Fix: Email signup and switching organization

Fix: Rebase error
parent 10a292bca563efbe5972d7ffc33ee4b96a868e42
2025-03-22 13:07:43 +00:00 · 2024-03-15 16:53:01 +01:00 · 2024-03-15 16:53:01 +01:00 · 2024-03-15 16:53:01 +01:00 · 2024-03-15 16:53:01 +01:00 · 2024-03-15 16:53:01 +01:00
314 changed files with 12090 additions and 3471 deletions
--- a/.env.example
+++ b/.env.example
@ -4,7 +4,7 @@
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

 # Required
-DB_CONNECTION_URI=postgres://infisical:infisical@db:5432/infisical
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}

 # JWT
 # Required secrets to sign JWT tokens
--- a/.github/resources/changelog-generator.py
+++ b/.github/resources/changelog-generator.py
@ -12,7 +12,7 @@ import uuid
 REPO_OWNER = "infisical"
 REPO_NAME = "infisical"
 TOKEN = os.environ["GITHUB_TOKEN"]
-# SLACK_WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
+SLACK_WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
 OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
 SLACK_MSG_COLOR = "#36a64f"

@ -30,6 +30,23 @@ def set_multiline_output(name, value):
        print(value, file=fh)
        print(delimiter, file=fh)

+def post_changelog_to_slack(changelog, tag):
+    slack_payload = {
+        "text": "Hey team, it's changelog time! :wave:",
+        "attachments": [
+            {
+                "color": SLACK_MSG_COLOR,
+                "title": f"🗓️Infisical Changelog - {tag}",
+                "text": changelog,
+            }
+        ],
+    }
+
+    response = requests.post(SLACK_WEBHOOK_URL, json=slack_payload)
+
+    if response.status_code != 200:
+        raise Exception("Failed to post changelog to Slack.")
+
 def find_previous_release_tag(release_tag:str):
    previous_tag = subprocess.check_output(["git", "describe", "--tags", "--abbrev=0", f"{release_tag}^"]).decode("utf-8").strip()
    while not(previous_tag.startswith("infisical/")):
@ -123,20 +140,17 @@ The changelog should:
 6. Linear Links: note that the Linear link is optional, include it only if provided.
 7. Do not wrap your answer in a codeblock. Just output the text, nothing else
 Here's a good example to follow, please try to match the formatting as closely as possible, only changing the content of the changelog and have some liberty with the introduction. Notice the importance of the formatting of a changelog item:
-```
- <https://github.com/facebook/react/pull/27304/|#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/|WEB-1234>))
-```
+- <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>))
 And here's an example of the full changelog:
-```
+
 *Features*
-• <https://github.com/facebook/react/pull/27304/|#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/|WEB-1234>)
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)
 *Fixes & Improvements*
-• <https://github.com/facebook/react/pull/27304/|#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/|WEB-1234>)
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)
 *Technical Updates*
-• <https://github.com/facebook/react/pull/27304/|#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/|WEB-1234>)
+• <https://github.com/facebook/react/pull/27304/%7C#27304>: We optimize our ci to strip comments and minify production builds. (<https://linear.app/example/issue/WEB-1234/%7CWEB-1234>)

 Stay tuned for more exciting updates coming soon!
-```
 And here are the commits:
 {}
    """.format(
@ -166,11 +180,11 @@ if __name__ == "__main__":
        pr_details = extract_commit_details_from_prs(prs)

        # Generate changelog
-        changelog = f"## Infisical - {latest_tag}\n\n{generate_changelog_with_openai(pr_details)}"
+        changelog = generate_changelog_with_openai(pr_details)

+        post_changelog_to_slack(changelog,latest_tag)
        # Print or post changelog to Slack
-        set_multiline_output("changelog", changelog)
+        # set_multiline_output("changelog", changelog)

    except Exception as e:
-        print(str(e))
-
+        print(str(e))
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -27,7 +27,7 @@ infisical:
  deploymentAnnotations:
    secrets.infisical.com/auto-reload: "true"

-  kubeSecretRef: "infisical-gamma-secrets"
+  kubeSecretRef: "managed-secret"

 ingress:
  ## @param ingress.enabled Enable ingress
--- a/.github/workflows/generate-release-changelog.yml
+++ b/.github/workflows/generate-release-changelog.yml
@ -2,14 +2,21 @@ name: Generate Changelog
 permissions:
  contents: write

-on: [workflow_dispatch]
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "infisical/v*.*.*-postgres"

 jobs:
  generate_changelog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
@ -24,13 +31,4 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-      - name: Set git identity
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@infisical.noreply.github.com'
-      - name: Save the changelog to file
-        run: | 
-          echo "${{ steps.gen-changelog.outputs.changelog }}" >> CHANGELOG.md
-          git add CHANGELOG.md
-          git commit -m "chore: changelog update" --no-verify
-          git push origin main
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -23,6 +23,8 @@ jobs:
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
      - run: git fetch --force --tags
      - run: echo "Ref name ${{github.ref_name}}"
      - uses: actions/setup-go@v3
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -190,10 +190,34 @@ dockers:
  - dockerfile: docker/alpine
    goos: linux
    goarch: amd64
+    use: buildx
    ids:
      - all-other-builds
    image_templates:
-      - "infisical/cli:{{ .Version }}"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}"
-      - "infisical/cli:{{ .Major }}"
-      - "infisical/cli:latest"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"
--- a/3
+++ b/3
@ -7,6 +7,9 @@ push:
 up-dev:
 	docker compose -f docker-compose.dev.yml up --build

+up-dev-ldap:
+	docker compose -f docker-compose.dev.yml --profile ldap up --build
+
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build

--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -10,7 +10,7 @@ import { seedData1 } from "@app/db/seed-data";
 import { initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";

 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
@ -52,6 +52,8 @@ export default {
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: seedData1.id,
          tokenVersionId: seedData1.token.id,
+          authMethod: AuthMethod.EMAIL,
+          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
        cfg.AUTH_SECRET,
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -70,6 +70,7 @@
    "vitest": "^1.2.2"
  },
  "dependencies": {
+    "@aws-sdk/client-iam": "^3.525.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
    "@casl/ability": "^6.5.0",
    "@fastify/cookie": "^9.3.1",
@ -106,6 +107,7 @@
    "knex": "^3.0.1",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
+    "ms": "^2.1.3",
    "mysql2": "^3.9.1",
    "nanoid": "^5.0.4",
    "nodemailer": "^6.9.9",
@ -113,7 +115,9 @@
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
+    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
+    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
    "posthog-node": "^3.6.2",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -3,6 +3,7 @@ import "fastify";
 import { TUsers } from "@app/db/schemas";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
+import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
@ -18,7 +19,7 @@ import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@ -58,6 +59,7 @@ declare module "fastify" {
    // identity injection. depending on which kinda of token the information is filled in auth
    auth: TAuthMode;
    permission: {
+      authMethod: ActorAuthMethod;
      type: ActorType;
      id: string;
      orgId?: string;
@ -69,6 +71,7 @@ declare module "fastify" {
    };
    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
  }

  interface FastifyInstance {
@ -107,6 +110,7 @@ declare module "fastify" {
      snapshot: TSecretSnapshotServiceFactory;
      saml: TSamlConfigServiceFactory;
      scim: TScimServiceFactory;
+      ldap: TLdapConfigServiceFactory;
      auditLog: TAuditLogServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -32,6 +32,9 @@ import {
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
+  TIdentityProjectMembershipRole,
+  TIdentityProjectMembershipRoleInsert,
+  TIdentityProjectMembershipRoleUpdate,
  TIdentityProjectMemberships,
  TIdentityProjectMembershipsInsert,
  TIdentityProjectMembershipsUpdate,
@ -50,6 +53,9 @@ import {
  TIntegrations,
  TIntegrationsInsert,
  TIntegrationsUpdate,
+  TLdapConfigs,
+  TLdapConfigsInsert,
+  TLdapConfigsUpdate,
  TOrganizations,
  TOrganizationsInsert,
  TOrganizationsUpdate,
@ -80,6 +86,9 @@ import {
  TProjects,
  TProjectsInsert,
  TProjectsUpdate,
+  TProjectUserMembershipRoles,
+  TProjectUserMembershipRolesInsert,
+  TProjectUserMembershipRolesUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -161,6 +170,9 @@ import {
  TUserActions,
  TUserActionsInsert,
  TUserActionsUpdate,
+  TUserAliases,
+  TUserAliasesInsert,
+  TUserAliasesUpdate,
  TUserEncryptionKeys,
  TUserEncryptionKeysInsert,
  TUserEncryptionKeysUpdate,
@ -175,6 +187,7 @@ import {
 declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
+    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
      TUserEncryptionKeys,
      TUserEncryptionKeysInsert,
@ -214,6 +227,11 @@ declare module "knex/types/tables" {
      TProjectEnvironmentsUpdate
    >;
    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
+    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
+      TProjectUserMembershipRoles,
+      TProjectUserMembershipRolesInsert,
+      TProjectUserMembershipRolesUpdate
+    >;
    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
@ -265,6 +283,11 @@ declare module "knex/types/tables" {
      TIdentityProjectMembershipsInsert,
      TIdentityProjectMembershipsUpdate
    >;
+    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
+      TIdentityProjectMembershipRole,
+      TIdentityProjectMembershipRoleInsert,
+      TIdentityProjectMembershipRoleUpdate
+    >;
    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
      TSecretApprovalPolicies,
@ -318,6 +341,7 @@ declare module "knex/types/tables" {
      TSecretSnapshotFoldersUpdate
    >;
    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
+    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
    [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -6,6 +6,13 @@ export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnection
    client: "pg",
    connection: {
      connectionString: dbConnectionUri,
+      host: process.env.DB_HOST,
+      // @ts-expect-error I have no clue why only for the port there is a type error
+      // eslint-disable-next-line
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: dbRootCert
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -7,18 +7,22 @@ import path from "path";

 // Update with your config settings. .
 dotenv.config({
-  path: path.join(__dirname, "../../../.env.migration"),
-  debug: true
+  path: path.join(__dirname, "../../../.env.migration")
 });
 dotenv.config({
-  path: path.join(__dirname, "../../../.env"),
-  debug: true
+  path: path.join(__dirname, "../../../.env")
 });
+
 export default {
  development: {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
@ -41,6 +45,11 @@ export default {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/migrations/20240307232900_integration-last-used.ts
+++ b/backend/src/db/migrations/20240307232900_integration-last-used.ts
@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    t.datetime("lastUsed");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    t.dropColumn("lastUsed");
+  });
+}
--- a/backend/src/db/migrations/20240311210135_ldap-config.ts
+++ b/backend/src/db/migrations/20240311210135_ldap-config.ts
@ -0,0 +1,68 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.LdapConfig))) {
+    await knex.schema.createTable(TableName.LdapConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable().unique();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.boolean("isActive").notNullable();
+      t.string("url").notNullable();
+      t.string("encryptedBindDN").notNullable();
+      t.string("bindDNIV").notNullable();
+      t.string("bindDNTag").notNullable();
+      t.string("encryptedBindPass").notNullable();
+      t.string("bindPassIV").notNullable();
+      t.string("bindPassTag").notNullable();
+      t.string("searchBase").notNullable();
+      t.text("encryptedCACert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.LdapConfig);
+
+  if (!(await knex.schema.hasTable(TableName.UserAliases))) {
+    await knex.schema.createTable(TableName.UserAliases, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.string("username").notNullable();
+      t.string("aliasType").notNullable();
+      t.string("externalId").notNullable();
+      t.specificType("emails", "text[]");
+      t.uuid("orgId").nullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.UserAliases);
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.string("username").unique();
+    t.string("email").nullable().alter();
+    t.dropUnique(["email"]);
+  });
+
+  await knex(TableName.Users).update("username", knex.ref("email"));
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.string("username").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.LdapConfig);
+  await knex.schema.dropTableIfExists(TableName.UserAliases);
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    t.dropColumn("username");
+    // t.string("email").notNullable().alter();
+  });
+  await dropOnUpdateTrigger(knex, TableName.LdapConfig);
+}
--- a/backend/src/db/migrations/20240312162549_temp-roles.ts
+++ b/backend/src/db/migrations/20240312162549_temp-roles.ts
@ -0,0 +1,50 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.ProjectUserMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.ProjectUserMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+
+  const projectMemberships = await knex(TableName.ProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.ProjectMembership).as("customRoleId")
+  );
+  if (projectMemberships.length)
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      projectMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // will be dropped later
+  // await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ProjectUserMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+}
--- a/backend/src/db/migrations/20240312162556_temp-role-identity.ts
+++ b/backend/src/db/migrations/20240312162556_temp-role-identity.ts
@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.IdentityProjectMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.IdentityProjectMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId")
+        .references("id")
+        .inTable(TableName.IdentityProjectMembership)
+        .onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+
+  const identityMemberships = await knex(TableName.IdentityProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.IdentityProjectMembership).as("customRoleId")
+  );
+  if (identityMemberships.length)
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identityMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityProjectMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+}
--- a/backend/src/db/schemas/identity-project-membership-role.ts
+++ b/backend/src/db/schemas/identity-project-membership-role.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProjectMembershipRoleSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProjectMembershipRole = z.infer<typeof IdentityProjectMembershipRoleSchema>;
+export type TIdentityProjectMembershipRoleInsert = Omit<
+  z.input<typeof IdentityProjectMembershipRoleSchema>,
+  TImmutableDBKeys
+>;
+export type TIdentityProjectMembershipRoleUpdate = Partial<
+  Omit<z.input<typeof IdentityProjectMembershipRoleSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -8,12 +8,14 @@ export * from "./git-app-org";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-org-memberships";
+export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./ldap-configs";
 export * from "./models";
 export * from "./org-bots";
 export * from "./org-memberships";
@ -24,6 +26,7 @@ export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
+export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./saml-configs";
 export * from "./scim-tokens";
@ -52,6 +55,7 @@ export * from "./service-tokens";
 export * from "./super-admin";
 export * from "./trusted-ips";
 export * from "./user-actions";
+export * from "./user-aliases";
 export * from "./user-encryption-keys";
 export * from "./users";
 export * from "./webhooks";
--- a/backend/src/db/schemas/integrations.ts
+++ b/backend/src/db/schemas/integrations.ts
@ -27,7 +27,8 @@ export const IntegrationsSchema = z.object({
  envId: z.string().uuid(),
  secretPath: z.string().default("/"),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  lastUsed: z.date().nullable().optional()
 });

