
@ -61,13 +48,9 @@ export const samlConfigServiceFactory = ({
  samlConfigDAL,
  orgBotDAL,
  orgDAL,
-  orgMembershipDAL,
  userDAL,
-  userAliasDAL,
  permissionService,
-  licenseService,
-  tokenService,
-  smtpService
+  licenseService
 }: TSamlConfigServiceFactoryDep) => {
  const createSamlCfg = async ({
    cert,
@ -322,7 +305,7 @@ export const samlConfigServiceFactory = ({
  };

  const samlLogin = async ({
-    externalId,
+    username,
    email,
    firstName,
    lastName,
@ -331,40 +314,38 @@ export const samlConfigServiceFactory = ({
    relayState
  }: TSamlLoginDTO) => {
    const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
-    const userAlias = await userAliasDAL.findOne({
-      externalId,
-      orgId,
-      aliasType: UserAliasType.SAML
-    });
+    let user = await userDAL.findOne({ username });

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) throw new BadRequestError({ message: "Org not found" });

-    let user: TUsers;
-    if (userAlias) {
-      user = await userDAL.transaction(async (tx) => {
-        const foundUser = await userDAL.findById(userAlias.userId, tx);
+    // TODO(dangtony98): remove this after aliases update
+    if (authProvider === AuthMethod.KEYCLOAK_SAML && appCfg.LICENSE_SERVER_KEY) {
+      throw new BadRequestError({ message: "Keycloak SAML is not yet available on Infisical Cloud" });
+    }
+
+    if (user) {
+      await userDAL.transaction(async (tx) => {
        const [orgMembership] = await orgDAL.findMembership(
          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: foundUser.id,
+            userId: user.id,
            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
          },
          { tx }
        );
        if (!orgMembership) {
-          await orgMembershipDAL.create(
+          await orgDAL.createMembership(
            {
-              userId: userAlias.userId,
-              inviteEmail: email,
+              userId: user.id,
              orgId,
+              inviteEmail: email,
              role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
            },
            tx
          );
          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && foundUser.isAccepted) {
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
          await orgDAL.updateMembershipById(
            orgMembership.id,
            {
@ -373,97 +354,40 @@ export const samlConfigServiceFactory = ({
            tx
          );
        }
-
-        return foundUser;
      });
    } else {
      user = await userDAL.transaction(async (tx) => {
-        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!newUser) {
-          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
-          newUser = await userDAL.create(
-            {
-              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustSamlEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
-        await userAliasDAL.create(
+        const newUser = await userDAL.create(
          {
-            userId: newUser.id,
-            aliasType: UserAliasType.SAML,
-            externalId,
-            emails: email ? [email] : [],
-            orgId
+            username,
+            email,
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
          },
          tx
        );
-
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
-
-        if (!orgMembership) {
-          await orgMembershipDAL.create(
-            {
-              userId: newUser.id,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
-          await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-
+        await orgDAL.createMembership({
+          inviteEmail: email,
+          orgId,
+          role: OrgMembershipRole.Member,
+          status: OrgMembershipStatus.Invited
+        });
        return newUser;
      });
    }
-
    const isUserCompleted = Boolean(user.isAccepted);
    const providerAuthToken = jwt.sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
-        organizationSlug: organization.slug,
        authMethod: authProvider,
-        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
          ? {
@ -479,22 +403,6 @@ export const samlConfigServiceFactory = ({

    await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
-      const token = await tokenService.createTokenForUser({
-        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
-      });
-
-      await smtpService.sendMail({
-        template: SmtpTemplates.EmailVerification,
-        subjectLine: "Infisical confirmation code",
-        recipients: [user.email],
-        substitutions: {
-          code: token
-        }
-      });
-    }
-
    return { isUserCompleted, providerAuthToken };
  };

--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -45,8 +45,8 @@ export type TGetSamlCfgDTO =
    };

 export type TSamlLoginDTO = {
-  externalId: string;
-  email: string;
+  username: string;
+  email?: string;
  firstName: string;
  lastName?: string;
  authProvider: string;
--- a/backend/src/ee/services/scim/scim-fns.ts
+++ b/backend/src/ee/services/scim/scim-fns.ts
@ -2,31 +2,31 @@ import { TListScimGroups, TListScimUsers, TScimGroup, TScimUser } from "./scim-t

 export const buildScimUserList = ({
  scimUsers,
-  startIndex,
+  offset,
  limit
 }: {
  scimUsers: TScimUser[];
-  startIndex: number;
+  offset: number;
  limit: number;
 }): TListScimUsers => {
  return {
    Resources: scimUsers,
    itemsPerPage: limit,
    schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex,
+    startIndex: offset,
    totalResults: scimUsers.length
  };
 };

 export const buildScimUser = ({
-  orgMembershipId,
+  userId,
  username,
  email,
  firstName,
  lastName,
  active
 }: {
-  orgMembershipId: string;
+  userId: string;
  username: string;
  email?: string | null;
  firstName: string;
@ -35,7 +35,7 @@ export const buildScimUser = ({
 }): TScimUser => {
  const scimUser = {
    schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
-    id: orgMembershipId,
+    id: userId,
    userName: username,
    displayName: `${firstName} ${lastName}`,
    name: {
@ -65,18 +65,18 @@ export const buildScimUser = ({

 export const buildScimGroupList = ({
  scimGroups,
-  startIndex,
+  offset,
  limit
 }: {
  scimGroups: TScimGroup[];
-  startIndex: number;
+  offset: number;
  limit: number;
 }): TListScimGroups => {
  return {
    Resources: scimGroups,
    itemsPerPage: limit,
    schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex,
+    startIndex: offset,
    totalResults: scimGroups.length
  };
 };
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";

-import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@ -11,25 +11,23 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { deleteOrgMembership } from "@app/services/org/org-fns";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
-import { normalizeUsername } from "@app/services/user/user-fns";
-import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";

+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
+import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList } from "./scim-fns";
 import {
  TCreateScimGroupDTO,
@ -52,32 +50,27 @@ import {

 type TScimServiceFactoryDep = {
  scimDAL: Pick<TScimDALFactory, "create" | "find" | "findById" | "deleteById">;
-  userDAL: Pick<
-    TUserDALFactory,
-    "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch" | "findById"
-  >;
-  userAliasDAL: Pick<TUserAliasDALFactory, "findOne" | "create" | "delete">;
+  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch">;
  orgDAL: Pick<
    TOrgDALFactory,
-    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
+    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction"
  >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
  groupDAL: Pick<
    TGroupDALFactory,
    "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  userGroupMembershipDAL: Pick<
-    TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
-  >;
+  userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  smtpService: Pick<TSmtpService, "sendMail">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
+  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
+  smtpService: TSmtpService;
 };

 export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
@ -86,9 +79,7 @@ export const scimServiceFactory = ({
  licenseService,
  scimDAL,
  userDAL,
-  userAliasDAL,
  orgDAL,
-  orgMembershipDAL,
  projectDAL,
  projectMembershipDAL,
  groupDAL,
@ -96,6 +87,9 @@ export const scimServiceFactory = ({
  userGroupMembershipDAL,
  projectKeyDAL,
  projectBotDAL,
+  accessApprovalRequestDAL,
+  secretApprovalRequestDAL,
+  secretApprovalPolicyDAL,
  permissionService,
  smtpService
 }: TScimServiceFactoryDep) => {
@ -175,7 +169,7 @@ export const scimServiceFactory = ({
  };

  // SCIM server endpoints
-  const listScimUsers = async ({ startIndex, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
+  const listScimUsers = async ({ offset, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
    const org = await orgDAL.findById(orgId);

    if (!org.scimEnabled)
@ -193,11 +187,11 @@ export const scimServiceFactory = ({
        attributeName = "email";
      }

-      return { [attributeName]: parsedValue.replace(/"/g, "") };
+      return { [attributeName]: parsedValue };
    };

    const findOpts = {
-      ...(startIndex && { offset: startIndex - 1 }),
+      ...(offset && { offset }),
      ...(limit && { limit })
    };

@ -209,10 +203,10 @@ export const scimServiceFactory = ({
      findOpts
    );

-    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ userId, username, firstName, lastName, email }) =>
      buildScimUser({
-        orgMembershipId: id ?? "",
-        username: externalId ?? username,
+        userId: userId ?? "",
+        username,
        firstName: firstName ?? "",
        lastName: lastName ?? "",
        email,
@ -222,16 +216,16 @@ export const scimServiceFactory = ({

    return buildScimUserList({
      scimUsers,
-      startIndex,
+      offset,
      limit
    });
  };

