Update mint.json

Fix: Moved categories and renamed Libs -> SDKs
Fix: No nested groups
2025-07-28 02:53:22 +00:00 · 2024-03-14 19:05:34 +01:00 · 2024-03-14 18:04:27 +01:00 · 2024-03-14 17:13:18 +01:00 · 2024-03-14 17:09:45 +01:00 · 2024-03-14 17:09:37 +01:00
130 changed files with 4249 additions and 1831 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -70,6 +70,7 @@
    "vitest": "^1.2.2"
  },
  "dependencies": {
+    "@aws-sdk/client-iam": "^3.525.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
    "@casl/ability": "^6.5.0",
    "@fastify/cookie": "^9.3.1",
@@ -106,6 +107,7 @@
    "knex": "^3.0.1",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
+    "ms": "^2.1.3",
    "mysql2": "^3.9.1",
    "nanoid": "^5.0.4",
    "nodemailer": "^6.9.9",
@@ -115,6 +117,7 @@
    "passport-google-oauth20": "^2.0.0",
    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
+    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
    "posthog-node": "^3.6.2",
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -32,6 +32,9 @@ import {
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
+  TIdentityProjectMembershipRole,
+  TIdentityProjectMembershipRoleInsert,
+  TIdentityProjectMembershipRoleUpdate,
  TIdentityProjectMemberships,
  TIdentityProjectMembershipsInsert,
  TIdentityProjectMembershipsUpdate,
@@ -83,6 +86,9 @@ import {
  TProjects,
  TProjectsInsert,
  TProjectsUpdate,
+  TProjectUserMembershipRoles,
+  TProjectUserMembershipRolesInsert,
+  TProjectUserMembershipRolesUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@@ -221,6 +227,11 @@ declare module "knex/types/tables" {
      TProjectEnvironmentsUpdate
    >;
    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
+    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
+      TProjectUserMembershipRoles,
+      TProjectUserMembershipRolesInsert,
+      TProjectUserMembershipRolesUpdate
+    >;
    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
@@ -272,6 +283,11 @@ declare module "knex/types/tables" {
      TIdentityProjectMembershipsInsert,
      TIdentityProjectMembershipsUpdate
    >;
+    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
+      TIdentityProjectMembershipRole,
+      TIdentityProjectMembershipRoleInsert,
+      TIdentityProjectMembershipRoleUpdate
+    >;
    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
      TSecretApprovalPolicies,
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@@ -6,6 +6,13 @@ export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnection
    client: "pg",
    connection: {
      connectionString: dbConnectionUri,
+      host: process.env.DB_HOST,
+      // @ts-expect-error I have no clue why only for the port there is a type error
+      // eslint-disable-next-line
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: dbRootCert
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@@ -7,18 +7,22 @@ import path from "path";

 // Update with your config settings. .
 dotenv.config({
-  path: path.join(__dirname, "../../../.env.migration"),
-  debug: true
+  path: path.join(__dirname, "../../../.env.migration")
 });
 dotenv.config({
-  path: path.join(__dirname, "../../../.env"),
-  debug: true
+  path: path.join(__dirname, "../../../.env")
 });
+
 export default {
  development: {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
@@ -41,6 +45,11 @@ export default {
    client: "postgres",
    connection: {
      connectionString: process.env.DB_CONNECTION_URI,
+      host: process.env.DB_HOST,
+      port: process.env.DB_PORT,
+      user: process.env.DB_USER,
+      database: process.env.DB_NAME,
+      password: process.env.DB_PASSWORD,
      ssl: process.env.DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
--- a/backend/src/db/migrations/20240312162549_temp-roles.ts
+++ b/backend/src/db/migrations/20240312162549_temp-roles.ts
@@ -0,0 +1,50 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.ProjectUserMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.ProjectUserMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+
+  const projectMemberships = await knex(TableName.ProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.ProjectMembership).as("customRoleId")
+  );
+  if (projectMemberships.length)
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      projectMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // will be dropped later
+  // await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ProjectUserMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.ProjectUserMembershipRole);
+}
--- a/backend/src/db/migrations/20240312162556_temp-role-identity.ts
+++ b/backend/src/db/migrations/20240312162556_temp-role-identity.ts
@@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesTableExist = await knex.schema.hasTable(TableName.IdentityProjectMembershipRole);
+  if (!doesTableExist) {
+    await knex.schema.createTable(TableName.IdentityProjectMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId")
+        .references("id")
+        .inTable(TableName.IdentityProjectMembership)
+        .onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+
+  const identityMemberships = await knex(TableName.IdentityProjectMembership).select(
+    "id",
+    "role",
+    "createdAt",
+    "updatedAt",
+    knex.ref("roleId").withSchema(TableName.IdentityProjectMembership).as("customRoleId")
+  );
+  if (identityMemberships.length)
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identityMemberships.map((data) => ({ ...data, projectMembershipId: data.id }))
+    );
+  // await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+  //   t.dropColumn("roleId");
+  //   t.dropColumn("role");
+  // });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityProjectMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.IdentityProjectMembershipRole);
+}
--- a/backend/src/db/schemas/identity-project-membership-role.ts
+++ b/backend/src/db/schemas/identity-project-membership-role.ts
@@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProjectMembershipRoleSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProjectMembershipRole = z.infer<typeof IdentityProjectMembershipRoleSchema>;
+export type TIdentityProjectMembershipRoleInsert = Omit<
+  z.input<typeof IdentityProjectMembershipRoleSchema>,
+  TImmutableDBKeys
+>;
+export type TIdentityProjectMembershipRoleUpdate = Partial<
+  Omit<z.input<typeof IdentityProjectMembershipRoleSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -8,6 +8,7 @@ export * from "./git-app-org";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-org-memberships";
+export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
@@ -25,6 +26,7 @@ export * from "./project-environments";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
+export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./saml-configs";
 export * from "./scim-tokens";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -20,6 +20,7 @@ export enum TableName {
  Environment = "project_environments",
  ProjectMembership = "project_memberships",
  ProjectRoles = "project_roles",
+  ProjectUserMembershipRole = "project_user_membership_roles",
  ProjectKeys = "project_keys",
  Secret = "secrets",
  SecretBlindIndex = "secret_blind_indexes",
@@ -41,6 +42,7 @@ export enum TableName {
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
+  IdentityProjectMembershipRole = "identity_project_membership_role",
  ScimToken = "scim_tokens",
  SecretApprovalPolicy = "secret_approval_policies",
  SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
--- a/backend/src/db/schemas/project-user-membership-roles.ts
+++ b/backend/src/db/schemas/project-user-membership-roles.ts
@@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectUserMembershipRolesSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectUserMembershipRoles = z.infer<typeof ProjectUserMembershipRolesSchema>;
+export type TProjectUserMembershipRolesInsert = Omit<
+  z.input<typeof ProjectUserMembershipRolesSchema>,
+  TImmutableDBKeys
+>;
+export type TProjectUserMembershipRolesUpdate = Partial<
+  Omit<z.input<typeof ProjectUserMembershipRolesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@@ -4,7 +4,7 @@ import { Knex } from "knex";

 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";

-import { OrgMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
@@ -30,10 +30,16 @@ export async function seed(knex: Knex): Promise<void> {
    })
    .returning("*");

-  await knex(TableName.ProjectMembership).insert({
-    projectId: project.id,
-    role: OrgMembershipRole.Admin,
-    userId: seedData1.id
+  const projectMembership = await knex(TableName.ProjectMembership)
+    .insert({
+      projectId: project.id,
+      userId: seedData1.id,
+      role: ProjectMembershipRole.Admin
+    })
+    .returning("*");
+  await knex(TableName.ProjectUserMembershipRole).insert({
+    role: ProjectMembershipRole.Admin,
+    projectMembershipId: projectMembership[0].id
  });

  const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
--- a/backend/src/db/seeds/4-machine-identity.ts
+++ b/backend/src/db/seeds/4-machine-identity.ts
@@ -75,9 +75,16 @@ export async function seed(knex: Knex): Promise<void> {
    }
  ]);

-  await knex(TableName.IdentityProjectMembership).insert({
-    identityId: seedData1.machineIdentity.id,
+  const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
+    .insert({
+      identityId: seedData1.machineIdentity.id,
+      projectId: seedData1.project.id,
+      role: ProjectMembershipRole.Admin
+    })
+    .returning("*");
+
+  await knex(TableName.IdentityProjectMembershipRole).insert({
    role: ProjectMembershipRole.Admin,
-    projectId: seedData1.project.id
+    projectMembershipId: identityProjectMembership[0].id
  });
 }
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -164,15 +164,17 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
    method: "PATCH",
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
-      body: z.object({
-        organizationId: z.string().trim(),
-        isActive: z.boolean().optional(),
-        url: z.string().trim().optional(),
-        bindDN: z.string().trim().optional(),
-        bindPass: z.string().trim().optional(),
-        searchBase: z.string().trim().optional(),
-        caCert: z.string().trim().optional()
-      }),
+      body: z
+        .object({
+          isActive: z.boolean(),
+          url: z.string().trim(),
+          bindDN: z.string().trim(),
+          bindPass: z.string().trim(),
+          searchBase: z.string().trim(),
+          caCert: z.string().trim()
+        })
+        .partial()
+        .merge(z.object({ organizationId: z.string() })),
      response: {
        200: LdapConfigsSchema
      }
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@@ -1,6 +1,7 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";

-import { OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -13,7 +14,17 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        organizationId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim(),
+        slug: z
+          .string()
+          .min(1)
+          .trim()
+          .refine(
+            (val) => Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved"
+          )
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
@@ -45,7 +56,17 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
        roleId: z.string().trim()
      }),
      body: z.object({
-        slug: z.string().trim().optional(),
+        slug: z
+          .string()
+          .trim()
+          .optional()
+          .refine(
+            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
+            "Please choose a different slug, the slug you have entered is reserved."
+          )
+          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
+            message: "Slug must be a valid"
+          }),
        name: z.string().trim().optional(),
        description: z.string().trim().optional(),
        permissions: z.any().array()
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
+import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -19,13 +20,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.workspaceId)
      }),
      querystring: z.object({
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().default(20)
+        environment: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(PROJECTS.GET_SNAPSHOTS.path),
+        offset: z.coerce.number().default(0).describe(PROJECTS.GET_SNAPSHOTS.offset),
+        limit: z.coerce.number().default(20).describe(PROJECTS.GET_SNAPSHOTS.limit)
      }),
      response: {
        200: z.object({
@@ -89,16 +90,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
      }),
      querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional(),
-        userAgentType: z.nativeEnum(UserAgentType).optional(),
-        startDate: z.string().datetime().optional(),
-        endDate: z.string().datetime().optional(),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().default(20),
-        actor: z.string().optional()
+        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
+        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -65,7 +66,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretSnapshotId: z.string().trim()
+        secretSnapshotId: z.string().trim().describe(PROJECTS.ROLLBACK_TO_SNAPSHOT.secretSnapshotId)
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -180,21 +180,21 @@ export const ldapConfigServiceFactory = ({
      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
    });

-    if (bindDN) {
+    if (bindDN !== undefined) {
      const { ciphertext: encryptedBindDN, iv: bindDNIV, tag: bindDNTag } = encryptSymmetric(bindDN, key);
      updateQuery.encryptedBindDN = encryptedBindDN;
      updateQuery.bindDNIV = bindDNIV;
      updateQuery.bindDNTag = bindDNTag;
    }