 export type TIntegrations = z.infer<typeof IntegrationsSchema>;
--- a/backend/src/db/schemas/ldap-configs.ts
+++ b/backend/src/db/schemas/ldap-configs.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const LdapConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  isActive: z.boolean(),
+  url: z.string(),
+  encryptedBindDN: z.string(),
+  bindDNIV: z.string(),
+  bindDNTag: z.string(),
+  encryptedBindPass: z.string(),
+  bindPassIV: z.string(),
+  bindPassTag: z.string(),
+  searchBase: z.string(),
+  encryptedCACert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;
+export type TLdapConfigsInsert = Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>;
+export type TLdapConfigsUpdate = Partial<Omit<z.input<typeof LdapConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
+  UserAliases = "user_aliases",
  UserEncryptionKey = "user_encryption_keys",
  AuthTokens = "auth_tokens",
  AuthTokenSession = "auth_token_sessions",
@ -19,6 +20,7 @@ export enum TableName {
  Environment = "project_environments",
  ProjectMembership = "project_memberships",
  ProjectRoles = "project_roles",
+  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  Secret = "secrets",
  SecretBlindIndex = "secret_blind_indexes",
@ -40,6 +42,7 @@ export enum TableName {
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
+  IdentityProjectMembershipRole = "identity_project_membership_role",
  ScimToken = "scim_tokens",
  SecretApprovalPolicy = "secret_approval_policies",
  SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
@ -50,6 +53,7 @@ export enum TableName {
  SecretRotation = "secret_rotations",
  SecretRotationOutput = "secret_rotation_outputs",
  SamlConfig = "saml_configs",
+  LdapConfig = "ldap_configs",
  AuditLog = "audit_logs",
  GitAppInstallSession = "git_app_install_sessions",
  GitAppOrg = "git_app_org",
--- a/backend/src/db/schemas/project-user-membership-roles.ts
+++ b/backend/src/db/schemas/project-user-membership-roles.ts
@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectUserMembershipRolesSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectUserMembershipRoles = z.infer<typeof ProjectUserMembershipRolesSchema>;
+export type TProjectUserMembershipRolesInsert = Omit<
+  z.input<typeof ProjectUserMembershipRolesSchema>,
+  TImmutableDBKeys
+>;
+export type TProjectUserMembershipRolesUpdate = Partial<
+  Omit<z.input<typeof ProjectUserMembershipRolesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const UserAliasesSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  username: z.string(),
+  aliasType: z.string(),
+  externalId: z.string(),
+  emails: z.string().array().nullable().optional(),
+  orgId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TUserAliases = z.infer<typeof UserAliasesSchema>;
+export type TUserAliasesInsert = Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>;
+export type TUserAliasesUpdate = Partial<Omit<z.input<typeof UserAliasesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/users.ts
+++ b/backend/src/db/schemas/users.ts
@ -9,7 +9,7 @@ import { TImmutableDBKeys } from "./models";

 export const UsersSchema = z.object({
  id: z.string().uuid(),
-  email: z.string(),
+  email: z.string().nullable().optional(),
  authMethods: z.string().array().nullable().optional(),
  superAdmin: z.boolean().default(false).nullable().optional(),
  firstName: z.string().nullable().optional(),
@ -20,7 +20,8 @@ export const UsersSchema = z.object({
  devices: z.unknown().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  isGhost: z.boolean().default(false)
+  isGhost: z.boolean().default(false),
+  username: z.string()
 });

 export type TUsers = z.infer<typeof UsersSchema>;
--- a/backend/src/db/seed-data.ts
+++ b/backend/src/db/seed-data.ts
@ -21,6 +21,7 @@ export let userPublicKey: string | undefined;

 export const seedData1 = {
  id: "3dafd81d-4388-432b-a4c5-f735616868c1",
+  username: process.env.TEST_USER_USERNAME || "test@localhost.local",
  email: process.env.TEST_USER_EMAIL || "test@localhost.local",
  password: process.env.TEST_USER_PASSWORD || "testInfisical@1",
  organization: {
--- a/backend/src/db/seeds/1-user.ts
+++ b/backend/src/db/seeds/1-user.ts
@ -9,7 +9,12 @@ export async function seed(knex: Knex): Promise<void> {
  await knex(TableName.Users).del();
  await knex(TableName.UserEncryptionKey).del();
  await knex(TableName.SuperAdmin).del();
-  await knex(TableName.SuperAdmin).insert([{ initialized: true, allowSignUp: true }]);
+
+  await knex(TableName.SuperAdmin).insert([
+    // eslint-disable-next-line
+    // @ts-ignore
+    { id: "00000000-0000-0000-0000-000000000000", initialized: true, allowSignUp: true }
+  ]);
  // Inserts seed entries
  const [user] = await knex(TableName.Users)
    .insert([
@ -17,6 +22,7 @@ export async function seed(knex: Knex): Promise<void> {
        // eslint-disable-next-line
        // @ts-ignore
        id: seedData1.id,
+        username: seedData1.username,
        email: seedData1.email,
        superAdmin: true,
        firstName: "test",
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@ -4,7 +4,7 @@ import { Knex } from "knex";

 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";

-import { OrgMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
@ -30,10 +30,16 @@ export async function seed(knex: Knex): Promise<void> {
    })
    .returning("*");

-  await knex(TableName.ProjectMembership).insert({
-    projectId: project.id,
-    role: OrgMembershipRole.Admin,
-    userId: seedData1.id
+  const projectMembership = await knex(TableName.ProjectMembership)
+    .insert({
+      projectId: project.id,
+      userId: seedData1.id,
+      role: ProjectMembershipRole.Admin
+    })
+    .returning("*");
+  await knex(TableName.ProjectUserMembershipRole).insert({
+    role: ProjectMembershipRole.Admin,
+    projectMembershipId: projectMembership[0].id
  });

  const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
--- a/backend/src/db/seeds/4-machine-identity.ts
+++ b/backend/src/db/seeds/4-machine-identity.ts
@ -75,9 +75,16 @@ export async function seed(knex: Knex): Promise<void> {
    }
  ]);

-  await knex(TableName.IdentityProjectMembership).insert({
-    identityId: seedData1.machineIdentity.id,
+  const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
+    .insert({
+      identityId: seedData1.machineIdentity.id,
+      projectId: seedData1.project.id,
+      role: ProjectMembershipRole.Admin
+    })
+    .returning("*");
+
+  await knex(TableName.IdentityProjectMembershipRole).insert({
    role: ProjectMembershipRole.Admin,
-    projectId: seedData1.project.id
+    projectMembershipId: identityProjectMembership[0].id
  });
 }
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,3 +1,4 @@
+import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOrgRoleRouter } from "./org-role-router";
 import { registerProjectRoleRouter } from "./project-role-router";
@ -35,6 +36,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  });
  await server.register(registerSamlRouter, { prefix: "/sso" });
  await server.register(registerScimRouter, { prefix: "/scim" });
+  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -0,0 +1,197 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+// All the any rules are disabled because passport typesense with fastify is really poor
+
+import { IncomingMessage } from "node:http";
+
+import { Authenticator } from "@fastify/passport";
+import fastifySession from "@fastify/session";
+import { FastifyRequest } from "fastify";
+import LdapStrategy from "passport-ldapauth";
+import { z } from "zod";
+
+import { LdapConfigsSchema } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerLdapRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+  const passport = new Authenticator({ key: "ldap", userProperty: "passportUser" });
+  await server.register(fastifySession, { secret: appCfg.COOKIE_SECRET_SIGN_KEY });
+  await server.register(passport.initialize());
+  await server.register(passport.secureSession());
+
+  const getLdapPassportOpts = (req: FastifyRequest, done: any) => {
+    const { organizationSlug } = req.body as {
+      organizationSlug: string;
+    };
+
+    process.nextTick(async () => {
+      try {
+        const { opts, ldapConfig } = await server.services.ldap.bootLdap(organizationSlug);
+        req.ldapConfig = ldapConfig;
+        done(null, opts);
+      } catch (err) {
+        done(err);
+      }
+    });
+  };
+
+  passport.use(
+    new LdapStrategy(
+      getLdapPassportOpts as any,
+      // eslint-disable-next-line
+      async (req: IncomingMessage, user, cb) => {
+        try {
+          const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            externalId: user.uidNumber,
+            username: user.uid,
+            firstName: user.givenName,
+            lastName: user.sn,
+            emails: user.mail ? [user.mail] : [],
+            relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
+            orgId: (req as unknown as FastifyRequest).ldapConfig.organization
+          });
+
+          return cb(null, { isUserCompleted, providerAuthToken });
+        } catch (err) {
+          logger.error(err);
+          return cb(err, false);
+        }
+      }
+    )
+  );
+
+  server.route({
+    url: "/login",
+    method: "POST",
+    schema: {
+      body: z.object({
+        organizationSlug: z.string().trim()
+      })
+    },
+    preValidation: passport.authenticate("ldapauth", {
+      session: false
+      // failureFlash: true,
+      // failureRedirect: "/login/provider/error"
+      // this is due to zod type difference
+    }) as any,
+    handler: (req, res) => {
+      let nextUrl;
+      if (req.passportUser.isUserCompleted) {
+        nextUrl = `${appCfg.SITE_URL}/login/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
+      } else {
+        nextUrl = `${appCfg.SITE_URL}/signup/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`;
+      }
+
+      return res.status(200).send({
+        nextUrl
+      });
+    }
+  });
+
+  server.route({
+    url: "/config",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      querystring: z.object({
+        organizationId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          organization: z.string(),
+          isActive: z.boolean(),
+          url: z.string(),
+          bindDN: z.string(),
+          bindPass: z.string(),
+          searchBase: z.string(),
+          caCert: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.getLdapCfgWithPermissionCheck({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.query.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+      return ldap;
+    }
+  });
+
+  server.route({
+    url: "/config",
+    method: "POST",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z.object({
+        organizationId: z.string().trim(),
+        isActive: z.boolean(),
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        searchBase: z.string().trim(),
+        caCert: z.string().trim().default("")
+      }),
+      response: {
+        200: LdapConfigsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.createLdapCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return ldap;
+    }
+  });
+
+  server.route({
+    url: "/config",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z
+        .object({
+          isActive: z.boolean(),
+          url: z.string().trim(),
+          bindDN: z.string().trim(),
+          bindPass: z.string().trim(),
+          searchBase: z.string().trim(),
+          caCert: z.string().trim()
+        })
+        .partial()
+        .merge(z.object({ organizationId: z.string() })),
+      response: {
+        200: LdapConfigsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldap = await server.services.ldap.updateLdapCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return ldap;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@ -24,6 +24,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        billingCycle: req.query.billingCycle
      });
      return data;
@ -45,6 +46,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return { plan };
@ -66,6 +68,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgPlan({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -89,6 +93,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        success_url: req.body.success_url
      });
      return data;
@ -110,6 +115,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -131,6 +137,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -152,6 +159,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -173,6 +181,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -198,6 +207,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        name: req.body.name,
        email: req.body.email
@ -221,6 +231,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
@ -246,6 +257,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        success_url: req.body.success_url,
        cancel_url: req.body.cancel_url
@ -271,6 +283,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgPmtMethods({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        pmtMethodId: req.params.pmtMethodId
@ -295,6 +308,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.getOrgTaxIds({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -322,6 +336,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.addOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        type: req.body.type,
@ -348,6 +363,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
      const data = await server.services.license.delOrgTaxId({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        taxId: req.params.taxId
@ -373,7 +389,8 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod
      });
      return data;
    }
@ -396,6 +413,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId
      });
      return data;
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -1,6 +1,7 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

-import { OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@ -13,7 +14,17 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        organizationId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim(),
+        slug: z
+          .string()
+          .min(1)
+          .trim()
+          .refine(
+            (val) => Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved"
+          )
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
@ -30,6 +41,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -45,7 +57,17 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        roleId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim().optional(),
+        slug: z
+          .string()
+          .trim()
+          .optional()
+          .refine(
+            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved."
+          )
+          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim().optional(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
@ -63,6 +85,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.params.organizationId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -89,6 +112,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -117,6 +141,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const roles = await server.services.orgRole.listRoles(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -142,6 +167,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.orgRole.getUserPermission(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { permissions, membership };
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -31,6 +31,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -65,6 +66,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.params.projectId,
        req.params.roleId,
        req.body,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -92,6 +94,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.projectId,
        req.params.roleId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { role };
@ -121,6 +124,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.type,
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { roles } };
@ -148,6 +152,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      const { permissions, membership } = await server.services.projectRole.getUserPermission(
        req.permission.id,
        req.params.projectId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { data: { permissions, membership } };
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -37,6 +37,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const secretSnapshots = await server.services.snapshot.listSnapshots({
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
@ -68,6 +69,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const count = await server.services.snapshot.projectSecretSnapshotCount({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        environment: req.query.environment,
@ -129,6 +131,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const auditLogs = await server.services.auditLog.listProjectAuditLogs({
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.query,
        auditLogActor: req.query.actor,
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -99,14 +99,14 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      async (req, profile, cb) => {
        try {
          if (!profile) throw new BadRequestError({ message: "Missing profile" });
-          const { firstName } = profile;
          const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved

-          if (!email || !firstName) {
+          if (!profile.email || !profile.firstName) {
            throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
          }

          const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
+            username: profile.nameID ?? email,
            email,
            firstName: profile.firstName as string,
            lastName: profile.lastName as string,
@ -231,6 +231,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.query.organizationId,
        type: "org"
      });
@ -259,6 +260,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.createSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
@ -290,6 +292,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      const saml = await server.services.saml.updateSamlCfg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
        ...req.body
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@ -39,6 +39,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId,
+        actorAuthMethod: req.permission.authMethod,
        description: req.body.description,
        ttlDays: req.body.ttlDays
      });
@ -65,6 +66,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
      const scimTokens = await server.services.scim.listScimTokens({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.query.organizationId
      });
@ -92,6 +94,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        scimTokenId: req.params.scimTokenId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });

@ -122,7 +125,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
              emails: z.array(
                z.object({
                  primary: z.boolean(),
-                  value: z.string().email(),
+                  value: z.string(),
                  type: z.string().trim()
                })
              ),
@ -168,7 +171,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          emails: z.array(
            z.object({
              primary: z.boolean(),
-              value: z.string().email(),
+              value: z.string(),
              type: z.string().trim()
            })
          ),
@ -198,13 +201,15 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          familyName: z.string().trim(),
          givenName: z.string().trim()
        }),
-        // emails: z.array( // optional?
-        //   z.object({
-        //     primary: z.boolean(),
-        //     value: z.string().email(),
-        //     type: z.string().trim()
-        //   })
-        // ),
+        emails: z
+          .array(
+            z.object({
+              primary: z.boolean(),
+              value: z.string().email(),
+              type: z.string().trim()
+            })
+          )
+          .optional(),
        // displayName: z.string().trim(),
        active: z.boolean()
      }),
@ -231,8 +236,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
+      const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
+
      const user = await req.server.services.scim.createScimUser({
-        email: req.body.userName,
+        username: req.body.userName,
+        email: primaryEmail,
        firstName: req.body.name.givenName,
        lastName: req.body.name.familyName,
        orgId: req.permission.orgId as string
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -34,6 +34,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body,
@ -72,6 +73,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        secretPolicyId: req.params.sapId
@ -98,6 +100,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        secretPolicyId: req.params.sapId
      });
@ -123,6 +126,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const approvals = await server.services.secretApprovalPolicy.getSecretApprovalPolicyByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -150,6 +154,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
      const policy = await server.services.secretApprovalPolicy.getSecretApprovalPolicyOfFolder({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId,
        ...req.query
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -52,6 +52,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.getSecretApprovals({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@ -81,6 +82,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approvals = await server.services.secretApprovalRequest.requestCount({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -106,6 +108,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const { approval } = await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id
      });
@ -134,6 +137,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const review = await server.services.secretApprovalRequest.reviewApproval({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@ -163,6 +167,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.updateApprovalStatus({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        approvalId: req.params.id,
        status: req.body.status
@ -271,6 +276,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
      const approval = await server.services.secretApprovalRequest.getSecretApprovalDetails({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-provider-router.ts
@ -30,6 +30,7 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
      const providers = await server.services.secretRotation.getProviderTemplates({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
--- a/backend/src/ee/routes/v1/secret-rotation-router.ts
+++ b/backend/src/ee/routes/v1/secret-rotation-router.ts
@ -39,6 +39,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
    handler: async (req) => {
      const secretRotation = await server.services.secretRotation.createRotation({
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        ...req.body,
@ -74,6 +75,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.restartById({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.body.id
      });
@ -125,6 +127,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotations = await server.services.secretRotation.getByProjectId({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.query.workspaceId
      });
@ -158,6 +161,7 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
      const secretRotation = await server.services.secretRotation.deleteById({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        rotationId: req.params.id
      });
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -22,6 +22,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const session = await server.services.secretScanning.createInstallationSession({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId
      });
@ -46,6 +47,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { installatedApp } = await server.services.secretScanning.linkInstallationToOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@ -67,6 +69,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const appInstallationCompleted = await server.services.secretScanning.getOrgInstallationStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -88,6 +91,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risks } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId
      });
@ -110,6 +114,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
      const { risk } = await server.services.secretScanning.updateRiskStatus({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        riskId: req.params.riskId,
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@ -27,6 +27,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
      const secretVersions = await server.services.secret.getSecretVersions({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        limit: req.query.limit,
        offset: req.query.offset,
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@ -46,6 +46,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.getSnapshotData({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
@ -78,6 +79,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
      const secretSnapshot = await server.services.snapshot.rollbackSnapshot({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
--- a/backend/src/ee/routes/v1/trusted-ip-router.ts
+++ b/backend/src/ee/routes/v1/trusted-ip-router.ts
@ -22,6 +22,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const trustedIps = await server.services.trustedIp.listIpsByProjectId({
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -52,6 +53,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { trustedIp, project } = await server.services.trustedIp.addProjectIp({
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
@ -99,6 +101,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId,
        ...req.body
@ -140,6 +143,7 @@ export const registerTrustedIpRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        trustedIpId: req.params.trustedIpId
      });
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -31,10 +31,17 @@ export const auditLogServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    projectId,
    auditLogActor
  }: TListProjectAuditLogDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    const auditLogs = await auditLogDAL.find({
      startDate,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -92,7 +92,8 @@ export enum EventType {

 interface UserActorMetadata {
  userId: string;
-  email: string;
+  email?: string | null;
+  username: string;
 }

 interface ServiceActorMetadata {
--- a/backend/src/ee/services/ldap-config/ldap-config-dal.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-dal.ts
@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TLdapConfigDALFactory = ReturnType<typeof ldapConfigDALFactory>;
+
+export const ldapConfigDALFactory = (db: TDbClient) => {
+  const ldapCfgOrm = ormify(db, TableName.LdapConfig);
+
+  return { ...ldapCfgOrm };
+};
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -0,0 +1,437 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
+import {
+  decryptSymmetric,
+  encryptSymmetric,
+  generateAsymmetricKeyPair,
+  generateSymmetricKey,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+import { TOrgPermission } from "@app/lib/types";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
+import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";
+import { normalizeUsername } from "@app/services/user/user-fns";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
+
+import { TLicenseServiceFactory } from "../license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TLdapConfigDALFactory } from "./ldap-config-dal";
+import { TCreateLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";
+
+type TLdapConfigServiceFactoryDep = {
+  ldapConfigDAL: TLdapConfigDALFactory;
+  orgDAL: Pick<
+    TOrgDALFactory,
+    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
+  >;
+  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
+  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
+  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
+
+export const ldapConfigServiceFactory = ({
+  ldapConfigDAL,
+  orgDAL,
+  orgBotDAL,
+  userDAL,
+  userAliasDAL,
+  permissionService,
+  licenseService
+}: TLdapConfigServiceFactoryDep) => {
+  const createLdapCfg = async ({
+    actor,
+    actorId,
+    orgId,
+    actorOrgId,
+    actorAuthMethod,
+    isActive,
+    url,
+    bindDN,
+    bindPass,
+    searchBase,
+    caCert
+  }: TCreateLdapCfgDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message:
+          "Failed to create LDAP configuration due to plan restriction. Upgrade plan to create LDAP configuration."
+      });
+
+    const orgBot = await orgBotDAL.transaction(async (tx) => {
+      const doc = await orgBotDAL.findOne({ orgId }, tx);
+      if (doc) return doc;
+
+      const { privateKey, publicKey } = generateAsymmetricKeyPair();
+      const key = generateSymmetricKey();
+      const {
+        ciphertext: encryptedPrivateKey,
+        iv: privateKeyIV,
+        tag: privateKeyTag,
+        encoding: privateKeyKeyEncoding,
+        algorithm: privateKeyAlgorithm
+      } = infisicalSymmetricEncypt(privateKey);
+      const {
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        encoding: symmetricKeyKeyEncoding,
+        algorithm: symmetricKeyAlgorithm
+      } = infisicalSymmetricEncypt(key);
+
+      return orgBotDAL.create(
+        {
+          name: "Infisical org bot",
+          publicKey,
+          privateKeyIV,
+          encryptedPrivateKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          encryptedSymmetricKey,
+          symmetricKeyAlgorithm,
+          orgId,
+          privateKeyTag,
+          privateKeyAlgorithm,
+          privateKeyKeyEncoding,
+          symmetricKeyKeyEncoding
+        },
+        tx
+      );
+    });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { ciphertext: encryptedBindDN, iv: bindDNIV, tag: bindDNTag } = encryptSymmetric(bindDN, key);
+    const { ciphertext: encryptedBindPass, iv: bindPassIV, tag: bindPassTag } = encryptSymmetric(bindPass, key);
+    const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+
+    const ldapConfig = await ldapConfigDAL.create({
+      orgId,
+      isActive,
+      url,
+      encryptedBindDN,
+      bindDNIV,
+      bindDNTag,
+      encryptedBindPass,
+      bindPassIV,
+      bindPassTag,
+      searchBase,
+      encryptedCACert,
+      caCertIV,
+      caCertTag
+    });
+
+    return ldapConfig;
+  };
+
+  const updateLdapCfg = async ({
+    actor,
+    actorId,
+    orgId,
+    actorOrgId,
+    isActive,
+    actorAuthMethod,
+    url,
+    bindDN,
+    bindPass,
+    searchBase,
+    caCert
+  }: TUpdateLdapCfgDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message:
+          "Failed to update LDAP configuration due to plan restriction. Upgrade plan to update LDAP configuration."
+      });
+
+    const updateQuery: TLdapConfigsUpdate = {
+      isActive,
+      url,
+      searchBase
+    };
+
+    const orgBot = await orgBotDAL.findOne({ orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    if (bindDN !== undefined) {
+      const { ciphertext: encryptedBindDN, iv: bindDNIV, tag: bindDNTag } = encryptSymmetric(bindDN, key);
+      updateQuery.encryptedBindDN = encryptedBindDN;
+      updateQuery.bindDNIV = bindDNIV;
+      updateQuery.bindDNTag = bindDNTag;
+    }
+
+    if (bindPass !== undefined) {
+      const { ciphertext: encryptedBindPass, iv: bindPassIV, tag: bindPassTag } = encryptSymmetric(bindPass, key);
+      updateQuery.encryptedBindPass = encryptedBindPass;
+      updateQuery.bindPassIV = bindPassIV;
+      updateQuery.bindPassTag = bindPassTag;
+    }
+
+    if (caCert !== undefined) {
+      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+      updateQuery.encryptedCACert = encryptedCACert;
+      updateQuery.caCertIV = caCertIV;
+      updateQuery.caCertTag = caCertTag;
+    }
+
+    const [ldapConfig] = await ldapConfigDAL.update({ orgId }, updateQuery);
+
+    return ldapConfig;
+  };
+
+  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean }) => {
+    const ldapConfig = await ldapConfigDAL.findOne(filter);
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const orgBot = await orgBotDAL.findOne({ orgId: ldapConfig.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const {
+      encryptedBindDN,
+      bindDNIV,
+      bindDNTag,
+      encryptedBindPass,
+      bindPassIV,
+      bindPassTag,
+      encryptedCACert,
+      caCertIV,
+      caCertTag
+    } = ldapConfig;
+
+    let bindDN = "";
+    if (encryptedBindDN && bindDNIV && bindDNTag) {
+      bindDN = decryptSymmetric({
+        ciphertext: encryptedBindDN,
+        key,
+        tag: bindDNTag,
+        iv: bindDNIV
+      });
+    }
+
+    let bindPass = "";
+    if (encryptedBindPass && bindPassIV && bindPassTag) {
+      bindPass = decryptSymmetric({
+        ciphertext: encryptedBindPass,
+        key,
+        tag: bindPassTag,
+        iv: bindPassIV
+      });
+    }
+
+    let caCert = "";
+    if (encryptedCACert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCACert,
+        key,
+        tag: caCertTag,
+        iv: caCertIV
+      });
+    }
+
+    return {
+      id: ldapConfig.id,
+      organization: ldapConfig.orgId,
+      isActive: ldapConfig.isActive,
+      url: ldapConfig.url,
+      bindDN,
+      bindPass,
+      searchBase: ldapConfig.searchBase,
+      caCert
+    };
+  };
+
+  const getLdapCfgWithPermissionCheck = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TOrgPermission) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
+    return getLdapCfg({
+      orgId
+    });
+  };
+
+  const bootLdap = async (organizationSlug: string) => {
+    const organization = await orgDAL.findOne({ slug: organizationSlug });
+    if (!organization) throw new BadRequestError({ message: "Org not found" });
+
+    const ldapConfig = await getLdapCfg({
+      orgId: organization.id,
+      isActive: true
+    });
+
+    const opts = {
+      server: {
+        url: ldapConfig.url,
+        bindDN: ldapConfig.bindDN,
+        bindCredentials: ldapConfig.bindPass,
+        searchBase: ldapConfig.searchBase,
+        searchFilter: "(uid={{username}})",
+        searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
+        ...(ldapConfig.caCert !== ""
+          ? {
+              tlsOptions: {
+                ca: [ldapConfig.caCert]
+              }
+            }
+          : {})
+      },
+      passReqToCallback: true
+    };
+
+    return { opts, ldapConfig };
+  };
+
+  const ldapLogin = async ({ externalId, username, firstName, lastName, emails, orgId, relayState }: TLdapLoginDTO) => {
+    const appCfg = getConfig();
+    let userAlias = await userAliasDAL.findOne({
+      externalId,
+      orgId,
+      aliasType: AuthMethod.LDAP
+    });
+
+    const organization = await orgDAL.findOrgById(orgId);
+    if (!organization) throw new BadRequestError({ message: "Org not found" });
+
+    if (userAlias) {
+      await userDAL.transaction(async (tx) => {
+        const [orgMembership] = await orgDAL.findMembership({ userId: userAlias.userId }, { tx });
+        if (!orgMembership) {
+          await orgDAL.createMembership(
+            {
+              userId: userAlias.userId,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        } else if (orgMembership.status === OrgMembershipStatus.Invited) {
+          await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+      });
+    } else {
+      userAlias = await userDAL.transaction(async (tx) => {
+        const uniqueUsername = await normalizeUsername(username, userDAL);
+        const newUser = await userDAL.create(
+          {
+            username: uniqueUsername,
+            email: emails[0],
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.LDAP],
+            isGhost: false
+          },
+          tx
+        );
+        const newUserAlias = await userAliasDAL.create(
+          {
+            userId: newUser.id,
+            username,
+            aliasType: AuthMethod.LDAP,
+            externalId,
+            emails,
+            orgId
+          },
+          tx
+        );
+
+        await orgDAL.createMembership(
+          {
+            userId: newUser.id,
+            orgId,
+            role: OrgMembershipRole.Member,
+            status: OrgMembershipStatus.Invited
+          },
+          tx
+        );
+
+        return newUserAlias;
+      });
+    }
+
+    const user = await userDAL.findOne({ id: userAlias.userId });
+
+    const isUserCompleted = Boolean(user.isAccepted);
+
+    const providerAuthToken = jwt.sign(
+      {
+        authTokenType: AuthTokenType.PROVIDER_TOKEN,
+        userId: user.id,
+        username: user.username,
+        firstName,
+        lastName,
+        organizationName: organization.name,
+        organizationId: organization.id,
+        authMethod: AuthMethod.LDAP,
+        isUserCompleted,
+        ...(relayState
+          ? {
+              callbackPort: (JSON.parse(relayState) as { callbackPort: string }).callbackPort
+            }
+          : {})
+      },
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn: appCfg.JWT_PROVIDER_AUTH_LIFETIME
+      }
+    );
+
+    return { isUserCompleted, providerAuthToken };
+  };
+
+  return {
+    createLdapCfg,
+    updateLdapCfg,
+    getLdapCfgWithPermissionCheck,
+    getLdapCfg,
+    // getLdapPassportOpts,
+    ldapLogin,
+    bootLdap
+  };
+};
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@ -0,0 +1,30 @@
+import { TOrgPermission } from "@app/lib/types";
+
+export type TCreateLdapCfgDTO = {
+  isActive: boolean;
+  url: string;
+  bindDN: string;
+  bindPass: string;
+  searchBase: string;
+  caCert: string;
+} & TOrgPermission;
+
+export type TUpdateLdapCfgDTO = Partial<{
+  isActive: boolean;
+  url: string;
+  bindDN: string;
+  bindPass: string;
+  searchBase: string;
+  caCert: string;
+}> &
+  TOrgPermission;
+
+export type TLdapLoginDTO = {
+  externalId: string;
+  username: string;
+  firstName: string;
+  lastName: string;
+  emails: string[];
+  orgId: string;
+  relayState?: string;
+};
--- a/backend/src/ee/services/license/mocks/licence-fns.ts
+++ b/backend/src/ee/services/license/mocks/licence-fns.ts
@ -18,6 +18,8 @@ export const getDefaultOnPremFeatures = () => {
    auditLogs: false,
    auditLogsRetentionDays: 0,
    samlSSO: false,
+    scim: false,
+    ldap: false,
    status: null,
    trial_end: null,
    has_used_trial: true,
--- a/backend/src/ee/services/license/licence-fns.ts
+++ b/backend/src/ee/services/license/licence-fns.ts
@ -25,6 +25,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  auditLogsRetentionDays: 0,
  samlSSO: false,
  scim: false,
+  ldap: false,
  status: null,
  trial_end: null,
  has_used_trial: true,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -147,14 +147,14 @@ export const licenseServiceFactory = ({
    }
  };