-  const getScimUser = async ({ orgMembershipId, orgId }: TGetScimUserDTO) => {
+  const getScimUser = async ({ userId, orgId }: TGetScimUserDTO) => {
    const [membership] = await orgDAL
      .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -253,8 +247,8 @@ export const scimServiceFactory = ({
      });

    return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
      email: membership.email ?? "",
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
@ -262,9 +256,7 @@ export const scimServiceFactory = ({
    });
  };

-  const createScimUser = async ({ externalId, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
-    if (!email) throw new ScimRequestError({ detail: "Invalid request. Missing email.", status: 400 });
-
+  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
    const org = await orgDAL.findById(orgId);

    if (!org)
@ -279,121 +271,67 @@ export const scimServiceFactory = ({
        status: 403
      });

-    const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
-
-    const userAlias = await userAliasDAL.findOne({
-      externalId,
-      orgId,
-      aliasType: UserAliasType.SAML
+    let user = await userDAL.findOne({
+      username
    });

-    const { user: createdUser, orgMembership: createdOrgMembership } = await userDAL.transaction(async (tx) => {
-      let user: TUsers | undefined;
-      let orgMembership: TOrgMemberships;
-      if (userAlias) {
-        user = await userDAL.findById(userAlias.userId, tx);
-        orgMembership = await orgMembershipDAL.findOne(
+    if (user) {
+      await userDAL.transaction(async (tx) => {
+        const [orgMembership] = await orgDAL.findMembership(
          {
            userId: user.id,
-            orgId
-          },
-          tx
-        );
-
-        if (!orgMembership) {
-          orgMembership = await orgMembershipDAL.create(
-            {
-              userId: userAlias.userId,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
-          orgMembership = await orgMembershipDAL.updateById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-      } else {
-        if (serverCfg.trustSamlEmails) {
-          user = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!user) {
-          const uniqueUsername = await normalizeUsername(`${firstName}-${lastName}`, userDAL);
-          user = await userDAL.create(
-            {
-              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustSamlEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
-        await userAliasDAL.create(
-          {
-            userId: user.id,
-            aliasType: UserAliasType.SAML,
-            externalId,
-            emails: email ? [email] : [],
-            orgId
-          },
-          tx
-        );
-
-        const [foundOrgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
          },
          { tx }
        );
-
-        orgMembership = foundOrgMembership;
+        if (orgMembership)
+          throw new ScimRequestError({
+            detail: "User already exists in the database",
+            status: 409
+          });

        if (!orgMembership) {
-          orgMembership = await orgMembershipDAL.create(
+          await orgDAL.createMembership(
            {
              userId: user.id,
-              inviteEmail: email,
              orgId,
+              inviteEmail: email,
              role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
-          orgMembership = await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
+              status: OrgMembershipStatus.Invited
            },
            tx
          );
        }
-      }
+      });
+    } else {
+      user = await userDAL.transaction(async (tx) => {
+        const newUser = await userDAL.create(
+          {
+            username,
+            email,
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
+          },
+          tx
+        );

-      return { user, orgMembership };
-    });
+        await orgDAL.createMembership(
+          {
+            inviteEmail: email,
+            orgId,
+            userId: newUser.id,
+            role: OrgMembershipRole.Member,
+            status: OrgMembershipStatus.Invited
+          },
+          tx
+        );
+        return newUser;
+      });
+    }
+
+    const appCfg = getConfig();

    if (email) {
      await smtpService.sendMail({
@ -408,20 +346,20 @@ export const scimServiceFactory = ({
    }

    return buildScimUser({
-      orgMembershipId: createdOrgMembership.id,
-      username: externalId,
-      firstName: createdUser.firstName as string,
-      lastName: createdUser.lastName as string,
-      email: createdUser.email ?? "",
+      userId: user.id,
+      username: user.username,
+      firstName: user.firstName as string,
+      lastName: user.lastName as string,
+      email: user.email ?? "",
      active: true
    });
  };

-  const updateScimUser = async ({ orgMembershipId, orgId, operations }: TUpdateScimUserDTO) => {
+  const updateScimUser = async ({ userId, orgId, operations }: TUpdateScimUserDTO) => {
    const [membership] = await orgDAL
      .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -457,20 +395,18 @@ export const scimServiceFactory = ({
    });

    if (!active) {
-      await deleteOrgMembershipFn({
+      await deleteOrgMembership({
        orgMembershipId: membership.id,
        orgId: membership.orgId,
        orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
+        projectDAL,
+        projectMembershipDAL
      });
    }

    return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
      email: membership.email,
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
@ -478,11 +414,11 @@ export const scimServiceFactory = ({
    });
  };

-  const replaceScimUser = async ({ orgMembershipId, active, orgId }: TReplaceScimUserDTO) => {
+  const replaceScimUser = async ({ userId, active, orgId }: TReplaceScimUserDTO) => {
    const [membership] = await orgDAL
      .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -504,20 +440,19 @@ export const scimServiceFactory = ({
      });

    if (!active) {
-      await deleteOrgMembershipFn({
+      // tx
+      await deleteOrgMembership({
        orgMembershipId: membership.id,
        orgId: membership.orgId,
        orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
+        projectDAL,
+        projectMembershipDAL
      });
    }

    return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
      email: membership.email,
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
@ -525,11 +460,18 @@ export const scimServiceFactory = ({
    });
  };

-  const deleteScimUser = async ({ orgMembershipId, orgId }: TDeleteScimUserDTO) => {
-    const [membership] = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
-    });
+  const deleteScimUser = async ({ userId, orgId }: TDeleteScimUserDTO) => {
+    const [membership] = await orgDAL
+      .findMembership({
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+      })
+      .catch(() => {
+        throw new ScimRequestError({
+          detail: "User not found",
+          status: 404
+        });
+      });

    if (!membership)
      throw new ScimRequestError({
@ -544,20 +486,18 @@ export const scimServiceFactory = ({
      });
    }

-    await deleteOrgMembershipFn({
+    await deleteOrgMembership({
      orgMembershipId: membership.id,
      orgId: membership.orgId,
      orgDAL,
-      projectMembershipDAL,
-      projectKeyDAL,
-      userAliasDAL,
-      licenseService
+      projectDAL,
+      projectMembershipDAL
    });

    return {}; // intentionally return empty object upon success
  };

-  const listScimGroups = async ({ orgId, startIndex, limit }: TListScimGroupsDTO) => {
+  const listScimGroups = async ({ orgId, offset, limit }: TListScimGroupsDTO) => {
    const plan = await licenseService.getPlan(orgId);
    if (!plan.groups)
      throw new BadRequestError({
@ -578,27 +518,21 @@ export const scimServiceFactory = ({
        status: 403
      });

-    const groups = await groupDAL.findGroups(
-      {
-        orgId
-      },
-      {
-        offset: startIndex - 1,
-        limit
-      }
-    );
+    const groups = await groupDAL.findGroups({
+      orgId
+    });

    const scimGroups = groups.map((group) =>
      buildScimGroup({
        groupId: group.id,
        name: group.name,
-        members: [] // does this need to be populated?
+        members: []
      })
    );

    return buildScimGroupList({
      scimGroups,
-      startIndex,
+      offset,
      limit
    });
  };
@ -637,15 +571,9 @@ export const scimServiceFactory = ({
      );

      if (members && members.length) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: {
-            id: members.map((member) => member.value)
-          }
-        });
-
        const newMembers = await addUsersToGroupByUserIds({
          group,
-          userIds: orgMemberships.map((membership) => membership.userId as string),
+          userIds: members.map((member) => member.value),
          userDAL,
          userGroupMembershipDAL,
          orgDAL,
@ -662,19 +590,12 @@ export const scimServiceFactory = ({
      return { group, newMembers: [] };
    });

-    const orgMemberships = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
-      $in: {
-        [`${TableName.OrgMembership}.userId` as "userId"]: newGroup.newMembers.map((member) => member.id)
-      }
-    });
-
    return buildScimGroup({
      groupId: newGroup.group.id,
      name: newGroup.group.name,
-      members: orgMemberships.map(({ id, firstName, lastName }) => ({
-        value: id,
-        display: `${firstName} ${lastName}`
+      members: newGroup.newMembers.map((member) => ({
+        value: member.id,
+        display: `${member.firstName} ${member.lastName}`
      }))
    });
  };
@ -703,22 +624,15 @@ export const scimServiceFactory = ({
      groupId: group.id
    });