-    if (bindPass) {
+    if (bindPass !== undefined) {
      const { ciphertext: encryptedBindPass, iv: bindPassIV, tag: bindPassTag } = encryptSymmetric(bindPass, key);
      updateQuery.encryptedBindPass = encryptedBindPass;
      updateQuery.bindPassIV = bindPassIV;
      updateQuery.bindPassTag = bindPassTag;
    }

-    if (caCert) {
+    if (caCert !== undefined) {
      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
      updateQuery.encryptedCACert = encryptedCACert;
      updateQuery.caCertIV = caCertIV;
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -1,7 +1,9 @@
+import { z } from "zod";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { IdentityProjectMembershipRoleSchema, ProjectUserMembershipRolesSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { selectAllTableCols } from "@app/lib/knex";
+import { selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

 export type TPermissionDALFactory = ReturnType<typeof permissionDALFactory>;

@@ -43,21 +45,72 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
-      const membership = await db(TableName.ProjectMembership)
-        .leftJoin(TableName.ProjectRoles, `${TableName.ProjectMembership}.roleId`, `${TableName.ProjectRoles}.id`)
+      const docs = await db(TableName.ProjectMembership)
+        .join(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .where("userId", userId)
        .where(`${TableName.ProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.ProjectMembership))
+        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
        .select(
+          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
+          db.ref("role").withSchema(TableName.ProjectMembership).as("oldRoleField"),
+          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project)
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
        )
-        .select("permissions")
-        .first();
+        .select("permissions");

-      return membership;
+      const permission = sqlNestRelationships({
+        data: docs,
+        key: "membershipId",
+        parentMapper: ({
+          orgId,
+          orgAuthEnforced,
+          membershipId,
+          membershipCreatedAt,
+          membershipUpdatedAt,
+          oldRoleField
+        }) => ({
+          orgId,
+          orgAuthEnforced,
+          userId,
+          role: oldRoleField,
+          id: membershipId,
+          projectId,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              ProjectUserMembershipRolesSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          }
+        ]
+      });
+      // when introducting cron mode change it here
+      const activeRoles = permission?.[0]?.roles.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
    }
@@ -65,18 +118,62 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
    try {
-      const membership = await db(TableName.IdentityProjectMembership)
+      const docs = await db(TableName.IdentityProjectMembership)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
        .leftJoin(
          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembership}.roleId`,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
        .where("identityId", identityId)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembership))
-        .select("permissions")
-        .first();
-      return membership;
+        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
+        )
+        .select("permissions");
+
+      const permission = sqlNestRelationships({
+        data: docs,
+        key: "membershipId",
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField }) => ({
+          id: membershipId,
+          identityId,
+          projectId,
+          role: oldRoleField,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt,
+          // just a prefilled value
+          orgAuthEnforced: false,
+          orgId: ""
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              IdentityProjectMembershipRoleSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          }
+        ]
+      });
+
+      // when introducting cron mode change it here
+      const activeRoles = permission?.[0]?.roles.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
+      return permission?.[0] ? { ...permission[0], roles: activeRoles } : undefined;
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectIdentityPermission" });
    }
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -18,6 +18,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok

 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
+import { TBuildProjectPermissionDTO } from "./permission-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@@ -64,31 +65,35 @@ export const permissionServiceFactory = ({
    }
  };

-  const buildProjectPermission = (role: string, permission?: unknown) => {
-    switch (role) {
-      case ProjectMembershipRole.Admin:
-        return projectAdminPermissions;
-      case ProjectMembershipRole.Member:
-        return projectMemberPermissions;
-      case ProjectMembershipRole.Viewer:
-        return projectViewerPermission;
-      case ProjectMembershipRole.NoAccess:
-        return projectNoAccessPermissions;
-      case ProjectMembershipRole.Custom:
-        return createMongoAbility<ProjectPermissionSet>(
-          unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
-            permission as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
-          ),
-          {
-            conditionsMatcher
+  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
+    const rules = projectUserRoles
+      .map(({ role, permissions }) => {
+        switch (role) {
+          case ProjectMembershipRole.Admin:
+            return projectAdminPermissions;
+          case ProjectMembershipRole.Member:
+            return projectMemberPermissions;
+          case ProjectMembershipRole.Viewer:
+            return projectViewerPermission;
+          case ProjectMembershipRole.NoAccess:
+            return projectNoAccessPermissions;
+          case ProjectMembershipRole.Custom: {
+            return unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
+              permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]
+            );
          }
-        );
-      default:
-        throw new BadRequestError({
-          name: "ProjectRoleInvalid",
-          message: "Project role not found"
-        });
-    }
+          default:
+            throw new BadRequestError({
+              name: "ProjectRoleInvalid",
+              message: "Project role not found"
+            });
+        }
+      })
+      .reduce((curr, prev) => prev.concat(curr), []);
+
+    return createMongoAbility<ProjectPermissionSet>(rules, {
+      conditionsMatcher
+    });
  };

  /*
@@ -145,33 +150,56 @@ export const permissionServiceFactory = ({
  };

  // user permission for a project in an organization
-  const getUserProjectPermission = async (userId: string, projectId: string, userOrgId?: string) => {
-    const membership = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!membership) throw new UnauthorizedError({ name: "User not in project" });
-    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
+  const getUserProjectPermission = async (
+    userId: string,
+    projectId: string,
+    userOrgId?: string
+  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
+    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
+    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+
+    if (
+      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
+    ) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

-    if (membership.orgAuthEnforced && membership.orgId !== userOrgId) {
+    if (userProjectPermission.orgAuthEnforced && userProjectPermission.orgId !== userOrgId) {
      throw new BadRequestError({ name: "Cannot access org-scoped resource" });
    }

    return {
-      permission: buildProjectPermission(membership.role, membership.permissions),
-      membership
+      permission: buildProjectPermission(userProjectPermission.roles),
+      membership: userProjectPermission,
+      hasRole: (role: string) =>
+        userProjectPermission.roles.findIndex(
+          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
+        ) !== -1
    };
  };

-  const getIdentityProjectPermission = async (identityId: string, projectId: string) => {
-    const membership = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!membership) throw new UnauthorizedError({ name: "Identity not in project" });
-    if (membership.role === ProjectMembershipRole.Custom && !membership.permissions) {
+  const getIdentityProjectPermission = async (
+    identityId: string,
+    projectId: string
+  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
+    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
+
+    if (
+      identityProjectPermission.roles.some(
+        ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
+      )
+    ) {
      throw new BadRequestError({ name: "Custom permission not found" });
    }

    return {
-      permission: buildProjectPermission(membership.role, membership.permissions),
-      membership
+      permission: buildProjectPermission(identityProjectPermission.roles),
+      membership: identityProjectPermission,
+      hasRole: (role: string) =>
+        identityProjectPermission.roles.findIndex(
+          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
+        ) !== -1
    };
  };

@@ -191,14 +219,19 @@ export const permissionServiceFactory = ({
  };

  type TProjectPermissionRT<T extends ActorType> = T extends ActorType.SERVICE
-    ? { permission: MongoAbility<ProjectPermissionSet, MongoQuery>; membership: undefined }
+    ? {
+        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
+        membership: undefined;
+        hasRole: (arg: string) => boolean;
+      } // service token doesn't have both membership and roles
    : {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
        membership: (T extends ActorType.USER ? TProjectMemberships : TIdentityProjectMemberships) & {
-          orgAuthEnforced: boolean;
+          orgAuthEnforced: boolean | null | undefined;
          orgId: string;
-          permissions?: unknown;
+          roles: Array<{ role: string }>;
        };
+        hasRole: (role: string) => boolean;
      };

  const getProjectPermission = async <T extends ActorType>(
@@ -228,11 +261,13 @@ export const permissionServiceFactory = ({
      const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
      if (!projectRole) throw new BadRequestError({ message: "Role not found" });
      return {
-        permission: buildProjectPermission(ProjectMembershipRole.Custom, projectRole.permissions),
+        permission: buildProjectPermission([
+          { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
+        ]),
        role: projectRole
      };
    }
-    return { permission: buildProjectPermission(role, []) };
+    return { permission: buildProjectPermission([{ role, permissions: [] }]) };
  };

  return {
--- a/backend/src/ee/services/permission/permission-types.ts
+++ b/backend/src/ee/services/permission/permission-types.ts
@@ -0,0 +1,4 @@
+export type TBuildProjectPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -56,8 +56,8 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback];

-const buildAdminPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildAdminPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@@ -135,13 +135,13 @@ const buildAdminPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Project);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectAdminPermissions = buildAdminPermission();
+export const projectAdminPermissions = buildAdminPermissionRules();

-const buildMemberPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildMemberPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
@@ -196,13 +196,13 @@ const buildMemberPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectMemberPermissions = buildMemberPermission();
+export const projectMemberPermissions = buildMemberPermissionRules();

-const buildViewerPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+const buildViewerPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
@@ -220,14 +220,14 @@ const buildViewerPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);

-  return build({ conditionsMatcher });
+  return rules;
 };

-export const projectViewerPermission = buildViewerPermission();
+export const projectViewerPermission = buildViewerPermissionRules();

 const buildNoAccessProjectPermission = () => {
-  const { build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-  return build({ conditionsMatcher });
+  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+  return rules;
 };

 export const buildServiceTokenProjectPermission = (
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -172,7 +172,7 @@ export const samlConfigServiceFactory = ({
      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
    });

-    if (entryPoint) {
+    if (entryPoint !== undefined) {
      const {
        ciphertext: encryptedEntryPoint,
        iv: entryPointIV,
@@ -182,18 +182,19 @@ export const samlConfigServiceFactory = ({
      updateQuery.entryPointIV = entryPointIV;
      updateQuery.entryPointTag = entryPointTag;
    }
-    if (issuer) {
+    if (issuer !== undefined) {
      const { ciphertext: encryptedIssuer, iv: issuerIV, tag: issuerTag } = encryptSymmetric(issuer, key);
      updateQuery.encryptedIssuer = encryptedIssuer;
      updateQuery.issuerIV = issuerIV;
      updateQuery.issuerTag = issuerTag;
    }
-    if (cert) {
+    if (cert !== undefined) {
      const { ciphertext: encryptedCert, iv: certIV, tag: certTag } = encryptSymmetric(cert, key);
      updateQuery.encryptedCert = encryptedCert;
      updateQuery.certIV = certIV;
      updateQuery.certTag = certTag;
    }
+
    const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);
    await orgDAL.updateById(orgId, { authEnforced: false, scimEnabled: false });

