Move azure auth migration file to front

Merge remote-tracking branch 'origin' into azure-auth
Merge pull request #1853 from Infisical/daniel/jenkins-docs
2025-04-09 01:47:08 +00:00 · 2024-05-20 21:15:42 -07:00 · 2024-05-20 21:14:30 -07:00 · 2024-05-20 20:13:42 -07:00 · 2024-05-21 04:58:24 +02:00 · 2024-05-21 04:56:26 +02:00
1488 changed files with 65734 additions and 27696 deletions
--- a/.env.example
+++ b/.env.example
@ -3,9 +3,6 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

-# Required
-DB_CONNECTION_URI=postgres://infisical:infisical@db:5432/infisical
-
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@ -16,6 +13,9 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical

+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
 # Redis
 REDIS_URL=redis://redis:6379

--- a/.github/resources/changelog-generator.py
+++ b/.github/resources/changelog-generator.py
@ -0,0 +1,190 @@
+# inspired by https://www.photoroom.com/inside-photoroom/how-we-automated-our-changelog-thanks-to-chatgpt
+import os
+import requests
+import re
+from openai import OpenAI
+import subprocess
+from datetime import datetime
+
+import uuid
+
+# Constants
+REPO_OWNER = "infisical"
+REPO_NAME = "infisical"
+TOKEN = os.environ["GITHUB_TOKEN"]
+SLACK_WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
+OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
+SLACK_MSG_COLOR = "#36a64f"
+
+headers = {
+    "Authorization": f"Bearer {TOKEN}",
+    "Accept": "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+}
+
+
+def set_multiline_output(name, value):
+    with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+        delimiter = uuid.uuid1()
+        print(f'{name}<<{delimiter}', file=fh)
+        print(value, file=fh)
+        print(delimiter, file=fh)
+
+def post_changelog_to_slack(changelog, tag):
+    slack_payload = {
+        "text": "Hey team, it's changelog time! :wave:",
+        "attachments": [
+            {
+                "color": SLACK_MSG_COLOR,
+                "title": f"🗓️Infisical Changelog - {tag}",
+                "text": changelog,
+            }
+        ],
+    }
+
+    response = requests.post(SLACK_WEBHOOK_URL, json=slack_payload)
+
+    if response.status_code != 200:
+        raise Exception("Failed to post changelog to Slack.")
+
+def find_previous_release_tag(release_tag:str):
+    previous_tag = subprocess.check_output(["git", "describe", "--tags", "--abbrev=0", f"{release_tag}^"]).decode("utf-8").strip()
+    while not(previous_tag.startswith("infisical/")):
+        previous_tag = subprocess.check_output(["git", "describe", "--tags", "--abbrev=0", f"{previous_tag}^"]).decode("utf-8").strip()
+    return previous_tag
+
+def get_tag_creation_date(tag_name):
+    url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/git/refs/tags/{tag_name}"
+    response = requests.get(url, headers=headers)
+    response.raise_for_status()
+    commit_sha = response.json()['object']['sha']
+    
+    commit_url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/commits/{commit_sha}"
+    commit_response = requests.get(commit_url, headers=headers)
+    commit_response.raise_for_status()
+    creation_date = commit_response.json()['commit']['author']['date']
+
+    return datetime.strptime(creation_date, '%Y-%m-%dT%H:%M:%SZ')
+
+
+def fetch_prs_between_tags(previous_tag_date:datetime, release_tag_date:datetime):
+    # Use GitHub API to fetch PRs merged between the commits
+    url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/pulls?state=closed&merged=true"
+    response = requests.get(url, headers=headers)
+
+    if response.status_code != 200:
+        raise Exception("Error fetching PRs from GitHub API!")
+
+    prs = []
+    for pr in response.json():
+        # the idea is as tags happen recently we get last 100 closed PRs and then filter by tag creation date
+        if pr["merged_at"] and datetime.strptime(pr["merged_at"],'%Y-%m-%dT%H:%M:%SZ') < release_tag_date and  datetime.strptime(pr["merged_at"],'%Y-%m-%dT%H:%M:%SZ') > previous_tag_date:
+            prs.append(pr)
+
+    return prs
+
+
+def extract_commit_details_from_prs(prs):
+    commit_details = []
+    for pr in prs:
+        commit_message = pr["title"]
+        commit_url = pr["html_url"]
+        pr_number = pr["number"]
+        branch_name = pr["head"]["ref"]
+        issue_numbers = re.findall(r"(www-\d+|web-\d+)", branch_name)
+
+        # If no issue numbers are found, add the PR details without issue numbers and URLs
+        if not issue_numbers:
+            commit_details.append(
+                {
+                    "message": commit_message,
+                    "pr_number": pr_number,
+                    "pr_url": commit_url,
+                    "issue_number": None,
+                    "issue_url": None,
+                }
+            )
+            continue
+
+        for issue in issue_numbers:
+            commit_details.append(
+                {
+                    "message": commit_message,
+                    "pr_number": pr_number,
+                    "pr_url": commit_url,
+                    "issue_number": issue,
+                }
+            )
+
+    return commit_details
+
+# Function to generate changelog using OpenAI
+def generate_changelog_with_openai(commit_details):
+    commit_messages = []
+    for details in commit_details:
+        base_message = f"{details['pr_url']} - {details['message']}"
+        # Add the issue URL if available
+        # if details["issue_url"]:
+        #     base_message += f" (Linear Issue: {details['issue_url']})"
+        commit_messages.append(base_message)
+
+    commit_list = "\n".join(commit_messages)
+    prompt = """
+Generate a changelog for Infisical, opensource secretops
+The changelog should:
+1. Be Informative: Using the provided list of GitHub commits, break them down into categories such as Features, Fixes & Improvements, and Technical Updates. Summarize each commit concisely, ensuring the key points are highlighted.
+2. Have a Professional yet Friendly tone: The tone should be balanced, not too corporate or too informal.
+3. Celebratory Introduction and Conclusion: Start the changelog with a celebratory note acknowledging the team's hard work and progress. End with a shoutout to the team and wishes for a pleasant weekend.
+4. Formatting: you cannot use Markdown formatting, and you can only use emojis for the introductory paragraph or the conclusion paragraph, nowhere else.
+5. Links: the syntax to create links is the following: `<http://www.example.com|This message is a link>`.
+6. Linear Links: note that the Linear link is optional, include it only if provided.
+7. Do not wrap your answer in a codeblock. Just output the text, nothing else
+Here's a good example to follow, please try to match the formatting as closely as possible, only changing the content of the changelog and have some liberty with the introduction. Notice the importance of the formatting of a changelog item:
+- <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>))
+And here's an example of the full changelog:
+
+*Features*
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)
+*Fixes & Improvements*
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)
+*Technical Updates*
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)
+
+Stay tuned for more exciting updates coming soon!
+And here are the commits:
+{}
+    """.format(
+        commit_list
+    )
+
+    client  = OpenAI(api_key=OPENAI_API_KEY)
+    messages = [{"role": "user", "content": prompt}]
+    response = client.chat.completions.create(model="gpt-3.5-turbo", messages=messages)
+
+    if "error" in response.choices[0].message:
+        raise Exception("Error generating changelog with OpenAI!")
+
+    return response.choices[0].message.content.strip()
+
+
+if __name__ == "__main__":
+    try:
+        # Get the latest and previous release tags
+        latest_tag = subprocess.check_output(["git", "describe", "--tags", "--abbrev=0"]).decode("utf-8").strip()
+        previous_tag = find_previous_release_tag(latest_tag)
+
+        latest_tag_date = get_tag_creation_date(latest_tag)
+        previous_tag_date = get_tag_creation_date(previous_tag)
+
+        prs = fetch_prs_between_tags(previous_tag_date,latest_tag_date)
+        pr_details = extract_commit_details_from_prs(prs)
+
+        # Generate changelog
+        changelog = generate_changelog_with_openai(pr_details)
+
+        post_changelog_to_slack(changelog,latest_tag)
+        # Print or post changelog to Slack
+        # set_multiline_output("changelog", changelog)
+
+    except Exception as e:
+        print(str(e))
--- a/.github/resources/rename_migration_files.py
+++ b/.github/resources/rename_migration_files.py
@ -0,0 +1,26 @@
+import os
+from datetime import datetime, timedelta
+
+def rename_migrations():
+    migration_folder = "./backend/src/db/migrations"
+    with open("added_files.txt", "r") as file:
+        changed_files = file.readlines()
+    
+    # Find the latest file among the changed files
+    latest_timestamp = datetime.now() # utc time
+    for file_path in changed_files:
+        file_path = file_path.strip()
+        # each new file bump by 1s
+        latest_timestamp = latest_timestamp + timedelta(seconds=1)
+
+        new_filename = os.path.join(migration_folder, latest_timestamp.strftime("%Y%m%d%H%M%S") + f"_{file_path.split('_')[1]}")
+        old_filename = os.path.join(migration_folder, file_path)
+        os.rename(old_filename, new_filename)
+        print(f"Renamed {old_filename} to {new_filename}")
+
+    if len(changed_files) == 0:
+        print("No new files added to migration folder")
+
+if __name__ == "__main__":
+    rename_migrations()
+
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -27,7 +27,7 @@ infisical:
  deploymentAnnotations:
    secrets.infisical.com/auto-reload: "true"

-  kubeSecretRef: "infisical-gamma-secrets"
+  kubeSecretRef: "managed-secret"

 ingress:
  ## @param ingress.enabled Enable ingress
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@ -41,6 +41,7 @@ jobs:
          load: true
          context: backend
          tags: infisical/infisical:test
+          platforms: linux/amd64,linux/arm64
      - name: ⏻ Spawn backend container and dependencies
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@ -92,6 +93,7 @@ jobs:
          project: 64mmf0n610
          context: frontend
          tags: infisical/frontend:test
+          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/build-patroni-docker-img.yml
+++ b/.github/workflows/build-patroni-docker-img.yml
@ -0,0 +1,38 @@
+name: Build patroni 
+on: [workflow_dispatch]
+
+jobs:
+  patroni-image:
+    name: Build patroni
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          repository: 'zalando/patroni'
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile
+          tags: |
+            infisical/patroni:${{ steps.commit.outputs.short }}
+            infisical/patroni:latest
+          platforms: linux/amd64,linux/arm64
+    
+  
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -0,0 +1,140 @@
+name: Deployment pipeline
+on: [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
+    
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    environment:
+      name: Gamma
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-platform
+          cluster: infisical-core-platform
+          wait-for-service-stability: true
+
+  production-postgres-deployment:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: [gamma-deployment]
+    environment:
+      name: Production
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-platform
+          cluster: infisical-core-platform
+          wait-for-service-stability: true
--- a/.github/workflows/build-staging-and-deploy.yml
+++ b/.github/workflows/build-staging-and-deploy.yml
@ -1,120 +0,0 @@
-name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: infisical/infisical:test
-      # - name: ⏻ Spawn backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      # - name: 🧪 Test backend image
-      #   run: |
-      #     ./.github/resources/healthcheck.sh infisical-backend-test
-      # - name: ⏻ Shut down backend container and dependencies
-      #   run: |
-      #     docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-  postgres-migration:
-    name: Run latest migration files
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      # - name: Run postgres DB migration files
-      #   env:
-      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-      #   run: npm run migration:latest
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [postgres-migration]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install infisical helm chart
-        run: |
-          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
-          helm repo update
-      - name: Install kubectl
-        uses: azure/setup-kubectl@v3
-      - name: Install doctl
-        uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-      - name: Save DigitalOcean kubeconfig with short-lived credentials
-        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
-      - name: switch to gamma namespace
-        run: kubectl config set-context --current --namespace=gamma
-      - name: test kubectl
-        run: kubectl get ingress
-      - name: Download helm values to file and upgrade gamma deploy
-        run: |
-          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
-          if [[ $(helm status infisical) == *"FAILED"* ]]; then
-            echo "Helm upgrade failed"
-            exit 1
-          else
-            echo "Helm upgrade was successful"
-          fi
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@ -5,6 +5,7 @@ on:
    types: [opened, synchronize]
    paths:
      - "backend/src/server/routes/**"
+      - "backend/src/ee/routes/**"

 jobs:
  check-be-api-changes:
--- a/.github/workflows/generate-release-changelog.yml
+++ b/.github/workflows/generate-release-changelog.yml
@ -0,0 +1,34 @@
+name: Generate Changelog
+permissions:
+  contents: write
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "infisical/v*.*.*-postgres"
+
+jobs:
+  generate_changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12.0"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install requests openai
+      - name: Generate Changelog and Post to Slack
+        id: gen-changelog
+        run: python .github/resources/changelog-generator.py
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -1,58 +1,72 @@
 name: Build and release CLI

 on:
-  push:
-    # run only against tags
-    tags:
-      - "infisical-cli/v*.*.*"
+    workflow_dispatch:
+
+    push:
+        # run only against tags
+        tags:
+            - "infisical-cli/v*.*.*"