-    const orgMemberships = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
-      $in: {
-        [`${TableName.OrgMembership}.userId` as "userId"]: users
-          .filter((user) => user.isPartOfGroup)
-          .map((user) => user.id)
-      }
-    });
-
    return buildScimGroup({
      groupId: group.id,
      name: group.name,
-      members: orgMemberships.map(({ id, firstName, lastName }) => ({
-        value: id,
-        display: `${firstName} ${lastName}`
-      }))
+      members: users
+        .filter((user) => user.isPartOfGroup)
+        .map((user) => ({
+          value: user.id,
+          display: `${user.firstName} ${user.lastName}`
+        }))
    });
  };

@ -762,13 +676,7 @@ export const scimServiceFactory = ({
      }

      if (members) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: {
-            id: members.map((member) => member.value)
-          }
-        });
-
-        const membersIdsSet = new Set(orgMemberships.map((orgMembership) => orgMembership.userId));
+        const membersIdsSet = new Set(members.map((member) => member.value));

        const directMemberUserIds = (
          await userGroupMembershipDAL.find({
@ -787,13 +695,13 @@ export const scimServiceFactory = ({
        const allMembersUserIds = directMemberUserIds.concat(pendingGroupAdditionsUserIds);
        const allMembersUserIdsSet = new Set(allMembersUserIds);

-        const toAddUserIds = orgMemberships.filter((member) => !allMembersUserIdsSet.has(member.userId as string));
+        const toAddUserIds = members.filter((member) => !allMembersUserIdsSet.has(member.value));
        const toRemoveUserIds = allMembersUserIds.filter((userId) => !membersIdsSet.has(userId));

        if (toAddUserIds.length) {
          await addUsersToGroupByUserIds({
            group,
-            userIds: toAddUserIds.map((member) => member.userId as string),
+            userIds: toAddUserIds.map((member) => member.value),
            userDAL,
            userGroupMembershipDAL,
            orgDAL,
@ -811,6 +719,9 @@ export const scimServiceFactory = ({
            userIds: toRemoveUserIds,
            userDAL,
            userGroupMembershipDAL,
+            secretApprovalPolicyDAL,
+            accessApprovalRequestDAL,
+            secretApprovalRequestDAL,
            groupProjectDAL,
            projectKeyDAL,
            tx
--- a/backend/src/ee/services/scim/scim-types.ts
+++ b/backend/src/ee/services/scim/scim-types.ts
@ -12,7 +12,7 @@ export type TDeleteScimTokenDTO = {
 // SCIM server endpoint types

 export type TListScimUsersDTO = {
-  startIndex: number;
+  offset: number;
  limit: number;
  filter?: string;
  orgId: string;
@ -27,12 +27,12 @@ export type TListScimUsers = {
 };

 export type TGetScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
  orgId: string;
 };

 export type TCreateScimUserDTO = {
-  externalId: string;
+  username: string;
  email?: string;
  firstName: string;
  lastName: string;
@ -40,7 +40,7 @@ export type TCreateScimUserDTO = {
 };

 export type TUpdateScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
  orgId: string;
  operations: {
    op: string;
@ -54,18 +54,18 @@ export type TUpdateScimUserDTO = {
 };

 export type TReplaceScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
  active: boolean;
  orgId: string;
 };

 export type TDeleteScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
  orgId: string;
 };

 export type TListScimGroupsDTO = {
-  startIndex: number;
+  offset: number;
  limit: number;
  orgId: string;
 };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
@ -20,7 +20,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalPolicy}.id`,
        `${TableName.SecretApprovalPolicyApprover}.policyId`
      )
-      .select(tx.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover))
+      .select(tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover))
      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@ -33,18 +33,18 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
      const doc = await sapFindQuery(tx || db, {
        [`${TableName.SecretApprovalPolicy}.id` as "id"]: id
      });
-      const formatedDoc = mergeOneToManyRelation(
+      const formattedDoc = mergeOneToManyRelation(
        doc,
        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
          ...el,
          envId,
          environment: { id: envId, name, slug }
        }),
-        ({ approverId }) => approverId,
+        ({ approverUserId }) => approverUserId,
        "approvers"
      );
-      return formatedDoc?.[0];
+      return formattedDoc?.[0];
    } catch (error) {
      throw new DatabaseError({ error, name: "FindById" });
    }
@ -53,22 +53,31 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
  const find = async (filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>, tx?: Knex) => {
    try {
      const docs = await sapFindQuery(tx || db, filter);
-      const formatedDoc = mergeOneToManyRelation(
+      const formattedDoc = mergeOneToManyRelation(
        docs,
        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
          ...el,
          envId,
          environment: { id: envId, name, slug }
        }),
-        ({ approverId }) => approverId,
+        ({ approverUserId }) => approverUserId,
        "approvers"
      );
-      return formatedDoc;
+      return formattedDoc;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find" });
    }
  };

-  return { ...secretApprovalPolicyOrm, findById, find };
+  const findByProjectIds = async (projectIds: string[], tx?: Knex) => {
+    const policies = await (tx || db)(TableName.SecretApprovalPolicy)
+      .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .whereIn(`${TableName.Environment}.projectId`, projectIds)
+      .select(selectAllTableCols(TableName.SecretApprovalPolicy));
+
+    return policies;
+  };
+
+  return { ...secretApprovalPolicyOrm, findById, find, findByProjectIds };
 };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -7,6 +7,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
@ -29,6 +30,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
  secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  userDAL: Pick<TUserDALFactory, "findUsersByProjectId" | "findUserByProjectId">;
 };

 export type TSecretApprovalPolicyServiceFactory = ReturnType<typeof secretApprovalPolicyServiceFactory>;
@ -38,7 +40,7 @@ export const secretApprovalPolicyServiceFactory = ({
  permissionService,
  secretApprovalPolicyApproverDAL,
  projectEnvDAL,
-  projectMembershipDAL
+  userDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createSecretApprovalPolicy = async ({
    name,
@ -69,11 +71,12 @@ export const secretApprovalPolicyServiceFactory = ({
    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
    if (!env) throw new BadRequestError({ message: "Environment not found" });

-    const secretApprovers = await projectMembershipDAL.find({
+    const secretApproverUsers = await userDAL.findUsersByProjectId(
      projectId,
-      $in: { id: approvers }
-    });
-    if (secretApprovers.length !== approvers.length)
+      approvers.map((approverUserId) => approverUserId)
+    );
+
+    if (secretApproverUsers.length !== approvers.length)
      throw new BadRequestError({ message: "Approver not found in project" });

    const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
@ -87,8 +90,8 @@ export const secretApprovalPolicyServiceFactory = ({
        tx
      );
      await secretApprovalPolicyApproverDAL.insertMany(
-        secretApprovers.map(({ id }) => ({
-          approverId: id,
+        secretApproverUsers.map(({ id }) => ({
+          approverUserId: id,
          policyId: doc.id
        })),
        tx
@ -132,21 +135,19 @@ export const secretApprovalPolicyServiceFactory = ({
        tx
      );
      if (approvers) {
-        const secretApprovers = await projectMembershipDAL.find(
-          {
-            projectId: secretApprovalPolicy.projectId,
-            $in: { id: approvers }
-          },
-          { tx }
+        const secretApproverUsers = await userDAL.findUsersByProjectId(
+          secretApprovalPolicy.projectId,
+          approvers.map((approverUserId) => approverUserId)
        );
-        if (secretApprovers.length !== approvers.length)
+
+        if (secretApproverUsers.length !== approvers.length)
          throw new BadRequestError({ message: "Approver not found in project" });
-        if (doc.approvals > secretApprovers.length)
+        if (doc.approvals > secretApproverUsers.length)
          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
        await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
        await secretApprovalPolicyApproverDAL.insertMany(
-          secretApprovers.map(({ id }) => ({
-            approverId: id,
+          secretApproverUsers.map((user) => ({
+            approverUserId: user.id,
            policyId: doc.id
          })),
          tx
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@ -16,7 +16,7 @@ export type TSecretApprovalRequestDALFactory = ReturnType<typeof secretApprovalR

 type TFindQueryFilter = {
  projectId: string;
-  membershipId: string;
+  actorId: string;
  status?: RequestState;
  environment?: string;
  committer?: string;
@ -49,7 +49,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
      )
      .select(selectAllTableCols(TableName.SecretApprovalRequest))
      .select(
-        tx.ref("member").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
+        tx.ref("memberUserId").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
        tx.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
        tx.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"),
        tx.ref("name").withSchema(TableName.SecretApprovalPolicy).as("policyName"),
@ -57,14 +57,14 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
        tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-        tx.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover)
+        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover)
      );

  const findById = async (id: string, tx?: Knex) => {
    try {
      const sql = findQuery({ [`${TableName.SecretApprovalRequest}.id` as "id"]: id }, tx || db);
      const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
        data: docs,
        key: "id",
        parentMapper: (el) => ({
@ -84,20 +84,20 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            label: "reviewers" as const,
            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
          },
-          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
        ]
      });
-      if (!formatedDoc?.[0]) return;
+      if (!formattedDoc?.[0]) return;
      return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
+        ...formattedDoc[0],
+        policy: { ...formattedDoc[0].policy, approvers: formattedDoc[0].approvers }
      };
    } catch (error) {
      throw new DatabaseError({ error, name: "FindByIdSAR" });
    }
  };