--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -129,14 +129,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      actor,
      actorId,
      secretApprovalRequest.projectId,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@@ -156,14 +156,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@@ -198,14 +198,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
      secretApprovalRequest.projectId,
      actorOrgId
    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
@@ -236,9 +236,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });

    const { policy, folderId, projectId } = secretApprovalRequest;
-    const { membership } = await permissionService.getProjectPermission(ActorType.USER, actorId, projectId, actorOrgId);
+    const { membership, hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      actorId,
+      projectId,
+      actorOrgId
+    );
    if (
-      membership.role !== ProjectMembershipRole.Admin &&
+      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerId !== membership.id &&
      !policy.approvers.find((approverId) => approverId === membership.id)
    ) {
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@@ -1,3 +1,10 @@
+import {
+  CreateAccessKeyCommand,
+  DeleteAccessKeyCommand,
+  GetAccessKeyLastUsedCommand,
+  IAMClient
+} from "@aws-sdk/client-iam";
+
 import { SecretKeyEncoding, SecretType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@@ -18,7 +25,12 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 import { TSecretRotationDALFactory } from "../secret-rotation-dal";
 import { rotationTemplates } from "../templates";
-import { TDbProviderClients, TProviderFunctionTypes, TSecretRotationProviderTemplate } from "../templates/types";
+import {
+  TAwsProviderSystems,
+  TDbProviderClients,
+  TProviderFunctionTypes,
+  TSecretRotationProviderTemplate
+} from "../templates/types";
 import {
  getDbSetQuery,
  secretRotationDbFn,
@@ -127,7 +139,10 @@ export const secretRotationQueueFactory = ({
        internal: {}
      };

-      // when its a database we keep cycling the variables accordingly
+      /* Rotation Function For Database
+       * A database like sql cannot have multiple password for a user
+       * thus we ask users to create two users with required permission and then we keep cycling between these two db users
+       */
      if (provider.template.type === TProviderFunctionTypes.DB) {
        const lastCred = variables.creds.at(-1);
        if (lastCred && variables.creds.length === 1) {
@@ -170,6 +185,65 @@ export const secretRotationQueueFactory = ({
        if (variables.creds.length === 2) variables.creds.pop();
      }

+      /*
+       * Rotation Function For AWS Services
+       * Due to complexity in AWS Authorization hashing signature process we keep it as seperate entity instead of http template mode
+       * We first delete old key before creating a new one because aws iam has a quota limit of 2 keys
+       * */
+      if (provider.template.type === TProviderFunctionTypes.AWS) {
+        if (provider.template.client === TAwsProviderSystems.IAM) {
+          const client = new IAMClient({
+            region: newCredential.inputs.manager_user_aws_region as string,
+            credentials: {
+              accessKeyId: newCredential.inputs.manager_user_access_key as string,
+              secretAccessKey: newCredential.inputs.manager_user_secret_key as string
+            }
+          });
+
+          const iamUserName = newCredential.inputs.iam_username as string;
+
+          if (variables.creds.length === 2) {
+            const deleteCycleCredential = variables.creds.pop();
+            if (deleteCycleCredential) {
+              const deletedIamAccessKey = await client.send(
+                new DeleteAccessKeyCommand({
+                  UserName: iamUserName,
+                  AccessKeyId: deleteCycleCredential.outputs.iam_user_access_key as string
+                })
+              );
+
+              if (
+                !deletedIamAccessKey?.$metadata?.httpStatusCode ||
+                deletedIamAccessKey?.$metadata?.httpStatusCode > 300
+              ) {
+                throw new DisableRotationErrors({
+                  message: "Failed to delete aws iam access key. Check managed iam user policy"
+                });
+              }
+            }
+          }
+
+          const newIamAccessKey = await client.send(new CreateAccessKeyCommand({ UserName: iamUserName }));
+          if (!newIamAccessKey.AccessKey)
+            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
+
+          // test
+          const testAccessKey = await client.send(
+            new GetAccessKeyLastUsedCommand({ AccessKeyId: newIamAccessKey.AccessKey.AccessKeyId })
+          );
+          if (testAccessKey?.UserName !== iamUserName)
+            throw new DisableRotationErrors({ message: "Failed to create access key. Check managed iam user policy" });
+
+          newCredential.outputs.iam_user_access_key = newIamAccessKey.AccessKey.AccessKeyId;
+          newCredential.outputs.iam_user_secret_key = newIamAccessKey.AccessKey.SecretAccessKey;
+        }
+      }
+
+      /* Rotation function of HTTP infisical template
+       * This is a generic http based template system for rotation
+       * we use this for sendgrid and for custom secret rotation
+       * This will ensure user provided rotation is easier to make
+       * */
      if (provider.template.type === TProviderFunctionTypes.HTTP) {
        if (provider.template.functions.set?.pre) {
          secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
@@ -185,6 +259,9 @@ export const secretRotationQueueFactory = ({
          }
        }
      }
+
+      // insert the new variables to start
+      // encrypt the data - save it
      variables.creds.unshift({
        outputs: newCredential.outputs,
        internal: newCredential.internal
@@ -200,6 +277,7 @@ export const secretRotationQueueFactory = ({
          key
        )
      }));
+      // map the final values to output keys in the board
      await secretRotationDAL.transaction(async (tx) => {
        await secretRotationDAL.updateById(
          rotationId,
--- a/backend/src/ee/services/secret-rotation/templates/aws-iam.ts
+++ b/backend/src/ee/services/secret-rotation/templates/aws-iam.ts
@@ -0,0 +1,21 @@
+import { TAwsProviderSystems, TProviderFunctionTypes } from "./types";
+
+export const AWS_IAM_TEMPLATE = {
+  type: TProviderFunctionTypes.AWS as const,
+  client: TAwsProviderSystems.IAM,
+  inputs: {
+    type: "object" as const,
+    properties: {
+      manager_user_access_key: { type: "string" as const },
+      manager_user_secret_key: { type: "string" as const },
+      manager_user_aws_region: { type: "string" as const },
+      iam_username: { type: "string" as const }
+    },
+    required: ["manager_user_access_key", "manager_user_secret_key", "manager_user_aws_region", "iam_username"],
+    additionalProperties: false
+  },
+  outputs: {
+    iam_user_access_key: { type: "string" },
+    iam_user_secret_key: { type: "string" }
+  }
+};
--- a/backend/src/ee/services/secret-rotation/templates/index.ts
+++ b/backend/src/ee/services/secret-rotation/templates/index.ts
@@ -1,3 +1,4 @@
+import { AWS_IAM_TEMPLATE } from "./aws-iam";
 import { MYSQL_TEMPLATE } from "./mysql";
 import { POSTGRES_TEMPLATE } from "./postgres";
 import { SENDGRID_TEMPLATE } from "./sendgrid";
@@ -24,5 +25,12 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
    image: "mysql.png",
    description: "Rotate MySQL@7/MariaDB user credentials",
    template: MYSQL_TEMPLATE
+  },
+  {
+    name: "aws-iam",
+    title: "AWS IAM",
+    image: "aws-iam.svg",
+    description: "Rotate AWS IAM User credentials",
+    template: AWS_IAM_TEMPLATE
  }
 ];
--- a/backend/src/ee/services/secret-rotation/templates/types.ts
+++ b/backend/src/ee/services/secret-rotation/templates/types.ts
@@ -1,6 +1,7 @@
 export enum TProviderFunctionTypes {
  HTTP = "http",
-  DB = "database"
+  DB = "database",
+  AWS = "aws"
 }

 export enum TDbProviderClients {
@@ -10,6 +11,10 @@ export enum TDbProviderClients {
  MySql = "mysql"
 }

+export enum TAwsProviderSystems {
+  IAM = "iam"
+}
+
 export enum TAssignOp {
  Direct = "direct",
  JmesPath = "jmesopath"
@@ -42,7 +47,7 @@ export type TSecretRotationProviderTemplate = {
  title: string;
  image?: string;
  description?: string;
-  template: THttpProviderTemplate | TDbProviderTemplate;
+  template: THttpProviderTemplate | TDbProviderTemplate | TAwsProviderTemplate;
 };