-  const generateOrgCustomerId = async (orgName: string, email: string) => {
+  const generateOrgCustomerId = async (orgName: string, email?: string | null) => {
    if (instanceType === InstanceType.Cloud) {
      const {
        data: { customerId }
      } = await licenseServerCloudApi.request.post<{ customerId: string }>(
        "/api/license-server/v1/customers",
        {
-          email,
+          email: email ?? "",
          name: orgName
        },
        { timeout: 5000, signal: AbortSignal.timeout(5000) }
@ -192,9 +192,10 @@ export const licenseServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    billingCycle
  }: TOrgPlansTableDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const { data } = await licenseServerCloudApi.request.get(
      `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
@ -202,15 +203,22 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };

-  const startOrgTrial = async ({ orgId, actorId, actor, actorOrgId, success_url }: TStartOrgTrialDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const startOrgTrial = async ({
+    orgId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    success_url
+  }: TStartOrgTrialDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

@ -231,8 +239,14 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const createOrganizationPortalSession = async ({ orgId, actorId, actor, actorOrgId }: TCreateOrgPortalSession) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createOrganizationPortalSession = async ({
+    orgId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateOrgPortalSession) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

@ -278,8 +292,8 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -295,8 +309,8 @@ export const licenseServiceFactory = ({
  };

  // returns org current plan feature table
-  const getOrgPlanTable = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -311,8 +325,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgBillInfoDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -332,11 +346,12 @@ export const licenseServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    orgId,
    name,
    email
  }: TUpdateOrgBillingDetailsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -355,8 +370,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorOrgId }: TOrgPmtMethodsDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -378,11 +393,12 @@ export const licenseServiceFactory = ({
    orgId,
    actor,
    actorId,
+    actorAuthMethod,
    actorOrgId,
    success_url,
    cancel_url
  }: TAddOrgPmtMethodDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -403,8 +419,15 @@ export const licenseServiceFactory = ({
    return { url };
  };

-  const delOrgPmtMethods = async ({ actorId, actor, actorOrgId, orgId, pmtMethodId }: TDelOrgPmtMethodDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const delOrgPmtMethods = async ({
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    orgId,
+    pmtMethodId
+  }: TDelOrgPmtMethodDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -420,8 +443,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgTaxIds = async ({ orgId, actor, actorId, actorOrgId }: TGetOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -438,8 +461,8 @@ export const licenseServiceFactory = ({
    return taxIds;
  };

-  const addOrgTaxId = async ({ actorId, actor, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -459,8 +482,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const delOrgTaxId = async ({ orgId, actor, actorId, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -476,8 +499,8 @@ export const licenseServiceFactory = ({
    return data;
  };

-  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, orgId }: TOrgInvoiceDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
@ -493,8 +516,8 @@ export const licenseServiceFactory = ({
    return invoices;
  };

-  const getOrgLicenses = async ({ orgId, actor, actorId, actorOrgId }: TOrgLicensesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);

    const organization = await orgDAL.findOrgById(orgId);
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -26,6 +26,7 @@ export type TFeatureSet = {
  auditLogsRetentionDays: 0;
  samlSSO: false;
  scim: false;
+  ldap: false;
  status: null;
  trial_end: null;
  has_used_trial: true;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -17,6 +17,7 @@ export enum OrgPermissionSubjects {
  IncidentAccount = "incident-contact",
  Sso = "sso",
  Scim = "scim",
+  Ldap = "ldap",
  Billing = "billing",
  SecretScanning = "secret-scanning",
  Identity = "identity"
@ -31,6 +32,7 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.IncidentAccount]
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.Scim]
+  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionActions, OrgPermissionSubjects.Identity];
@ -76,6 +78,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);
+
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -1,7 +1,9 @@
+import { z } from "zod";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { IdentityProjectMembershipRoleSchema, ProjectUserMembershipRolesSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { selectAllTableCols } from "@app/lib/knex";
+import { selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

 export type TPermissionDALFactory = ReturnType<typeof permissionDALFactory>;

@ -43,21 +45,72 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
-      const membership = await db(TableName.ProjectMembership)
-        .leftJoin(TableName.ProjectRoles, `${TableName.ProjectMembership}.roleId`, `${TableName.ProjectRoles}.id`)
+      const docs = await db(TableName.ProjectMembership)
+        .join(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .where("userId", userId)
        .where(`${TableName.ProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.ProjectMembership))
+        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
        .select(
+          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
+          db.ref("role").withSchema(TableName.ProjectMembership).as("oldRoleField"),
+          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project)
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
        )
-        .select("permissions")
-        .first();
+        .select("permissions");

-      return membership;
+      const permission = sqlNestRelationships({
+        data: docs,
+        key: "membershipId",
+        parentMapper: ({
+          orgId,
+          orgAuthEnforced,
+          membershipId,
+          membershipCreatedAt,
+          membershipUpdatedAt,
+          oldRoleField
+        }) => ({
+          orgId,
+          orgAuthEnforced,
+          userId,
+          role: oldRoleField,
+          id: membershipId,
+          projectId,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              ProjectUserMembershipRolesSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          }
+        ]
+      });
+      // when introducting cron mode change it here
+      const activeRoles = permission?.[0]?.roles.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
    }
@ -65,18 +118,69 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
    try {
-      const membership = await db(TableName.IdentityProjectMembership)
+      const docs = await db(TableName.IdentityProjectMembership)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
        .leftJoin(
          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembership}.roleId`,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
+        .join(
+          // Join the Project table to later select orgId
+          TableName.Project,
+          `${TableName.IdentityProjectMembership}.projectId`,
+          `${TableName.Project}.id`
+        )
        .where("identityId", identityId)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembership))
-        .select("permissions")
-        .first();
-      return membership;
+        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
+          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
+        )
+        .select("permissions");
+
+      const permission = sqlNestRelationships({
+        data: docs,
+        key: "membershipId",
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField, orgId }) => ({
+          id: membershipId,
+          identityId,
+          projectId,
+          role: oldRoleField,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt,
+          orgId,
+          // just a prefilled value
+          orgAuthEnforced: false
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              IdentityProjectMembershipRoleSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          }
+        ]
+      });
+
+      // when introducting cron mode change it here
+      const activeRoles = permission?.[0]?.roles.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectIdentityPermission" });
    }
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@ -0,0 +1,23 @@
+import { TOrganizations } from "@app/db/schemas";
+import { UnauthorizedError } from "@app/lib/errors";
+import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
+
+function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
+  if (!actorAuthMethod) return false;
+
+  return [AuthMethod.AZURE_SAML, AuthMethod.OKTA_SAML, AuthMethod.JUMPCLOUD_SAML, AuthMethod.GOOGLE_SAML].includes(
+    actorAuthMethod
+  );
+}
+
+function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
+  if (actorAuthMethod === undefined) {
+    throw new UnauthorizedError({ name: "No auth method defined" });
+  }
+
+  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
+    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
+  }
+}
+
+export { isAuthMethodSaml, validateOrgSAML };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -11,13 +11,16 @@ import {
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { TServiceTokenDALFactory } from "@app/services/service-token/service-token-dal";

 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
+import { validateOrgSAML } from "./permission-fns";
+import { TBuildProjectPermissionDTO } from "./permission-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@ -31,6 +34,7 @@ type TPermissionServiceFactoryDep = {
  orgRoleDAL: Pick<TOrgRoleDALFactory, "findOne">;
  projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
  serviceTokenDAL: Pick<TServiceTokenDALFactory, "findById">;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
  permissionDAL: TPermissionDALFactory;
 };

@ -40,7 +44,8 @@ export const permissionServiceFactory = ({
  permissionDAL,
  orgRoleDAL,
  projectRoleDAL,
-  serviceTokenDAL
+  serviceTokenDAL,
+  projectDAL
 }: TPermissionServiceFactoryDep) => {
  const buildOrgPermission = (role: string, permission?: unknown) => {
    switch (role) {
@ -64,45 +69,63 @@ export const permissionServiceFactory = ({
    }
  };

-  const buildProjectPermission = (role: string, permission?: unknown) => {
-    switch (role) {
-      case ProjectMembershipRole.Admin:
-        return projectAdminPermissions;
-      case ProjectMembershipRole.Member:
-        return projectMemberPermissions;
-      case ProjectMembershipRole.Viewer:
-        return projectViewerPermission;
-      case ProjectMembershipRole.NoAccess:
-        return projectNoAccessPermissions;
-      case ProjectMembershipRole.Custom:
-        return createMongoAbility<ProjectPermissionSet>(
-          unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
-            permission as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
-          ),
-          {
-            conditionsMatcher
+  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
+    const rules = projectUserRoles
+      .map(({ role, permissions }) => {
+        switch (role) {
+          case ProjectMembershipRole.Admin:
+            return projectAdminPermissions;
+          case ProjectMembershipRole.Member:
+            return projectMemberPermissions;
+          case ProjectMembershipRole.Viewer:
+            return projectViewerPermission;
+          case ProjectMembershipRole.NoAccess:
+            return projectNoAccessPermissions;
+          case ProjectMembershipRole.Custom: {
+            return unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
+              permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
+            );
          }
-        );
-      default:
-        throw new BadRequestError({
-          name: "ProjectRoleInvalid",
-          message: "Project role not found"
-        });
-    }
+          default:
+            throw new BadRequestError({
+              name: "ProjectRoleInvalid",
+              message: "Project role not found"
+            });
+        }
+      })
+      .reduce((curr, prev) => prev.concat(curr), []);
+
+    return createMongoAbility<ProjectPermissionSet>(rules, {
+      conditionsMatcher
+    });
  };

  /*
   * Get user permission in an organization
-   * */
-  const getUserOrgPermission = async (userId: string, orgId: string, userOrgId?: string) => {
+   */
+  const getUserOrgPermission = async (
+    userId: string,
+    orgId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ) => {
    const membership = await permissionDAL.getOrgPermission(userId, orgId);
    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }
-    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+
+    // If the org ID is API_KEY, the request is being made with an API Key.
+    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
+
+    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
+    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
+    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
+      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }
+
+    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };

@ -115,10 +138,16 @@ export const permissionServiceFactory = ({
    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
  };

-  const getOrgPermission = async (type: ActorType, id: string, orgId: string, actorOrgId?: string) => {
+  const getOrgPermission = async (
+    type: ActorType,
+    id: string,
+    orgId: string,
+    authMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
    switch (type) {
      case ActorType.USER:
-        return getUserOrgPermission(id, orgId, actorOrgId);
+        return getUserOrgPermission(id, orgId, authMethod, actorOrgId);
      case ActorType.IDENTITY:
        return getIdentityOrgPermission(id, orgId);
      default:
@ -145,44 +174,94 @@ export const permissionServiceFactory = ({
  };

  // user permission for a project in an organization
-  const getUserProjectPermission = async (userId: string, projectId: string, userOrgId?: string) => {
+  const getUserProjectPermission = async (
+    userId: string,
+    projectId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const membership = await permissionDAL.getProjectPermission(userId, projectId);
    if (!membership) throw new UnauthorizedError({ name: "User not in project" });
-    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
+
+    if (membership.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

-    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
-      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
+    // If the org ID is API_KEY, the request is being made with an API Key.
+    // Since we can't scope API keys to an organization, we'll need to do an arbitrary check to see if the user is a member of the organization.
+
+    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
+    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
+    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
+      throw new UnauthorizedError({ name: "You are not logged into this organization" });
    }

+    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+
    return {
-      permission: buildProjectPermission(membership.role, membership.permissions),
-      membership
+      permission: buildProjectPermission(membership.roles),
+      membership,
+      hasRole: (role: string) =>
+        membership.roles.findIndex(({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug) !== -1
    };
  };

-  const getIdentityProjectPermission = async (identityId: string, projectId: string) => {
-    const membership = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!membership) throw new UnauthorizedError({ name: "Identity not in project" });
-    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
+  const getIdentityProjectPermission = async (
+    identityId: string,
+    projectId: string,
+    identityOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
+    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
+
+    if (
+      identityProjectPermission.roles.some(
+        ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
+      )
+    ) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

+    if (identityProjectPermission.orgId !== identityOrgId) {
+      throw new UnauthorizedError({ name: "You are not a member of this organization" });
+    }
+
    return {
-      permission: buildProjectPermission(membership.role, membership.permissions),
-      membership
+      permission: buildProjectPermission(identityProjectPermission.roles),
+      membership: identityProjectPermission,
+      hasRole: (role: string) =>
+        identityProjectPermission.roles.findIndex(
+          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
+        ) !== -1
    };
  };

-  const getServiceTokenProjectPermission = async (serviceTokenId: string, projectId: string) => {
+  const getServiceTokenProjectPermission = async (
+    serviceTokenId: string,
+    projectId: string,
+    actorOrgId: string | undefined
+  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });

+    const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);
+
+    if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });
+
+    if (serviceTokenProject.orgId !== actorOrgId) {
+      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
+    }
+
    if (serviceToken.projectId !== projectId)
      throw new UnauthorizedError({
        message: "Failed to find service authorization for given project"
      });
+
+    if (serviceTokenProject.orgId !== actorOrgId)
+      throw new UnauthorizedError({
+        message: "Failed to find service authorization for given project"
+      });
+
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@ -191,29 +270,35 @@ export const permissionServiceFactory = ({
  };

  type TProjectPermissionRT<T extends ActorType> = T extends ActorType.SERVICE
-    ? { permission: MongoAbility<ProjectPermissionSet, MongoQuery>; membership: undefined }
+    ? {
+        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
+        membership: undefined;
+        hasRole: (arg: string) => boolean;
+      } // service token doesn't have both membership and roles
    : {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
        membership: (T extends ActorType.USER ? TProjectMemberships : TIdentityProjectMemberships) & {
-          orgAuthEnforced: boolean;
+          orgAuthEnforced: boolean | null | undefined;
          orgId: string;
-          permissions?: unknown;
+          roles: Array<{ role: string }>;
        };
+        hasRole: (role: string) => boolean;
      };

  const getProjectPermission = async <T extends ActorType>(
    type: T,
    id: string,
    projectId: string,
-    actorOrgId?: string
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
  ): Promise<TProjectPermissionRT<T>> => {
    switch (type) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new UnauthorizedError({
          message: "Permission not defined",
@ -228,11 +313,13 @@ export const permissionServiceFactory = ({
      const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
      if (!projectRole) throw new BadRequestError({ message: "Role not found" });
      return {
-        permission: buildProjectPermission(ProjectMembershipRole.Custom, projectRole.permissions),
+        permission: buildProjectPermission([
+          { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
+        ]),
        role: projectRole
      };
    }
-    return { permission: buildProjectPermission(role, []) };
+    return { permission: buildProjectPermission([{ role, permissions: [] }]) };
  };

  return {
--- a/backend/src/ee/services/permission/permission-types.ts
+++ b/backend/src/ee/services/permission/permission-types.ts
@ -0,0 +1,4 @@
+export type TBuildProjectPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -56,8 +56,8 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback];

-const buildAdminPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildAdminPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@ -135,13 +135,13 @@ const buildAdminPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Project);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectAdminPermissions = buildAdminPermission();
+export const projectAdminPermissions = buildAdminPermissionRules();