-  const findProjectRequestCount = async (projectId: string, membershipId: string, tx?: Knex) => {
+  const findProjectRequestCount = async (projectId: string, approverUserId: string, tx?: Knex) => {
    try {
      const docs = await (tx || db)
        .with(
@ -110,12 +110,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              `${TableName.SecretApprovalRequest}.policyId`,
              `${TableName.SecretApprovalPolicyApprover}.policyId`
            )
-            .where({ projectId })
+            .where({ [`${TableName.Environment}.projectId` as "projectId"]: projectId })
            .andWhere(
              (bd) =>
                void bd
-                  .where(`${TableName.SecretApprovalPolicyApprover}.approverId`, membershipId)
-                  .orWhere(`${TableName.SecretApprovalRequest}.committerId`, membershipId)
+                  .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, approverUserId)
+                  .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, approverUserId)
            )
            .select("status", `${TableName.SecretApprovalRequest}.id`)
            .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
@ -142,7 +142,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
  };

  const findByProjectId = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, membershipId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, actorId }: TFindQueryFilter,
    tx?: Knex
  ) => {
    try {
@ -173,21 +173,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        )
        .where(
          stripUndefinedInWhere({
-            projectId,
+            [`${TableName.Environment}.projectId`]: projectId,
            [`${TableName.Environment}.slug` as "slug"]: environment,
            [`${TableName.SecretApprovalRequest}.status`]: status,
-            committerId: committer
+            committerUserId: committer
          })
        )
        .andWhere(
          (bd) =>
            void bd
-              .where(`${TableName.SecretApprovalPolicyApprover}.approverId`, membershipId)
-              .orWhere(`${TableName.SecretApprovalRequest}.committerId`, membershipId)
+              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, actorId)
+              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, actorId)
        )
        .select(selectAllTableCols(TableName.SecretApprovalRequest))
        .select(
-          db.ref("projectId").withSchema(TableName.Environment),
+          db.ref("projectId").withSchema(TableName.Environment).as("envProjectId"),
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
          db.ref("id").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
          db.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
@ -201,7 +201,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          ),
          db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-          db.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover)
+          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover)
        )
        .orderBy("createdAt", "desc");

@ -217,7 +217,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        parentMapper: (el) => ({
          ...SecretApprovalRequestsSchema.parse(el),
          environment: el.environment,
-          projectId: el.projectId,
+          projectId: el.envProjectId,
          policy: {
            id: el.policyId,
            name: el.policyName,
@ -232,9 +232,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            mapper: ({ reviewerMemberId: member, reviewerStatus: s }) => (member ? { member, status: s } : undefined)
          },
          {
-            key: "approverId",
+            key: "approverUserId",
            label: "approvers" as const,
-            mapper: ({ approverId }) => approverId
+            mapper: ({ approverUserId }) => approverUserId
          },
          {
            key: "commitId",
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
@ -113,7 +113,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          db.ref("secretCommentTag").withSchema(TableName.SecretVersion).as("secVerCommentTag"),
          db.ref("secretCommentCiphertext").withSchema(TableName.SecretVersion).as("secVerCommentCiphertext")
        );
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
        data: doc,
        key: "id",
        parentMapper: (data) => SecretApprovalRequestsSecretsSchema.omit({ secretVersion: true }).parse(data),
@ -212,7 +212,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          }
        ]
      });
-      return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
+      return formattedDoc?.map(({ secret, secretVersion, ...el }) => ({
        ...el,
        secret: secret?.[0],
        secretVersion: secretVersion?.[0]
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -7,15 +7,12 @@ import {
  SecretType,
  TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { getAllNestedSecretReferences } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@ -56,7 +53,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
  secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
  secretService: Pick<
    TSecretServiceFactory,
    | "fnSecretBulkInsert"
@ -84,13 +80,12 @@ export const secretApprovalRequestServiceFactory = ({
  snapshotService,
  secretService,
  secretVersionDAL,
-  secretQueueService,
-  projectBotService
+  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { membership } = await permissionService.getProjectPermission(
+    await permissionService.getProjectPermission(
      actor as ActorType.USER,
      actorId,
      projectId,
@ -98,7 +93,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorOrgId
    );

-    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, membership.id);
+    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
    return count;
  };

@ -116,19 +111,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+
    const approvals = await secretApprovalRequestDAL.findByProjectId({
      projectId,
      committer,
      environment,
      status,
-      membershipId: membership.id,
+      actorId,
      limit,
      offset
    });
@ -148,7 +138,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });

    const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission(
      actor,
      actorId,
      secretApprovalRequest.projectId,
@ -157,8 +147,8 @@ export const secretApprovalRequestServiceFactory = ({
    );
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerId !== membership.id &&
-      !policy.approvers.find((approverId) => approverId === membership.id)
+      secretApprovalRequest.committerUserId !== actorId &&
+      !policy.approvers.find((approverUserId) => approverUserId === actorId)
    ) {
      throw new UnauthorizedError({ message: "User has no access" });
    }
@ -183,7 +173,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
@ -192,8 +182,8 @@ export const secretApprovalRequestServiceFactory = ({
    );
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerId !== membership.id &&
-      !policy.approvers.find((approverId) => approverId === membership.id)
+      secretApprovalRequest.committerUserId !== actorId &&
+      !policy.approvers.find((approverUserId) => approverUserId === actorId)
    ) {
      throw new UnauthorizedError({ message: "User has no access" });
    }
@ -201,7 +191,7 @@ export const secretApprovalRequestServiceFactory = ({
      const review = await secretApprovalRequestReviewerDAL.findOne(
        {
          requestId: secretApprovalRequest.id,
-          member: membership.id
+          memberUserId: actorId
        },
        tx
      );
@ -210,7 +200,7 @@ export const secretApprovalRequestServiceFactory = ({
          {
            status,
            requestId: secretApprovalRequest.id,
-            member: membership.id
+            memberUserId: actorId
          },
          tx
        );
@ -233,7 +223,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
@ -242,8 +232,8 @@ export const secretApprovalRequestServiceFactory = ({
    );
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerId !== membership.id &&
-      !policy.approvers.find((approverId) => approverId === membership.id)
+      secretApprovalRequest.committerUserId !== actorId &&
+      !policy.approvers.find((approverUserId) => approverUserId === actorId)
    ) {
      throw new UnauthorizedError({ message: "User has no access" });
    }
@ -256,8 +246,9 @@ export const secretApprovalRequestServiceFactory = ({

    const updatedRequest = await secretApprovalRequestDAL.updateById(secretApprovalRequest.id, {
      status,
-      statusChangeBy: membership.id
+      statusChangeByUserId: actorId
    });
+
    return { ...secretApprovalRequest, ...updatedRequest };
  };