 export type THttpProviderTemplate = {
@@ -70,3 +75,14 @@ export type TDbProviderTemplate = {
  };
  outputs: Record<string, unknown>;
 };
+
+export type TAwsProviderTemplate = {
+  type: TProviderFunctionTypes.AWS;
+  client: TAwsProviderSystems;
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+};
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -0,0 +1,286 @@
+export const IDENTITIES = {
+  CREATE: {
+    name: "The name of the identity to create.",
+    organizationId: "The organization ID to which the identity belongs.",
+    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update.",
+    name: "The new name of the identity.",
+    role: "The new role of the identity."
+  },
+  DELETE: {
+    identityId: "The ID of the identity to delete."
+  }
+} as const;
+
+export const UNIVERSAL_AUTH = {
+  LOGIN: {
+    clientId: "Your Machine Identity Client ID.",
+    clientSecret: "Your Machine Identity Client Secret."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    clientSecretTrustedIps:
+      "A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address.",
+    accessTokenTrustedIps:
+      "A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.",
+    accessTokenTTL: "The lifetime for an access token in seconds. This value will be referenced at renewal time.",
+    accessTokenMaxTTL:
+      "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
+    accessTokenNumUsesLimit:
+      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update.",
+    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
+    accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  CREATE_CLIENT_SECRET: {
+    identityId: "The ID of the identity to create a client secret for.",
+    description: "The description of the client secret.",
+    numUsesLimit:
+      "The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses.",
+    ttl: "The lifetime for the client secret in seconds."
+  },
+  LIST_CLIENT_SECRETS: {
+    identityId: "The ID of the identity to list client secrets for."
+  },
+  REVOKE_CLIENT_SECRET: {
+    identityId: "The ID of the identity to revoke the client secret from.",
+    clientSecretId: "The ID of the client secret to revoke."
+  },
+  RENEW_ACCESS_TOKEN: {
+    accessToken: "The access token to renew."
+  }
+} as const;
+
+export const ORGANIZATIONS = {
+  LIST_USER_MEMBERSHIPS: {
+    organizationId: "The ID of the organization to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    role: "The new role of the membership."
+  },
+  DELETE_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to delete the membership from.",
+    membershipId: "The ID of the membership to delete."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    orgId: "The ID of the organization to get identity memberships from."
+  },
+  GET_PROJECTS: {
+    organizationId: "The ID of the organization to get projects from."
+  }
+} as const;
+
+export const PROJECTS = {
+  CREATE: {
+    organizationId: "The ID of the organization to create the project in.",
+    projectName: "The name of the project to create.",
+    slug: "An optional slug for the project."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete."
+  },
+  GET: {
+    workspaceId: "The ID of the project."
+  },
+  UPDATE: {
+    workspaceId: "The ID of the project to update.",
+    name: "The new name of the project.",
+    autoCapitalization: "Disable or enable auto-capitalization for the project."
+  },
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: "A list of roles to update the membership to."
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
+  GET_KEY: {
+    workspaceId: "The ID of the project to get the key from."
+  },
+  GET_SNAPSHOTS: {
+    workspaceId: "The ID of the project to get snapshots from.",
+    environment: "The environment to get snapshots from.",
+    path: "The secret path to get snapshots from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th snapshot.",
+    limit: "The number of snapshots to return."
+  },
+  ROLLBACK_TO_SNAPSHOT: {
+    secretSnapshotId: "The ID of the snapshot to rollback to."
+  }
+} as const;
+
+export const ENVIRONMENTS = {
+  CREATE: {
+    workspaceId: "The ID of the project to create the environment in.",
+    name: "The name of the environment to create.",
+    slug: "The slug of the environment to create."
+  },
+  UPDATE: {
+    workspaceId: "The ID of the project to update the environment in.",
+    id: "The ID of the environment to update.",
+    name: "The new name of the environment.",
+    slug: "The new slug of the environment.",
+    position: "The new position of the environment. The lowest number will be displayed as the first environment."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete the environment from.",
+    id: "The ID of the environment to delete."
+  }
+} as const;
+
+export const FOLDERS = {
+  LIST: {
+    workspaceId: "The ID of the project to list folders from.",
+    environment: "The slug of the environment to list folders from.",
+    path: "The path to list folders from.",
+    directory: "The directory to list folders from. (Deprecated in favor of path)"
+  },
+  CREATE: {
+    workspaceId: "The ID of the project to create the folder in.",
+    environment: "The slug of the environment to create the folder in.",
+    name: "The name of the folder to create.",
+    path: "The path of the folder to create.",
+    directory: "The directory of the folder to create. (Deprecated in favor of path)"
+  },
+  UPDATE: {
+    folderId: "The ID of the folder to update.",
+    environment: "The slug of the environment where the folder is located.",
+    name: "The new name of the folder.",
+    path: "The path of the folder to update.",
+    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    workspaceId: "The ID of the project where the folder is located."
+  },
+  DELETE: {
+    folderIdOrName: "The ID or name of the folder to delete.",
+    workspaceId: "The ID of the project to delete the folder from.",
+    environment: "The slug of the environment where the folder is located.",
+    directory: "The directory of the folder to delete. (Deprecated in favor of path)",
+    path: "The path of the folder to delete."
+  }
+} as const;
+
+export const RAW_SECRETS = {
+  LIST: {
+    workspaceId: "The ID of the project to list secrets from.",
+    environment: "The slug of the environment to list secrets from.",
+    secretPath: "The secret path to list secrets from.",
+    includeImports: "Weather to include imported secrets or not."
+  },
+  CREATE: {
+    secretName: "The name of the secret to create.",
+    environment: "The slug of the environment to create the secret in.",
+    secretComment: "Attach a comment to the secret.",
+    secretPath: "The path to create the secret in.",
+    secretValue: "The value of the secret to create.",
+    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
+    type: "The type of the secret to create.",
+    workspaceId: "The ID of the project to create the secret in."
+  },
+  GET: {
+    secretName: "The name of the secret to get.",
+    workspaceId: "The ID of the project to get the secret from.",
+    environment: "The slug of the environment to get the secret from.",
+    secretPath: "The path of the secret to get.",
+    version: "The version of the secret to get.",
+    type: "The type of the secret to get.",
+    includeImports: "Weather to include imported secrets or not."
+  },
+  UPDATE: {
+    secretName: "The name of the secret to update.",
+    environment: "The slug of the environment where the secret is located.",
+    secretPath: "The path of the secret to update",
+    secretValue: "The new value of the secret.",
+    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
+    type: "The type of the secret to update.",
+    workspaceId: "The ID of the project to update the secret in."
+  },
+  DELETE: {
+    secretName: "The name of the secret to delete.",
+    environment: "The slug of the environment where the secret is located.",
+    secretPath: "The path of the secret.",
+    type: "The type of the secret to delete.",
+    workspaceId: "The ID of the project where the secret is located."
+  }
+} as const;
+
+export const SECRET_IMPORTS = {
+  LIST: {
+    workspaceId: "The ID of the project to list secret imports from.",
+    environment: "The slug of the environment to list secret imports from.",
+    path: "The path to list secret imports from."
+  },
+  CREATE: {
+    environment: "The slug of the environment to import into.",
+    path: "The path to import into.",
+    workspaceId: "The ID of the project you are working in.",
+    import: {
+      environment: "The slug of the environment to import from.",
+      path: "The path to import from."
+    }
+  },
+  UPDATE: {
+    secretImportId: "The ID of the secret import to update.",
+    environment: "The slug of the environment where the secret import is located.",
+    import: {
+      environment: "The new environment slug to import from.",
+      path: "The new path to import from.",
+      position: "The new position of the secret import. The lowest number will be displayed as the first import."
+    },
+    path: "The path of the secret import to update.",
+    workspaceId: "The ID of the project where the secret import is located."
+  },
+  DELETE: {
+    workspaceId: "The ID of the project to delete the secret import from.",
+    secretImportId: "The ID of the secret import to delete.",
+    environment: "The slug of the environment where the secret import is located.",
+    path: "The path of the secret import to delete."
+  }
+} as const;
+
+export const AUDIT_LOGS = {
+  EXPORT: {
+    workspaceId: "The ID of the project to export audit logs from.",
+    eventType: "The type of the event to export.",
+    userAgentType: "Choose which consuming application to export audit logs for.",
+    startDate: "The date to start the export from.",
+    endDate: "The date to end the export at.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
+    limit: "The number of audit logs to return.",
+    actor: "The actor to filter the audit logs by."
+  }
+} as const;
--- a/backend/src/lib/api-docs/index.ts
+++ b/backend/src/lib/api-docs/index.ts
@@ -0,0 +1 @@
+export * from "./constants";
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -15,8 +15,16 @@ const envSchema = z
    PORT: z.coerce.number().default(4000),
    REDIS_URL: zpStr(z.string()),
    HOST: zpStr(z.string().default("localhost")),
-    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")),
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
+      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
+    ),
    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
+    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
+    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
+    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
+    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
+    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
+
    NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
    SALT_ROUNDS: z.coerce.number().default(10),
    INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -53,6 +53,7 @@ import { identityServiceFactory } from "@app/services/identity/identity-service"
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
+import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { identityUaClientSecretDALFactory } from "@app/services/identity-ua/identity-ua-client-secret-dal";
 import { identityUaDALFactory } from "@app/services/identity-ua/identity-ua-dal";
@@ -78,6 +79,7 @@ import { projectKeyDALFactory } from "@app/services/project-key/project-key-dal"
 import { projectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { projectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { projectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
+import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@@ -141,6 +143,7 @@ export const registerRoutes = async (

  const projectDAL = projectDALFactory(db);
  const projectMembershipDAL = projectMembershipDALFactory(db);
+  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(db);
  const projectRoleDAL = projectRoleDALFactory(db);
  const projectEnvDAL = projectEnvDALFactory(db);
  const projectKeyDAL = projectKeyDALFactory(db);
@@ -164,6 +167,7 @@ export const registerRoutes = async (
  const identityAccessTokenDAL = identityAccessTokenDALFactory(db);
  const identityOrgMembershipDAL = identityOrgDALFactory(db);
  const identityProjectDAL = identityProjectDALFactory(db);
+  const identityProjectMembershipRoleDAL = identityProjectMembershipRoleDALFactory(db);

  const identityUaDAL = identityUaDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
@@ -321,6 +325,7 @@ export const registerRoutes = async (

  const projectMembershipService = projectMembershipServiceFactory({
    projectMembershipDAL,
+    projectUserMembershipRoleDAL,
    projectDAL,
    permissionService,
    projectBotDAL,
@@ -352,7 +357,8 @@ export const registerRoutes = async (
    projectBotDAL,
    projectMembershipDAL,
    secretApprovalRequestDAL,
-    secretApprovalSecretDAL: sarSecretDAL
+    secretApprovalSecretDAL: sarSecretDAL,
+    projectUserMembershipRoleDAL
  });

  const projectService = projectServiceFactory({
@@ -369,8 +375,11 @@ export const registerRoutes = async (
    orgService,
    projectMembershipDAL,
    folderDAL,
-    licenseService
+    licenseService,
+    projectUserMembershipRoleDAL,
+    identityProjectMembershipRoleDAL
  });
+
  const projectEnvService = projectEnvServiceFactory({
    permissionService,
    projectEnvDAL,
@@ -521,7 +530,9 @@ export const registerRoutes = async (
    permissionService,
    projectDAL,
    identityProjectDAL,
-    identityOrgMembershipDAL
+    identityOrgMembershipDAL,
+    identityProjectMembershipRoleDAL,
+    projectRoleDAL
  });
  const identityUaService = identityUaServiceFactory({
    identityOrgMembershipDAL,
--- a/backend/src/server/routes/v1/identity-access-token-router.ts
+++ b/backend/src/server/routes/v1/identity-access-token-router.ts
@@ -1,5 +1,7 @@
 import { z } from "zod";

+import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
+
 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/token/renew",
@@ -7,7 +9,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
    schema: {
      description: "Renew access token",
      body: z.object({
-        accessToken: z.string().trim()
+        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { IDENTITIES } from "@app/lib/api-docs";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,9 +21,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      body: z.object({
-        name: z.string().trim(),
-        organizationId: z.string().trim(),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess)
+        name: z.string().trim().describe(IDENTITIES.CREATE.name),
+        organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
      }),
      response: {
        200: z.object({
@@ -78,11 +79,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(IDENTITIES.UPDATE.identityId)
      }),
      body: z.object({
-        name: z.string().trim().optional(),
-        role: z.string().trim().min(1).optional()
+        name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
+        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
      }),
      response: {
        200: z.object({
@@ -127,7 +128,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(IDENTITIES.DELETE.identityId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/identity-ua.ts
+++ b/backend/src/server/routes/v1/identity-ua.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@@ -26,8 +27,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    schema: {
      description: "Login with Universal Auth",
      body: z.object({
-        clientId: z.string().trim(),
-        clientSecret: z.string().trim()
+        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
+        clientSecret: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientSecret)
      }),
      response: {
        200: z.object({
@@ -76,7 +77,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
      }),
      body: z.object({
        clientSecretTrustedIps: z
@@ -85,14 +86,16 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          })
          .array()
          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
        accessTokenTrustedIps: z
          .object({
            ipAddress: z.string().trim()
          })
          .array()
          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
        accessTokenTTL: z
          .number()
          .int()
@@ -100,15 +103,22 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          .refine((value) => value !== 0, {
            message: "accessTokenTTL must have a non zero number"
          })
-          .default(2592000),
+          .default(2592000)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
        accessTokenMaxTTL: z
          .number()
          .int()
          .refine((value) => value !== 0, {
            message: "accessTokenMaxTTL must have a non zero number"
          })
-          .default(2592000), // 30 days
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .default(2592000)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .default(0)
+          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
      }),
      response: {
        200: z.object({
@@ -156,7 +166,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
      }),
      body: z.object({
        clientSecretTrustedIps: z
@@ -165,16 +175,23 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
          })
          .array()
          .min(1)
-          .optional(),
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
        accessTokenTrustedIps: z
          .object({
            ipAddress: z.string().trim()
          })
          .array()
          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
        accessTokenMaxTTL: z
          .number()
          .int()
@@ -182,6 +199,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            message: "accessTokenMaxTTL must have a non zero number"
          })
          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
      }),
      response: {
        200: z.object({
@@ -230,7 +248,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.RETRIEVE.identityId)
      }),
      response: {
        200: z.object({
@@ -273,12 +291,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.identityId)
      }),
      body: z.object({
-        description: z.string().trim().default(""),
-        numUsesLimit: z.number().min(0).default(0),
-        ttl: z.number().min(0).default(0)
+        description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
+        numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
+        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
      }),
      response: {
        200: z.object({
@@ -324,7 +342,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.LIST_CLIENT_SECRETS.identityId)
      }),
      response: {
        200: z.object({
@@ -366,8 +384,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        identityId: z.string(),
-        clientSecretId: z.string()
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.clientSecretId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/project-env-router.ts
+++ b/backend/src/server/routes/v1/project-env-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ENVIRONMENTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -18,11 +19,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.CREATE.workspaceId)
      }),
      body: z.object({
-        name: z.string().trim(),
-        slug: z.string().trim()
+        name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
+        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
      }),
      response: {
        200: z.object({
@@ -73,13 +74,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        id: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.UPDATE.workspaceId),
+        id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
      }),
      body: z.object({
-        slug: z.string().trim().optional(),
-        name: z.string().trim().optional(),
-        position: z.number().optional()
+        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
+        name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
+        position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
      }),
      response: {
        200: z.object({
@@ -136,8 +137,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        id: z.string().trim()
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.DELETE.workspaceId),
+        id: z.string().trim().describe(ENVIRONMENTS.DELETE.id)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -1,15 +1,18 @@
+import ms from "ms";
 import { z } from "zod";