 permissions:
-  contents: write
-  # packages: write
-  # issues: write
-
+    contents: write
+    # packages: write
+    # issues: write
 jobs:
-  goreleaser:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ">=1.19.3"
-          cache: true
-          cache-dependency-path: cli/go.sum
-      - name: libssl1.1 => libssl1.0-dev for OSXCross
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt update && apt-cache policy libssl1.0-dev
-          sudo apt-get install libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - uses: actions/setup-python@v4
-      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
-        run: sh cli/upload_to_cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+    cli-integration-tests:
+        name: Run tests before deployment
+        uses: ./.github/workflows/run-cli-tests.yml
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+
+    goreleaser:
+        runs-on: ubuntu-20.04
+        needs: [cli-integration-tests]
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - run: git fetch --force --tags
+            - run: echo "Ref name ${{github.ref_name}}"
+            - uses: actions/setup-go@v3
+              with:
+                  go-version: ">=1.19.3"
+                  cache: true
+                  cache-dependency-path: cli/go.sum
+            - name: libssl1.1 => libssl1.0-dev for OSXCross
+              run: |
+                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+                  sudo apt update && apt-cache policy libssl1.0-dev
+                  sudo apt-get install libssl1.0-dev
+            - name: OSXCross for CGO Support
+              run: |
+                  mkdir ../../osxcross
+                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+            - uses: goreleaser/goreleaser-action@v4
+              with:
+                  distribution: goreleaser-pro
+                  version: latest
+                  args: release --clean
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+                  AUR_KEY: ${{ secrets.AUR_KEY }}
+                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+            - uses: actions/setup-python@v4
+            - run: pip install --upgrade cloudsmith-cli
+            - name: Publish to CloudSmith
+              run: sh cli/upload_to_cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/run-cli-tests.yml
+++ b/.github/workflows/run-cli-tests.yml
@ -0,0 +1,47 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_dispatch:
+
+    workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
+
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+
+              run: go test -v -count=1 ./test
--- a/.github/workflows/update-be-new-migration-latest-timestamp.yml
+++ b/.github/workflows/update-be-new-migration-latest-timestamp.yml
@ -0,0 +1,59 @@
+name: Rename Migrations
+
+on:
+  pull_request:
+    types: [closed]
+    paths:
+      - 'backend/src/db/migrations/**'
+
+jobs:
+  rename:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get list of newly added files in migration folder
+        run: |
+          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^A' | cut -f2 | xargs -n1 basename > added_files.txt
+          if [ ! -s added_files.txt ]; then
+            echo "No new files added. Skipping"
+            echo "SKIP_RENAME=true" >> $GITHUB_ENV
+          fi
+
+      - name: Script to rename migrations
+        if: env.SKIP_RENAME != 'true'
+        run: python .github/resources/rename_migration_files.py
+
+      - name: Commit and push changes
+        if: env.SKIP_RENAME != 'true'
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add ./backend/src/db/migrations
+          rm added_files.txt
+          git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
+
+      - name: Get PR details
+        id: pr_details
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
+          
+          echo "PR Number: $PR_NUMBER"
+          echo "PR Merger: $PR_MERGER"
+          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
+
+      - name: Create Pull Request
+        if: env.SKIP_RENAME != 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
+          title: 'GH Action: rename new migration file timestamp'
+          branch-suffix: timestamp
+          reviewers: ${{ steps.pr_details.outputs.pr_merger }}
--- a/.gitignore
+++ b/.gitignore
@ -59,9 +59,13 @@ yarn-error.log*
 # Infisical init
 .infisical.json

+.infisicalignore
+
 # Editor specific
 .vscode/*

 frontend-build

 *.tgz
+cli/infisical-merge
+cli/test/infisical-merge
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -190,10 +190,34 @@ dockers:
  - dockerfile: docker/alpine
    goos: linux
    goarch: amd64
+    use: buildx
    ids:
      - all-other-builds
    image_templates:
-      - "infisical/cli:{{ .Version }}"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
-      - "infisical/cli:{{ .Major }}"
-      - "infisical/cli:latest"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"
--- a/.infisicalignore
+++ b/.infisicalignore
@ -1 +1,7 @@
 .github/resources/docker-compose.be-test.yml:generic-api-key:16
+frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
+frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
+docs/self-hosting/configuration/envars.mdx:generic-api-key:106
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -1,6 +1,7 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
+ARG SAML_ORG_SLUG=saml-org-slug-default

 FROM  node:20-alpine AS base

@ -35,6 +36,8 @@ ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG 

 # Build
 RUN npm run build
@ -100,6 +103,9 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID=intercom-id
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG \
+  BAKED_NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG

 WORKDIR / 

@ -118,9 +124,6 @@ WORKDIR /backend

 ENV TELEMETRY_ENABLED true

-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
-
 EXPOSE 8080
 EXPOSE 443

--- a/3
+++ b/3
@ -7,6 +7,9 @@ push:
 up-dev:
 	docker compose -f docker-compose.dev.yml up --build

+up-dev-ldap:
+	docker compose -f docker-compose.dev.yml --profile ldap up --build
+
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build

--- a/README.md
+++ b/README.md
@ -10,7 +10,8 @@
  <a href="https://infisical.com/">Infisical Cloud</a> |
  <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
  <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a>
+  <a href="https://www.infisical.com">Website</a> |
+  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

 <p align="center">
@ -75,7 +76,7 @@ Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/int

 | Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). |  <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |

 ### Run Infisical locally

--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@ -23,16 +23,17 @@ module.exports = {
  root: true,
  overrides: [
    {
-      files: ["./e2e-test/**/*"],
+      files: ["./e2e-test/**/*", "./src/db/migrations/**/*"],
      rules: {
        "@typescript-eslint/no-unsafe-member-access": "off",
        "@typescript-eslint/no-unsafe-assignment": "off",
        "@typescript-eslint/no-unsafe-argument": "off",
        "@typescript-eslint/no-unsafe-return": "off",
-        "@typescript-eslint/no-unsafe-call": "off",
+        "@typescript-eslint/no-unsafe-call": "off"
      }
    }
  ],
+
  rules: {
    "@typescript-eslint/no-empty-function": "off",
    "@typescript-eslint/no-unsafe-enum-comparison": "off",
--- a/backend/e2e-test/routes/v1/secret-import.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-import.spec.ts
@ -46,7 +46,7 @@ const deleteSecretImport = async (id: string) => {

 describe("Secret Import Router", async () => {
  test.each([
-    { importEnv: "dev", importPath: "/" }, // one in root
+    { importEnv: "prod", importPath: "/" }, // one in root
    { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
  ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
    // check for default environments
@ -66,7 +66,7 @@ describe("Secret Import Router", async () => {
  });

  test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const res = await testServer.inject({
      method: "GET",
@ -103,10 +103,10 @@ describe("Secret Import Router", async () => {
  });

  test("Update secret import position", async () => {
-    const devImportDetails = { path: "/", envSlug: "dev" };
+    const prodImportDetails = { path: "/", envSlug: "prod" };
    const stagingImportDetails = { path: "/", envSlug: "staging" };

-    const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
+    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
    const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);

    const updateImportRes = await testServer.inject({
@ -136,7 +136,7 @@ describe("Secret Import Router", async () => {
        position: 2,
        importEnv: expect.objectContaining({
          name: expect.any(String),
-          slug: expect.stringMatching(devImportDetails.envSlug),
+          slug: expect.stringMatching(prodImportDetails.envSlug),
          id: expect.any(String)
        })
      })
@ -166,7 +166,7 @@ describe("Secret Import Router", async () => {
  });

  test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const deletedImport = await deleteSecretImport(createdImport1.id);
    // check for default environments
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@ -942,6 +942,113 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
      const secrets = await getSecrets(seedData1.environment.slug, path);
      expect(secrets).toEqual([]);
    });
+
+    test.each(testRawSecrets)("Bulk create secret raw in path $path", async ({ path, secret }) => {
+      const createSecretReqBody = {
+        projectSlug: seedData1.project.slug,
+        environment: seedData1.environment.slug,
+        secretPath: path,
+        secrets: [
+          {
+            secretKey: secret.key,
+            secretValue: secret.value,
+            secretComment: secret.comment
+          }
+        ]
+      };
+      const createSecRes = await testServer.inject({
+        method: "POST",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: createSecretReqBody
+      });
+      expect(createSecRes.statusCode).toBe(200);
+      const createdSecretPayload = JSON.parse(createSecRes.payload);
+      expect(createdSecretPayload).toHaveProperty("secrets");
+
+      // fetch secrets
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            key: secret.key,
+            value: secret.value,
+            type: SecretType.Shared
+          })
+        ])
+      );
+
+      await deleteRawSecret({ path, key: secret.key });
+    });
+
+    test.each(testRawSecrets)("Bulk update secret raw in path $path", async ({ secret, path }) => {
+      await createRawSecret({ path, ...secret });
+      const updateSecretReqBody = {
+        projectSlug: seedData1.project.slug,
+        environment: seedData1.environment.slug,
+        secretPath: path,
+        secrets: [
+          {
+            secretValue: "new-value",
+            secretKey: secret.key
+          }
+        ]
+      };
+      const updateSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: updateSecretReqBody
+      });
+      expect(updateSecRes.statusCode).toBe(200);
+      const updatedSecretPayload = JSON.parse(updateSecRes.payload);
+      expect(updatedSecretPayload).toHaveProperty("secrets");
+
+      // fetch secrets
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            key: secret.key,
+            value: "new-value",
+            version: 2,
+            type: SecretType.Shared
+          })
+        ])
+      );
+
+      await deleteRawSecret({ path, key: secret.key });
+    });
+
+    test.each(testRawSecrets)("Bulk delete secret raw in path $path", async ({ path, secret }) => {
+      await createRawSecret({ path, ...secret });
+
+      const deletedSecretReqBody = {
+        projectSlug: seedData1.project.slug,
+        environment: seedData1.environment.slug,
+        secretPath: path,
+        secrets: [{ secretKey: secret.key }]
+      };
+      const deletedSecRes = await testServer.inject({
+        method: "DELETE",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: deletedSecretReqBody
+      });
+      expect(deletedSecRes.statusCode).toBe(200);
+      const deletedSecretPayload = JSON.parse(deletedSecRes.payload);
+      expect(deletedSecretPayload).toHaveProperty("secrets");
+
+      // fetch secrets
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual([]);
+    });
  }
 );

--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -10,7 +10,7 @@ import { seedData1 } from "@app/db/seed-data";
 import { initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";

 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
@ -52,6 +52,8 @@ export default {
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: seedData1.id,
          tokenVersionId: seedData1.token.id,
+          authMethod: AuthMethod.EMAIL,
+          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
        cfg.AUTH_SECRET,
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -70,6 +70,7 @@
    "vitest": "^1.2.2"
  },
  "dependencies": {
+    "@aws-sdk/client-iam": "^3.525.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
    "@casl/ability": "^6.5.0",
    "@fastify/cookie": "^9.3.1",
@ -94,27 +95,34 @@
    "axios": "^1.6.7",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
-    "bullmq": "^5.3.3",
+    "bullmq": "^5.4.2",
+    "cassandra-driver": "^4.7.2",
    "dotenv": "^16.4.1",
    "fastify": "^4.26.0",
    "fastify-plugin": "^4.5.1",
+    "google-auth-library": "^9.9.0",
+    "googleapis": "^137.1.0",
    "handlebars": "^4.7.8",
    "ioredis": "^5.3.2",
    "jmespath": "^0.16.0",
    "jsonwebtoken": "^9.0.2",
    "jsrp": "^0.2.4",
    "knex": "^3.0.1",
+    "ldapjs": "^3.0.7",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
-    "mysql2": "^3.9.1",
+    "ms": "^2.1.3",
+    "mysql2": "^3.9.7",
    "nanoid": "^5.0.4",
-    "node-cache": "^5.1.2",
    "nodemailer": "^6.9.9",
    "ora": "^7.0.1",
+    "oracledb": "^6.4.0",
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
+    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
+    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
    "posthog-node": "^3.6.2",
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@ -103,11 +103,15 @@ export const ${dalName} = (db: TDbClient) => {
    `import { z } from "zod";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { readLimit } from "@app/server/config/rateLimiter";

 export const register${pascalCase}Router = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/",
    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({}),
      response: {
--- a/backend/scripts/create-migration.ts
+++ b/backend/scripts/create-migration.ts
@ -7,10 +7,10 @@ const prompt = promptSync({ sigint: true });

 const migrationName = prompt("Enter name for migration: ");