@ -273,7 +264,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy, folderId, projectId } = secretApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      projectId,
@ -283,8 +274,8 @@ export const secretApprovalRequestServiceFactory = ({

    if (
      !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerId !== membership.id &&
-      !policy.approvers.find((approverId) => approverId === membership.id)
+      secretApprovalRequest.committerUserId !== actorId &&
+      !policy.approvers.find((approverUserId) => approverUserId === actorId)
    ) {
      throw new UnauthorizedError({ message: "User has no access" });
    }
@ -295,7 +286,7 @@ export const secretApprovalRequestServiceFactory = ({
    const hasMinApproval =
      secretApprovalRequest.policy.approvals <=
      secretApprovalRequest.policy.approvers.filter(
-        (approverId) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
+        (approverUserId) => reviewers[approverUserId.toString()] === ApprovalStatus.APPROVED
      ).length;

    if (!hasMinApproval) throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
@ -357,7 +348,7 @@ export const secretApprovalRequestServiceFactory = ({
    }

    const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === CommitType.Delete);
-    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
+
    const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
      const newSecrets = secretCreationCommits.length
        ? await secretService.fnSecretBulkInsert({
@ -384,17 +375,7 @@ export const secretApprovalRequestServiceFactory = ({
              ]),
              tags: el?.tags.map(({ id }) => id),
              version: 1,
-              type: SecretType.Shared,
-              references: botKey
-                ? getAllNestedSecretReferences(
-                    decryptSymmetric128BitHexKeyUTF8({
-                      ciphertext: el.secretValueCiphertext,
-                      iv: el.secretValueIV,
-                      tag: el.secretValueTag,
-                      key: botKey
-                    })
-                  )
-                : undefined
+              type: SecretType.Shared
            })),
            secretDAL,
            secretVersionDAL,
@ -429,17 +410,7 @@ export const secretApprovalRequestServiceFactory = ({
                  "secretReminderNote",
                  "secretReminderRepeatDays",
                  "secretBlindIndex"
-                ]),
-                references: botKey
-                  ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
-                        ciphertext: el.secretValueCiphertext,
-                        iv: el.secretValueIV,
-                        tag: el.secretValueTag,
-                        key: botKey
-                      })
-                    )
-                  : undefined
+                ])
              }
            })),
            secretDAL,
@ -470,7 +441,7 @@ export const secretApprovalRequestServiceFactory = ({
          conflicts: JSON.stringify(conflicts),
          hasMerged: true,
          status: RequestState.Closed,
-          statusChangeBy: membership.id
+          statusChangeByUserId: actorId
        },
        tx
      );
@ -505,7 +476,7 @@ export const secretApprovalRequestServiceFactory = ({
  }: TGenerateSecretApprovalRequestDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { permission, membership } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
@ -659,7 +630,7 @@ export const secretApprovalRequestServiceFactory = ({
          policyId: policy.id,
          status: "open",
          hasMerged: false,
-          committerId: membership.id
+          committerUserId: actorId
        },
        tx
      );
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -90,17 +90,15 @@ export const secretScanningServiceFactory = ({
    const {
      data: { repositories }
    } = await octokit.apps.listReposAccessibleToInstallation();
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await Promise.all(
-        repositories.map(({ id, full_name }) =>
-          secretScanningQueue.startFullRepoScan({
-            organizationId: session.orgId,
-            installationId,
-            repository: { id, fullName: full_name }
-          })
-        )
-      );
-    }
+    await Promise.all(
+      repositories.map(({ id, full_name }) =>
+        secretScanningQueue.startFullRepoScan({
+          organizationId: session.orgId,
+          installationId,
+          repository: { id, fullName: full_name }
+        })
+      )
+    );
    return { installatedApp };
  };

@ -153,7 +151,6 @@ export const secretScanningServiceFactory = ({
  };

  const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
-    const appCfg = getConfig();
    const { commits, repository, installation, pusher } = payload;
    if (!commits || !repository || !installation || !pusher) {
      return;
@ -164,15 +161,13 @@ export const secretScanningServiceFactory = ({
    });
    if (!installationLink) return;

-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await secretScanningQueue.startPushEventScan({
-        commits,
-        pusher: { name: pusher.name, email: pusher.email },
-        repository: { fullName: repository.full_name, id: repository.id },
-        organizationId: installationLink.orgId,
-        installationId: String(installation?.id)
-      });
-    }
+    await secretScanningQueue.startPushEventScan({
+      commits,
+      pusher: { name: pusher.name, email: pusher.email },
+      repository: { fullName: repository.full_name, id: repository.id },
+      organizationId: installationLink.orgId,
+      installationId: String(installation?.id)
+    });
  };

  const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -89,21 +89,6 @@ export const UNIVERSAL_AUTH = {
  },
  RENEW_ACCESS_TOKEN: {
    accessToken: "The access token to renew."
-  },
-  REVOKE_ACCESS_TOKEN: {
-    accessToken: "The access token to revoke."
-  }
-} as const;
-
-export const AWS_AUTH = {
-  LOGIN: {
-    identityId: "The ID of the identity to login.",
-    iamHttpRequestMethod: "The HTTP request method used in the signed request.",
-    iamRequestUrl:
-      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/",
-    iamRequestBody:
-      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
-    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
  }
 } as const;

@ -148,6 +133,36 @@ export const PROJECTS = {
    name: "The new name of the project.",
    autoCapitalization: "Disable or enable auto-capitalization for the project."
  },
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: "A list of roles to update the membership to."
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
  GET_KEY: {
    workspaceId: "The ID of the project to get the key from."
  },
@ -186,70 +201,6 @@ export const PROJECTS = {
  }
 } as const;

-export const PROJECT_USERS = {
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  GET_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to get memberships from.",
-    username: "The username to get project membership of. Email is the default username."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  }
-};
-
-export const PROJECT_IDENTITIES = {
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  GET_IDENTITY_MEMBERSHIP_BY_ID: {
-    identityId: "The ID of the identity to get the membership for.",
-    projectId: "The ID of the project to get the identity membership for."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: {
-      description: "A list of role slugs to assign to the identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  CREATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to create the identity membership from.",
-    identityId: "The ID of the identity to create the membership from.",
-    role: "The role slug to assign to the newly created identity project membership.",
-    roles: {
-      description: "A list of role slugs to assign to the newly created identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  }
-};
-
 export const ENVIRONMENTS = {
  CREATE: {
    workspaceId: "The ID of the project to create the environment in.",
@ -289,7 +240,6 @@ export const FOLDERS = {
    name: "The new name of the folder.",
    path: "The path of the folder to update.",
    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    projectSlug: "The slug of the project where the folder is located.",
    workspaceId: "The ID of the project where the folder is located."
  },
  DELETE: {
@ -322,12 +272,10 @@ export const SECRETS = {

 export const RAW_SECRETS = {
  LIST: {
-    expand: "Whether or not to expand secret references",
    recursive:
      "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
    workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug:
-      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
+    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
    secretPath: "The secret path to list secrets from.",
    includeImports: "Weather to include imported secrets or not."
@ -346,7 +294,6 @@ export const RAW_SECRETS = {
  GET: {
    secretName: "The name of the secret to get.",
    workspaceId: "The ID of the project to get the secret from.",
-    workspaceSlug: "The slug of the project to get the secret from.",
    environment: "The slug of the environment to get the secret from.",
    secretPath: "The path of the secret to get.",
    version: "The version of the secret to get.",
@ -517,21 +464,12 @@ export const SECRET_TAGS = {
 export const IDENTITY_ADDITIONAL_PRIVILEGE = {
  CREATE: {
    projectSlug: "The slug of the project of the identity in.",
-    identityId: "The ID of the identity to create.",
+    identityId: "The ID of the identity to delete.",
    slug: "The slug of the privilege to create.",
    permissions: `The permission object for the privilege.
- Read secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"]}
-\`\`\`
- Read and Write secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
-\`\`\`
- Read secrets scoped to an environment and secret path
-\`\`\`
- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
-\`\`\`
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
 `,
    isPackPermission: "Whether the server should pack(compact) the permission object.",
    isTemporary: "Whether the privilege is temporary.",
@ -545,19 +483,11 @@ export const IDENTITY_ADDITIONAL_PRIVILEGE = {
    slug: "The slug of the privilege to update.",
    newSlug: "The new slug of the privilege to update.",
    permissions: `The permission object for the privilege.
- Read secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"]}
-\`\`\`
- Read and Write secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
-\`\`\`
- Read secrets scoped to an environment and secret path
-\`\`\`
- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
-\`\`\`
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
 `,
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
    isTemporary: "Whether the privilege is temporary.",
    temporaryMode: "Type of temporary access given. Types: relative",
    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
@ -662,12 +592,10 @@ export const INTEGRATION = {
      secretPrefix: "The prefix for the saved secret. Used by GCP.",
      secretSuffix: "The suffix for the saved secret. Used by GCP.",
      initialSyncBehavoir: "Type of syncing behavoir with the integration.",
-      mappingBehavior: "The mapping behavior of the integration.",
      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
      secretGCPLabel: "The label for GCP secrets.",
      secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS.",
-      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
+      kmsKeyId: "The ID of the encryption key from AWS KMS."
    }
  },
  UPDATE: {
@ -684,9 +612,6 @@ export const INTEGRATION = {
  },
  DELETE: {
    integrationId: "The ID of the integration object."
-  },
-  SYNC: {
-    integrationId: "The ID of the integration object to manually sync"
  }
 };