-const buildMemberPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildMemberPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@ -196,13 +196,13 @@ const buildMemberPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectMemberPermissions = buildMemberPermission();
+export const projectMemberPermissions = buildMemberPermissionRules();

-const buildViewerPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildViewerPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
@ -220,14 +220,14 @@ const buildViewerPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectViewerPermission = buildViewerPermission();
+export const projectViewerPermission = buildViewerPermissionRules();

 const buildNoAccessProjectPermission = () => {
-  const { build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-  return build({ conditionsMatcher });
+  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+  return rules;
 };

 export const buildServiceTokenProjectPermission = (
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -5,6 +5,7 @@ import {
  OrgMembershipRole,
  OrgMembershipStatus,
  SecretKeyEncoding,
+  TableName,
  TSamlConfigs,
  TSamlConfigsUpdate
 } from "@app/db/schemas";
@ -31,7 +32,7 @@ import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } f

 type TSamlConfigServiceFactoryDep = {
  samlConfigDAL: TSamlConfigDALFactory;
-  userDAL: Pick<TUserDALFactory, "create" | "findUserByEmail" | "transaction" | "updateById">;
+  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
  orgDAL: Pick<
    TOrgDALFactory,
    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
@ -54,6 +55,7 @@ export const samlConfigServiceFactory = ({
  const createSamlCfg = async ({
    cert,
    actor,
+    actorAuthMethod,
    actorOrgId,
    orgId,
    issuer,
@ -62,14 +64,14 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TCreateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Sso);

    const plan = await licenseService.getPlan(orgId);
    if (!plan.samlSSO)
      throw new BadRequestError({
        message:
-          "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+          "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to create SSO configuration."
      });

    const orgBot = await orgBotDAL.transaction(async (tx) => {
@ -122,7 +124,6 @@ export const samlConfigServiceFactory = ({

    const { ciphertext: encryptedEntryPoint, iv: entryPointIV, tag: entryPointTag } = encryptSymmetric(entryPoint, key);
    const { ciphertext: encryptedIssuer, iv: issuerIV, tag: issuerTag } = encryptSymmetric(issuer, key);
-
    const { ciphertext: encryptedCert, iv: certIV, tag: certTag } = encryptSymmetric(cert, key);
    const samlConfig = await samlConfigDAL.create({
      orgId,
@ -146,6 +147,7 @@ export const samlConfigServiceFactory = ({
    orgId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    cert,
    actorId,
    issuer,
@ -153,7 +155,7 @@ export const samlConfigServiceFactory = ({
    entryPoint,
    authProvider
  }: TUpdateSamlCfgDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
    const plan = await licenseService.getPlan(orgId);
    if (!plan.samlSSO)
@ -172,7 +174,7 @@ export const samlConfigServiceFactory = ({
      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
    });

-    if (entryPoint) {
+    if (entryPoint !== undefined) {
      const {
        ciphertext: encryptedEntryPoint,
        iv: entryPointIV,
@ -182,18 +184,19 @@ export const samlConfigServiceFactory = ({
      updateQuery.entryPointIV = entryPointIV;
      updateQuery.entryPointTag = entryPointTag;
    }
-    if (issuer) {
+    if (issuer !== undefined) {
      const { ciphertext: encryptedIssuer, iv: issuerIV, tag: issuerTag } = encryptSymmetric(issuer, key);
      updateQuery.encryptedIssuer = encryptedIssuer;
      updateQuery.issuerIV = issuerIV;
      updateQuery.issuerTag = issuerTag;
    }
-    if (cert) {
+    if (cert !== undefined) {
      const { ciphertext: encryptedCert, iv: certIV, tag: certTag } = encryptSymmetric(cert, key);
      updateQuery.encryptedCert = encryptedCert;
      updateQuery.certIV = certIV;
      updateQuery.certTag = certTag;
    }
+
    const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);
    await orgDAL.updateById(orgId, { authEnforced: false, scimEnabled: false });

@ -237,6 +240,7 @@ export const samlConfigServiceFactory = ({
        dto.actor,
        dto.actorId,
        ssoConfig.orgId,
+        dto.actorAuthMethod,
        dto.actorOrgId
      );
      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
@ -300,16 +304,30 @@ export const samlConfigServiceFactory = ({
    };
  };

-  const samlLogin = async ({ firstName, email, lastName, authProvider, orgId, relayState }: TSamlLoginDTO) => {
+  const samlLogin = async ({
+    username,
+    email,
+    firstName,
+    lastName,
+    authProvider,
+    orgId,
+    relayState
+  }: TSamlLoginDTO) => {
    const appCfg = getConfig();
-    let user = await userDAL.findUserByEmail(email);
+    let user = await userDAL.findOne({ username });

    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) throw new BadRequestError({ message: "Org not found" });

    if (user) {
      await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership({ userId: user.id, orgId }, { tx });
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            userId: user.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
        if (!orgMembership) {
          await orgDAL.createMembership(
            {
@ -335,6 +353,7 @@ export const samlConfigServiceFactory = ({
      user = await userDAL.transaction(async (tx) => {
        const newUser = await userDAL.create(
          {
+            username,
            email,
            firstName,
            lastName,
@ -357,7 +376,7 @@ export const samlConfigServiceFactory = ({
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
-        email: user.email,
+        username: user.username,
        firstName,
        lastName,
        organizationName: organization.name,
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -1,5 +1,5 @@
 import { TOrgPermission } from "@app/lib/types";
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 export enum SamlProviders {
  OKTA_SAML = "okta-saml",
@ -26,7 +26,14 @@ export type TUpdateSamlCfgDTO = Partial<{
  TOrgPermission;

 export type TGetSamlCfgDTO =
-  | { type: "org"; orgId: string; actor: ActorType; actorId: string; actorOrgId?: string }
+  | {
+      type: "org";
+      orgId: string;
+      actor: ActorType;
+      actorId: string;
+      actorAuthMethod: ActorAuthMethod;
+      actorOrgId: string | undefined;
+    }
  | {
      type: "orgSlug";
      orgSlug: string;
@ -37,7 +44,8 @@ export type TGetSamlCfgDTO =
    };

 export type TSamlLoginDTO = {
-  email: string;
+  username: string;
+  email?: string;
  firstName: string;
  lastName?: string;
  authProvider: string;
--- a/backend/src/ee/services/scim/scim-fns.ts
+++ b/backend/src/ee/services/scim/scim-fns.ts
@ -20,34 +20,38 @@ export const buildScimUserList = ({

 export const buildScimUser = ({
  userId,
+  username,
+  email,
  firstName,
  lastName,
-  email,
  active
 }: {
  userId: string;
+  username: string;
+  email?: string | null;
  firstName: string;
  lastName: string;
-  email: string;
  active: boolean;
 }): TScimUser => {
-  return {
+  const scimUser = {
    schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
    id: userId,
-    userName: email,
+    userName: username,
    displayName: `${firstName} ${lastName}`,
    name: {
      givenName: firstName,
      middleName: null,
      familyName: lastName
    },
-    emails: [
-      {
-        primary: true,
-        value: email,
-        type: "work"
-      }
-    ],
+    emails: email
+      ? [
+          {
+            primary: true,
+            value: email,
+            type: "work"
+          }
+        ]
+      : [],
    active,
    groups: [],
    meta: {
@ -55,4 +59,6 @@ export const buildScimUser = ({
      location: null
    }
  };
+
+  return scimUser;
 };
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";

-import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName } from "@app/db/schemas";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
@ -56,8 +56,16 @@ export const scimServiceFactory = ({
  permissionService,
  smtpService
 }: TScimServiceFactoryDep) => {
-  const createScimToken = async ({ actor, actorId, actorOrgId, orgId, description, ttlDays }: TCreateScimTokenDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createScimToken = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    orgId,
+    description,
+    ttlDays
+  }: TCreateScimTokenDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(orgId);
@ -85,8 +93,8 @@ export const scimServiceFactory = ({
    return { scimToken };
  };

-  const listScimTokens = async ({ actor, actorId, actorOrgId, orgId }: TOrgPermission) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const listScimTokens = async ({ actor, actorId, actorOrgId, actorAuthMethod, orgId }: TOrgPermission) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(orgId);
@ -99,11 +107,17 @@ export const scimServiceFactory = ({
    return scimTokens;
  };

-  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorOrgId }: TDeleteScimTokenDTO) => {
+  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
    let scimToken = await scimDAL.findById(scimTokenId);
    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });

-    const { permission } = await permissionService.getOrgPermission(actor, actorId, scimToken.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      scimToken.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);

    const plan = await licenseService.getPlan(scimToken.orgId);
@ -146,15 +160,16 @@ export const scimServiceFactory = ({

    const users = await orgDAL.findMembership(
      {
-        orgId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId,
        ...parseFilter(filter)
      },
      findOpts
    );

-    const scimUsers = users.map(({ userId, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ userId, username, firstName, lastName, email }) =>
      buildScimUser({
        userId: userId ?? "",
+        username,
        firstName: firstName ?? "",
        lastName: lastName ?? "",
        email,
@ -173,7 +188,7 @@ export const scimServiceFactory = ({
    const [membership] = await orgDAL
      .findMembership({
        userId,
-        orgId
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -196,14 +211,15 @@ export const scimServiceFactory = ({

    return buildScimUser({
      userId: membership.userId as string,
+      username: membership.username,
+      email: membership.email ?? "",
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
-      email: membership.email,
      active: true
    });
  };

-  const createScimUser = async ({ firstName, lastName, email, orgId }: TCreateScimUserDTO) => {
+  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
    const org = await orgDAL.findById(orgId);

    if (!org)
@ -219,12 +235,18 @@ export const scimServiceFactory = ({
      });

    let user = await userDAL.findOne({
-      email
+      username
    });

    if (user) {
      await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership({ userId: user.id, orgId }, { tx });
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            userId: user.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
        if (orgMembership)
          throw new ScimRequestError({
            detail: "User already exists in the database",
@ -248,6 +270,7 @@ export const scimServiceFactory = ({
      user = await userDAL.transaction(async (tx) => {
        const newUser = await userDAL.create(
          {
+            username,
            email,
            firstName,
            lastName,
@ -272,21 +295,25 @@ export const scimServiceFactory = ({
    }

    const appCfg = getConfig();
-    await smtpService.sendMail({
-      template: SmtpTemplates.ScimUserProvisioned,
-      subjectLine: "Infisical organization invitation",
-      recipients: [email],
-      substitutions: {
-        organizationName: org.name,
-        callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
-      }
-    });
+
+    if (email) {
+      await smtpService.sendMail({
+        template: SmtpTemplates.ScimUserProvisioned,
+        subjectLine: "Infisical organization invitation",
+        recipients: [email],
+        substitutions: {
+          organizationName: org.name,
+          callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
+        }
+      });
+    }

    return buildScimUser({
      userId: user.id,
+      username: user.username,
      firstName: user.firstName as string,
      lastName: user.lastName as string,
-      email: user.email,
+      email: user.email ?? "",
      active: true
    });
  };
@ -295,7 +322,7 @@ export const scimServiceFactory = ({
    const [membership] = await orgDAL
      .findMembership({
        userId,
-        orgId
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -342,9 +369,10 @@ export const scimServiceFactory = ({

    return buildScimUser({
      userId: membership.userId as string,
+      username: membership.username,
+      email: membership.email,
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
-      email: membership.email,
      active
    });
  };
@ -353,7 +381,7 @@ export const scimServiceFactory = ({
    const [membership] = await orgDAL
      .findMembership({
        userId,
-        orgId
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
      })
      .catch(() => {
        throw new ScimRequestError({
@ -387,9 +415,10 @@ export const scimServiceFactory = ({

    return buildScimUser({
      userId: membership.userId as string,
+      username: membership.username,
+      email: membership.email,
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
-      email: membership.email,
      active
    });
  };
--- a/backend/src/ee/services/scim/scim-types.ts
+++ b/backend/src/ee/services/scim/scim-types.ts
@ -32,7 +32,8 @@ export type TGetScimUserDTO = {
 };

 export type TCreateScimUserDTO = {
-  email: string;
+  username: string;
+  email?: string;
  firstName: string;
  lastName: string;
  orgId: string;
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -45,6 +45,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    approvals,
    approvers,
    projectId,
@ -54,7 +55,13 @@ export const secretApprovalPolicyServiceFactory = ({
    if (approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@ -98,6 +105,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    approvals,
    secretPolicyId
  }: TUpdateSapDTO) => {
@ -108,6 +116,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      secretApprovalPolicy.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@ -152,7 +161,13 @@ export const secretApprovalPolicyServiceFactory = ({
    };
  };

-  const deleteSecretApprovalPolicy = async ({ secretPolicyId, actor, actorId, actorOrgId }: TDeleteSapDTO) => {
+  const deleteSecretApprovalPolicy = async ({
+    secretPolicyId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteSapDTO) => {
    const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });

@ -160,6 +175,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actor,
      actorId,
      sapPolicy.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
@ -171,8 +187,20 @@ export const secretApprovalPolicyServiceFactory = ({
    return sapPolicy;
  };

-  const getSecretApprovalPolicyByProjectId = async ({ actorId, actor, actorOrgId, projectId }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getSecretApprovalPolicyByProjectId = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TListSapDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId });
@ -201,10 +229,17 @@ export const secretApprovalPolicyServiceFactory = ({
    actor,
    actorId,
    actorOrgId,
+    actorAuthMethod,
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { secretPath, environment })
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -12,9 +12,11 @@ import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
+import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
@ -44,10 +46,12 @@ type TSecretApprovalRequestServiceFactoryDep = {
  secretApprovalRequestSecretDAL: TSecretApprovalRequestSecretDALFactory;
  secretApprovalRequestReviewerDAL: TSecretApprovalRequestReviewerDALFactory;
  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findById" | "findSecretPathByFolderIds">;
-  secretTagDAL: Pick<TSecretTagDALFactory, "findManyTagsById">;
+  secretDAL: TSecretDALFactory;
+  secretTagDAL: Pick<TSecretTagDALFactory, "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret">;
  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
-  secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany">;
+  secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
+  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
  secretService: Pick<
    TSecretServiceFactory,
@ -64,8 +68,10 @@ export type TSecretApprovalRequestServiceFactory = ReturnType<typeof secretAppro

 export const secretApprovalRequestServiceFactory = ({
  secretApprovalRequestDAL,
+  secretDAL,
  folderDAL,
  secretTagDAL,
+  secretVersionTagDAL,
  secretApprovalRequestReviewerDAL,
  secretApprovalRequestSecretDAL,
  secretBlindIndexDAL,
@ -76,13 +82,14 @@ export const secretApprovalRequestServiceFactory = ({
  secretVersionDAL,
  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
-  const requestCount = async ({ projectId, actor, actorId, actorOrgId }: TApprovalRequestCountDTO) => {
+  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const { membership } = await permissionService.getProjectPermission(
      actor as ActorType.USER,
      actorId,
      projectId,
+      actorAuthMethod,
      actorOrgId
    );