+// Remove spaces from migration name and replace with hyphens
+const formattedMigrationName = migrationName.replace(/\s+/g, "-");
+
 execSync(
-  `npx knex migrate:make --knexfile ${path.join(
-    __dirname,
-    "../src/db/knexfile.ts"
-  )} -x ts ${migrationName}`,
+  `npx knex migrate:make --knexfile ${path.join(__dirname, "../src/db/knexfile.ts")} -x ts ${formattedMigrationName}`,
  { stdio: "inherit" }
 );
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,10 +1,19 @@
 import "fastify";

 import { TUsers } from "@app/db/schemas";
+import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
+import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
+import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
+import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
+import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
+import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -18,10 +27,15 @@ import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
+import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@ -58,9 +72,10 @@ declare module "fastify" {
    // identity injection. depending on which kinda of token the information is filled in auth
    auth: TAuthMode;
    permission: {
+      authMethod: ActorAuthMethod;
      type: ActorType;
      id: string;
-      orgId?: string;
+      orgId: string;
    };
    // passport data
    passportUser: {
@ -69,6 +84,7 @@ declare module "fastify" {
    };
    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
  }

  interface FastifyInstance {
@ -82,6 +98,8 @@ declare module "fastify" {
      orgRole: TOrgRoleServiceFactory;
      superAdmin: TSuperAdminServiceFactory;
      user: TUserServiceFactory;
+      group: TGroupServiceFactory;
+      groupProject: TGroupProjectServiceFactory;
      apiKey: TApiKeyServiceFactory;
      project: TProjectServiceFactory;
      projectMembership: TProjectMembershipServiceFactory;
@ -101,18 +119,30 @@ declare module "fastify" {
      identityAccessToken: TIdentityAccessTokenServiceFactory;
      identityProject: TIdentityProjectServiceFactory;
      identityUa: TIdentityUaServiceFactory;
+      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
+      identityGcpAuth: TIdentityGcpAuthServiceFactory;
+      identityAwsAuth: TIdentityAwsAuthServiceFactory;
+      identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
+      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
      secretApprovalRequest: TSecretApprovalRequestServiceFactory;
      secretRotation: TSecretRotationServiceFactory;
      snapshot: TSecretSnapshotServiceFactory;
      saml: TSamlConfigServiceFactory;
      scim: TScimServiceFactory;
+      ldap: TLdapConfigServiceFactory;
      auditLog: TAuditLogServiceFactory;
+      auditLogStream: TAuditLogStreamServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
      trustedIp: TTrustedIpServiceFactory;
      secretBlindIndex: TSecretBlindIndexServiceFactory;
      telemetry: TTelemetryServiceFactory;
+      dynamicSecret: TDynamicSecretServiceFactory;
+      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
+      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
+      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -2,11 +2,26 @@ import { Knex } from "knex";

 import {
  TableName,
+  TAccessApprovalPolicies,
+  TAccessApprovalPoliciesApprovers,
+  TAccessApprovalPoliciesApproversInsert,
+  TAccessApprovalPoliciesApproversUpdate,
+  TAccessApprovalPoliciesInsert,
+  TAccessApprovalPoliciesUpdate,
+  TAccessApprovalRequests,
+  TAccessApprovalRequestsInsert,
+  TAccessApprovalRequestsReviewers,
+  TAccessApprovalRequestsReviewersInsert,
+  TAccessApprovalRequestsReviewersUpdate,
+  TAccessApprovalRequestsUpdate,
  TApiKeys,
  TApiKeysInsert,
  TApiKeysUpdate,
  TAuditLogs,
  TAuditLogsInsert,
+  TAuditLogStreams,
+  TAuditLogStreamsInsert,
+  TAuditLogStreamsUpdate,
  TAuditLogsUpdate,
  TAuthTokens,
  TAuthTokenSessions,
@ -17,21 +32,54 @@ import {
  TBackupPrivateKey,
  TBackupPrivateKeyInsert,
  TBackupPrivateKeyUpdate,
+  TDynamicSecretLeases,
+  TDynamicSecretLeasesInsert,
+  TDynamicSecretLeasesUpdate,
+  TDynamicSecrets,
+  TDynamicSecretsInsert,
+  TDynamicSecretsUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
  TGitAppOrg,
  TGitAppOrgInsert,
  TGitAppOrgUpdate,
+  TGroupProjectMembershipRoles,
+  TGroupProjectMembershipRolesInsert,
+  TGroupProjectMembershipRolesUpdate,
+  TGroupProjectMemberships,
+  TGroupProjectMembershipsInsert,
+  TGroupProjectMembershipsUpdate,
+  TGroups,
+  TGroupsInsert,
+  TGroupsUpdate,
  TIdentities,
  TIdentitiesInsert,
  TIdentitiesUpdate,
  TIdentityAccessTokens,
  TIdentityAccessTokensInsert,
  TIdentityAccessTokensUpdate,
+  TIdentityAwsAuths,
+  TIdentityAwsAuthsInsert,
+  TIdentityAwsAuthsUpdate,
+  TIdentityAzureAuths,
+  TIdentityAzureAuthsInsert,
+  TIdentityAzureAuthsUpdate,
+  TIdentityGcpAuths,
+  TIdentityGcpAuthsInsert,
+  TIdentityGcpAuthsUpdate,
+  TIdentityKubernetesAuths,
+  TIdentityKubernetesAuthsInsert,
+  TIdentityKubernetesAuthsUpdate,
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
+  TIdentityProjectAdditionalPrivilege,
+  TIdentityProjectAdditionalPrivilegeInsert,
+  TIdentityProjectAdditionalPrivilegeUpdate,
+  TIdentityProjectMembershipRole,
+  TIdentityProjectMembershipRoleInsert,
+  TIdentityProjectMembershipRoleUpdate,
  TIdentityProjectMemberships,
  TIdentityProjectMembershipsInsert,
  TIdentityProjectMembershipsUpdate,
@ -50,6 +98,12 @@ import {
  TIntegrations,
  TIntegrationsInsert,
  TIntegrationsUpdate,
+  TLdapConfigs,
+  TLdapConfigsInsert,
+  TLdapConfigsUpdate,
+  TLdapGroupMaps,
+  TLdapGroupMapsInsert,
+  TLdapGroupMapsUpdate,
  TOrganizations,
  TOrganizationsInsert,
  TOrganizationsUpdate,
@ -80,6 +134,12 @@ import {
  TProjects,
  TProjectsInsert,
  TProjectsUpdate,
+  TProjectUserAdditionalPrivilege,
+  TProjectUserAdditionalPrivilegeInsert,
+  TProjectUserAdditionalPrivilegeUpdate,
+  TProjectUserMembershipRoles,
+  TProjectUserMembershipRolesInsert,
+  TProjectUserMembershipRolesUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -161,9 +221,15 @@ import {
  TUserActions,
  TUserActionsInsert,
  TUserActionsUpdate,
+  TUserAliases,
+  TUserAliasesInsert,
+  TUserAliasesUpdate,
  TUserEncryptionKeys,
  TUserEncryptionKeysInsert,
  TUserEncryptionKeysUpdate,
+  TUserGroupMembership,
+  TUserGroupMembershipInsert,
+  TUserGroupMembershipUpdate,
  TUsers,
  TUsersInsert,
  TUsersUpdate,
@ -171,10 +237,28 @@ import {
  TWebhooksInsert,
  TWebhooksUpdate
 } from "@app/db/schemas";
+import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";

 declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
+    [TableName.Groups]: Knex.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.UserGroupMembership]: Knex.CompositeTableType<
+      TUserGroupMembership,
+      TUserGroupMembershipInsert,
+      TUserGroupMembershipUpdate
+    >;
+    [TableName.GroupProjectMembership]: Knex.CompositeTableType<
+      TGroupProjectMemberships,
+      TGroupProjectMembershipsInsert,
+      TGroupProjectMembershipsUpdate
+    >;
+    [TableName.GroupProjectMembershipRole]: Knex.CompositeTableType<
+      TGroupProjectMembershipRoles,
+      TGroupProjectMembershipRolesInsert,
+      TGroupProjectMembershipRolesUpdate
+    >;
+    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
      TUserEncryptionKeys,
      TUserEncryptionKeysInsert,
@ -214,9 +298,24 @@ declare module "knex/types/tables" {
      TProjectEnvironmentsUpdate
    >;
    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
+    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
+      TProjectUserMembershipRoles,
+      TProjectUserMembershipRolesInsert,
+      TProjectUserMembershipRolesUpdate
+    >;
    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
+    [TableName.ProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
+      TProjectUserAdditionalPrivilege,
+      TProjectUserAdditionalPrivilegeInsert,
+      TProjectUserAdditionalPrivilegeUpdate
+    >;
    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
+    [TableName.SecretReference]: Knex.CompositeTableType<
+      TSecretReferences,
+      TSecretReferencesInsert,
+      TSecretReferencesUpdate
+    >;
    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
      TSecretBlindIndexes,
      TSecretBlindIndexesInsert,
@ -245,6 +344,26 @@ declare module "knex/types/tables" {
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
+    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
+      TIdentityKubernetesAuths,
+      TIdentityKubernetesAuthsInsert,
+      TIdentityKubernetesAuthsUpdate
+    >;
+    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
+      TIdentityGcpAuths,
+      TIdentityGcpAuthsInsert,
+      TIdentityGcpAuthsUpdate
+    >;
+    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+      TIdentityAwsAuths,
+      TIdentityAwsAuthsInsert,
+      TIdentityAwsAuthsUpdate
+    >;
+    [TableName.IdentityAzureAuth]: Knex.CompositeTableType<
+      TIdentityAzureAuths,
+      TIdentityAzureAuthsInsert,
+      TIdentityAzureAuthsUpdate
+    >;
    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
@ -265,6 +384,41 @@ declare module "knex/types/tables" {
      TIdentityProjectMembershipsInsert,
      TIdentityProjectMembershipsUpdate
    >;
+    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
+      TIdentityProjectMembershipRole,
+      TIdentityProjectMembershipRoleInsert,
+      TIdentityProjectMembershipRoleUpdate
+    >;
+    [TableName.IdentityProjectAdditionalPrivilege]: Knex.CompositeTableType<
+      TIdentityProjectAdditionalPrivilege,
+      TIdentityProjectAdditionalPrivilegeInsert,
+      TIdentityProjectAdditionalPrivilegeUpdate
+    >;
+
+    [TableName.AccessApprovalPolicy]: Knex.CompositeTableType<
+      TAccessApprovalPolicies,
+      TAccessApprovalPoliciesInsert,
+      TAccessApprovalPoliciesUpdate
+    >;
+
+    [TableName.AccessApprovalPolicyApprover]: Knex.CompositeTableType<
+      TAccessApprovalPoliciesApprovers,
+      TAccessApprovalPoliciesApproversInsert,
+      TAccessApprovalPoliciesApproversUpdate
+    >;
+
+    [TableName.AccessApprovalRequest]: Knex.CompositeTableType<
+      TAccessApprovalRequests,
+      TAccessApprovalRequestsInsert,
+      TAccessApprovalRequestsUpdate
+    >;
+
+    [TableName.AccessApprovalRequestReviewer]: Knex.CompositeTableType<
+      TAccessApprovalRequestsReviewers,
+      TAccessApprovalRequestsReviewersInsert,
+      TAccessApprovalRequestsReviewersUpdate
+    >;
+
    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
      TSecretApprovalPolicies,
@ -317,9 +471,22 @@ declare module "knex/types/tables" {
      TSecretSnapshotFoldersInsert,
      TSecretSnapshotFoldersUpdate
    >;
+    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
+    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
+      TDynamicSecretLeases,
+      TDynamicSecretLeasesInsert,
+      TDynamicSecretLeasesUpdate
+    >;
    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
+    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
+    [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
    [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
+    [TableName.AuditLogStream]: Knex.CompositeTableType<
+      TAuditLogStreams,
+      TAuditLogStreamsInsert,
+      TAuditLogStreamsUpdate
+    >;
    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
      TGitAppInstallSessions,
      TGitAppInstallSessionsInsert,
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -6,6 +6,13 @@ export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnection
    client: "pg",
    connection: {
      connectionString: dbConnectionUri,
+      host: process.env.DB_HOST,
+      // @ts-expect-error I have no clue why only for the port there is a type error
+      // eslint-disable-next-line
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: dbRootCert
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -7,18 +7,22 @@ import path from "path";