 import {
  OrgMembershipsSchema,
-  ProjectMembershipRole,
  ProjectMembershipsSchema,
+  ProjectUserMembershipRolesSchema,
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";

 export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -24,20 +27,35 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
      }),
      response: {
        200: z.object({
-          memberships: ProjectMembershipsSchema.merge(
-            z.object({
-              user: UsersSchema.pick({
-                email: true,
-                firstName: true,
-                lastName: true,
-                id: true
-              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
-            })
-          )
+          memberships: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
+              z.object({
+                user: UsersSchema.pick({
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
+              })
+            )
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
@@ -86,10 +104,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
-        members: req.body.members.map((member) => ({
-          ...member,
-          projectRole: ProjectMembershipRole.Member
-        }))
+        members: req.body.members
      });

      await server.services.auditLog.createAuditLog({
@@ -120,43 +135,61 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim(),
-        membershipId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
      }),
      body: z.object({
-        role: z.string().trim()
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(false).default(false)
+              }),
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(true),
+                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                temporaryAccessStartTime: z.string().datetime()
+              })
+            ])
+          )
+          .min(1)
+          .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
+          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
      }),
      response: {
        200: z.object({
-          membership: ProjectMembershipsSchema
+          roles: ProjectUserMembershipRolesSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const membership = await server.services.projectMembership.updateProjectMembership({
+      const roles = await server.services.projectMembership.updateProjectMembership({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        projectId: req.params.workspaceId,
        membershipId: req.params.membershipId,
-        role: req.body.role
+        roles: req.body.roles
      });

-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.params.workspaceId,
-        event: {
-          type: EventType.UPDATE_USER_WORKSPACE_ROLE,
-          metadata: {
-            userId: membership.userId,
-            newRole: req.body.role,
-            oldRole: membership.role,
-            email: ""
-          }
-        }
-      });
-      return { membership };
+      // await server.services.auditLog.createAuditLog({
+      //   ...req.auditLogInfo,
+      //   projectId: req.params.workspaceId,
+      //   event: {
+      //     type: EventType.UPDATE_USER_WORKSPACE_ROLE,
+      //     metadata: {
+      //       userId: membership.userId,
+      //       newRole: req.body.role,
+      //       oldRole: membership.role,
+      //       email: ""
+      //     }
+      //   }
+      // });
+      return { roles };
    }
  });

--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -7,6 +7,7 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -60,17 +61,32 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          users: ProjectMembershipsSchema.merge(
-            z.object({
-              user: UsersSchema.pick({
-                username: true,
-                email: true,
-                firstName: true,
-                lastName: true,
-                id: true
-              }).merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
-            })
-          )
+          users: ProjectMembershipsSchema.omit({ role: true })
+            .merge(
+              z.object({
+                user: UsersSchema.pick({
+                  username: true,
+                  email: true,
+                  firstName: true,
+                  lastName: true,
+                  id: true
+                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+                roles: z.array(
+                  z.object({
+                    id: z.string(),
+                    role: z.string(),
+                    customRoleId: z.string().optional().nullable(),
+                    customRoleName: z.string().optional().nullable(),
+                    customRoleSlug: z.string().optional().nullable(),
+                    isTemporary: z.boolean(),
+                    temporaryMode: z.string().optional().nullable(),
+                    temporaryRange: z.string().nullable().optional(),
+                    temporaryAccessStartTime: z.date().nullable().optional(),
+                    temporaryAccessEndTime: z.date().nullable().optional()
+                  })
+                )
+              })
+            )
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
@@ -110,7 +126,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "GET",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
      }),
      response: {
        200: z.object({
@@ -162,7 +178,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "DELETE",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
      }),
      response: {
        200: z.object({
@@ -220,11 +236,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    method: "PATCH",
    schema: {
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
      }),
      body: z.object({
-        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
-        autoCapitalization: z.boolean().optional()
+        name: z
+          .string()
+          .trim()
+          .max(64, { message: "Name must be 64 or fewer characters" })
+          .optional()
+          .describe(PROJECTS.UPDATE.name),
+        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -19,12 +20,12 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        name: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
+        name: z.string().trim().describe(FOLDERS.CREATE.name),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
      }),
      response: {
        200: z.object({
@@ -73,15 +74,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      ],
      params: z.object({
        // old way this was name
-        folderId: z.string()
+        folderId: z.string().describe(FOLDERS.UPDATE.folderId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        name: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+        name: z.string().trim().describe(FOLDERS.UPDATE.name),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
      }),
      response: {
        200: z.object({
@@ -119,6 +120,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
    }
  });

+  // TODO(daniel): Expose this route in api reference and write docs for it.
  server.route({
    url: "/:folderIdOrName",
    method: "DELETE",
@@ -131,14 +133,14 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        folderIdOrName: z.string()
+        folderIdOrName: z.string().describe(FOLDERS.DELETE.folderIdOrName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
        // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
      }),
      response: {
        200: z.object({
@@ -187,11 +189,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
+        environment: z.string().trim().describe(FOLDERS.LIST.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
        // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/secret-import-router.ts
+++ b/backend/src/server/routes/v1/secret-import-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -19,12 +20,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.CREATE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.path),
        import: z.object({
-          environment: z.string().trim(),
-          path: z.string().trim().transform(removeTrailingSlash)
+          environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.import.environment),
+          path: z.string().trim().transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.import.path)
        })
      }),
      response: {
@@ -80,20 +81,21 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        secretImportId: z.string().trim()
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.secretImportId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.UPDATE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.UPDATE.path),
        import: z.object({
-          environment: z.string().trim().optional(),
+          environment: z.string().trim().optional().describe(SECRET_IMPORTS.UPDATE.import.environment),
          path: z
            .string()
            .trim()
            .optional()
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          position: z.number().optional()
+            .transform((val) => (val ? removeTrailingSlash(val) : val))
+            .describe(SECRET_IMPORTS.UPDATE.import.path),
+          position: z.number().optional().describe(SECRET_IMPORTS.UPDATE.import.position)
        })
      }),
      response: {
@@ -150,12 +152,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      params: z.object({
-        secretImportId: z.string().trim()
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.DELETE.secretImportId)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash)
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.DELETE.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.DELETE.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.DELETE.path)
      }),
      response: {
        200: z.object({
@@ -210,9 +212,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        path: z.string().trim().default("/").transform(removeTrailingSlash)
+        workspaceId: z.string().trim().describe(SECRET_IMPORTS.LIST.workspaceId),
+        environment: z.string().trim().describe(SECRET_IMPORTS.LIST.environment),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.LIST.path)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -18,7 +19,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        orgId: z.string().trim()
+        orgId: z.string().trim().describe(ORGANIZATIONS.LIST_IDENTITY_MEMBERSHIPS.orgId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/identity-project-router.ts
+++ b/backend/src/server/routes/v2/identity-project-router.ts
@@ -1,13 +1,16 @@
+import ms from "ms";
 import { z } from "zod";

 import {
  IdentitiesSchema,
  IdentityProjectMembershipsSchema,
  ProjectMembershipRole,
-  ProjectRolesSchema
+  ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";

 export const registerIdentityProjectRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -53,28 +56,45 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim(),
-        identityId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
      }),
      body: z.object({
-        role: z.string().trim().min(1).default(ProjectMembershipRole.NoAccess)
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(false).default(false)
+              }),
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(true),
+                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                temporaryAccessStartTime: z.string().datetime()
+              })
+            ])
+          )
+          .min(1)
+          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
      }),
      response: {
        200: z.object({
-          identityMembership: IdentityProjectMembershipsSchema
+          roles: ProjectUserMembershipRolesSchema.array()
        })
      }
    },
    handler: async (req) => {
-      const identityMembership = await server.services.identityProject.updateProjectIdentity({
+      const roles = await server.services.identityProject.updateProjectIdentity({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        identityId: req.params.identityId,
        projectId: req.params.projectId,
-        role: req.body.role
+        roles: req.body.roles
      });
-      return { identityMembership };
+      return { roles };
    }
  });

@@ -90,8 +110,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim(),
-        identityId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
      }),
      response: {
        200: z.object({
@@ -123,22 +143,33 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
        }
      ],
      params: z.object({
-        projectId: z.string().trim()
+        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
      }),
      response: {
        200: z.object({
-          identityMemberships: IdentityProjectMembershipsSchema.merge(
-            z.object({
-              customRole: ProjectRolesSchema.pick({
-                id: true,
-                name: true,
-                slug: true,
-                permissions: true,
-                description: true
-              }).optional(),
+          identityMemberships: z
+            .object({
+              id: z.string(),
+              identityId: z.string(),
+              createdAt: z.date(),
+              updatedAt: z.date(),
+              roles: z.array(
+                z.object({
+                  id: z.string(),
+                  role: z.string(),
+                  customRoleId: z.string().optional().nullable(),
+                  customRoleName: z.string().optional().nullable(),
+                  customRoleSlug: z.string().optional().nullable(),
+                  isTemporary: z.boolean(),
+                  temporaryMode: z.string().optional().nullable(),
+                  temporaryRange: z.string().nullable().optional(),
+                  temporaryAccessStartTime: z.date().nullable().optional(),
+                  temporaryAccessEndTime: z.date().nullable().optional()
+                })
+              ),
              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
            })
-          ).array()
+            .array()
        })
      }
    },
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";

 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";

@@ -17,7 +18,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_USER_MEMBERSHIPS.organizationId)
      }),
      response: {
        200: z.object({
@@ -62,7 +63,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
      }),
      response: {
        200: z.object({
@@ -106,9 +107,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          apiKeyAuth: []
        }
      ],
-      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
+      }),
      body: z.object({
-        role: z.string().trim()
+        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
      }),
      response: {
        200: z.object({
@@ -142,7 +146,10 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
          apiKeyAuth: []
        }
      ],
-      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
+      }),
      response: {
        200: z.object({
          membership: OrgMembershipsSchema
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

@@ -11,11 +12,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    url: "/:projectId/memberships",
    schema: {
      params: z.object({
-        projectId: z.string().describe("The ID of the project.")
+        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
      }),
      body: z.object({
-        emails: z.string().email().array().default([]).describe("Emails of the users to add to the project."),
-        usernames: z.string().array().default([]).describe("Usernames of the users to add to the project.")
+        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
      }),
      response: {
        200: z.object({
@@ -55,12 +56,12 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
    url: "/:projectId/memberships",
    schema: {
      params: z.object({
-        projectId: z.string().describe("The ID of the project.")
+        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
      }),

      body: z.object({
-        emails: z.string().email().array().default([]).describe("Emails of the users to remove from the project."),
-        usernames: z.string().array().default([]).describe("Usernames of the users to remove from the project.")
+        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";