@ -94,6 +101,7 @@ export const secretApprovalRequestServiceFactory = ({
    projectId,
    actorId,
    actor,
+    actorAuthMethod,
    actorOrgId,
    status,
    environment,
@ -103,7 +111,13 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

-    const { membership } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    const approvals = await secretApprovalRequestDAL.findByProjectId({
      projectId,
      committer,
@ -116,21 +130,28 @@ export const secretApprovalRequestServiceFactory = ({
    return approvals;
  };

-  const getSecretApprovalDetails = async ({ actor, actorId, actorOrgId, id }: TSecretApprovalDetailsDTO) => {
+  const getSecretApprovalDetails = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    id
+  }: TSecretApprovalDetailsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      actor,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@ -144,20 +165,28 @@ export const secretApprovalRequestServiceFactory = ({
    return { ...secretApprovalRequest, secretPath: secretPath?.[0]?.path || "/", commits: secrets };
  };

-  const reviewApproval = async ({ approvalId, actor, status, actorId, actorOrgId }: TReviewRequestDTO) => {
+  const reviewApproval = async ({
+    approvalId,
+    actor,
+    status,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TReviewRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@ -186,20 +215,28 @@ export const secretApprovalRequestServiceFactory = ({
    return reviewStatus;
  };

-  const updateApprovalStatus = async ({ actorId, status, approvalId, actor, actorOrgId }: TStatusChangeDTO) => {
+  const updateApprovalStatus = async ({
+    actorId,
+    status,
+    approvalId,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TStatusChangeDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
+      actorAuthMethod,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@ -223,16 +260,24 @@ export const secretApprovalRequestServiceFactory = ({
    approvalId,
    actor,
    actorId,
-    actorOrgId
+    actorOrgId,
+    actorAuthMethod
  }: TMergeSecretApprovalRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy, folderId, projectId } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(ActorType.USER, actorId, projectId, actorOrgId);
+    const { membership, hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@ -335,7 +380,11 @@ export const secretApprovalRequestServiceFactory = ({
              tags: el?.tags.map(({ id }) => id),
              version: 1,
              type: SecretType.Shared
-            }))
+            })),
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL
          })
        : [];
      const updatedSecrets = secretUpdationCommits.length
@ -367,7 +416,11 @@ export const secretApprovalRequestServiceFactory = ({
                  "secretBlindIndex"
                ])
              }
-            }))
+            })),
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL
          })
        : [];
      const deletedSecret = secretDeletionCommits.length
@ -419,6 +472,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    policy,
    projectId,
    secretPath,
@ -430,6 +484,7 @@ export const secretApprovalRequestServiceFactory = ({
      actor,
      actorId,
      projectId,
+      actorAuthMethod,
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(
@ -455,7 +510,8 @@ export const secretApprovalRequestServiceFactory = ({
        inputSecrets: createdSecrets,
        folderId,
        isNew: true,
-        blindIndexCfg
+        blindIndexCfg,
+        secretDAL
      });

      commits.push(
@ -482,7 +538,8 @@ export const secretApprovalRequestServiceFactory = ({
        inputSecrets: updatedSecrets,
        folderId,
        isNew: false,
-        blindIndexCfg
+        blindIndexCfg,
+        secretDAL
      });

      // now find any secret that needs to update its name
@ -492,7 +549,8 @@ export const secretApprovalRequestServiceFactory = ({
        inputSecrets: nameUpdatedSecrets,
        folderId,
        isNew: true,
-        blindIndexCfg
+        blindIndexCfg,
+        secretDAL
      });

      const secsGroupedByBlindIndex = groupBy(secretsToBeUpdated, (el) => el.secretBlindIndex as string);
@ -531,7 +589,8 @@ export const secretApprovalRequestServiceFactory = ({
        inputSecrets: deletedSecrets,
        folderId,
        isNew: false,
-        blindIndexCfg
+        blindIndexCfg,
+        secretDAL
      });
      const secretsGroupedByBlindIndex = groupBy(secrets, (i) => {
        if (!i.secretBlindIndex) throw new BadRequestError({ message: "Missing secret blind index" });
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -1,3 +1,10 @@
+import {
+  CreateAccessKeyCommand,
+  DeleteAccessKeyCommand,
+  GetAccessKeyLastUsedCommand,
+  IAMClient
+} from "@aws-sdk/client-iam";
+
 import { SecretKeyEncoding, SecretType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@ -18,7 +25,12 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 import { TSecretRotationDALFactory } from "../secret-rotation-dal";
 import { rotationTemplates } from "../templates";
-import { TDbProviderClients, TProviderFunctionTypes, TSecretRotationProviderTemplate } from "../templates/types";
+import {
+  TAwsProviderSystems,
+  TDbProviderClients,
+  TProviderFunctionTypes,
+  TSecretRotationProviderTemplate
+} from "../templates/types";
 import {
  getDbSetQuery,
  secretRotationDbFn,
@ -127,7 +139,10 @@ export const secretRotationQueueFactory = ({
        internal: {}
      };

-      // when its a database we keep cycling the variables accordingly
+      /* Rotation Function For Database
+       * A database like sql cannot have multiple password for a user
+       * thus we ask users to create two users with required permission and then we keep cycling between these two db users
+       */
      if (provider.template.type === TProviderFunctionTypes.DB) {
        const lastCred = variables.creds.at(-1);
        if (lastCred && variables.creds.length === 1) {
@ -170,6 +185,65 @@ export const secretRotationQueueFactory = ({
        if (variables.creds.length === 2) variables.creds.pop();
      }

+      /*
+       * Rotation Function For AWS Services
+       * Due to complexity in AWS Authorization hashing signature process we keep it as seperate entity instead of http template mode
+       * We first delete old key before creating a new one because aws iam has a quota limit of 2 keys
+       * */
+      if (provider.template.type === TProviderFunctionTypes.AWS) {
+        if (provider.template.client === TAwsProviderSystems.IAM) {
+          const client = new IAMClient({
+            region: newCredential.inputs.manager_user_aws_region as string,
+            credentials: {
+              accessKeyId: newCredential.inputs.manager_user_access_key as string,
+              secretAccessKey: newCredential.inputs.manager_user_secret_key as string
+            }
+          });
+
+          const iamUserName = newCredential.inputs.iam_username as string;
+
+          if (variables.creds.length === 2) {
+            const deleteCycleCredential = variables.creds.pop();
+            if (deleteCycleCredential) {
+              const deletedIamAccessKey = await client.send(
+                new DeleteAccessKeyCommand({
+                  UserName: iamUserName,
+                  AccessKeyId: deleteCycleCredential.outputs.iam_user_access_key as string
+                })
+              );
+
+              if (
+                !deletedIamAccessKey?.$metadata?.httpStatusCode ||
+                deletedIamAccessKey?.$metadata?.httpStatusCode > 300
+              ) {
+                throw new DisableRotationErrors({
+                  message: "Failed to delete aws iam access key. Check managed iam user policy"
+                });
+              }
+            }
+          }
+
+          const newIamAccessKey = await client.send(new CreateAccessKeyCommand({ UserName: iamUserName }));
+          if (!newIamAccessKey.AccessKey)
+            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
+
+          // test
+          const testAccessKey = await client.send(
+            new GetAccessKeyLastUsedCommand({ AccessKeyId: newIamAccessKey.AccessKey.AccessKeyId })
+          );
+          if (testAccessKey?.UserName !== iamUserName)
+            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
+
+          newCredential.outputs.iam_user_access_key = newIamAccessKey.AccessKey.AccessKeyId;
+          newCredential.outputs.iam_user_secret_key = newIamAccessKey.AccessKey.SecretAccessKey;
+        }
+      }
+
+      /* Rotation function of HTTP infisical template
+       * This is a generic http based template system for rotation
+       * we use this for sendgrid and for custom secret rotation
+       * This will ensure user provided rotation is easier to make
+       * */
      if (provider.template.type === TProviderFunctionTypes.HTTP) {
        if (provider.template.functions.set?.pre) {
          secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
@ -185,6 +259,9 @@ export const secretRotationQueueFactory = ({
          }
        }
      }
+
+      // insert the new variables to start
+      // encrypt the data - save it
      variables.creds.unshift({
        outputs: newCredential.outputs,
        internal: newCredential.internal
@ -200,6 +277,7 @@ export const secretRotationQueueFactory = ({
          key
        )
      }));
+      // map the final values to output keys in the board
      await secretRotationDAL.transaction(async (tx) => {
        await secretRotationDAL.updateById(
          rotationId,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -39,8 +39,20 @@ export const secretRotationServiceFactory = ({
  folderDAL,
  secretDAL
 }: TSecretRotationServiceFactoryDep) => {
-  const getProviderTemplates = async ({ actor, actorId, actorOrgId, projectId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getProviderTemplates = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);

    return {
@ -54,6 +66,7 @@ export const secretRotationServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    inputs,
    outputs,
    interval,
@ -61,7 +74,13 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@ -139,14 +158,20 @@ export const secretRotationServiceFactory = ({
    return secretRotation;
  };

-  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const doc = await secretRotationDAL.find({ projectId });
    return doc;
  };

-  const restartById = async ({ actor, actorId, actorOrgId, rotationId }: TRestartDTO) => {
+  const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });

@ -157,18 +182,30 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      doc.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
    return doc;
  };

-  const deleteById = async ({ actor, actorId, actorOrgId, rotationId }: TDeleteDTO) => {
+  const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new BadRequestError({ message: "Rotation not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, doc.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      doc.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-rotation/templates/aws-iam.ts
+++ b/backend/src/ee/services/secret-rotation/templates/aws-iam.ts
@ -0,0 +1,21 @@
+import { TAwsProviderSystems, TProviderFunctionTypes } from "./types";
+
+export const AWS_IAM_TEMPLATE = {
+  type: TProviderFunctionTypes.AWS as const,
+  client: TAwsProviderSystems.IAM,
+  inputs: {
+    type: "object" as const,
+    properties: {
+      manager_user_access_key: { type: "string" as const },
+      manager_user_secret_key: { type: "string" as const },
+      manager_user_aws_region: { type: "string" as const },
+      iam_username: { type: "string" as const }
+    },
+    required: ["manager_user_access_key", "manager_user_secret_key", "manager_user_aws_region", "iam_username"],
+    additionalProperties: false
+  },
+  outputs: {
+    iam_user_access_key: { type: "string" },
+    iam_user_secret_key: { type: "string" }
+  }
+};
--- a/backend/src/ee/services/secret-rotation/templates/index.ts
+++ b/backend/src/ee/services/secret-rotation/templates/index.ts
@ -1,3 +1,4 @@
+import { AWS_IAM_TEMPLATE } from "./aws-iam";
 import { MYSQL_TEMPLATE } from "./mysql";
 import { POSTGRES_TEMPLATE } from "./postgres";
 import { SENDGRID_TEMPLATE } from "./sendgrid";
@ -24,5 +25,12 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
    image: "mysql.png",
    description: "Rotate MySQL@7/MariaDB user credentials",
    template: MYSQL_TEMPLATE
+  },
+  {
+    name: "aws-iam",
+    title: "AWS IAM",
+    image: "aws-iam.svg",
+    description: "Rotate AWS IAM User credentials",
+    template: AWS_IAM_TEMPLATE
  }
 ];
--- a/backend/src/ee/services/secret-rotation/templates/types.ts
+++ b/backend/src/ee/services/secret-rotation/templates/types.ts
@ -1,6 +1,7 @@
 export enum TProviderFunctionTypes {
  HTTP = "http",
-  DB = "database"
+  DB = "database",
+  AWS = "aws"
 }

 export enum TDbProviderClients {
@ -10,6 +11,10 @@ export enum TDbProviderClients {
  MySql = "mysql"
 }

+export enum TAwsProviderSystems {
+  IAM = "iam"
+}
+
 export enum TAssignOp {
  Direct = "direct",
  JmesPath = "jmesopath"
@ -42,7 +47,7 @@ export type TSecretRotationProviderTemplate = {
  title: string;
  image?: string;
  description?: string;
-  template: THttpProviderTemplate | TDbProviderTemplate;
+  template: THttpProviderTemplate | TDbProviderTemplate | TAwsProviderTemplate;
 };

 export type THttpProviderTemplate = {
@ -70,3 +75,14 @@ export type TDbProviderTemplate = {
  };
  outputs: Record<string, unknown>;
 };
+
+export type TAwsProviderTemplate = {
+  type: TProviderFunctionTypes.AWS;
+  client: TAwsProviderSystems;
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+};
--- a/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
@ -64,7 +64,7 @@ export const secretScanningQueueFactory = ({
      orgId: organizationId,
      role: OrgMembershipRole.Admin
    });
-    return adminsOfWork.map((userObject) => userObject.email);
+    return adminsOfWork.filter((userObject) => userObject.email).map((userObject) => userObject.email as string);
  };

  queueService.start(QueueName.SecretPushEventScan, async (job) => {
@ -149,7 +149,7 @@ export const secretScanningQueueFactory = ({
      await smtpService.sendMail({
        template: SmtpTemplates.SecretLeakIncident,
        subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails,
+        recipients: adminEmails.filter((email) => email).map((email) => email),
        substitutions: {
          numberOfSecrets: Object.keys(allFindingsByFingerprint).length,
          pusher_email: pusher.email,
@ -221,7 +221,7 @@ export const secretScanningQueueFactory = ({
      await smtpService.sendMail({
        template: SmtpTemplates.SecretLeakIncident,
        subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails,
+        recipients: adminEmails.filter((email) => email).map((email) => email),
        substitutions: {
          numberOfSecrets: findings.length
        }
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -39,8 +39,14 @@ export const secretScanningServiceFactory = ({
  permissionService,
  secretScanningQueue
 }: TSecretScanningServiceFactoryDep) => {
-  const createInstallationSession = async ({ actor, orgId, actorId, actorOrgId }: TInstallAppSessionDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const createInstallationSession = async ({
+    actor,
+    orgId,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TInstallAppSessionDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);

    const sessionId = crypto.randomBytes(16).toString("hex");
@ -53,12 +59,19 @@ export const secretScanningServiceFactory = ({
    actorId,
    installationId,
    actor,
+    actorAuthMethod,
    actorOrgId
  }: TLinkInstallSessionDTO) => {
    const session = await gitAppInstallSessionDAL.findOne({ sessionId });
    if (!session) throw new UnauthorizedError({ message: "Session not found" });

-    const { permission } = await permissionService.getOrgPermission(actor, actorId, session.orgId, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      session.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.SecretScanning);
    const installatedApp = await gitAppOrgDAL.transaction(async (tx) => {
      await gitAppInstallSessionDAL.deleteById(session.id, tx);
@ -89,23 +102,37 @@ export const secretScanningServiceFactory = ({
    return { installatedApp };
  };

-  const getOrgInstallationStatus = async ({ actorId, orgId, actor, actorOrgId }: TGetOrgInstallStatusDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getOrgInstallationStatus = async ({
+    actorId,
+    orgId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetOrgInstallStatusDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

    const appInstallation = await gitAppOrgDAL.findOne({ orgId });
    return Boolean(appInstallation);
  };