 // Update with your config settings. .
 dotenv.config({
-  path: path.join(__dirname, "../../../.env.migration"),
-  debug: true
+  path: path.join(__dirname, "../../../.env.migration")
 });
 dotenv.config({
-  path: path.join(__dirname, "../../../.env"),
-  debug: true
+  path: path.join(__dirname, "../../../.env")
 });
+
 export default {
  development: {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
@ -41,6 +45,11 @@ export default {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/migrations/20240307232900_integration-last-used.ts
+++ b/backend/src/db/migrations/20240307232900_integration-last-used.ts
@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    t.datetime("lastUsed");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    t.dropColumn("lastUsed");
+  });
+}
--- a/backend/src/db/migrations/20240311210135_ldap-config.ts
+++ b/backend/src/db/migrations/20240311210135_ldap-config.ts
@ -0,0 +1,68 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.LdapConfig))) {
+    await knex.schema.createTable(TableName.LdapConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable().unique();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.boolean("isActive").notNullable();
+      t.string("url").notNullable();
+      t.string("encryptedBindDN").notNullable();
+      t.string("bindDNIV").notNullable();
+      t.string("bindDNTag").notNullable();
+      t.string("encryptedBindPass").notNullable();
+      t.string("bindPassIV").notNullable();
+      t.string("bindPassTag").notNullable();
+      t.string("searchBase").notNullable();
+      t.text("encryptedCACert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.LdapConfig);
+
+  if (!(await knex.schema.hasTable(TableName.UserAliases))) {
+    await knex.schema.createTable(TableName.UserAliases, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.string("username").notNullable();
+      t.string("aliasType").notNullable();
+      t.string("externalId").notNullable();
+      t.specificType("emails", "text[]");
+      t.uuid("orgId").nullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.UserAliases);
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.string("username").unique();
+    t.string("email").nullable().alter();
+    t.dropUnique(["email"]);
+  });
+
+  await knex(TableName.Users).update("username", knex.ref("email"));
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.string("username").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.LdapConfig);
+  await knex.schema.dropTableIfExists(TableName.UserAliases);
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.dropColumn("username");
+    // t.string("email").notNullable().alter();
+  });
+  await dropOnUpdateTrigger(knex, TableName.LdapConfig);
+}
--- a/backend/src/db/migrations/20240312162549_temp-roles.ts
+++ b/backend/src/db/migrations/20240312162549_temp-roles.ts
@ -0,0 +1,50 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.ProjectUserMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.ProjectUserMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+
+  const projectMemberships = await knex(TableName.ProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.ProjectMembership).as("customRoleId")
+  );
+  if (projectMemberships.length)
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      projectMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // will be dropped later
+  // await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ProjectUserMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+}
--- a/backend/src/db/migrations/20240312162556_temp-role-identity.ts
+++ b/backend/src/db/migrations/20240312162556_temp-role-identity.ts
@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.IdentityProjectMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.IdentityProjectMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId")
+        .references("id")
+        .inTable(TableName.IdentityProjectMembership)
+        .onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+
+  const identityMemberships = await knex(TableName.IdentityProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.IdentityProjectMembership).as("customRoleId")
+  );
+  if (identityMemberships.length)
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identityMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityProjectMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+}
--- a/backend/src/db/migrations/20240318164718_dynamic-secret.ts
+++ b/backend/src/db/migrations/20240318164718_dynamic-secret.ts
@ -0,0 +1,58 @@
+import { Knex } from "knex";
+
+import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.integer("version").notNullable();
+      t.string("type").notNullable();
+      t.string("defaultTTL").notNullable();
+      t.string("maxTTL");
+      t.string("inputIV").notNullable();
+      t.text("inputCiphertext").notNullable();
+      t.string("inputTag").notNullable();
+      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
+      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
+      t.uuid("folderId").notNullable();
+      // for background process communication
+      t.string("status");
+      t.string("statusDetails");
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.unique(["name", "folderId"]);
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
+
+  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
+  if (!doesTableDynamicSecretLease) {
+    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("version").notNullable();
+      t.string("externalEntityId").notNullable();
+      t.datetime("expireAt").notNullable();
+      // for background process communication
+      t.string("status");
+      t.string("statusDetails");
+      t.uuid("dynamicSecretId").notNullable();
+      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
+  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
+
+  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
+  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
+}
--- a/backend/src/db/migrations/20240326172010_project-user-additional-privilege.ts
+++ b/backend/src/db/migrations/20240326172010_project-user-additional-privilege.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ProjectUserAdditionalPrivilege))) {
+    await knex.schema.createTable(TableName.ProjectUserAdditionalPrivilege, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("slug", 60).notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.jsonb("permissions").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
+  await knex.schema.dropTableIfExists(TableName.ProjectUserAdditionalPrivilege);
+}
--- a/backend/src/db/migrations/20240326172011_machine-identity-additional-privilege.ts
+++ b/backend/src/db/migrations/20240326172011_machine-identity-additional-privilege.ts
@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityProjectAdditionalPrivilege))) {
+    await knex.schema.createTable(TableName.IdentityProjectAdditionalPrivilege, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("slug", 60).notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId")
+        .references("id")
+        .inTable(TableName.IdentityProjectMembership)
+        .onDelete("CASCADE");
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.jsonb("permissions").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
+  await knex.schema.dropTableIfExists(TableName.IdentityProjectAdditionalPrivilege);
+}
--- a/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
+++ b/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
@ -0,0 +1,112 @@
+import { Knex } from "knex";
+import { z } from "zod";
+
+import { TableName, TOrgMemberships } from "../schemas";
+
+const validateOrgMembership = (membershipToValidate: TOrgMemberships, firstMembership: TOrgMemberships) => {
+  const firstOrgId = firstMembership.orgId;
+  const firstUserId = firstMembership.userId;
+
+  if (membershipToValidate.id === firstMembership.id) {
+    return;
+  }
+
+  if (membershipToValidate.inviteEmail !== firstMembership.inviteEmail) {
+    throw new Error(`Invite emails are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.orgId !== firstMembership.orgId) {
+    throw new Error(`OrgIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.role !== firstMembership.role) {
+    throw new Error(`Roles are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.roleId !== firstMembership.roleId) {
+    throw new Error(`RoleIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.status !== firstMembership.status) {
+    throw new Error(`Statuses are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+  if (membershipToValidate.userId !== firstMembership.userId) {
+    throw new Error(`UserIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  const RowSchema = z.object({
+    userId: z.string(),
+    orgId: z.string(),
+    cnt: z.string()
+  });
+
+  // Transactional find and delete duplicate rows
+  await knex.transaction(async (tx) => {
+    const duplicateRows = await tx(TableName.OrgMembership)
+      .select("userId", "orgId") // Select the userId and orgId so we can group by them
+      .whereNotNull("userId") // Ensure that the userId is not null
+      .count("* as cnt") // Count the number of rows for each userId and orgId, so we can make sure there are more than 1 row (a duplicate)
+      .groupBy("userId", "orgId")
+      .havingRaw("count(*) > ?", [1]); // Using havingRaw for direct SQL expressions
+
+    // Parse the rows to ensure they are in the correct format, and for type safety
+    const parsedRows = RowSchema.array().parse(duplicateRows);
+
+    // For each of the duplicate rows, loop through and find the actual memberships to delete
+    for (const row of parsedRows) {
+      const count = Number(row.cnt);
+
+      // An extra check to ensure that the count is actually a number, and the number is greater than 2
+      if (typeof count !== "number" || count < 2) {
+        // eslint-disable-next-line no-continue
+        continue;
+      }
+
+      // Find all the organization memberships that have the same userId and orgId
+      // eslint-disable-next-line no-await-in-loop
+      const rowsToDelete = await tx(TableName.OrgMembership).where({
+        userId: row.userId,
+        orgId: row.orgId
+      });
+
+      // Ensure that all the rows have exactly the same value, except id, createdAt, updatedAt
+      for (const rowToDelete of rowsToDelete) {
+        validateOrgMembership(rowToDelete, rowsToDelete[0]);
+      }
+
+      // Find the row with the latest createdAt, which we will keep
+
+      let lowestCreatedAt: number | null = null;
+      let latestCreatedRow: TOrgMemberships | null = null;
+
+      for (const rowToDelete of rowsToDelete) {
+        if (lowestCreatedAt === null || rowToDelete.createdAt.getTime() < lowestCreatedAt) {
+          lowestCreatedAt = rowToDelete.createdAt.getTime();
+          latestCreatedRow = rowToDelete;
+        }
+      }
+      if (!latestCreatedRow) {
+        throw new Error("Failed to find last created membership");
+      }
+
+      // Filter out the latest row from the rows to delete
+      const membershipIdsToDelete = rowsToDelete.map((r) => r.id).filter((id) => id !== latestCreatedRow!.id);
+
+      // eslint-disable-next-line no-await-in-loop
+      const numberOfRowsDeleted = await tx(TableName.OrgMembership).whereIn("id", membershipIdsToDelete).delete();
+
+      // eslint-disable-next-line no-console
+      console.log(
+        `Deleted ${numberOfRowsDeleted} duplicate organization memberships for ${row.userId} and ${row.orgId}`
+      );
+    }
+  });
+
+  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
+    table.unique(["userId", "orgId"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
+    table.dropUnique(["userId", "orgId"]);
+  });
+}
--- a/backend/src/db/migrations/20240412174842_group.ts
+++ b/backend/src/db/migrations/20240412174842_group.ts
@ -0,0 +1,82 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Groups))) {
+    await knex.schema.createTable(TableName.Groups, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("name").notNullable();
+      t.string("slug").notNullable();
+      t.unique(["orgId", "slug"]);
+      t.string("role").notNullable();
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.Groups);
+
+  if (!(await knex.schema.hasTable(TableName.UserGroupMembership))) {
+    await knex.schema.createTable(TableName.UserGroupMembership, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); // link to user and link to groups cascade on groups
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.UserGroupMembership);
+
+  if (!(await knex.schema.hasTable(TableName.GroupProjectMembership))) {
+    await knex.schema.createTable(TableName.GroupProjectMembership, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.GroupProjectMembership);
+
+  if (!(await knex.schema.hasTable(TableName.GroupProjectMembershipRole))) {
+    await knex.schema.createTable(TableName.GroupProjectMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.GroupProjectMembership).onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.GroupProjectMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
+
+  await knex.schema.dropTableIfExists(TableName.UserGroupMembership);
+  await dropOnUpdateTrigger(knex, TableName.UserGroupMembership);
+
+  await knex.schema.dropTableIfExists(TableName.GroupProjectMembership);
+  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembership);
+
+  await knex.schema.dropTableIfExists(TableName.Groups);
+  await dropOnUpdateTrigger(knex, TableName.Groups);
+}
--- a/backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts
+++ b/backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts
@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { ProjectMembershipRole, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
+  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
+  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+    if (doesProjectRoleFieldExist) t.dropColumn("roleId");
+    if (doesProjectRoleIdFieldExist) t.dropColumn("role");
+  });
+
+  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
+  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
+    TableName.IdentityProjectMembership,
+    "roleId"
+  );
+  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+    if (doesIdentityProjectRoleFieldExist) t.dropColumn("roleId");
+    if (doesIdentityProjectRoleIdFieldExist) t.dropColumn("role");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
+  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
+  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+    if (!doesProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
+    if (!doesProjectRoleIdFieldExist) {
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
+    }
+  });
+
+  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
+  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
+    TableName.IdentityProjectMembership,
+    "roleId"
+  );
+  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+    if (!doesIdentityProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
+    if (!doesIdentityProjectRoleIdFieldExist) {
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
+    }
+  });
+}
--- a/backend/src/db/migrations/20240417032913_pending-group-addition.ts
+++ b/backend/src/db/migrations/20240417032913_pending-group-addition.ts
@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
+    t.boolean("isPending").notNullable().defaultTo(false);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
+    t.dropColumn("isPending");
+  });
+}
--- a/backend/src/db/migrations/20240423023203_ldap-config-groups.ts
+++ b/backend/src/db/migrations/20240423023203_ldap-config-groups.ts
@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.LdapGroupMap))) {
+    await knex.schema.createTable(TableName.LdapGroupMap, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("ldapConfigId").notNullable();
+      t.foreign("ldapConfigId").references("id").inTable(TableName.LdapConfig).onDelete("CASCADE");
+      t.string("ldapGroupCN").notNullable();
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.unique(["ldapGroupCN", "groupId", "ldapConfigId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.LdapGroupMap);
+
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("groupSearchBase").notNullable().defaultTo("");
+    t.string("groupSearchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.LdapGroupMap);
+  await dropOnUpdateTrigger(knex, TableName.LdapGroupMap);
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("groupSearchBase");
+    t.dropColumn("groupSearchFilter");
+  });
+}
--- a/backend/src/db/migrations/20240424235842_user-search-filter.ts
+++ b/backend/src/db/migrations/20240424235842_user-search-filter.ts
@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("searchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("searchFilter");
+  });
+}
--- a/backend/src/db/migrations/20240429154610_audit-log-index.ts
+++ b/backend/src/db/migrations/20240429154610_audit-log-index.ts
@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist && doesCreatedAtExist) t.index(["projectId", "createdAt"]);
+      if (doesOrgIdExist && doesCreatedAtExist) t.index(["orgId", "createdAt"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist && doesCreatedAtExist) t.dropIndex(["projectId", "createdAt"]);
+      if (doesOrgIdExist && doesCreatedAtExist) t.dropIndex(["orgId", "createdAt"]);
+    });
+  }
+}
--- a/backend/src/db/migrations/20240503101144_audit-log-stream.ts
+++ b/backend/src/db/migrations/20240503101144_audit-log-stream.ts
@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AuditLogStream))) {
+    await knex.schema.createTable(TableName.AuditLogStream, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("url").notNullable();
+      t.text("encryptedHeadersCiphertext");
+      t.text("encryptedHeadersIV");
+      t.text("encryptedHeadersTag");
+      t.string("encryptedHeadersAlgorithm");
+      t.string("encryptedHeadersKeyEncoding");
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.AuditLogStream);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.AuditLogStream);
+  await knex.schema.dropTableIfExists(TableName.AuditLogStream);
+}
--- a/backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts
+++ b/backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts
@ -0,0 +1,54 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const isUsersTablePresent = await knex.schema.hasTable(TableName.Users);
+  if (isUsersTablePresent) {
+    const hasIsEmailVerifiedColumn = await knex.schema.hasColumn(TableName.Users, "isEmailVerified");
+
+    if (!hasIsEmailVerifiedColumn) {
+      await knex.schema.alterTable(TableName.Users, (t) => {
+        t.boolean("isEmailVerified").defaultTo(false);
+      });
+    }
+
+    // Backfilling the isEmailVerified to true where isAccepted is true
+    await knex(TableName.Users).update({ isEmailVerified: true }).where("isAccepted", true);
+  }
+
+  const isUserAliasTablePresent = await knex.schema.hasTable(TableName.UserAliases);
+  if (isUserAliasTablePresent) {
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.string("username").nullable().alter();
+    });
+  }
+
+  const isSuperAdminTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
+  if (isSuperAdminTablePresent) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.boolean("trustSamlEmails").defaultTo(false);
+      t.boolean("trustLdapEmails").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Users, "isEmailVerified")) {
+    await knex.schema.alterTable(TableName.Users, (t) => {
+      t.dropColumn("isEmailVerified");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustSamlEmails")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("trustSamlEmails");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustLdapEmails")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("trustLdapEmails");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240507162140_access-approval-policy.ts
+++ b/backend/src/db/migrations/20240507162140_access-approval-policy.ts
@ -0,0 +1,41 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicy))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicy, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.integer("approvals").defaultTo(1).notNullable();
+      t.string("secretPath");
+
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("approverId").notNullable();
+      t.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyApprover);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicy);
+
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
+}
--- a/backend/src/db/migrations/20240507162141_access.ts
+++ b/backend/src/db/migrations/20240507162141_access.ts
@ -0,0 +1,51 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequest))) {
+    await knex.schema.createTable(TableName.AccessApprovalRequest, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+
+      t.uuid("privilegeId").nullable();
+      t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+
+      t.uuid("requestedBy").notNullable();
+      t.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      // We use these values to create the actual privilege at a later point in time.
+      t.boolean("isTemporary").notNullable();
+      t.string("temporaryRange").nullable();
+
+      t.jsonb("permissions").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
+
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
+    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("member").notNullable();
+      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      t.string("status").notNullable();
+      t.uuid("requestId").notNullable();
+      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequestReviewer);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequest);
+
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
+}
--- a/backend/src/db/migrations/20240507210655_identity-aws-auth.ts
+++ b/backend/src/db/migrations/20240507210655_identity-aws-auth.ts
@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
+    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("stsEndpoint").notNullable();
+      t.string("allowedPrincipalArns").notNullable();
+      t.string("allowedAccountIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
+}
--- a/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
+++ b/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
+    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("allowedServiceAccounts").notNullable();
+      t.string("allowedProjects").notNullable();
+      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
--- a/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
+++ b/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
+    await knex.schema.createTable(TableName.SecretReference, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("environment").notNullable();
+      t.string("secretPath").notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretReference);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretReference);
+  await dropOnUpdateTrigger(knex, TableName.SecretReference);
+}
--- a/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
+++ b/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
+    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("kubernetesHost").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.text("encryptedTokenReviewerJwt").notNullable();
+      t.string("tokenReviewerJwtIV").notNullable();
+      t.string("tokenReviewerJwtTag").notNullable();
+      t.string("allowedNamespaces").notNullable();
+      t.string("allowedNames").notNullable();
+      t.string("allowedAudience").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
--- a/backend/src/db/migrations/20240521041514_identity-azure-auth.ts
+++ b/backend/src/db/migrations/20240521041514_identity-azure-auth.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
+    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("tenantId").notNullable();
+      t.string("resource").notNullable();
+      t.string("allowedServicePrincipalIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalPoliciesApproversSchema = z.object({
+  id: z.string().uuid(),
+  approverId: z.string().uuid(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
+export type TAccessApprovalPoliciesApproversInsert = Omit<
+  z.input<typeof AccessApprovalPoliciesApproversSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalPoliciesApproversUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesApproversSchema>, TImmutableDBKeys>
+>;
--- a/pg-migrator/src/schemas/secret-approval-policies.ts
+++ b/pg-migrator/src/schemas/secret-approval-policies.ts
@ -7,16 +7,18 @@ import { z } from "zod";