 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { PROJECTS } from "@app/lib/api-docs";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -29,7 +30,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
      }),
      response: {
        200: ProjectKeysSchema.merge(
@@ -127,7 +128,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        projectName: z.string().trim(),
+        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
        slug: z
          .string()
          .min(5)
@@ -135,8 +136,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
-          .optional(),
-        organizationId: z.string().trim()
+          .optional()
+          .describe(PROJECTS.CREATE.slug),
+        organizationId: z.string().trim().describe(PROJECTS.CREATE.organizationId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -10,6 +10,7 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+import { RAW_SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -33,13 +34,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      querystring: z.object({
-        workspaceId: z.string().trim().optional(),
-        environment: z.string().trim().optional(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
+        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.includeImports)
      }),
      response: {
        200: z.object({
@@ -123,18 +125,19 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.GET.secretName)
      }),
      querystring: z.object({
-        workspaceId: z.string().trim().optional(),
-        environment: z.string().trim().optional(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        version: z.coerce.number().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
+        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.includeImports)
      }),
      response: {
        200: z.object({
@@ -213,16 +216,24 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-        secretComment: z.string().trim().optional().default(""),
-        skipMultilineEncoding: z.boolean().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.CREATE.secretPath),
+        secretValue: z
+          .string()
+          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+          .describe(RAW_SECRETS.CREATE.secretValue),
+        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
+        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
      }),
      response: {
        200: z.object({
@@ -290,15 +301,23 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        skipMultilineEncoding: z.boolean().optional(),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
+        secretValue: z
+          .string()
+          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+          .describe(RAW_SECRETS.UPDATE.secretValue),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.UPDATE.secretPath),
+        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
      }),
      response: {
        200: z.object({
@@ -364,13 +383,18 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        secretName: z.string().trim()
+        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared)
+        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.DELETE.secretPath),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.DELETE.type)
      }),
      response: {
        200: z.object({
--- a/backend/src/services/identity-project/identity-project-dal.ts
+++ b/backend/src/services/identity-project/identity-project-dal.ts
@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, sqlNestRelationships } from "@app/lib/knex";

 export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFactory>;

@@ -15,52 +15,81 @@ export const identityProjectDALFactory = (db: TDbClient) => {
      const docs = await (tx || db)(TableName.IdentityProjectMembership)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
        .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
        .leftJoin(
          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembership}.roleId`,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
-        .select(selectAllTableCols(TableName.IdentityProjectMembership))
-        // cr stands for custom role
-        .select(db.ref("id").as("crId").withSchema(TableName.ProjectRoles))
-        .select(db.ref("name").as("crName").withSchema(TableName.ProjectRoles))
-        .select(db.ref("slug").as("crSlug").withSchema(TableName.ProjectRoles))
-        .select(db.ref("description").as("crDescription").withSchema(TableName.ProjectRoles))
-        .select(db.ref("permissions").as("crPermission").withSchema(TableName.ProjectRoles))
-        .select(db.ref("permissions").as("crPermission").withSchema(TableName.ProjectRoles))
-        .select(db.ref("id").as("identityId").withSchema(TableName.Identity))
-        .select(db.ref("name").as("identityName").withSchema(TableName.Identity))
-        .select(db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity));
-      return docs.map(
-        ({
-          crId,
-          crDescription,
-          crSlug,
-          crPermission,
-          crName,
-          identityId,
-          identityName,
-          identityAuthMethod,
-          ...el
-        }) => ({
-          ...el,
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership),
+          db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity),
+          db.ref("id").as("identityId").withSchema(TableName.Identity),
+          db.ref("name").as("identityName").withSchema(TableName.Identity),
+          db.ref("id").withSchema(TableName.IdentityProjectMembership),
+          db.ref("role").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("id").withSchema(TableName.IdentityProjectMembershipRole).as("membershipRoleId"),
+          db.ref("customRoleId").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("temporaryMode").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("isTemporary").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("temporaryRange").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("temporaryAccessStartTime").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole)
+        );
+
+      const members = sqlNestRelationships({
+        data: docs,
+        parentMapper: ({ identityId, identityName, identityAuthMethod, id, createdAt, updatedAt }) => ({
+          id,
          identityId,
+          createdAt,
+          updatedAt,
          identity: {
            id: identityId,
            name: identityName,
            authMethod: identityAuthMethod
-          },
-          customRole: el.roleId
-            ? {
-                id: crId,
-                name: crName,
-                slug: crSlug,
-                permissions: crPermission,
-                description: crDescription
-              }
-            : undefined
-        })
-      );
+          }
+        }),
+        key: "id",
+        childrenMapper: [
+          {
+            label: "roles" as const,
+            key: "membershipRoleId",
+            mapper: ({
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              membershipRoleId,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            }) => ({
+              id: membershipRoleId,
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            })
+          }
+        ]
+      });
+      return members;
    } catch (error) {
      throw new DatabaseError({ error, name: "FindByProjectId" });
    }
--- a/backend/src/services/identity-project/identity-project-membership-role-dal.ts
+++ b/backend/src/services/identity-project/identity-project-membership-role-dal.ts
@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityProjectMembershipRoleDALFactory = ReturnType<typeof identityProjectMembershipRoleDALFactory>;
+
+export const identityProjectMembershipRoleDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.IdentityProjectMembershipRole);
+  return orm;
+};
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@@ -1,15 +1,20 @@
 import { ForbiddenError } from "@casl/ability";
+import ms from "ms";

-import { ProjectMembershipRole, TProjectRoles } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { groupBy } from "@app/lib/fn";

 import { ActorType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
+import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
+import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
 import { TIdentityProjectDALFactory } from "./identity-project-dal";
+import { TIdentityProjectMembershipRoleDALFactory } from "./identity-project-membership-role-dal";
 import {
  TCreateProjectIdentityDTO,
  TDeleteProjectIdentityDTO,
@@ -19,7 +24,12 @@ import {

 type TIdentityProjectServiceFactoryDep = {
  identityProjectDAL: TIdentityProjectDALFactory;
+  identityProjectMembershipRoleDAL: Pick<
+    TIdentityProjectMembershipRoleDALFactory,
+    "create" | "transaction" | "insertMany" | "delete"
+  >;
  projectDAL: Pick<TProjectDALFactory, "findById">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
 };
@@ -30,7 +40,9 @@ export const identityProjectServiceFactory = ({
  identityProjectDAL,
  permissionService,
  identityOrgMembershipDAL,
-  projectDAL
+  identityProjectMembershipRoleDAL,
+  projectDAL,
+  projectRoleDAL
 }: TIdentityProjectServiceFactoryDep) => {
  const createProjectIdentity = async ({
    identityId,
@@ -70,11 +82,26 @@ export const identityProjectServiceFactory = ({
      });
    const isCustomRole = Boolean(customRole);

-    const projectIdentity = await identityProjectDAL.create({
-      identityId,
-      projectId: project.id,
-      role: isCustomRole ? ProjectMembershipRole.Custom : role,
-      roleId: customRole?.id
+    const projectIdentity = await identityProjectDAL.transaction(async (tx) => {
+      const identityProjectMembership = await identityProjectDAL.create(
+        {
+          identityId,
+          projectId: project.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : role,
+          roleId: customRole?.id
+        },
+        tx
+      );
+
+      await identityProjectMembershipRoleDAL.create(
+        {
+          projectMembershipId: identityProjectMembership.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : role,
+          customRoleId: customRole?.id
+        },
+        tx
+      );
+      return identityProjectMembership;
    });
    return projectIdentity;
  };
@@ -82,7 +109,7 @@ export const identityProjectServiceFactory = ({
  const updateProjectIdentity = async ({
    projectId,
    identityId,
-    role,
+    roles,
    actor,
    actorId,
    actorOrgId
@@ -106,28 +133,51 @@ export const identityProjectServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

-    let customRole: TProjectRoles | undefined;
-    if (role) {
-      const { permission: rolePermission, role: customOrgRole } = await permissionService.getProjectPermissionByRole(
-        role,
-        projectIdentity.projectId
-      );
-
-      const isCustomRole = Boolean(customOrgRole);
-      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
-      if (!hasRequiredNewRolePermission)
-        throw new BadRequestError({ message: "Failed to create a more privileged identity" });
-      if (isCustomRole) customRole = customOrgRole;
-    }
-
-    const [updatedProjectIdentity] = await identityProjectDAL.update(
-      { projectId, identityId: projectIdentity.identityId },
-      {
-        role: customRole ? ProjectMembershipRole.Custom : role,
-        roleId: customRole ? customRole.id : null
-      }
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
    );
-    return updatedProjectIdentity;
+    const hasCustomRole = Boolean(customInputRoles.length);
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
+
+    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
+      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+      if (!inputRole.isTemporary) {
+        return {
+          projectMembershipId: projectIdentity.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+        };
+      }
+
+      // check cron or relative here later for now its just relative
+      const relativeTimeInMs = ms(inputRole.temporaryRange);
+      return {
+        projectMembershipId: projectIdentity.id,
+        role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+        customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+        isTemporary: true,
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+        temporaryRange: inputRole.temporaryRange,
+        temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+        temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+      };
+    });
+
+    const updatedRoles = await identityProjectMembershipRoleDAL.transaction(async (tx) => {
+      await identityProjectMembershipRoleDAL.delete({ projectMembershipId: projectIdentity.id }, tx);
+      return identityProjectMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
+    });
+
+    return updatedRoles;
  };

  const deleteProjectIdentity = async ({
--- a/backend/src/services/identity-project/identity-project-types.ts
+++ b/backend/src/services/identity-project/identity-project-types.ts
@@ -1,12 +1,26 @@
 import { TProjectPermission } from "@app/lib/types";

+import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
+
 export type TCreateProjectIdentityDTO = {
  identityId: string;
  role: string;
 } & TProjectPermission;

 export type TUpdateProjectIdentityDTO = {
-  role: string;
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
  identityId: string;
 } & TProjectPermission;

--- a/backend/src/services/org/org-role-service.ts
+++ b/backend/src/services/org/org-role-service.ts
@@ -58,7 +58,7 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
      { id: roleId, orgId },
      { ...data, permissions: data.permissions ? JSON.stringify(data.permissions) : undefined }
    );
-    if (!updateRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!updatedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
    return updatedRole;
  };

@@ -66,7 +66,7 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Role);
    const [deletedRole] = await orgRoleDAL.delete({ id: roleId, orgId });
-    if (!deleteRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });

    return deletedRole;
  };
--- a/backend/src/services/project-membership/project-membership-dal.ts
+++ b/backend/src/services/project-membership/project-membership-dal.ts
@@ -1,7 +1,7 @@
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";

 export type TProjectMembershipDALFactory = ReturnType<typeof projectMembershipDALFactory>;