-  const getRisksByOrg = async ({ actor, orgId, actorId, actorOrgId }: TGetOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
    return { risks };
  };

-  const updateRiskStatus = async ({ actorId, orgId, actor, actorOrgId, riskId, status }: TUpdateRiskStatusDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
+  const updateRiskStatus = async ({
+    actorId,
+    orgId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    riskId,
+    status
+  }: TUpdateRiskStatusDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);

    const isRiskResolved = Boolean(
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -59,9 +59,16 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@ -77,11 +84,18 @@ export const secretSnapshotServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    path,
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
@ -91,10 +105,16 @@ export const secretSnapshotServiceFactory = ({
    return snapshots;
  };

-  const getSnapshotData = async ({ actorId, actor, actorOrgId, id }: TGetSnapshotDataDTO) => {
+  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findSecretSnapshotDataById(id);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      snapshot.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    return snapshot;
  };
@ -145,11 +165,23 @@ export const secretSnapshotServiceFactory = ({
    }
  };

-  const rollbackSnapshot = async ({ id: snapshotId, actor, actorId, actorOrgId }: TRollbackSnapshotDTO) => {
+  const rollbackSnapshot = async ({
+    id: snapshotId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TRollbackSnapshotDTO) => {
    const snapshot = await snapshotDAL.findById(snapshotId);
    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });

-    const { permission } = await permissionService.getProjectPermission(actor, actorId, snapshot.projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      snapshot.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@ -26,8 +26,14 @@ export const trustedIpServiceFactory = ({
  licenseService,
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
-  const listIpsByProjectId = async ({ projectId, actor, actorId, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@ -38,13 +44,20 @@ export const trustedIpServiceFactory = ({
  const addProjectIp = async ({
    projectId,
    actorId,
+    actorAuthMethod,
    actor,
    actorOrgId,
    ipAddress: ip,
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -78,11 +91,18 @@ export const trustedIpServiceFactory = ({
    actorId,
    actor,
    actorOrgId,
+    actorAuthMethod,
    ipAddress: ip,
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
@ -113,8 +133,21 @@ export const trustedIpServiceFactory = ({
    return { trustedIp, project }; // for audit log
  };

-  const deleteProjectIp = async ({ projectId, actorId, actor, actorOrgId, trustedIpId }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+  const deleteProjectIp = async ({
+    projectId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    trustedIpId
+  }: TDeleteIpDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

    const project = await projectDAL.findById(projectId);
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -15,8 +15,16 @@ const envSchema = z
    PORT: z.coerce.number().default(4000),
    REDIS_URL: zpStr(z.string()),
    HOST: zpStr(z.string().default("localhost")),
-    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")),
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
+      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
+    ),
    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
+    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
+    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
+    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
+    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
+    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
+
    NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
    SALT_ROUNDS: z.coerce.number().default(10),
    INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@ -1,17 +1,19 @@
-import { ActorType } from "@app/services/auth/auth-type";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 export type TOrgPermission = {
  actor: ActorType;
  actorId: string;
  orgId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string | undefined;
 };

 export type TProjectPermission = {
  actor: ActorType;
  actorId: string;
  projectId: string;
-  actorOrgId?: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string | undefined;
 };

 export type RequiredKeys<T> = {
--- a/backend/src/server/lib/telemetry.ts
+++ b/backend/src/server/lib/telemetry.ts
@ -5,7 +5,7 @@ import { ActorType } from "@app/services/auth/auth-type";
 // this is a unique id for sending posthog event
 export const getTelemetryDistinctId = (req: FastifyRequest) => {
  if (req.auth.actor === ActorType.USER) {
-    return req.auth.user.email;
+    return req.auth.user.username;
  }
  if (req.auth.actor === ActorType.IDENTITY) {
    return `identity-${req.auth.identityId}`;
--- a/backend/src/server/plugins/audit-log.ts
+++ b/backend/src/server/plugins/audit-log.ts
@ -44,6 +44,7 @@ export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
        type: ActorType.USER,
        metadata: {
          email: req.auth.user.email,
+          username: req.auth.user.username,
          userId: req.permission.id
        }
      };
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@ -6,42 +6,49 @@ import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
 import { UnauthorizedError } from "@app/lib/errors";
-import { ActorType, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
+import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";

 export type TAuthMode =
  | {
-      orgId?: string;
      authMode: AuthMode.JWT;
      actor: ActorType.USER;
      userId: string;
      tokenVersionId: string; // the session id of token used
      user: TUsers;
+      orgId?: string;
+      authMethod: AuthMethod;
    }
  | {
      authMode: AuthMode.API_KEY;
+      authMethod: null;
      actor: ActorType.USER;
      userId: string;
      user: TUsers;
-      orgId?: string;
+      orgId: string;
    }
  | {
      authMode: AuthMode.SERVICE_TOKEN;
      serviceToken: TServiceTokens & { createdByEmail: string };
      actor: ActorType.SERVICE;
      serviceTokenId: string;
+      orgId: string;
+      authMethod: null;
    }
  | {
      authMode: AuthMode.IDENTITY_ACCESS_TOKEN;
      actor: ActorType.IDENTITY;
      identityId: string;
      identityName: string;
+      orgId: string;
+      authMethod: null;
    }
  | {
      authMode: AuthMode.SCIM_TOKEN;
      actor: ActorType.SCIM_CLIENT;
      scimTokenId: string;
      orgId: string;
+      authMethod: null;
    };

 const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
@ -50,6 +57,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
    return { authMode: AuthMode.API_KEY, token: apiKey, actor: ActorType.USER } as const;
  }
  const authHeader = req.headers?.authorization;
+
  if (!authHeader) return { authMode: null, token: null };

  const authTokenValue = authHeader.slice(7); // slice of after Bearer
@ -71,6 +79,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
        actor: ActorType.USER
      } as const;
    case AuthTokenType.API_KEY:
+      // throw new Error("API Key auth is no longer supported.");
      return { authMode: AuthMode.API_KEY, token: decodedToken, actor: ActorType.USER } as const;
    case AuthTokenType.IDENTITY_ACCESS_TOKEN:
      return {
@ -89,17 +98,30 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
  }
 };

+// ! Important: You can only 100% count on the `req.permission.orgId` field being present when the auth method is Identity Access Token (Machine Identity).
 export const injectIdentity = fp(async (server: FastifyZodProvider) => {
  server.decorateRequest("auth", null);
  server.addHook("onRequest", async (req) => {
    const appCfg = getConfig();
    const { authMode, token, actor } = await extractAuth(req, appCfg.AUTH_SECRET);
+
+    if (req.url.includes("/api/v3/auth/")) {
+      return;
+    }
    if (!authMode) return;

    switch (authMode) {
      case AuthMode.JWT: {
        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
-        req.auth = { authMode: AuthMode.JWT, user, userId: user.id, tokenVersionId, actor, orgId };
+        req.auth = {
+          authMode: AuthMode.JWT,
+          user,
+          userId: user.id,
+          tokenVersionId,
+          actor,
+          orgId,
+          authMethod: token.authMethod
+        };
        break;
      }
      case AuthMode.IDENTITY_ACCESS_TOKEN: {
@ -107,29 +129,40 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
        req.auth = {
          authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
          actor,
+          orgId: identity.orgId,
          identityId: identity.identityId,
-          identityName: identity.name
+          identityName: identity.name,
+          authMethod: null
        };
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
        const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
        req.auth = {
+          orgId: serviceToken.orgId,
          authMode: AuthMode.SERVICE_TOKEN as const,
          serviceToken,
          serviceTokenId: serviceToken.id,
-          actor
+          actor,
+          authMethod: null
        };
        break;
      }
      case AuthMode.API_KEY: {
        const user = await server.services.apiKey.fnValidateApiKey(token as string);
-        req.auth = { authMode: AuthMode.API_KEY as const, userId: user.id, actor, user };
+        req.auth = {
+          authMode: AuthMode.API_KEY as const,
+          userId: user.id,
+          actor,
+          user,
+          orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
+          authMethod: null
+        };
        break;
      }
      case AuthMode.SCIM_TOKEN: {
        const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
-        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId };
+        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
        break;
      }
      default:
--- a/backend/src/server/plugins/auth/inject-permission.ts
+++ b/backend/src/server/plugins/auth/inject-permission.ts
@ -9,13 +9,33 @@ export const injectPermission = fp(async (server) => {
    if (!req.auth) return;

    if (req.auth.actor === ActorType.USER) {
-      req.permission = { type: ActorType.USER, id: req.auth.userId, orgId: req.auth?.orgId };
+      req.permission = {
+        type: ActorType.USER,
+        id: req.auth.userId,
+        orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
+        authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
+      };
    } else if (req.auth.actor === ActorType.IDENTITY) {
-      req.permission = { type: ActorType.IDENTITY, id: req.auth.identityId };
+      req.permission = {
+        type: ActorType.IDENTITY,
+        id: req.auth.identityId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    } else if (req.auth.actor === ActorType.SERVICE) {
-      req.permission = { type: ActorType.SERVICE, id: req.auth.serviceTokenId };
+      req.permission = {
+        type: ActorType.SERVICE,
+        id: req.auth.serviceTokenId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
-      req.permission = { type: ActorType.SCIM_CLIENT, id: req.auth.scimTokenId, orgId: req.auth.orgId };
+      req.permission = {
+        type: ActorType.SCIM_CLIENT,
+        id: req.auth.scimTokenId,
+        orgId: req.auth.orgId,
+        authMethod: null
+      };
    }
  });
 });
--- a/backend/src/server/plugins/auth/verify-auth.ts
+++ b/backend/src/server/plugins/auth/verify-auth.ts
@ -3,15 +3,26 @@ import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 import { UnauthorizedError } from "@app/lib/errors";
 import { AuthMode } from "@app/services/auth/auth-type";

+interface TAuthOptions {
+  requireOrg: boolean;
+}
+
 export const verifyAuth =
-  <T extends FastifyRequest>(authStrats: AuthMode[]) =>
+  <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
  (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
-    if (!Array.isArray(authStrats)) throw new Error("Auth strategy must be array");
+    if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
    if (!req.auth) throw new UnauthorizedError({ name: "Unauthorized access", message: "Token missing" });

-    const isAccessAllowed = authStrats.some((strat) => strat === req.auth.authMode);
+    const isAccessAllowed = authStrategies.some((strategy) => strategy === req.auth.authMode);
    if (!isAccessAllowed) {
      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access` });
    }
+
+    // New optional option. There are some routes which do not require an organization ID to be present on the request.
+    // An example of this is the /v1 auth routes.
+    if (req.auth.authMode === AuthMode.JWT && options.requireOrg === true && !req.permission.orgId) {
+      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access, no organization found in request` });
+    }
+
    done();
  };
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -5,6 +5,8 @@ import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
+import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
@ -51,6 +53,7 @@ import { identityServiceFactory } from "@app/services/identity/identity-service"
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
+import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { identityUaClientSecretDALFactory } from "@app/services/identity-ua/identity-ua-client-secret-dal";
 import { identityUaDALFactory } from "@app/services/identity-ua/identity-ua-dal";
@ -76,6 +79,7 @@ import { projectKeyDALFactory } from "@app/services/project-key/project-key-dal"
 import { projectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { projectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { projectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
+import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@ -102,6 +106,7 @@ import { telemetryQueueServiceFactory } from "@app/services/telemetry/telemetry-
 import { telemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { userDALFactory } from "@app/services/user/user-dal";
 import { userServiceFactory } from "@app/services/user/user-service";
+import { userAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 import { webhookDALFactory } from "@app/services/webhook/webhook-dal";
 import { webhookServiceFactory } from "@app/services/webhook/webhook-service";

@ -126,6 +131,7 @@ export const registerRoutes = async (

  // db layers
  const userDAL = userDALFactory(db);
+  const userAliasDAL = userAliasDALFactory(db);
  const authDAL = authDALFactory(db);
  const authTokenDAL = tokenDALFactory(db);
  const orgDAL = orgDALFactory(db);
@ -137,6 +143,7 @@ export const registerRoutes = async (

  const projectDAL = projectDALFactory(db);
  const projectMembershipDAL = projectMembershipDALFactory(db);
+  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(db);
  const projectRoleDAL = projectRoleDALFactory(db);
  const projectEnvDAL = projectEnvDALFactory(db);
  const projectKeyDAL = projectKeyDALFactory(db);
@ -160,18 +167,20 @@ export const registerRoutes = async (
  const identityAccessTokenDAL = identityAccessTokenDALFactory(db);
  const identityOrgMembershipDAL = identityOrgDALFactory(db);
  const identityProjectDAL = identityProjectDALFactory(db);
+  const identityProjectMembershipRoleDAL = identityProjectMembershipRoleDALFactory(db);

  const identityUaDAL = identityUaDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);

  const auditLogDAL = auditLogDALFactory(db);
  const trustedIpDAL = trustedIpDALFactory(db);
-  const scimDAL = scimDALFactory(db);
  const telemetryDAL = telemetryDALFactory(db);

  // ee db layer ops
  const permissionDAL = permissionDALFactory(db);
  const samlConfigDAL = samlConfigDALFactory(db);
+  const scimDAL = scimDALFactory(db);
+  const ldapConfigDAL = ldapConfigDALFactory(db);
  const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
  const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
  const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@ -192,7 +201,8 @@ export const registerRoutes = async (
    permissionDAL,
    orgRoleDAL,
    projectRoleDAL,
-    serviceTokenDAL
+    serviceTokenDAL,
+    projectDAL
  });
  const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
  const trustedIpService = trustedIpServiceFactory({
@ -235,6 +245,16 @@ export const registerRoutes = async (
    smtpService
  });

+  const ldapService = ldapConfigServiceFactory({
+    ldapConfigDAL,
+    orgDAL,
+    orgBotDAL,
+    userDAL,
+    userAliasDAL,
+    permissionService,
+    licenseService
+  });
+
  const telemetryService = telemetryServiceFactory({
    keyStore,
    licenseService
@ -247,7 +267,7 @@ export const registerRoutes = async (