--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -13,10 +13,6 @@ const zodStrBool = z
 const envSchema = z
  .object({
    PORT: z.coerce.number().default(4000),
-    DISABLE_SECRET_SCANNING: z
-      .enum(["true", "false"])
-      .default("false")
-      .transform((el) => el === "true"),
    REDIS_URL: zpStr(z.string()),
    HOST: zpStr(z.string().default("localhost")),
    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@ -104,68 +104,24 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
      throw new DatabaseError({ error, name: "Create" });
    }
  },
-  updateById: async (
-    id: string,
-    {
-      $incr,
-      $decr,
-      ...data
-    }: Tables[Tname]["update"] & {
-      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-    },
-    tx?: Knex
-  ) => {
+  updateById: async (id: string, data: Tables[Tname]["update"], tx?: Knex) => {
    try {
-      const query = (tx || db)(tableName)
+      const [res] = await (tx || db)(tableName)
        .where({ id } as never)
        .update(data as never)
        .returning("*");
-      if ($incr) {
-        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      if ($decr) {
-        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      const [docs] = await query;
-      return docs;
+      return res;
    } catch (error) {
      throw new DatabaseError({ error, name: "Update by id" });
    }
  },
-  update: async (
-    filter: TFindFilter<Tables[Tname]["base"]>,
-    {
-      $incr,
-      $decr,
-      ...data
-    }: Tables[Tname]["update"] & {
-      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-    },
-    tx?: Knex
-  ) => {
+  update: async (filter: TFindFilter<Tables[Tname]["base"]>, data: Tables[Tname]["update"], tx?: Knex) => {
    try {
-      const query = (tx || db)(tableName)
+      const res = await (tx || db)(tableName)
        .where(buildFindFilter(filter))
        .update(data as never)
        .returning("*");
-      // increment and decrement operation in update
-      if ($incr) {
-        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      if ($decr) {
-        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      return await query;
+      return res;
    } catch (error) {
      throw new DatabaseError({ error, name: "Update" });
    }
--- a/backend/src/lib/logger/logger.ts
+++ b/backend/src/lib/logger/logger.ts
@ -30,37 +30,6 @@ const loggerConfig = z.object({
  NODE_ENV: z.enum(["development", "test", "production"]).default("production")
 });

-const redactedKeys = [
-  "accessToken",
-  "authToken",
-  "serviceToken",
-  "identityAccessToken",
-  "token",
-  "privateKey",
-  "serverPrivateKey",
-  "plainPrivateKey",
-  "plainProjectKey",
-  "encryptedPrivateKey",
-  "userPrivateKey",
-  "protectedKey",
-  "decryptKey",
-  "encryptedProjectKey",
-  "encryptedSymmetricKey",
-  "encryptedPrivateKey",
-  "backupPrivateKey",
-  "secretKey",
-  "SecretKey",
-  "botPrivateKey",
-  "encryptedKey",
-  "plaintextProjectKey",
-  "accessKey",
-  "botKey",
-  "decryptedSecret",
-  "secrets",
-  "key",
-  "password"
-];
-
 export const initLogger = async () => {
  const cfg = loggerConfig.parse(process.env);
  const targets: pino.TransportMultiOptions["targets"][number][] = [
@ -105,9 +74,7 @@ export const initLogger = async () => {
          hostname: bindings.hostname
          // node_version: process.version
        })
-      },
-      // redact until depth of three
-      redact: [...redactedKeys, ...redactedKeys.map((key) => `*.${key}`), ...redactedKeys.map((key) => `*.*.${key}`)]
+      }
    },
    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
    transport
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -12,9 +12,7 @@ export enum QueueName {
  SecretRotation = "secret-rotation",
  SecretReminder = "secret-reminder",
  AuditLog = "audit-log",
-  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
  AuditLogPrune = "audit-log-prune",
-  DailyResourceCleanUp = "daily-resource-cleanup",
  TelemetryInstanceStats = "telemtry-self-hosted-stats",
  IntegrationSync = "sync-integrations",
  SecretWebhook = "secret-webhook",
@ -28,9 +26,7 @@ export enum QueueJobs {
  SecretReminder = "secret-reminder-job",
  SecretRotation = "secret-rotation-job",
  AuditLog = "audit-log-job",
-  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
  AuditLogPrune = "audit-log-prune-job",
-  DailyResourceCleanUp = "daily-resource-cleanup-job",
  SecWebhook = "secret-webhook-trigger",
  TelemetryInstanceStats = "telemetry-self-hosted-stats",
  IntegrationSync = "secret-integration-pull",
@ -59,10 +55,6 @@ export type TQueueJobTypes = {
    name: QueueJobs.AuditLog;
    payload: TCreateAuditLogDTO;
  };
-  [QueueName.DailyResourceCleanUp]: {
-    name: QueueJobs.DailyResourceCleanUp;
-    payload: undefined;
-  };
  [QueueName.AuditLogPrune]: {
    name: QueueJobs.AuditLogPrune;
    payload: undefined;
@ -73,13 +65,7 @@ export type TQueueJobTypes = {
  };
  [QueueName.IntegrationSync]: {
    name: QueueJobs.IntegrationSync;
-    payload: {
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
  [QueueName.SecretFullRepoScan]: {
    name: QueueJobs.SecretScan;
@ -180,9 +166,7 @@ export const queueServiceFactory = (redisUrl: string) => {
    jobId?: string
  ) => {
    const q = queueContainer[name];
-    if (q) {
-      return q.removeRepeatable(job, repeatOpt, jobId);
-    }
+    return q.removeRepeatable(job, repeatOpt, jobId);
  };

  const stopRepeatableJobByJobId = async <T extends QueueName>(name: T, jobId: string) => {
--- a/backend/src/server/config/rateLimiter.ts
+++ b/backend/src/server/config/rateLimiter.ts
@ -36,7 +36,7 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
  // secrets, folders, secret imports
  timeWindow: 60 * 1000,
-  max: 60,
+  max: 1000,
  keyGenerator: (req) => req.realIp
 };

--- a/backend/src/server/plugins/auth/inject-permission.ts
+++ b/backend/src/server/plugins/auth/inject-permission.ts
@ -1,6 +1,5 @@
 import fp from "fastify-plugin";

-import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";