@@ -11,32 +11,86 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
  // special query
  const findAllProjectMembers = async (projectId: string) => {
    try {
-      const members = await db(TableName.ProjectMembership)
-        .where({ projectId })
+      const docs = await db(TableName.ProjectMembership)
+        .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
        .join<TUserEncryptionKeys>(
          TableName.UserEncryptionKey,
          `${TableName.UserEncryptionKey}.userId`,
          `${TableName.Users}.id`
        )
+        .join(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
        .select(
          db.ref("id").withSchema(TableName.ProjectMembership),
-          db.ref("projectId").withSchema(TableName.ProjectMembership),
-          db.ref("role").withSchema(TableName.ProjectMembership),
-          db.ref("roleId").withSchema(TableName.ProjectMembership),
          db.ref("isGhost").withSchema(TableName.Users),
          db.ref("username").withSchema(TableName.Users),
          db.ref("email").withSchema(TableName.Users),
          db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
          db.ref("firstName").withSchema(TableName.Users),
          db.ref("lastName").withSchema(TableName.Users),
-          db.ref("id").withSchema(TableName.Users).as("userId")
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("membershipRoleId"),
+          db.ref("customRoleId").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("temporaryMode").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("isTemporary").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryRange").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryAccessStartTime").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryAccessEndTime").withSchema(TableName.ProjectUserMembershipRole)
        )
        .where({ isGhost: false });
-      return members.map(({ username, email, firstName, lastName, publicKey, isGhost, ...data }) => ({
-        ...data,
-        user: { username, email, firstName, lastName, id: data.userId, publicKey, isGhost }
-      }));
+
+      const members = sqlNestRelationships({
+        data: docs,
+        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId }) => ({
+          id,
+          userId,
+          projectId,
+          user: { email, username, firstName, lastName, id: userId, publicKey, isGhost }
+        }),
+        key: "id",
+        childrenMapper: [
+          {
+            label: "roles" as const,
+            key: "membershipRoleId",
+            mapper: ({
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              membershipRoleId,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            }) => ({
+              id: membershipRoleId,
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            })
+          }
+        ]
+      });
+      return members;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find all project members" });
    }
--- a/backend/src/services/project-membership/project-membership-service.ts
+++ b/backend/src/services/project-membership/project-membership-service.ts
@@ -1,14 +1,13 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
+import ms from "ms";

 import {
-  OrgMembershipStatus,
  ProjectMembershipRole,
  ProjectVersion,
  SecretKeyEncoding,
  TableName,
-  TProjectMemberships,
-  TUsers
+  TProjectMemberships
 } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -29,22 +28,24 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TProjectMembershipDALFactory } from "./project-membership-dal";
 import {
+  ProjectUserMembershipTemporaryMode,
  TAddUsersToWorkspaceDTO,
  TAddUsersToWorkspaceNonE2EEDTO,
  TDeleteProjectMembershipOldDTO,
  TDeleteProjectMembershipsDTO,
  TGetProjectMembershipDTO,
-  TInviteUserToProjectDTO,
  TUpdateProjectMembershipDTO
 } from "./project-membership-types";
+import { TProjectUserMembershipRoleDALFactory } from "./project-user-membership-role-dal";

 type TProjectMembershipServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  smtpService: TSmtpService;
  projectBotDAL: TProjectBotDALFactory;
  projectMembershipDAL: TProjectMembershipDALFactory;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany" | "find" | "delete">;
  userDAL: Pick<TUserDALFactory, "findById" | "findOne" | "findUserByProjectMembershipId" | "find">;
-  projectRoleDAL: Pick<TProjectRoleDALFactory, "findOne">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "findOrgMembersByUsername">;
  projectDAL: Pick<TProjectDALFactory, "findById" | "findProjectGhostUser" | "transaction">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany">;
@@ -56,6 +57,7 @@ export type TProjectMembershipServiceFactory = ReturnType<typeof projectMembersh
 export const projectMembershipServiceFactory = ({
  permissionService,
  projectMembershipDAL,
+  projectUserMembershipRoleDAL,
  smtpService,
  projectRoleDAL,
  projectBotDAL,
@@ -72,82 +74,6 @@ export const projectMembershipServiceFactory = ({
    return projectMembershipDAL.findAllProjectMembers(projectId);
  };

-  const inviteUserToProject = async ({ actorId, actor, actorOrgId, projectId, emails }: TInviteUserToProjectDTO) => {
-    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
-
-    const invitees: TUsers[] = [];
-
-    const project = await projectDAL.findById(projectId);
-    const users = await userDAL.find({
-      $in: { email: emails }
-    });
-
-    await projectDAL.transaction(async (tx) => {
-      for (const invitee of users) {
-        if (!invitee.isAccepted)
-          throw new BadRequestError({
-            message: "Failed to validate invitee",
-            name: "Invite user to project"
-          });
-
-        const inviteeMembership = await projectMembershipDAL.findOne(
-          {
-            userId: invitee.id,
-            projectId
-          },
-          tx
-        );
-
-        if (inviteeMembership) {
-          throw new BadRequestError({
-            message: "Existing member of project",
-            name: "Invite user to project"
-          });
-        }
-
-        const inviteeMembershipOrg = await orgDAL.findMembership({
-          userId: invitee.id,
-          orgId: project.orgId,
-          status: OrgMembershipStatus.Accepted
-        });
-
-        if (!inviteeMembershipOrg) {
-          throw new BadRequestError({
-            message: "Failed to validate invitee org membership",
-            name: "Invite user to project"
-          });
-        }
-
-        await projectMembershipDAL.create(
-          {
-            userId: invitee.id,
-            projectId,
-            role: ProjectMembershipRole.Member
-          },
-          tx
-        );
-
-        invitees.push(invitee);
-      }
-
-      const appCfg = getConfig();
-      await smtpService.sendMail({
-        template: SmtpTemplates.WorkspaceInvite,
-        subjectLine: "Infisical project invitation",
-        recipients: invitees.filter((i) => i.email).map((i) => i.email as string),
-        substitutions: {
-          workspaceName: project.name,
-          callback_url: `${appCfg.SITE_URL}/login`
-        }
-      });
-    });
-
-    const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
-
-    return { invitees, latestKey };
-  };
-
  const addUsersToProject = async ({
    projectId,
    actorId,
@@ -176,17 +102,16 @@ export const projectMembershipServiceFactory = ({
    if (existingMembers.length) throw new BadRequestError({ message: "Some users are already part of project" });

    await projectMembershipDAL.transaction(async (tx) => {
-      await projectMembershipDAL.insertMany(
-        orgMembers.map(({ userId, id: membershipId }) => {
-          const role =
-            members.find((i) => i.orgMembershipId === membershipId)?.projectRole || ProjectMembershipRole.Member;
-
-          return {
-            projectId,
-            userId: userId as string,
-            role
-          };
-        }),
+      const projectMemberships = await projectMembershipDAL.insertMany(
+        orgMembers.map(({ userId }) => ({
+          projectId,
+          userId: userId as string,
+          role: ProjectMembershipRole.Member
+        })),
+        tx
+      );
+      await projectUserMembershipRoleDAL.insertMany(
+        projectMemberships.map(({ id }) => ({ projectMembershipId: id, role: ProjectMembershipRole.Member })),
        tx
      );
      const encKeyGroupByOrgMembId = groupBy(members, (i) => i.orgMembershipId);
@@ -296,7 +221,7 @@ export const projectMembershipServiceFactory = ({
    const members: TProjectMemberships[] = [];

    await projectMembershipDAL.transaction(async (tx) => {
-      const result = await projectMembershipDAL.insertMany(
+      const projectMemberships = await projectMembershipDAL.insertMany(
        orgMembers.map(({ user }) => ({
          projectId,
          userId: user.id,
@@ -304,8 +229,12 @@ export const projectMembershipServiceFactory = ({
        })),
        tx
      );
+      await projectUserMembershipRoleDAL.insertMany(
+        projectMemberships.map(({ id }) => ({ projectMembershipId: id, role: ProjectMembershipRole.Member })),
+        tx
+      );

-      members.push(...result);
+      members.push(...projectMemberships);

      const encKeyGroupByOrgMembId = groupBy(newWsMembers, (i) => i.orgMembershipId);
      await projectKeyDAL.insertMany(
@@ -346,43 +275,71 @@ export const projectMembershipServiceFactory = ({
    actorOrgId,
    projectId,
    membershipId,
-    role
+    roles
  }: TUpdateProjectMembershipDTO) => {
    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);

    const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
-
-    if (membershipUser?.isGhost) {
+    if (membershipUser?.isGhost || membershipUser?.projectId !== projectId) {
      throw new BadRequestError({
        message: "Unauthorized member update",
        name: "Update project membership"
      });
    }

-    const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
-    if (isCustomRole) {
-      const customRole = await projectRoleDAL.findOne({ slug: role, projectId });
-      if (!customRole) throw new BadRequestError({ name: "Update project membership", message: "Role not found" });
-      const project = await projectDAL.findById(customRole.projectId);
-      const plan = await licenseService.getPlan(project.orgId);
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+    );
+    const hasCustomRole = Boolean(customInputRoles.length);
+    if (hasCustomRole) {
+      const plan = await licenseService.getPlan(actorOrgId as string);
      if (!plan?.rbac)
        throw new BadRequestError({
          message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."
        });
-
-      const [membership] = await projectMembershipDAL.update(
-        { id: membershipId, projectId },
-        {
-          role: ProjectMembershipRole.Custom,
-          roleId: customRole.id
-        }
-      );
-      return membership;
    }

-    const [membership] = await projectMembershipDAL.update({ id: membershipId, projectId }, { role, roleId: null });
-    return membership;
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
+
+    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
+      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+      if (!inputRole.isTemporary) {
+        return {
+          projectMembershipId: membershipId,
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+        };
+      }
+
+      // check cron or relative here later for now its just relative
+      const relativeTimeInMs = ms(inputRole.temporaryRange);
+      return {
+        projectMembershipId: membershipId,
+        role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+        customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+        isTemporary: true,
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+        temporaryRange: inputRole.temporaryRange,
+        temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+        temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+      };
+    });
+
+    const updatedRoles = await projectMembershipDAL.transaction(async (tx) => {
+      await projectUserMembershipRoleDAL.delete({ projectMembershipId: membershipId }, tx);
+      return projectUserMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
+    });
+
+    return updatedRoles;
  };

  // This is old and should be removed later. Its not used anywhere, but it is exposed in our API. So to avoid breaking changes, we are keeping it for now.
@@ -481,7 +438,6 @@ export const projectMembershipServiceFactory = ({

  return {
    getProjectMemberships,
-    inviteUserToProject,
    updateProjectMembership,
    addUsersToProjectNonE2EE,
    deleteProjectMemberships,
--- a/backend/src/services/project-membership/project-membership-types.ts
+++ b/backend/src/services/project-membership/project-membership-types.ts
@@ -1,7 +1,9 @@
-import { ProjectMembershipRole } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";

 export type TGetProjectMembershipDTO = TProjectPermission;
+export enum ProjectUserMembershipTemporaryMode {
+  Relative = "relative"
+}

 export type TInviteUserToProjectDTO = {
  emails: string[];
@@ -9,7 +11,19 @@ export type TInviteUserToProjectDTO = {

 export type TUpdateProjectMembershipDTO = {
  membershipId: string;
-  role: string;
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
 } & TProjectPermission;

 export type TDeleteProjectMembershipOldDTO = {
@@ -27,7 +41,6 @@ export type TAddUsersToWorkspaceDTO = {
    orgMembershipId: string;
    workspaceEncryptedKey: string;
    workspaceEncryptedNonce: string;
-    projectRole: ProjectMembershipRole;
  }[];
 } & TProjectPermission;