 import { TImmutableDBKeys } from "./models";

-export const SecretApprovalPoliciesSchema = z.object({
+export const AccessApprovalPoliciesSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
-  secretPath: z.string().nullable().optional(),
  approvals: z.number().default(1),
+  secretPath: z.string().nullable().optional(),
  envId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date(),
+  updatedAt: z.date()
 });

-export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
-export type TSecretApprovalPoliciesInsert = Omit<TSecretApprovalPolicies, TImmutableDBKeys>;
-export type TSecretApprovalPoliciesUpdate = Partial<Omit<TSecretApprovalPolicies, TImmutableDBKeys>>;
+export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
+export type TAccessApprovalPoliciesInsert = Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>;
+export type TAccessApprovalPoliciesUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/access-approval-requests-reviewers.ts
+++ b/backend/src/db/schemas/access-approval-requests-reviewers.ts
@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalRequestsReviewersSchema = z.object({
+  id: z.string().uuid(),
+  member: z.string().uuid(),
+  status: z.string(),
+  requestId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
+export type TAccessApprovalRequestsReviewersInsert = Omit<
+  z.input<typeof AccessApprovalRequestsReviewersSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalRequestsReviewersUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalRequestsReviewersSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalRequestsSchema = z.object({
+  id: z.string().uuid(),
+  policyId: z.string().uuid(),
+  privilegeId: z.string().uuid().nullable().optional(),
+  requestedBy: z.string().uuid(),
+  isTemporary: z.boolean(),
+  temporaryRange: z.string().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
+export type TAccessApprovalRequestsInsert = Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>;
+export type TAccessApprovalRequestsUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/audit-log-streams.ts
+++ b/backend/src/db/schemas/audit-log-streams.ts
@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AuditLogStreamsSchema = z.object({
+  id: z.string().uuid(),
+  url: z.string(),
+  encryptedHeadersCiphertext: z.string().nullable().optional(),
+  encryptedHeadersIV: z.string().nullable().optional(),
+  encryptedHeadersTag: z.string().nullable().optional(),
+  encryptedHeadersAlgorithm: z.string().nullable().optional(),
+  encryptedHeadersKeyEncoding: z.string().nullable().optional(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAuditLogStreams = z.infer<typeof AuditLogStreamsSchema>;
+export type TAuditLogStreamsInsert = Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>;
+export type TAuditLogStreamsUpdate = Partial<Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/dynamic-secret-leases.ts
+++ b/backend/src/db/schemas/dynamic-secret-leases.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const DynamicSecretLeasesSchema = z.object({
+  id: z.string().uuid(),
+  version: z.number(),
+  externalEntityId: z.string(),
+  expireAt: z.date(),
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  dynamicSecretId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
+export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
+export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/dynamic-secrets.ts
+++ b/backend/src/db/schemas/dynamic-secrets.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const DynamicSecretsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  version: z.number(),
+  type: z.string(),
+  defaultTTL: z.string(),
+  maxTTL: z.string().nullable().optional(),
+  inputIV: z.string(),
+  inputCiphertext: z.string(),
+  inputTag: z.string(),
+  algorithm: z.string().default("aes-256-gcm"),
+  keyEncoding: z.string().default("utf8"),
+  folderId: z.string().uuid(),
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
+export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
+export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/group-project-membership-roles.ts
+++ b/backend/src/db/schemas/group-project-membership-roles.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupProjectMembershipRolesSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroupProjectMembershipRoles = z.infer<typeof GroupProjectMembershipRolesSchema>;
+export type TGroupProjectMembershipRolesInsert = Omit<
+  z.input<typeof GroupProjectMembershipRolesSchema>,
+  TImmutableDBKeys
+>;
+export type TGroupProjectMembershipRolesUpdate = Partial<
+  Omit<z.input<typeof GroupProjectMembershipRolesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/group-project-memberships.ts
+++ b/backend/src/db/schemas/group-project-memberships.ts
@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupProjectMembershipsSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  groupId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroupProjectMemberships = z.infer<typeof GroupProjectMembershipsSchema>;
+export type TGroupProjectMembershipsInsert = Omit<z.input<typeof GroupProjectMembershipsSchema>, TImmutableDBKeys>;
+export type TGroupProjectMembershipsUpdate = Partial<
+  Omit<z.input<typeof GroupProjectMembershipsSchema>, TImmutableDBKeys>
+>;
--- a/pg-migrator/src/schemas/org-roles.ts
+++ b/pg-migrator/src/schemas/org-roles.ts
@ -7,17 +7,17 @@ import { z } from "zod";

 import { TImmutableDBKeys } from "./models";

-export const OrgRolesSchema = z.object({
+export const GroupsSchema = z.object({
  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  slug: z.string(),
-  permissions: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
  orgId: z.string().uuid(),
+  name: z.string(),
+  slug: z.string(),
+  role: z.string(),
+  roleId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
 });

-export type TOrgRoles = z.infer<typeof OrgRolesSchema>;
-export type TOrgRolesInsert = Omit<TOrgRoles, TImmutableDBKeys>;
-export type TOrgRolesUpdate = Partial<Omit<TOrgRoles, TImmutableDBKeys>>;
+export type TGroups = z.infer<typeof GroupsSchema>;
+export type TGroupsInsert = Omit<z.input<typeof GroupsSchema>, TImmutableDBKeys>;
+export type TGroupsUpdate = Partial<Omit<z.input<typeof GroupsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-aws-auths.ts
+++ b/backend/src/db/schemas/identity-aws-auths.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAwsAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  stsEndpoint: z.string(),
+  allowedPrincipalArns: z.string(),
+  allowedAccountIds: z.string()
+});
+
+export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
+export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-azure-auths.ts
+++ b/backend/src/db/schemas/identity-azure-auths.ts
@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAzureAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  tenantId: z.string(),
+  resource: z.string(),
+  allowedServicePrincipalIds: z.string()
+});
+
+export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;
+export type TIdentityAzureAuthsInsert = Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAzureAuthsUpdate = Partial<Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-gcp-auths.ts
+++ b/backend/src/db/schemas/identity-gcp-auths.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityGcpAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedServiceAccounts: z.string(),
+  allowedProjects: z.string(),
+  allowedZones: z.string()
+});
+
+export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
+export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-kubernetes-auths.ts
+++ b/backend/src/db/schemas/identity-kubernetes-auths.ts
@ -0,0 +1,35 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityKubernetesAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  kubernetesHost: z.string(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  encryptedTokenReviewerJwt: z.string(),
+  tokenReviewerJwtIV: z.string(),
+  tokenReviewerJwtTag: z.string(),
+  allowedNamespaces: z.string(),
+  allowedNames: z.string(),
+  allowedAudience: z.string()
+});
+
+export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
+export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityKubernetesAuthsUpdate = Partial<
+  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/identity-project-additional-privilege.ts
+++ b/backend/src/db/schemas/identity-project-additional-privilege.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProjectAdditionalPrivilegeSchema = z.object({
+  id: z.string().uuid(),
+  slug: z.string(),
+  projectMembershipId: z.string().uuid(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProjectAdditionalPrivilege = z.infer<typeof IdentityProjectAdditionalPrivilegeSchema>;
+export type TIdentityProjectAdditionalPrivilegeInsert = Omit<
+  z.input<typeof IdentityProjectAdditionalPrivilegeSchema>,
+  TImmutableDBKeys
+>;
+export type TIdentityProjectAdditionalPrivilegeUpdate = Partial<
+  Omit<z.input<typeof IdentityProjectAdditionalPrivilegeSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/identity-project-membership-role.ts
+++ b/backend/src/db/schemas/identity-project-membership-role.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProjectMembershipRoleSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProjectMembershipRole = z.infer<typeof IdentityProjectMembershipRoleSchema>;
+export type TIdentityProjectMembershipRoleInsert = Omit<
+  z.input<typeof IdentityProjectMembershipRoleSchema>,
+  TImmutableDBKeys
+>;
+export type TIdentityProjectMembershipRoleUpdate = Partial<
+  Omit<z.input<typeof IdentityProjectMembershipRoleSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/identity-project-memberships.ts
+++ b/backend/src/db/schemas/identity-project-memberships.ts
@ -9,8 +9,6 @@ import { TImmutableDBKeys } from "./models";