  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
  const userService = userServiceFactory({ userDAL });
-  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService });
+  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
  const passwordService = authPaswordServiceFactory({
    tokenService,
    smtpService,
@ -263,6 +283,8 @@ export const registerRoutes = async (
    incidentContactDAL,
    tokenService,
    projectDAL,
+    projectMembershipDAL,
+    projectKeyDAL,
    smtpService,
    userDAL,
    orgBotDAL
@ -304,6 +326,7 @@ export const registerRoutes = async (

  const projectMembershipService = projectMembershipServiceFactory({
    projectMembershipDAL,
+    projectUserMembershipRoleDAL,
    projectDAL,
    permissionService,
    projectBotDAL,
@ -335,7 +358,8 @@ export const registerRoutes = async (
    projectBotDAL,
    projectMembershipDAL,
    secretApprovalRequestDAL,
-    secretApprovalSecretDAL: sarSecretDAL
+    secretApprovalSecretDAL: sarSecretDAL,
+    projectUserMembershipRoleDAL
  });

  const projectService = projectServiceFactory({
@ -349,11 +373,15 @@ export const registerRoutes = async (
    projectKeyDAL,
    userDAL,
    projectEnvDAL,
+    orgDAL,
    orgService,
    projectMembershipDAL,
    folderDAL,
-    licenseService
+    licenseService,
+    projectUserMembershipRoleDAL,
+    identityProjectMembershipRoleDAL
  });
+
  const projectEnvService = projectEnvServiceFactory({
    permissionService,
    projectEnvDAL,
@ -419,7 +447,12 @@ export const registerRoutes = async (
    orgDAL,
    projectMembershipDAL,
    smtpService,
-    projectDAL
+    projectDAL,
+    projectBotDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretTagDAL,
+    secretVersionTagDAL
  });
  const secretBlindIndexService = secretBlindIndexServiceFactory({
    permissionService,
@ -443,6 +476,7 @@ export const registerRoutes = async (
  const sarService = secretApprovalRequestServiceFactory({
    permissionService,
    folderDAL,
+    secretDAL,
    secretTagDAL,
    secretApprovalRequestSecretDAL: sarSecretDAL,
    secretApprovalRequestReviewerDAL: sarReviewerDAL,
@ -452,6 +486,7 @@ export const registerRoutes = async (
    secretApprovalRequestDAL,
    secretService,
    snapshotService,
+    secretVersionTagDAL,
    secretQueueService
  });
  const secretRotationQueue = secretRotationQueueFactory({
@ -484,7 +519,8 @@ export const registerRoutes = async (
    projectEnvDAL,
    serviceTokenDAL,
    userDAL,
-    permissionService
+    permissionService,
+    projectDAL
  });

  const identityService = identityServiceFactory({
@ -492,12 +528,17 @@ export const registerRoutes = async (
    identityDAL,
    identityOrgMembershipDAL
  });
-  const identityAccessTokenService = identityAccessTokenServiceFactory({ identityAccessTokenDAL });
+  const identityAccessTokenService = identityAccessTokenServiceFactory({
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL
+  });
  const identityProjectService = identityProjectServiceFactory({
    permissionService,
    projectDAL,
    identityProjectDAL,
-    identityOrgMembershipDAL
+    identityOrgMembershipDAL,
+    identityProjectMembershipRoleDAL,
+    projectRoleDAL
  });
  const identityUaService = identityUaServiceFactory({
    identityOrgMembershipDAL,
@ -552,6 +593,7 @@ export const registerRoutes = async (
    secretRotation: secretRotationService,
    snapshot: snapshotService,
    saml: samlService,
+    ldap: ldapService,
    auditLog: auditLogService,
    secretScanning: secretScanningService,
    license: licenseService,
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -92,9 +92,10 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.AdminInit,
-        distinctId: user.user.email,
+        distinctId: user.user.username ?? "",
        properties: {
-          email: user.user.email,
+          username: user.user.username,
+          email: user.user.email ?? "",
          lastName: user.user.lastName || "",
          firstName: user.user.firstName || ""
        }
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@ -21,7 +21,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req, res) => {
      const appCfg = getConfig();
      if (req.auth.authMode === AuthMode.JWT) {
@ -85,6 +85,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {

      const token = jwt.sign(
        {
+          authMethod: decodedToken.authMethod,
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: decodedToken.userId,
          tokenVersionId: tokenVersion.id,
--- a/backend/src/server/routes/v1/bot-router.ts
+++ b/backend/src/server/routes/v1/bot-router.ts
@ -30,6 +30,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.projectId
      });
      return { bot };
@ -70,6 +71,7 @@ export const registerProjectBotRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        botId: req.params.botId,
        botKey: req.body.botKey,
        isActive: req.body.isActive
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -34,6 +34,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.createIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        orgId: req.body.organizationId
@ -94,6 +95,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.updateIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId,
        ...req.body
@ -139,6 +141,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      const identity = await server.services.identity.deleteIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.identityId
      });
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@ -121,6 +121,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@ -194,6 +195,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        ...req.body,
        identityId: req.params.identityId
      });
@ -242,6 +244,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@ -291,6 +294,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        ...req.body
@ -336,6 +340,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId
      });
@ -379,6 +384,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        clientSecretId: req.params.clientSecretId
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@ -53,6 +53,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.getIntegrationAuth({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -80,6 +81,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        integration: req.query.integration,
        projectId: req.query.projectId
      });
@ -117,6 +119,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.deleteIntegrationAuthById({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -157,6 +160,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.oauthExchange({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@ -200,6 +204,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const integrationAuth = await server.services.integrationAuth.saveIntegrationToken({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.body.workspaceId,
        ...req.body
@ -247,6 +252,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getIntegrationApps({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        ...req.query
@ -278,6 +284,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const teams = await server.services.integrationAuth.getIntegrationAuthTeams({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -306,6 +313,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const branches = await server.services.integrationAuth.getVercelBranches({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -335,6 +343,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const groups = await server.services.integrationAuth.getChecklyGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        accountId: req.query.accountId
@ -361,6 +370,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const orgs = await server.services.integrationAuth.getQoveryOrgs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -389,6 +399,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const projects = await server.services.integrationAuth.getQoveryProjects({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        orgId: req.query.orgId
@ -418,6 +429,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getQoveryEnvs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        projectId: req.query.projectId
@ -447,6 +459,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const apps = await server.services.integrationAuth.getQoveryApps({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -476,6 +489,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const containers = await server.services.integrationAuth.getQoveryContainers({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -505,6 +519,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const jobs = await server.services.integrationAuth.getQoveryJobs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        environmentId: req.query.environmentId
@ -513,6 +528,38 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    }
  });

+  server.route({
+    url: "/:integrationAuthId/heroku/pipelines",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          pipelines: z
+            .object({
+              app: z.object({ appId: z.string() }),
+              stage: z.string(),
+              pipeline: z.object({ name: z.string(), pipelineId: z.string() })
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const pipelines = await server.services.integrationAuth.getHerokuPipelines({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId
+      });
+      return { pipelines };
+    }
+  });
+
  server.route({
    url: "/:integrationAuthId/railway/environments",
    method: "GET",
@ -534,6 +581,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const environments = await server.services.integrationAuth.getRailwayEnvironments({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -563,6 +611,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const services = await server.services.integrationAuth.getRailwayServices({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -599,6 +648,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const workspaces = await server.services.integrationAuth.getBitbucketWorkspaces({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId
      });
@ -632,6 +682,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const secretGroups = await server.services.integrationAuth.getNorthFlankSecretGroups({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
@ -666,6 +717,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
      const buildConfigs = await server.services.integrationAuth.getTeamcityBuildConfigs({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationAuthId,
        appId: req.query.appId
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -32,6 +32,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
          .object({
            secretPrefix: z.string().optional(),
            secretSuffix: z.string().optional(),
+            initialSyncBehavior: z.string().optional(),
            secretGCPLabel: z
              .object({
                labelName: z.string(),
@ -52,6 +53,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const { integration, integrationAuth } = await server.services.integration.createIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
@ -122,6 +124,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
      const integration = await server.services.integration.updateIntegration({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId,
        ...req.body
@ -147,6 +150,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integration = await server.services.integration.deleteIntegration({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        id: req.params.integrationId
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@ -29,6 +29,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
        orgId: req.body.organizationId,
        userId: req.permission.id,
        inviteeEmail: req.body.inviteeEmail,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });

--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@ -15,7 +15,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: async (req) => {
      const organizations = await server.services.org.findAllOrganizationOfUser(req.permission.id);
      return { organizations };
@ -40,6 +40,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const organization = await server.services.org.findOrganizationById(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { organization };
@ -58,6 +59,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          users: OrgMembershipsSchema.merge(
            z.object({
              user: UsersSchema.pick({
+                username: true,
                email: true,
                firstName: true,
                lastName: true,
@ -75,6 +77,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.org.findAllOrgMembers(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { users };
@ -110,6 +113,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        orgId: req.params.organizationId,
        data: req.body
      });
@ -137,6 +141,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const incidentContactsOrg = await req.server.services.org.findIncidentContacts(
        req.permission.id,
        req.params.organizationId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@ -161,6 +166,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.body.email,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
@ -184,6 +190,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        req.permission.id,
        req.params.organizationId,
        req.params.incidentContactId,
+        req.permission.authMethod,
        req.permission.orgId
      );
      return { incidentContactsOrg };
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@ -38,6 +38,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.body
      });
@ -94,6 +95,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const { environment, old } = await server.services.projectEnv.updateEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id,
@ -152,6 +154,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
      const environment = await server.services.projectEnv.deleteEnvironment({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        id: req.params.id
--- a/backend/src/server/routes/v1/project-key-router.ts
+++ b/backend/src/server/routes/v1/project-key-router.ts
@ -30,6 +30,7 @@ export const registerProjectKeyRouter = async (server: FastifyZodProvider) => {
        projectId: req.params.workspaceId,
        actor: req.permission.type,
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        nonce: req.body.key.nonce,
        receiverId: req.body.key.userId,
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@ -1,15 +1,17 @@
+import ms from "ms";
 import { z } from "zod";

 import {
  OrgMembershipsSchema,
-  ProjectMembershipRole,
  ProjectMembershipsSchema,
+  ProjectUserMembershipRolesSchema,
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";

 export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
  server.route({
@ -28,16 +30,31 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      }),
      response: {
        200: z.object({
-          memberships: ProjectMembershipsSchema.merge(
-            z.object({
-              user: UsersSchema.pick({
-                email: true,
-                firstName: true,
-                lastName: true,
-                id: true
-              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
-            })
-          )
+          memberships: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
+              z.object({
+                user: UsersSchema.pick({
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
+              })
+            )
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
@ -48,6 +65,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const memberships = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@ -84,12 +102,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const data = await server.services.projectMembership.addUsersToProject({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
-        members: req.body.members.map((member) => ({
-          ...member,
-          projectRole: ProjectMembershipRole.Member
-        }))
+        members: req.body.members
      });

      await server.services.auditLog.createAuditLog({
@ -124,39 +140,57 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        membershipId: z.string().trim()
      }),
      body: z.object({
-        role: z.string().trim()
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(false).default(false)
+              }),
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(true),
+                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                temporaryAccessStartTime: z.string().datetime()
+              })
+            ])
+          )
+          .min(1)
+          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
      }),
      response: {
        200: z.object({
-          membership: ProjectMembershipsSchema
+          roles: ProjectUserMembershipRolesSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const membership = await server.services.projectMembership.updateProjectMembership({
+      const roles = await server.services.projectMembership.updateProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId,
-        role: req.body.role
+        roles: req.body.roles
      });

-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.params.workspaceId,
-        event: {
-          type: EventType.UPDATE_USER_WORKSPACE_ROLE,
-          metadata: {
-            userId: membership.userId,
-            newRole: req.body.role,
-            oldRole: membership.role,
-            email: ""
-          }
-        }
-      });
-      return { membership };
+      // await server.services.auditLog.createAuditLog({
+      //   ...req.auditLogInfo,
+      //   projectId: req.params.workspaceId,
+      //   event: {
+      //     type: EventType.UPDATE_USER_WORKSPACE_ROLE,
+      //     metadata: {
+      //       userId: membership.userId,
+      //       newRole: req.body.role,
+      //       oldRole: membership.role,
+      //       email: ""
+      //     }
+      //   }
+      // });
+      return { roles };
    }
  });

@ -186,6 +220,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      const membership = await server.services.projectMembership.deleteProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@ -9,6 +9,7 @@ import {
 } from "@app/db/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectFilterType } from "@app/services/project/project-types";

 import { integrationAuthPubSchema } from "../sanitizedSchemas";
 import { sanitizedServiceTokenSchema } from "../v2/service-token-router";
@ -44,6 +45,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const publicKeys = await server.services.projectKey.getProjectPublicKeys({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
      });
@ -60,16 +62,32 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          users: ProjectMembershipsSchema.merge(
-            z.object({
-              user: UsersSchema.pick({
-                email: true,
-                firstName: true,
-                lastName: true,
-                id: true
-              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
-            })
-          )
+          users: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
+              z.object({
+                user: UsersSchema.pick({
+                  username: true,
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
+              })
+            )
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
@ -80,6 +98,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const users = await server.services.projectMembership.getProjectMemberships({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        actorOrgId: req.permission.orgId
      });
@ -120,37 +139,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.getAProject({
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
+        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
-      });
-      return { workspace };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        workspaceName: z.string().trim(),
-        organizationId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          workspace: projectWithEnv
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const workspace = await server.services.project.createProject({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        orgId: req.body.organizationId,
-        actorOrgId: req.permission.orgId,
-        workspaceName: req.body.workspaceName
+        actorOrgId: req.permission.orgId
      });
      return { workspace };
    }
@ -172,10 +168,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.deleteProject({
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
+        actorOrgId: req.permission.orgId
      });
      return { workspace };
    }
@ -203,6 +203,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.updateName({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        name: req.body.name
@ -231,17 +232,21 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const workspace = await server.services.project.updateProject({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
+        filter: {
+          type: ProjectFilterType.ID,
+          projectId: req.params.workspaceId
+        },
        update: {
          name: req.body.name,
          autoCapitalization: req.body.autoCapitalization
-        }
+        },
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
      });
      return {
        workspace
@ -271,6 +276,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      const workspace = await server.services.project.toggleAutoCapitalization({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        autoCapitalization: req.body.autoCapitalization
@ -307,6 +313,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const integrations = await server.services.integration.listIntegrationByProject({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@ -332,6 +339,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const authorizations = await server.services.integrationAuth.listIntegrationAuthByProjectId({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
@ -357,6 +365,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    handler: async (req) => {
      const serviceTokenData = await server.services.serviceToken.getProjectServiceTokens({
        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@ -38,6 +38,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.createFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -95,6 +96,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const { folder, old } = await server.services.folder.updateFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -120,7 +122,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
  });

  server.route({
-    url: "/:folderId",
+    url: "/:folderIdOrName",
    method: "DELETE",
    schema: {
      description: "Delete a folder",
@ -131,7 +133,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        folderId: z.string()
+        folderIdOrName: z.string()
      }),
      body: z.object({
        workspaceId: z.string().trim(),
@ -152,10 +154,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folder = await server.services.folder.deleteFolder({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
-        id: req.params.folderId,
+        idOrName: req.params.folderIdOrName,
        path
      });
      await server.services.auditLog.createAuditLog({
@ -205,6 +208,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      const folders = await server.services.folder.getFolders({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId,
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@ -43,6 +43,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.createImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body,
        projectId: req.body.workspaceId,
@ -112,6 +113,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.updateImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@ -173,6 +175,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImport = await server.services.secretImport.deleteImport({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        id: req.params.secretImportId,
        ...req.body,
@ -232,6 +235,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const secretImports = await server.services.secretImport.getImports({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
@ -285,6 +289,7 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
      const importedSecrets = await server.services.secretImport.getSecretsFromImports({
        actorId: req.permission.id,
        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.query,
        projectId: req.query.workspaceId
--- a/Show More
+++ b/Show More