 // inject permission type needed based on auth extracted
@ -16,10 +15,6 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
        authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
      };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
-      );
    } else if (req.auth.actor === ActorType.IDENTITY) {
      req.permission = {
        type: ActorType.IDENTITY,
@ -27,10 +22,6 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
-      );
    } else if (req.auth.actor === ActorType.SERVICE) {
      req.permission = {
        type: ActorType.SERVICE,
@ -38,10 +29,6 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
-      );
    } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
      req.permission = {
        type: ActorType.SCIM_CLIENT,
@ -49,10 +36,6 @@ export const injectPermission = fp(async (server) => {
        orgId: req.auth.orgId,
        authMethod: null
      };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
-      );
    }
  });
 });
--- a/backend/src/server/plugins/ip.ts
+++ b/backend/src/server/plugins/ip.ts
@ -6,7 +6,6 @@ const headersOrder = [
  "cf-connecting-ip", // Cloudflare
  "Cf-Pseudo-IPv4", // Cloudflare
  "x-client-ip", // Most common
-  "x-envoy-external-address", // for envoy
  "x-forwarded-for", // Mostly used by proxies
  "fastly-client-ip",
  "true-client-ip", // Akamai and Cloudflare
@ -24,21 +23,7 @@ export const fastifyIp = fp(async (fastify) => {
    const forwardedIpHeader = headersOrder.find((header) => Boolean(req.headers[header]));
    const forwardedIp = forwardedIpHeader ? req.headers[forwardedIpHeader] : undefined;
    if (forwardedIp) {
-      if (Array.isArray(forwardedIp)) {
-        // eslint-disable-next-line
-        req.realIp = forwardedIp[0];
-        return;
-      }
-
-      if (forwardedIp.includes(",")) {
-        // the ip header when placed with load balancers that proxy request
-        // will attach the internal ips to header by appending with comma
-        // https://github.com/go-chi/chi/blob/master/middleware/realip.go
-        const clientIPFromProxy = forwardedIp.slice(0, forwardedIp.indexOf(",")).trim();
-        req.realIp = clientIPFromProxy;
-        return;
-      }
-      req.realIp = forwardedIp;
+      req.realIp = Array.isArray(forwardedIp) ? forwardedIp[0] : forwardedIp;
    } else {
      req.realIp = req.ip;
    }
--- a/backend/src/server/plugins/maintenanceMode.ts
+++ b/backend/src/server/plugins/maintenanceMode.ts
@ -5,13 +5,8 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
  fastify.addHook("onRequest", async (req) => {
    const serverEnvs = getConfig();
-    if (serverEnvs.MAINTENANCE_MODE) {
-      // skip if its universal auth login or renew
-      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
-      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
-      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
-        throw new Error("Infisical is in maintenance mode. Please try again later.");
-      }
+    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
+      throw new Error("Infisical is in maintenance mode. Please try again later.");
    }
  });
 });
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -22,6 +22,7 @@ import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secre
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
+import { groupProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/group-project-user-additional-privilege/group-project-user-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
@ -78,14 +79,6 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
-import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
-import { identityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
-import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
-import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
-import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@ -102,7 +95,6 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
-import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@ -117,7 +109,6 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@ -163,10 +154,7 @@ export const registerRoutes = async (
    keyStore
  }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  const appCfg = getConfig();
-  if (!appCfg.DISABLE_SECRET_SCANNING) {
-    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
-  }
+  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });

  // db layers
  const userDAL = userDALFactory(db);
@ -174,7 +162,6 @@ export const registerRoutes = async (
  const authDAL = authDALFactory(db);
  const authTokenDAL = tokenDALFactory(db);
  const orgDAL = orgDALFactory(db);
-  const orgMembershipDAL = orgMembershipDALFactory(db);
  const orgBotDAL = orgBotDALFactory(db);
  const incidentContactDAL = incidentContactDALFactory(db);
  const orgRoleDAL = orgRoleDALFactory(db);
@ -212,11 +199,7 @@ export const registerRoutes = async (
  const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);

  const identityUaDAL = identityUaDALFactory(db);
-  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
-  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
-  const identityAzureAuthDAL = identityAzureAuthDALFactory(db);

  const auditLogDAL = auditLogDALFactory(db);
  const auditLogStreamDAL = auditLogStreamDALFactory(db);
@ -235,6 +218,8 @@ export const registerRoutes = async (
  const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
  const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);

+  const groupProjectUserAdditionalPrivilegeDAL = groupProjectUserAdditionalPrivilegeDALFactory(db);
+
  const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
  const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
  const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@ -248,10 +233,10 @@ export const registerRoutes = async (

  const gitAppInstallSessionDAL = gitAppInstallSessionDALFactory(db);
  const gitAppOrgDAL = gitAppDALFactory(db);
-  const groupDAL = groupDALFactory(db);
+  const userGroupMembershipDAL = userGroupMembershipDALFactory(db);
+  const groupDAL = groupDALFactory(db, userGroupMembershipDAL);
  const groupProjectDAL = groupProjectDALFactory(db);
  const groupProjectMembershipRoleDAL = groupProjectMembershipRoleDALFactory(db);
-  const userGroupMembershipDAL = userGroupMembershipDALFactory(db);
  const secretScanningDAL = secretScanningDALFactory(db);
  const licenseDAL = licenseDALFactory(db);
  const dynamicSecretDAL = dynamicSecretDALFactory(db);
@ -289,32 +274,31 @@ export const registerRoutes = async (
    projectMembershipDAL,
    projectEnvDAL,
    secretApprovalPolicyApproverDAL: sapApproverDAL,
+    userDAL,
    permissionService,
    secretApprovalPolicyDAL
  });
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });

  const samlService = samlConfigServiceFactory({
    permissionService,
    orgBotDAL,
    orgDAL,
-    orgMembershipDAL,
    userDAL,
-    userAliasDAL,
    samlConfigDAL,
-    licenseService,
-    tokenService,
-    smtpService
+    licenseService
  });
  const groupService = groupServiceFactory({
    userDAL,
    groupDAL,
    groupProjectDAL,
    orgDAL,
+    secretApprovalPolicyDAL,
    userGroupMembershipDAL,
    projectDAL,
    projectBotDAL,
    projectKeyDAL,
+    secretApprovalRequestDAL,
+    accessApprovalRequestDAL,
    permissionService,
    licenseService
  });
@ -322,7 +306,10 @@ export const registerRoutes = async (
    groupDAL,
    groupProjectDAL,
    groupProjectMembershipRoleDAL,
+    secretApprovalPolicyDAL,
+    secretApprovalRequestDAL,
    userGroupMembershipDAL,
+    accessApprovalRequestDAL,
    projectDAL,
    projectKeyDAL,
    projectBotDAL,
@ -333,13 +320,14 @@ export const registerRoutes = async (
    licenseService,
    scimDAL,
    userDAL,
-    userAliasDAL,
    orgDAL,
-    orgMembershipDAL,
    projectDAL,
    projectMembershipDAL,
    groupDAL,
+    secretApprovalPolicyDAL,
    groupProjectDAL,
+    secretApprovalRequestDAL,
+    accessApprovalRequestDAL,
    userGroupMembershipDAL,
    projectKeyDAL,
    projectBotDAL,
@ -351,9 +339,11 @@ export const registerRoutes = async (
    ldapConfigDAL,
    ldapGroupMapDAL,
    orgDAL,
-    orgMembershipDAL,
    orgBotDAL,
+    secretApprovalPolicyDAL,
    groupDAL,
+    secretApprovalRequestDAL,
+    accessApprovalRequestDAL,
    groupProjectDAL,
    projectKeyDAL,
    projectDAL,
@ -375,13 +365,8 @@ export const registerRoutes = async (
    queueService
  });

-  const userService = userServiceFactory({
-    userDAL,
-    userAliasDAL,
-    orgMembershipDAL,
-    tokenService,
-    smtpService
-  });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
+  const userService = userServiceFactory({ userDAL });
  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
  const passwordService = authPaswordServiceFactory({
    tokenService,
@ -390,7 +375,6 @@ export const registerRoutes = async (
    userDAL
  });
  const orgService = orgServiceFactory({
-    userAliasDAL,
    licenseService,
    samlConfigDAL,
    orgRoleDAL,
@ -451,6 +435,7 @@ export const registerRoutes = async (
    projectUserMembershipRoleDAL,
    projectDAL,
    permissionService,
+    groupProjectDAL,
    projectBotDAL,
    orgDAL,
    userDAL,
@ -551,10 +536,8 @@ export const registerRoutes = async (
    folderDAL,
    folderVersionDAL,
    projectEnvDAL,
-    snapshotService,
-    projectDAL
+    snapshotService
  });
-
  const integrationAuthService = integrationAuthServiceFactory({
    integrationAuthDAL,
    integrationDAL,
@ -613,7 +596,6 @@ export const registerRoutes = async (
  });
  const sarService = secretApprovalRequestServiceFactory({
    permissionService,
-    projectBotService,
    folderDAL,
    secretDAL,
    secretTagDAL,
@ -634,7 +616,7 @@ export const registerRoutes = async (
    accessApprovalPolicyApproverDAL,
    permissionService,
    projectEnvDAL,
-    projectMembershipDAL,
+    userDAL,
    projectDAL
  });