 export const IdentityProjectMembershipsSchema = z.object({
  id: z.string().uuid(),
-  role: z.string(),
-  roleId: z.string().uuid().nullable().optional(),
  projectId: z.string(),
  identityId: z.string().uuid(),
  createdAt: z.date(),
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -1,19 +1,37 @@
+export * from "./access-approval-policies";
+export * from "./access-approval-policies-approvers";
+export * from "./access-approval-requests";
+export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
+export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
 export * from "./backup-private-key";
+export * from "./dynamic-secret-leases";
+export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
+export * from "./group-project-membership-roles";
+export * from "./group-project-memberships";
+export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
+export * from "./identity-aws-auths";
+export * from "./identity-azure-auths";
+export * from "./identity-gcp-auths";
+export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
+export * from "./identity-project-additional-privilege";
+export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./ldap-configs";
+export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./org-bots";
 export * from "./org-memberships";
@ -24,6 +42,8 @@ export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
+export * from "./project-user-additional-privilege";
+export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./saml-configs";
 export * from "./scim-tokens";
@ -52,6 +72,8 @@ export * from "./service-tokens";
 export * from "./super-admin";
 export * from "./trusted-ips";
 export * from "./user-actions";
+export * from "./user-aliases";
 export * from "./user-encryption-keys";
+export * from "./user-group-membership";
 export * from "./users";
 export * from "./webhooks";
--- a/backend/src/db/schemas/integrations.ts
+++ b/backend/src/db/schemas/integrations.ts
@ -27,7 +27,8 @@ export const IntegrationsSchema = z.object({
  envId: z.string().uuid(),
  secretPath: z.string().default("/"),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  lastUsed: z.date().nullable().optional()
 });

 export type TIntegrations = z.infer<typeof IntegrationsSchema>;
--- a/backend/src/db/schemas/ldap-configs.ts
+++ b/backend/src/db/schemas/ldap-configs.ts
@ -0,0 +1,34 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const LdapConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  isActive: z.boolean(),
+  url: z.string(),
+  encryptedBindDN: z.string(),
+  bindDNIV: z.string(),
+  bindDNTag: z.string(),
+  encryptedBindPass: z.string(),
+  bindPassIV: z.string(),
+  bindPassTag: z.string(),
+  searchBase: z.string(),
+  encryptedCACert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  groupSearchBase: z.string().default(""),
+  groupSearchFilter: z.string().default(""),
+  searchFilter: z.string().default("")
+});
+
+export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;
+export type TLdapConfigsInsert = Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>;
+export type TLdapConfigsUpdate = Partial<Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ldap-group-maps.ts
+++ b/backend/src/db/schemas/ldap-group-maps.ts
@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const LdapGroupMapsSchema = z.object({
+  id: z.string().uuid(),
+  ldapConfigId: z.string().uuid(),
+  ldapGroupCN: z.string(),
+  groupId: z.string().uuid()
+});
+
+export type TLdapGroupMaps = z.infer<typeof LdapGroupMapsSchema>;
+export type TLdapGroupMapsInsert = Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>;
+export type TLdapGroupMapsUpdate = Partial<Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,6 +2,11 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
+  Groups = "groups",
+  GroupProjectMembership = "group_project_memberships",
+  GroupProjectMembershipRole = "group_project_membership_roles",
+  UserGroupMembership = "user_group_membership",
+  UserAliases = "user_aliases",
  UserEncryptionKey = "user_encryption_keys",
  AuthTokens = "auth_tokens",
  AuthTokenSession = "auth_token_sessions",
@ -19,8 +24,11 @@ export enum TableName {
  Environment = "project_environments",
  ProjectMembership = "project_memberships",
  ProjectRoles = "project_roles",
+  ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
+  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  Secret = "secrets",
+  SecretReference = "secret_references",
  SecretBlindIndex = "secret_blind_indexes",
  SecretVersion = "secret_versions",
  SecretFolder = "secret_folders",
@ -37,10 +45,20 @@ export enum TableName {
  Identity = "identities",
  IdentityAccessToken = "identity_access_tokens",
  IdentityUniversalAuth = "identity_universal_auths",
+  IdentityKubernetesAuth = "identity_kubernetes_auths",
+  IdentityGcpAuth = "identity_gcp_auths",
+  IdentityAzureAuth = "identity_azure_auths",
  IdentityUaClientSecret = "identity_ua_client_secrets",
+  IdentityAwsAuth = "identity_aws_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
+  IdentityProjectMembershipRole = "identity_project_membership_role",
+  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  ScimToken = "scim_tokens",
+  AccessApprovalPolicy = "access_approval_policies",
+  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
+  AccessApprovalRequest = "access_approval_requests",
+  AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
  SecretApprovalPolicy = "secret_approval_policies",
  SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
  SecretApprovalRequest = "secret_approval_requests",
@ -50,11 +68,16 @@ export enum TableName {
  SecretRotation = "secret_rotations",
  SecretRotationOutput = "secret_rotation_outputs",
  SamlConfig = "saml_configs",
+  LdapConfig = "ldap_configs",
+  LdapGroupMap = "ldap_group_maps",
  AuditLog = "audit_logs",
+  AuditLogStream = "audit_log_streams",
  GitAppInstallSession = "git_app_install_sessions",
  GitAppOrg = "git_app_org",
  SecretScanningGitRisk = "secret_scanning_git_risks",
  TrustedIps = "trusted_ips",
+  DynamicSecret = "dynamic_secrets",
+  DynamicSecretLease = "dynamic_secret_leases",
  // junction tables with tags
  JnSecretTag = "secret_tag_junction",
  SecretVersionTag = "secret_version_tag_junction"
@ -124,5 +147,9 @@ export enum ProjectUpgradeStatus {
 }

 export enum IdentityAuthMethod {
-  Univeral = "universal-auth"
+  Univeral = "universal-auth",
+  KUBERNETES_AUTH = "kubernetes-auth",
+  GCP_AUTH = "gcp-auth",
+  AWS_AUTH = "aws-auth",
+  AZURE_AUTH = "azure-auth"
 }
--- a/backend/src/db/schemas/project-memberships.ts
+++ b/backend/src/db/schemas/project-memberships.ts
@ -9,12 +9,10 @@ import { TImmutableDBKeys } from "./models";

 export const ProjectMembershipsSchema = z.object({
  id: z.string().uuid(),
-  role: z.string(),
  createdAt: z.date(),
  updatedAt: z.date(),
  userId: z.string().uuid(),
-  projectId: z.string(),
-  roleId: z.string().uuid().nullable().optional()
+  projectId: z.string()
 });

 export type TProjectMemberships = z.infer<typeof ProjectMembershipsSchema>;
--- a/backend/src/db/schemas/project-user-additional-privilege.ts
+++ b/backend/src/db/schemas/project-user-additional-privilege.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectUserAdditionalPrivilegeSchema = z.object({
+  id: z.string().uuid(),
+  slug: z.string(),
+  projectMembershipId: z.string().uuid(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectUserAdditionalPrivilege = z.infer<typeof ProjectUserAdditionalPrivilegeSchema>;
+export type TProjectUserAdditionalPrivilegeInsert = Omit<
+  z.input<typeof ProjectUserAdditionalPrivilegeSchema>,
+  TImmutableDBKeys
+>;
+export type TProjectUserAdditionalPrivilegeUpdate = Partial<
+  Omit<z.input<typeof ProjectUserAdditionalPrivilegeSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/project-user-membership-roles.ts
+++ b/backend/src/db/schemas/project-user-membership-roles.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectUserMembershipRolesSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectUserMembershipRoles = z.infer<typeof ProjectUserMembershipRolesSchema>;
+export type TProjectUserMembershipRolesInsert = Omit<
+  z.input<typeof ProjectUserMembershipRolesSchema>,
+  TImmutableDBKeys
+>;
+export type TProjectUserMembershipRolesUpdate = Partial<
+  Omit<z.input<typeof ProjectUserMembershipRolesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/secret-references.ts
+++ b/backend/src/db/schemas/secret-references.ts
@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretReferencesSchema = z.object({
+  id: z.string().uuid(),
+  environment: z.string(),
+  secretPath: z.string(),
+  secretId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
+export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
+export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -14,7 +14,9 @@ export const SuperAdminSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  allowedSignUpDomain: z.string().nullable().optional(),
-  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000")
+  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
+  trustSamlEmails: z.boolean().default(false).nullable().optional(),
+  trustLdapEmails: z.boolean().default(false).nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const UserAliasesSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  username: z.string().nullable().optional(),
+  aliasType: z.string(),
+  externalId: z.string(),
+  emails: z.string().array().nullable().optional(),
+  orgId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TUserAliases = z.infer<typeof UserAliasesSchema>;
+export type TUserAliasesInsert = Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>;
+export type TUserAliasesUpdate = Partial<Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/user-group-membership.ts
+++ b/backend/src/db/schemas/user-group-membership.ts
@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const UserGroupMembershipSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  groupId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  isPending: z.boolean().default(false)
+});
+
+export type TUserGroupMembership = z.infer<typeof UserGroupMembershipSchema>;
+export type TUserGroupMembershipInsert = Omit<z.input<typeof UserGroupMembershipSchema>, TImmutableDBKeys>;
+export type TUserGroupMembershipUpdate = Partial<Omit<z.input<typeof UserGroupMembershipSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/users.ts
+++ b/backend/src/db/schemas/users.ts
@ -9,7 +9,7 @@ import { TImmutableDBKeys } from "./models";

 export const UsersSchema = z.object({
  id: z.string().uuid(),
-  email: z.string(),
+  email: z.string().nullable().optional(),
  authMethods: z.string().array().nullable().optional(),
  superAdmin: z.boolean().default(false).nullable().optional(),
  firstName: z.string().nullable().optional(),
@ -20,7 +20,9 @@ export const UsersSchema = z.object({
  devices: z.unknown().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  isGhost: z.boolean().default(false)
+  isGhost: z.boolean().default(false),
+  username: z.string(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });

 export type TUsers = z.infer<typeof UsersSchema>;
--- a/backend/src/db/seed-data.ts
+++ b/backend/src/db/seed-data.ts
@ -21,6 +21,7 @@ export let userPublicKey: string | undefined;

 export const seedData1 = {
  id: "3dafd81d-4388-432b-a4c5-f735616868c1",
+  username: process.env.TEST_USER_USERNAME || "test@localhost.local",
  email: process.env.TEST_USER_EMAIL || "test@localhost.local",
  password: process.env.TEST_USER_PASSWORD || "testInfisical@1",
  organization: {
--- a/backend/src/db/seeds/1-user.ts
+++ b/backend/src/db/seeds/1-user.ts
@ -9,7 +9,12 @@ export async function seed(knex: Knex): Promise<void> {
  await knex(TableName.Users).del();
  await knex(TableName.UserEncryptionKey).del();
  await knex(TableName.SuperAdmin).del();
-  await knex(TableName.SuperAdmin).insert([{ initialized: true, allowSignUp: true }]);
+
+  await knex(TableName.SuperAdmin).insert([
+    // eslint-disable-next-line
+    // @ts-ignore
+    { id: "00000000-0000-0000-0000-000000000000", initialized: true, allowSignUp: true }
+  ]);
  // Inserts seed entries
  const [user] = await knex(TableName.Users)
    .insert([
@ -17,6 +22,7 @@ export async function seed(knex: Knex): Promise<void> {
        // eslint-disable-next-line
        // @ts-ignore
        id: seedData1.id,
+        username: seedData1.username,
        email: seedData1.email,
        superAdmin: true,
        firstName: "test",
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@ -4,7 +4,7 @@ import { Knex } from "knex";

 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";

-import { OrgMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
@ -30,10 +30,15 @@ export async function seed(knex: Knex): Promise<void> {
    })
    .returning("*");

-  await knex(TableName.ProjectMembership).insert({
-    projectId: project.id,
-    role: OrgMembershipRole.Admin,
-    userId: seedData1.id
+  const projectMembership = await knex(TableName.ProjectMembership)
+    .insert({
+      projectId: project.id,
+      userId: seedData1.id
+    })
+    .returning("*");
+  await knex(TableName.ProjectUserMembershipRole).insert({
+    role: ProjectMembershipRole.Admin,
+    projectMembershipId: projectMembership[0].id
  });

  const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
--- a/backend/src/db/seeds/4-machine-identity.ts
+++ b/backend/src/db/seeds/4-machine-identity.ts
@ -75,9 +75,15 @@ export async function seed(knex: Knex): Promise<void> {
    }
  ]);

-  await knex(TableName.IdentityProjectMembership).insert({
-    identityId: seedData1.machineIdentity.id,
+  const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
+    .insert({
+      identityId: seedData1.machineIdentity.id,
+      projectId: seedData1.project.id
+    })
+    .returning("*");
+
+  await knex(TableName.IdentityProjectMembershipRole).insert({
    role: ProjectMembershipRole.Admin,
-    projectId: seedData1.project.id
+    projectMembershipId: identityProjectMembership[0].id
  });
 }
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -0,0 +1,168 @@
+import { nanoid } from "nanoid";
+import { z } from "zod";
+
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    schema: {
+      body: z
+        .object({
+          projectSlug: z.string().trim(),
+          name: z.string().optional(),
+          secretPath: z.string().trim().default("/"),
+          environment: z.string(),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        projectSlug: req.body.projectSlug,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+      });
+      return { approval };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          approvals: sapPubSchema.extend({ approvers: z.string().array(), secretPath: z.string().optional() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approvals = await server.services.accessApprovalPolicy.getAccessApprovalPolicyByProjectSlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectSlug: req.query.projectSlug
+      });
+      return { approvals };
+    }
+  });
+
+  server.route({
+    url: "/count",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string(),
+        envSlug: z.string()
+      }),
+      response: {
+        200: z.object({
+          count: z.number()
+        })
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { count } = await server.services.accessApprovalPolicy.getAccessPolicyCountByEnvSlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        projectSlug: req.query.projectSlug,
+        actorOrgId: req.permission.orgId,
+        envSlug: req.query.envSlug
+      });
+      return { count };
+    }
+  });
+
+  server.route({
+    url: "/:policyId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      body: z
+        .object({
+          name: z.string().optional(),
+          secretPath: z
+            .string()
+            .trim()
+            .optional()
+            .transform((val) => (val === "" ? "/" : val)),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
+        policyId: req.params.policyId,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body
+      });
+    }
+  });
+
+  server.route({
+    url: "/:policyId",
+    method: "DELETE",
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        policyId: req.params.policyId
+      });
+      return { approval };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -0,0 +1,160 @@
+import { z } from "zod";
+
+import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema } from "@app/db/schemas";
+import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAccessApprovalRequestRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    schema: {
+      body: z.object({
+        permissions: z.any().array(),
+        isTemporary: z.boolean(),
+        temporaryRange: z.string().optional()
+      }),
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          approval: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.createAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        permissions: req.body.permissions,
+        actorOrgId: req.permission.orgId,
+        projectSlug: req.query.projectSlug,
+        temporaryRange: req.body.temporaryRange,
+        isTemporary: req.body.isTemporary
+      });
+      return { approval: request };
+    }
+  });
+
+  server.route({
+    url: "/count",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          pendingCount: z.number(),
+          finalizedCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { count } = await server.services.accessApprovalRequest.getCount({
+        projectSlug: req.query.projectSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { ...count };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim(),
+        authorProjectMembershipId: z.string().trim().optional(),
+        envSlug: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          requests: AccessApprovalRequestsSchema.extend({
+            environmentName: z.string(),
+            isApproved: z.boolean(),
+            privilege: z
+              .object({
+                membershipId: z.string(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().nullish(),
+                temporaryRange: z.string().nullish(),
+                temporaryAccessStartTime: z.date().nullish(),
+                temporaryAccessEndTime: z.date().nullish(),
+                permissions: z.unknown()
+              })
+              .nullable(),
+            policy: z.object({
+              id: z.string(),
+              name: z.string(),
+              approvals: z.number(),
+              approvers: z.string().array(),
+              secretPath: z.string().nullish(),
+              envId: z.string()
+            }),
+            reviewers: z
+              .object({
+                member: z.string(),
+                status: z.string()
+              })
+              .array()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
+        projectSlug: req.query.projectSlug,
+        authorProjectMembershipId: req.query.authorProjectMembershipId,
+        envSlug: req.query.envSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { requests };
+    }
+  });
+
+  server.route({
+    url: "/:requestId/review",
+    method: "POST",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      body: z.object({
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+      }),
+      response: {
+        200: z.object({
+          review: AccessApprovalRequestsReviewersSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const review = await server.services.accessApprovalRequest.reviewAccessRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        requestId: req.params.requestId,
+        status: req.body.status
+      });
+
+      return { review };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/audit-log-stream-router.ts
+++ b/backend/src/ee/routes/v1/audit-log-stream-router.ts
@ -0,0 +1,215 @@
+import { z } from "zod";
+
+import { AUDIT_LOG_STREAMS } from "@app/lib/api-docs";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedAuditLogStreamSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAuditLogStreamRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Create an Audit Log Stream.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        url: z.string().min(1).describe(AUDIT_LOG_STREAMS.CREATE.url),
+        headers: z
+          .object({
+            key: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.CREATE.headers.key),
+            value: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.CREATE.headers.value)
+          })
+          .describe(AUDIT_LOG_STREAMS.CREATE.headers.desc)
+          .array()
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          auditLogStream: SanitizedAuditLogStreamSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const auditLogStream = await server.services.auditLogStream.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        url: req.body.url,
+        headers: req.body.headers
+      });
+
+      return { auditLogStream };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Update an Audit Log Stream by ID.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().describe(AUDIT_LOG_STREAMS.UPDATE.id)
+      }),
+      body: z.object({
+        url: z.string().optional().describe(AUDIT_LOG_STREAMS.UPDATE.url),
+        headers: z
+          .object({
+            key: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.UPDATE.headers.key),
+            value: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.UPDATE.headers.value)
+          })
+          .describe(AUDIT_LOG_STREAMS.UPDATE.headers.desc)
+          .array()
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          auditLogStream: SanitizedAuditLogStreamSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const auditLogStream = await server.services.auditLogStream.updateById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.id,
+        url: req.body.url,
+        headers: req.body.headers
+      });
+
+      return { auditLogStream };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Delete an Audit Log Stream by ID.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().describe(AUDIT_LOG_STREAMS.DELETE.id)
+      }),
+      response: {
+        200: z.object({
+          auditLogStream: SanitizedAuditLogStreamSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const auditLogStream = await server.services.auditLogStream.deleteById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.id
+      });
+
+      return { auditLogStream };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get an Audit Log Stream by ID.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().describe(AUDIT_LOG_STREAMS.GET_BY_ID.id)
+      }),
+      response: {
+        200: z.object({
+          auditLogStream: SanitizedAuditLogStreamSchema.extend({
+            headers: z
+              .object({
+                key: z.string(),
+                value: z.string()
+              })
+              .array()
+              .optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const auditLogStream = await server.services.auditLogStream.getById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.id
+      });
+
+      return { auditLogStream };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List Audit Log Streams.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      response: {
+        200: z.object({
+          auditLogStreams: SanitizedAuditLogStreamSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const auditLogStreams = await server.services.auditLogStream.list({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { auditLogStreams };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-lease-router.ts
@ -0,0 +1,197 @@
+import ms from "ms";
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
+        ttl: z
+          .string()
+          .optional()
+          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema,
+          dynamicSecret: SanitizedDynamicSecretSchema,
+          data: z.unknown()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.body.dynamicSecretName,
+        ...req.body
+      });
+      return { lease, data, dynamicSecret };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:leaseId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.projectSlug),
+        path: z
+          .string()
+          .min(1)
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.DELETE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.environmentSlug),
+        isForced: z.boolean().default(false).describe(DYNAMIC_SECRET_LEASES.DELETE.isForced)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.revokeLease({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.body
+      });
+      return { lease };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:leaseId/renew",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
+      }),
+      body: z.object({
+        ttl: z
+          .string()
+          .describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
+          .optional()
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.projectSlug),
+        path: z
+          .string()
+          .min(1)
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.renewLease({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.body
+      });
+      return { lease };
+    }
+  });
+
+  server.route({
+    url: "/:leaseId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.projectSlug),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema.extend({
+            dynamicSecret: SanitizedDynamicSecretSchema
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const lease = await server.services.dynamicSecretLease.getLeaseDetails({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        leaseId: req.params.leaseId,
+        ...req.query
+      });
+      return { lease };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/dynamic-secret-router.ts
+++ b/backend/src/ee/routes/v1/dynamic-secret-router.ts
@ -0,0 +1,290 @@
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
+import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
+        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
+        defaultTTL: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.defaultTTL)
+          .superRefine((val, ctx) => {
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        maxTTL: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.maxTTL)
+          .optional()
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          })
+          .nullable(),
+        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
+        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
+        name: z
+          .string()
+          .describe(DYNAMIC_SECRETS.CREATE.name)
+          .min(1)
+          .toLowerCase()
+          .max(64)
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          })
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.UPDATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.environmentSlug),
+        data: z.object({
+          inputs: z.any().optional().describe(DYNAMIC_SECRETS.UPDATE.inputs),
+          defaultTTL: z
+            .string()
+            .describe(DYNAMIC_SECRETS.UPDATE.defaultTTL)
+            .optional()
+            .superRefine((val, ctx) => {
+              if (!val) return;
+              const valMs = ms(val);
+              if (valMs < 60 * 1000)
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+              if (valMs > daysToMillisecond(1))
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+            }),
+          maxTTL: z
+            .string()
+            .describe(DYNAMIC_SECRETS.UPDATE.maxTTL)
+            .optional()
+            .superRefine((val, ctx) => {
+              if (!val) return;
+              const valMs = ms(val);
+              if (valMs < 60 * 1000)
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+              if (valMs > daysToMillisecond(1))
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+            })
+            .nullable(),
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
+        })
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.updateByName({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        path: req.body.path,
+        projectSlug: req.body.projectSlug,
+        environmentSlug: req.body.environmentSlug,
+        ...req.body.data
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:name",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
+      }),
+      body: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.DELETE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.environmentSlug),
+        isForced: z.boolean().default(false).describe(DYNAMIC_SECRETS.DELETE.isForced)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.deleteByName({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.body
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    url: "/:name",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.GET_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecret: SanitizedDynamicSecretSchema.extend({
+            inputs: z.unknown()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfg = await server.services.dynamicSecret.getDetails({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.query
+      });
+      return { dynamicSecret: dynamicSecretCfg };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          dynamicSecrets: SanitizedDynamicSecretSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return { dynamicSecrets: dynamicSecretCfgs };
+    }
+  });
+
+  server.route({
+    url: "/:name/leases",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
+      }),
+      querystring: z.object({
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
+      }),
+      response: {
+        200: z.object({
+          leases: DynamicSecretLeasesSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const leases = await server.services.dynamicSecretLease.listLeases({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.params.name,
+        ...req.query
+      });
+      return { leases };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -0,0 +1,220 @@
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
+import { GROUPS } from "@app/lib/api-docs";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerGroupRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z.object({
+        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
+        slug: z
+          .string()
+          .min(5)
+          .max(36)
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(GROUPS.CREATE.slug),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(GROUPS.CREATE.role)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.createGroup({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/:currentSlug",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+      }),
+      body: z
+        .object({
+          name: z.string().trim().min(1).describe(GROUPS.UPDATE.name),
+          slug: z
+            .string()
+            .min(5)
+            .max(36)
+            .refine((v) => slugify(v) === v, {
+              message: "Slug must be a valid slug"
+            })
+            .describe(GROUPS.UPDATE.slug),
+          role: z.string().trim().min(1).describe(GROUPS.UPDATE.role)
+        })
+        .partial(),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.updateGroup({
+        currentSlug: req.params.currentSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/:slug",
+    method: "DELETE",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.deleteGroup({
+        groupSlug: req.params.slug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:slug/users",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+      }),
+      querystring: z.object({
+        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
+        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
+        username: z.string().optional().describe(GROUPS.LIST_USERS.username)
+      }),
+      response: {
+        200: z.object({
+          users: UsersSchema.pick({
+            email: true,
+            username: true,
+            firstName: true,
+            lastName: true,
+            id: true
+          })
+            .merge(
+              z.object({
+                isPartOfGroup: z.boolean()
+              })
+            )
+            .array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { users, totalCount } = await server.services.group.listGroupUsers({
+        groupSlug: req.params.slug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return { users, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        username: z.string().trim().describe(GROUPS.ADD_USER.username)
+      }),
+      response: {
+        200: UsersSchema.pick({
+          email: true,
+          username: true,
+          firstName: true,
+          lastName: true,
+          id: true
+        })
+      }
+    },
+    handler: async (req) => {
+      const user = await server.services.group.addUserToGroup({
+        groupSlug: req.params.slug,
+        username: req.params.username,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return user;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
+      }),
+      response: {
+        200: UsersSchema.pick({
+          email: true,
+          username: true,
+          firstName: true,
+          lastName: true,
+          id: true
+        })
+      }
+    },
+    handler: async (req) => {
+      const user = await server.services.group.removeUserFromGroup({
+        groupSlug: req.params.slug,
+        username: req.params.username,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return user;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@ -0,0 +1,316 @@
+import { packRules } from "@casl/ability/extra";
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+import { z } from "zod";
+
+import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
+import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/permanent",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a permanent or a non expiry specific privilege for identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: false,
+        permissions: JSON.stringify(packRules(req.body.permissions))
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a temporary or a expiring specific privilege for identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        temporaryMode: z
+          .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
+        temporaryRange: z
+          .string()
+          .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
+        temporaryAccessStartTime: z
+          .string()
+          .datetime()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: true,
+        permissions: JSON.stringify(packRules(req.body.permissions))
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update a specific privilege of an identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        // disallow empty string
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.slug),
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.projectSlug),
+        privilegeDetails: z
+          .object({
+            slug: z
+              .string()
+              .min(1)
+              .max(60)
+              .trim()
+              .refine((val) => val.toLowerCase() === val, "Must be lowercase")
+              .refine((v) => slugify(v) === v, {
+                message: "Slug must be a valid slug"
+              })
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
+            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
+            temporaryMode: z
+              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
+            temporaryRange: z
+              .string()
+              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
+            temporaryAccessStartTime: z
+              .string()
+              .datetime()
+              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
+          })
+          .partial()
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const updatedInfo = req.body.privilegeDetails;
+      const privilege = await server.services.identityProjectAdditionalPrivilege.updateBySlug({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        slug: req.body.privilegeSlug,
+        identityId: req.body.identityId,
+        projectSlug: req.body.projectSlug,
+        data: {
+          ...updatedInfo,
+          permissions: updatedInfo?.permissions ? JSON.stringify(packRules(updatedInfo.permissions)) : undefined
+        }
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete a specific privilege of an identity.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.slug),
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.DELETE.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.deleteBySlug({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.privilegeSlug,
+        identityId: req.body.identityId,
+        projectSlug: req.body.projectSlug
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:privilegeSlug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Retrieve details of a specific privilege by privilege slug.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.slug)
+      }),
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.GET_BY_SLUG.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privilege: SanitizedIdentityPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privilege = await server.services.identityProjectAdditionalPrivilege.getPrivilegeDetailsBySlug({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.privilegeSlug,
+        ...req.query
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List of a specific privilege of an identity in a project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          privileges: SanitizedIdentityPrivilegeSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const privileges = await server.services.identityProjectAdditionalPrivilege.listIdentityProjectPrivileges({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return {
+        privileges
+      };
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,3 +1,11 @@
+import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
+import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
+import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
+import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
+import { registerDynamicSecretRouter } from "./dynamic-secret-router";
+import { registerGroupRouter } from "./group-router";
+import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOrgRoleRouter } from "./org-role-router";
 import { registerProjectRoleRouter } from "./project-role-router";
@ -12,6 +20,7 @@ import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
+import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";