@ -643,6 +625,7 @@ export const registerRoutes = async (
    permissionService,
    accessApprovalRequestReviewerDAL,
    additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
+    groupAdditionalPrivilegeDAL: groupProjectUserAdditionalPrivilegeDAL,
    projectMembershipDAL,
    accessApprovalPolicyDAL,
    accessApprovalRequestDAL,
@ -718,41 +701,6 @@ export const registerRoutes = async (
    identityUaDAL,
    licenseService
  });
-  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
-    identityKubernetesAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    orgBotDAL,
-    permissionService,
-    licenseService
-  });
-  const identityGcpAuthService = identityGcpAuthServiceFactory({
-    identityGcpAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    permissionService,
-    licenseService
-  });
-
-  const identityAwsAuthService = identityAwsAuthServiceFactory({
-    identityAccessTokenDAL,
-    identityAwsAuthDAL,
-    identityOrgMembershipDAL,
-    identityDAL,
-    licenseService,
-    permissionService
-  });
-
-  const identityAzureAuthService = identityAzureAuthServiceFactory({
-    identityAzureAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    permissionService,
-    licenseService
-  });

  const dynamicSecretProviders = buildDynamicSecretProviders();
  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
@ -781,19 +729,14 @@ export const registerRoutes = async (
    folderDAL,
    licenseService
  });
-  const dailyResourceCleanUp = dailyResourceCleanUpQueueServiceFactory({
-    auditLogDAL,
-    queueService,
-    identityAccessTokenDAL
-  });

  await superAdminService.initServerCfg();
  //
  // setup the communication with license key server
  await licenseService.init();

+  await auditLogQueue.startAuditLogPruneJob();
  await telemetryQueue.startTelemetryCheck();
-  await dailyResourceCleanUp.startCleanUp();

  // inject all services
  server.decorate<FastifyZodProvider["services"]>("services", {
@ -827,10 +770,6 @@ export const registerRoutes = async (
    identityAccessToken: identityAccessTokenService,
    identityProject: identityProjectService,
    identityUa: identityUaService,
-    identityKubernetesAuth: identityKubernetesAuthService,
-    identityGcpAuth: identityGcpAuthService,
-    identityAwsAuth: identityAwsAuthService,
-    identityAzureAuth: identityAzureAuthService,
    secretApprovalPolicy: sapService,
    accessApprovalPolicy: accessApprovalPolicyService,
    accessApprovalRequest: accessApprovalRequestService,
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@ -2,13 +2,10 @@ import { z } from "zod";

 import {
  DynamicSecretsSchema,
-  IdentityProjectAdditionalPrivilegeSchema,
  IntegrationAuthsSchema,
  SecretApprovalPoliciesSchema,
  UsersSchema
 } from "@app/db/schemas";
-import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";

 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@ -65,33 +62,6 @@ export const secretRawSchema = z.object({
  secretComment: z.string().optional()
 });

-export const ProjectPermissionSchema = z.object({
-  action: z
-    .nativeEnum(ProjectPermissionActions)
-    .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
-  subject: z
-    .nativeEnum(ProjectPermissionSub)
-    .describe("The entity this permission pertains to. Possible options: secrets, environments"),
-  conditions: z
-    .object({
-      environment: z.string().describe("The environment slug this permission should allow.").optional(),
-      secretPath: z
-        .object({
-          $glob: z
-            .string()
-            .min(1)
-            .describe("The secret path this permission should allow. Can be a glob pattern such as /folder-name/*/** ")
-        })
-        .optional()
-    })
-    .describe("When specified, only matching conditions will be allowed to access given resource.")
-    .optional()
-});
-
-export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
-  permissions: UnpackedPermissionSchema.array()
-});
-
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
  inputIV: true,
  inputTag: true,
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -20,23 +20,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
    schema: {
      response: {
        200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
-            isMigrationModeOn: z.boolean(),
-            isSecretScanningDisabled: z.boolean()
-          })
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
+            z.object({ isMigrationModeOn: z.boolean() })
+          )
        })
      }
    },
    handler: async () => {
      const config = await getServerCfg();
      const serverEnvs = getConfig();
-      return {
-        config: {
-          ...config,
-          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
-          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
-        }
-      };
+      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
    }
  });

@ -49,9 +42,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
    schema: {
      body: z.object({
        allowSignUp: z.boolean().optional(),
-        allowedSignUpDomain: z.string().optional().nullable(),
-        trustSamlEmails: z.boolean().optional(),
-        trustLdapEmails: z.boolean().optional()
+        allowedSignUpDomain: z.string().optional().nullable()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@ -36,29 +36,4 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
      };
    }
  });
-
-  server.route({
-    url: "/token/revoke",
-    method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Revoke access token",
-      body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    handler: async (req) => {
-      await server.services.identityAccessToken.revokeAccessToken(req.body.accessToken);
-      return {
-        message: "Successfully revoked access token"
-      };
-    }
-  });
 };
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@ -1,269 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAwsAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_AUTH } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import {
-  validateAccountIds,
-  validatePrincipalArns
-} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
-
-export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/aws-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with AWS Auth",
-      body: z.object({
-        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityAwsAuthId: identityAwsAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityAwsAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach AWS Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).default("https://sts.amazonaws.com/"),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).optional(),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId
-          }
-        }
-      });
-      return { identityAwsAuth };
-    }
-  });
-};
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@ -1,262 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAzureAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
-
-export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/azure-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with Azure Auth",
-      body: z.object({
-        identityId: z.string(),
-        jwt: z.string()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityAzureAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAzureAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityAzureAuthId: identityAzureAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityAzureAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach Azure Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        tenantId: z.string().trim(),
-        resource: z.string().trim(),
-        allowedServicePrincipalIds: validateAzureAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.attachAzureAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            tenantId: identityAzureAuth.tenantId,
-            resource: identityAzureAuth.resource,
-            accessTokenTTL: identityAzureAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update Azure Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        tenantId: z.string().trim().optional(),
-        resource: z.string().trim().optional(),
-        allowedServicePrincipalIds: validateAzureAuthField.optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.updateAzureAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            tenantId: identityAzureAuth.tenantId,
-            resource: identityAzureAuth.resource,
-            accessTokenTTL: identityAzureAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve Azure Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.getAzureAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-};
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@ -1,268 +0,0 @@
-import { z } from "zod";
-
-import { IdentityGcpAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
-
-export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with GCP Auth",
-      body: z.object({
-        identityId: z.string(),
-        jwt: z.string()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityGcpAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityGcpAuthId: identityGcpAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityGcpAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach GCP Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]),
-        allowedServiceAccounts: validateGcpAuthField,
-        allowedProjects: validateGcpAuthField,
-        allowedZones: validateGcpAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField.optional(),
-        allowedProjects: validateGcpAuthField.optional(),
-        allowedZones: validateGcpAuthField.optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-};
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@ -1,283 +0,0 @@
-import { z } from "zod";
-
-import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-
-const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.omit({
-  encryptedCaCert: true,
-  caCertIV: true,
-  caCertTag: true,
-  encryptedTokenReviewerJwt: true,
-  tokenReviewerJwtIV: true,
-  tokenReviewerJwtTag: true
-}).extend({
-  caCert: z.string(),
-  tokenReviewerJwt: z.string()
-});
-
-export const registerIdentityKubernetesRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with Kubernetes Auth",
-      body: z.object({
-        identityId: z.string().trim(),
-        jwt: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityKubernetesAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityKubernetesAuth.login({
-          identityId: req.body.identityId,
-          jwt: req.body.jwt
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityKubernetesAuthId: identityKubernetesAuth.id
-          }
-        }
-      });
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityKubernetesAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach Kubernetes Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1),
-        caCert: z.string().trim().default(""),
-        tokenReviewerJwt: z.string().trim().min(1),
-        allowedNamespaces: z.string(), // TODO: validation
-        allowedNames: z.string(),
-        allowedAudience: z.string(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.attachKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1).optional(),
-        caCert: z.string().trim().optional(),
-        tokenReviewerJwt: z.string().trim().min(1).optional(),
-        allowedNamespaces: z.string().optional(), // TODO: validation
-        allowedNames: z.string().optional(),
-        allowedAudience: z.string().optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.updateKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.getKubernetesAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-};
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@ -2,10 +2,6 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
-import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
-import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
-import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@ -31,11 +27,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
    async (authRouter) => {
      await authRouter.register(registerAuthRoutes);
      await authRouter.register(registerIdentityUaRouter);
-      await authRouter.register(registerIdentityKubernetesRouter);
-      await authRouter.register(registerIdentityGcpAuthRouter);
      await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsAuthRouter);
-      await authRouter.register(registerIdentityAzureAuthRouter);
    },
    { prefix: "/auth" }
  );
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@ -330,7 +330,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
          teams: z
            .object({
              name: z.string(),
-              id: z.string()
+              id: z.string().optional()
            })
            .array()
        })
--- a/Show More
+++ b/Show More