 export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  // org role starts with organization
@ -33,9 +42,31 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerSecretRotationProviderRouter, {
    prefix: "/secret-rotation-providers"
  });
+
+  await server.register(registerAccessApprovalPolicyRouter, { prefix: "/access-approvals/policies" });
+  await server.register(registerAccessApprovalRequestRouter, { prefix: "/access-approvals/requests" });
+
+  await server.register(
+    async (dynamicSecretRouter) => {
+      await dynamicSecretRouter.register(registerDynamicSecretRouter);
+      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
+    },
+    { prefix: "/dynamic-secrets" }
+  );
+
  await server.register(registerSamlRouter, { prefix: "/sso" });
  await server.register(registerScimRouter, { prefix: "/scim" });
+  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
+  await server.register(registerGroupRouter, { prefix: "/groups" });
+  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
+  await server.register(
+    async (privilegeRouter) => {
+      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
+      await privilegeRouter.register(registerIdentityProjectAdditionalPrivilegeRouter, { prefix: "/identity" });
+    },
+    { prefix: "/additional-privilege" }
+  );
 };
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -0,0 +1,371 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+// All the any rules are disabled because passport typesense with fastify is really poor
+
+import { IncomingMessage } from "node:http";
+
+import { Authenticator } from "@fastify/passport";
+import fastifySession from "@fastify/session";
+import { FastifyRequest } from "fastify";
+import LdapStrategy from "passport-ldapauth";
+import { z } from "zod";
+
+import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
+import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
+import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerLdapRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+  const passport = new Authenticator({ key: "ldap", userProperty: "passportUser" });
+  await server.register(fastifySession, { secret: appCfg.COOKIE_SECRET_SIGN_KEY });
+  await server.register(passport.initialize());
+  await server.register(passport.secureSession());
+
+  const getLdapPassportOpts = (req: FastifyRequest, done: any) => {
+    const { organizationSlug } = req.body as {
+      organizationSlug: string;
+    };
+
+    process.nextTick(async () => {
+      try {
+        const { opts, ldapConfig } = await server.services.ldap.bootLdap(organizationSlug);
+        req.ldapConfig = ldapConfig;
+        done(null, opts);
+      } catch (err) {
+        done(err);
+      }
+    });
+  };
+
+  passport.use(
+    new LdapStrategy(
+      getLdapPassportOpts as any,
+      // eslint-disable-next-line
+      async (req: IncomingMessage, user, cb) => {
+        try {
+          if (!user.email) throw new BadRequestError({ message: "Invalid request. Missing email." });
+          const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
+
+          let groups: { dn: string; cn: string }[] | undefined;
+          if (ldapConfig.groupSearchBase) {
+            const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
+            const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
+              .replace(/{{\.Username}}/g, user.uid)
+              .replace(/{{\.UserDN}}/g, user.dn);
+
+            if (!isValidLdapFilter(groupSearchFilter)) {
+              throw new Error("Generated LDAP search filter is invalid.");
+            }
+
+            groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
+          }
+
+          const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            ldapConfigId: ldapConfig.id,
+            externalId: user.uidNumber,
+            username: user.uid,
+            firstName: user.givenName ?? user.cn ?? "",
+            lastName: user.sn ?? "",
+            email: user.mail,
+            groups,
+            relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
+            orgId: (req as unknown as FastifyRequest).ldapConfig.organization
+          });
+
+          return cb(null, { isUserCompleted, providerAuthToken });
+        } catch (error) {
+          logger.error(error);
+          return cb(error, false);
+        }
+      }
+    )
+  );
+
+  server.route({
+    url: "/login",
+    method: "POST",
+    schema: {
+      body: z.object({
+        organizationSlug: z.string().trim()
+      })
+    },
+    preValidation: passport.authenticate("ldapauth", {
+      session: false
+      // failureFlash: true,
+      // failureRedirect: "/login/provider/error"
+      // this is due to zod type difference
+    }) as any,
+    handler: (req, res) => {
+      let nextUrl;
+      if (req.passportUser.isUserCompleted) {
+        nextUrl = `${appCfg.SITE_URL}/login/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
+      } else {
+        nextUrl = `${appCfg.SITE_URL}/signup/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
+      }
+
+      return res.status(200).send({
+        nextUrl
+      });
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/config",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      querystring: z.object({
+        organizationId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          organization: z.string(),
+          isActive: z.boolean(),
+          url: z.string(),
+          bindDN: z.string(),
+          bindPass: z.string(),
+          searchBase: z.string(),
+          searchFilter: z.string(),
+          groupSearchBase: z.string(),
+          groupSearchFilter: z.string(),
+          caCert: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.getLdapCfgWithPermissionCheck({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.query.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+      return ldap;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z.object({
+        organizationId: z.string().trim(),
+        isActive: z.boolean(),
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        searchBase: z.string().trim(),
+        searchFilter: z.string().trim().default("(uid={{username}})"),
+        groupSearchBase: z.string().trim(),
+        groupSearchFilter: z
+          .string()
+          .trim()
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
+        caCert: z.string().trim().default("")
+      }),
+      response: {
+        200: LdapConfigsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.createLdapCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return ldap;
+    }
+  });
+
+  server.route({
+    url: "/config",
+    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z
+        .object({
+          isActive: z.boolean(),
+          url: z.string().trim(),
+          bindDN: z.string().trim(),
+          bindPass: z.string().trim(),
+          searchBase: z.string().trim(),
+          searchFilter: z.string().trim(),
+          groupSearchBase: z.string().trim(),
+          groupSearchFilter: z.string().trim(),
+          caCert: z.string().trim()
+        })
+        .partial()
+        .merge(z.object({ organizationId: z.string() })),
+      response: {
+        200: LdapConfigsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.updateLdapCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return ldap;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            id: z.string(),
+            ldapConfigId: z.string(),
+            ldapGroupCN: z.string(),
+            group: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            })
+          })
+        )
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMaps = await server.services.ldap.getLdapGroupMaps({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return ldapGroupMaps;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      body: z.object({
+        ldapGroupCN: z.string().trim(),
+        groupSlug: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.createLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ...req.body
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/config/:configId/group-maps/:groupMapId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim(),
+        groupMapId: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.deleteLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ldapGroupMapId: req.params.groupMapId
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/test-connection",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.boolean()
+      }
+    },
+    handler: async (req) => {
+      const result = await server.services.ldap.testLDAPConnection({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return result;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@ -3,13 +3,17 @@
 // TODO(akhilmhdh): Fix this when licence service gets it type
 import { z } from "zod";

+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
-    url: "/:organizationId/plans/table",
    method: "GET",
+    url: "/:organizationId/plans/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      querystring: z.object({ billingCycle: z.enum(["monthly", "yearly"]) }),
      params: z.object({ organizationId: z.string().trim() }),
@ -24,6 +28,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        billingCycle: req.query.billingCycle
      });
      return data;
@ -31,8 +36,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan",
    method: "GET",
+    url: "/:organizationId/plan",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -45,6 +53,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return { plan };
@ -52,8 +61,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plans",
    method: "GET",
+    url: "/:organizationId/plans",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({ workspaceId: z.string().trim().optional() }),
@ -66,6 +78,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgPlan({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -73,8 +87,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/session/trial",
    method: "POST",
+    url: "/:organizationId/session/trial",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({ success_url: z.string().trim() }),
@ -89,6 +106,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        success_url: req.body.success_url
      });
      return data;
@ -98,6 +116,9 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/:organizationId/customer-portal-session",
    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -110,6 +131,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -117,8 +139,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/billing",
    method: "GET",
+    url: "/:organizationId/plan/billing",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -131,6 +156,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -138,8 +164,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/plan/table",
    method: "GET",
+    url: "/:organizationId/plan/table",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -152,6 +181,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -159,8 +189,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "GET",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -173,6 +206,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -180,8 +214,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details",
    method: "PATCH",
+    url: "/:organizationId/billing-details",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@ -198,6 +235,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        name: req.body.name,
        email: req.body.email
@ -207,8 +245,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "GET",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      response: {
@ -221,6 +262,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -228,8 +270,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods",
    method: "POST",
+    url: "/:organizationId/billing-details/payment-methods",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
@ -246,6 +291,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        success_url: req.body.success_url,
        cancel_url: req.body.cancel_url
@ -255,8 +301,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/payment-methods/:pmtMethodId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -271,6 +320,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgPmtMethods({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        pmtMethodId: req.params.pmtMethodId
@ -280,8 +330,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "GET",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -295,6 +348,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgTaxIds({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -303,8 +357,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids",
    method: "POST",
+    url: "/:organizationId/billing-details/tax-ids",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -322,6 +379,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.addOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        type: req.body.type,
@ -332,8 +390,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/billing-details/tax-ids/:taxId",
    method: "DELETE",
+    url: "/:organizationId/billing-details/tax-ids/:taxId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -348,6 +409,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        taxId: req.params.taxId
@ -357,8 +419,11 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
  });

  server.route({
-    url: "/:organizationId/invoices",
    method: "GET",
+    url: "/:organizationId/invoices",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -373,15 +438,19 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod
      });
      return data;
    }
  });

  server.route({
-    url: "/:organizationId/licenses",
    method: "GET",
+    url: "/:organizationId/licenses",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -396,6 +465,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -1,6 +1,8 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

-import { OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,12 +10,25 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim(),
+        slug: z
+          .string()
+          .min(1)
+          .trim()
+          .refine(
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved"
+          )
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
@ -30,6 +45,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -39,13 +55,26 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
        roleId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim().optional(),
+        slug: z
+          .string()
+          .trim()
+          .optional()
+          .refine(
+            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved."
+          )
+          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim().optional(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
@ -63,6 +92,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.params.organizationId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -72,6 +102,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim(),
@ -89,6 +122,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -98,6 +132,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -117,6 +154,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const roles = await server.services.orgRole.listRoles(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -126,6 +164,9 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:organizationId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        organizationId: z.string().trim()
@ -142,6 +183,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.orgRole.getUserPermission(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { permissions, membership };
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -1,6 +1,7 @@
 import { z } from "zod";

 import { ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -8,6 +9,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -31,6 +35,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -40,6 +45,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "PATCH",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@ -65,6 +73,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.params.projectId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -74,6 +83,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "DELETE",
    url: "/:projectId/roles/:roleId",
+    config: {
+      rateLimit: writeLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim(),
@ -92,6 +104,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -101,6 +114,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/roles",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -121,6 +137,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.type,
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -130,6 +147,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:projectId/permissions",
+    config: {
+      rateLimit: readLimit
+    },
    schema: {
      params: z.object({
        projectId: z.string().trim()
@ -137,7 +157,13 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          data: z.object({
-            membership: ProjectMembershipsSchema,
+            membership: ProjectMembershipsSchema.extend({
+              roles: z
+                .object({
+                  role: z.string()
+                })
+                .array()
+            }),
            permissions: z.any().array()
          })
        })
@ -148,8 +174,10 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.projectRole.getUserPermission(
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
+
      return { data: { permissions, membership } };
    }
  });
--- a/Show More
+++ b/Show More