--- a/backend/src/services/project-membership/project-user-membership-role-dal.ts
+++ b/backend/src/services/project-membership/project-user-membership-role-dal.ts
@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TProjectUserMembershipRoleDALFactory = ReturnType<typeof projectUserMembershipRoleDALFactory>;
+
+export const projectUserMembershipRoleDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.ProjectUserMembershipRole);
+  return orm;
+};
--- a/backend/src/services/project-role/project-role-service.ts
+++ b/backend/src/services/project-role/project-role-service.ts
@@ -76,7 +76,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
    const { permission } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
    const [deletedRole] = await projectRoleDAL.delete({ id: roleId, projectId });
-    if (!deleteRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
+    if (!deletedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });

    return deletedRole;
  };
@@ -92,7 +92,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
        name: "Admin",
        slug: ProjectMembershipRole.Admin,
        description: "Complete administration access over the project",
-        permissions: packRules(projectAdminPermissions.rules),
+        permissions: packRules(projectAdminPermissions),
        createdAt: new Date(),
        updatedAt: new Date()
      },
@@ -102,7 +102,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
        name: "Developer",
        slug: ProjectMembershipRole.Member,
        description: "Non-administrative role in an project",
-        permissions: packRules(projectMemberPermissions.rules),
+        permissions: packRules(projectMemberPermissions),
        createdAt: new Date(),
        updatedAt: new Date()
      },
@@ -112,7 +112,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
        name: "Viewer",
        slug: ProjectMembershipRole.Viewer,
        description: "Non-administrative role in an project",
-        permissions: packRules(projectViewerPermission.rules),
+        permissions: packRules(projectViewerPermission),
        createdAt: new Date(),
        updatedAt: new Date()
      },
@@ -122,7 +122,7 @@ export const projectRoleServiceFactory = ({ projectRoleDAL, permissionService }:
        name: "No Access",
        slug: "no-access",
        description: "No access to any resources in the project",
-        permissions: packRules(projectNoAccessPermissions.rules),
+        permissions: packRules(projectNoAccessPermissions),
        createdAt: new Date(),
        updatedAt: new Date()
      },
--- a/backend/src/services/project/project-queue.ts
+++ b/backend/src/services/project/project-queue.ts
@@ -38,6 +38,7 @@ import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -58,9 +59,9 @@ type TProjectQueueFactoryDep = {
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne" | "delete" | "create">;
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
  integrationAuthDAL: TIntegrationAuthDALFactory;
  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
-
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find">;
  projectDAL: Pick<TProjectDALFactory, "findOne" | "transaction" | "updateById" | "setProjectUpgradeStatus" | "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership">;
@@ -81,7 +82,8 @@ export const projectQueueFactory = ({
  orgDAL,
  projectDAL,
  orgService,
-  projectMembershipDAL
+  projectMembershipDAL,
+  projectUserMembershipRoleDAL
 }: TProjectQueueFactoryDep) => {
  const upgradeProject = async (dto: TQueueJobTypes["upgrade-project-to-ghost"]["payload"]) => {
    await queueService.queue(QueueName.UpgradeProjectToGhost, QueueJobs.UpgradeProjectToGhost, dto, {
@@ -227,7 +229,7 @@ export const projectQueueFactory = ({
        );

        // Create a membership for the ghost user
-        await projectMembershipDAL.create(
+        const projectMembership = await projectMembershipDAL.create(
          {
            projectId: project.id,
            userId: ghostUser.user.id,
@@ -235,6 +237,10 @@ export const projectQueueFactory = ({
          },
          tx
        );
+        await projectUserMembershipRoleDAL.create(
+          { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
+          tx
+        );

        // If a bot already exists, delete it
        if (existingBot) {
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -17,11 +17,13 @@ import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityProjectDALFactory } from "../identity-project/identity-project-dal";
+import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/identity-project-membership-role-dal";
 import { TOrgServiceFactory } from "../org/org-service";
 import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TSecretBlindIndexDALFactory } from "../secret-blind-index/secret-blind-index-dal";
 import { ROOT_FOLDER_NAME, TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TUserDALFactory } from "../user/user-dal";
@@ -50,9 +52,11 @@ type TProjectServiceFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "insertMany" | "find">;
  identityOrgMembershipDAL: TIdentityOrgDALFactory;
  identityProjectDAL: TIdentityProjectDALFactory;
+  identityProjectMembershipRoleDAL: Pick<TIdentityProjectMembershipRoleDALFactory, "create">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "create" | "findLatestProjectKey" | "delete" | "find" | "insertMany">;
  projectBotDAL: Pick<TProjectBotDALFactory, "create" | "findById" | "delete" | "findOne">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "create">;
  permissionService: TPermissionServiceFactory;
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
@@ -75,7 +79,9 @@ export const projectServiceFactory = ({
  secretBlindIndexDAL,
  projectMembershipDAL,
  projectEnvDAL,
-  licenseService
+  licenseService,
+  projectUserMembershipRoleDAL,
+  identityProjectMembershipRoleDAL
 }: TProjectServiceFactoryDep) => {
  /*
   * Create workspace. Make user the admin
@@ -114,14 +120,18 @@ export const projectServiceFactory = ({
        tx
      );
      // set ghost user as admin of project
-      await projectMembershipDAL.create(
+      const projectMembership = await projectMembershipDAL.create(
        {
          userId: ghostUser.user.id,
-          role: ProjectMembershipRole.Admin,
-          projectId: project.id
+          projectId: project.id,
+          role: ProjectMembershipRole.Admin
        },
        tx
      );
+      await projectUserMembershipRoleDAL.create(
+        { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
+        tx
+      );

      // generate the blind index for project
      await secretBlindIndexDAL.create(
@@ -213,7 +223,7 @@ export const projectServiceFactory = ({
        });

        // Create a membership for the user
-        await projectMembershipDAL.create(
+        const userProjectMembership = await projectMembershipDAL.create(
          {
            projectId: project.id,
            userId: user.id,
@@ -221,6 +231,10 @@ export const projectServiceFactory = ({
          },
          tx
        );
+        await projectUserMembershipRoleDAL.create(
+          { projectMembershipId: userProjectMembership.id, role: projectAdmin.projectRole },
+          tx
+        );

        // Create a project key for the user
        await projectKeyDAL.create(
@@ -266,7 +280,7 @@ export const projectServiceFactory = ({
          });
        const isCustomRole = Boolean(customRole);

-        await identityProjectDAL.create(
+        const identityProjectMembership = await identityProjectDAL.create(
          {
            identityId: actorId,
            projectId: project.id,
@@ -275,6 +289,15 @@ export const projectServiceFactory = ({
          },
          tx
        );
+
+        await identityProjectMembershipRoleDAL.create(
+          {
+            projectMembershipId: identityProjectMembership.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : ProjectMembershipRole.Admin,
+            customRoleId: customRole?.id
+          },
+          tx
+        );
      }

      return {
@@ -350,11 +373,11 @@ export const projectServiceFactory = ({
  };

  const upgradeProject = async ({ projectId, actor, actorId, userPrivateKey }: TUpgradeProjectDTO) => {
-    const { permission, membership } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    const { permission, hasRole } = await permissionService.getProjectPermission(actor, actorId, projectId);

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);

-    if (membership?.role !== ProjectMembershipRole.Admin) {
+    if (!hasRole(ProjectMembershipRole.Admin)) {
      throw new ForbiddenRequestError({
        message: "User must be admin"
      });
--- a/backend/src/services/secret-blind-index/secret-blind-index-service.ts
+++ b/backend/src/services/secret-blind-index/secret-blind-index-service.ts
@@ -37,8 +37,8 @@ export const secretBlindIndexServiceFactory = ({
  };

  const getProjectSecrets = async ({ projectId, actorId, actor }: TGetProjectSecretsDTO) => {
-    const { membership } = await permissionService.getProjectPermission(actor, actorId, projectId);
-    if (membership?.role !== ProjectMembershipRole.Admin) {
+    const { hasRole } = await permissionService.getProjectPermission(actor, actorId, projectId);
+    if (!hasRole(ProjectMembershipRole.Admin)) {
      throw new UnauthorizedError({ message: "User must be admin" });
    }

@@ -53,8 +53,8 @@ export const secretBlindIndexServiceFactory = ({
    actorOrgId,
    secretsToUpdate
  }: TUpdateProjectSecretNameDTO) => {
-    const { membership } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
-    if (membership?.role !== ProjectMembershipRole.Admin) {
+    const { hasRole } = await permissionService.getProjectPermission(actor, actorId, projectId, actorOrgId);
+    if (!hasRole(ProjectMembershipRole.Admin)) {
      throw new UnauthorizedError({ message: "User must be admin" });
    }

--- a/cli/packages/util/helper.go
+++ b/cli/packages/util/helper.go
@@ -97,6 +97,11 @@ func RequireLogin() {
 	}
 }

+func IsLoggedIn() bool {
+	configFile, _ := GetConfigFile()
+	return configFile.LoggedInUserEmail != ""
+}
+
 func RequireServiceToken() {
 	serviceToken := os.Getenv(INFISICAL_TOKEN_NAME)
 	if serviceToken == "" {
--- a/cli/packages/util/secrets.go
+++ b/cli/packages/util/secrets.go
@@ -427,6 +427,8 @@ func ExpandSecrets(secrets []models.SingleEnvironmentVariable, auth models.Expan
 					refSecs, err = GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, InfisicalToken: auth.InfisicalToken, SecretsPath: secPath}, projectConfigPathDir)
 				} else if auth.UniversalAuthAccessToken != "" {
 					refSecs, err = GetAllEnvironmentVariables((models.GetAllSecretsParameters{Environment: env, UniversalAuthAccessToken: auth.UniversalAuthAccessToken, SecretsPath: secPath, WorkspaceId: sec.WorkspaceId}), projectConfigPathDir)
+				} else if IsLoggedIn() {
+					refSecs, err = GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, SecretsPath: secPath}, projectConfigPathDir)
 				} else {
 					HandleError(errors.New("no authentication provided"), "Please provide authentication to fetch secrets")
 				}
--- a/docs/api-reference/endpoints/folders/delete.mdx
+++ b/docs/api-reference/endpoints/folders/delete.mdx
@@ -1,4 +1,4 @@
 ---
 title: "Delete"
-openapi: "DELETE /api/v1/folders/{folderId}"
+openapi: "DELETE /api/v1/folders/{folderIdOrName}"
 ---
--- a/docs/cli/usage.mdx
+++ b/docs/cli/usage.mdx
@@ -135,3 +135,38 @@ Another option to point the CLI to your self hosted Infisical instance is to set
 infisical <any-command> --domain="https://your-self-hosted-infisical.com/api"
 ```
 </Accordion>
+
+## History
+
+Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they'll stay there for a while.
+
+For security and privacy concerns, we recommend you to configure your terminal to ignore those specific Infisical commands.
+
+<Accordion title="Ignore commands">
+
+<Tabs>
+   <Tab title="Unix/Linux">
+      <Tip>
+        `$HOME/.profile` is pretty common but, you could place it under `$HOME/.profile.d/infisical.sh` or any profile file run at login 
+      </Tip>
+
+      ```bash
+      cat <<EOF >> $HOME/.profile && source $HOME/.profile
+
+      # Ignoring specific Infisical CLI commands
+      DEFAULT_HISTIGNORE=$HISTIGNORE
+      export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
+      EOF
+      ```
+
+   </Tab>
+   <Tab title="Windows">
+      If you're on WSL, then you can use the Unix/Linux method.
+
+      <Tip>
+        Here's some [documentation](https://superuser.com/a/1658331) about how to clear the terminal history, in PowerShell and CMD
+      </Tip>
+
+   </Tab>
+</Tabs>
+</Accordion>
--- a/docs/documentation/platform/secret-rotation/aws-iam.mdx
+++ b/docs/documentation/platform/secret-rotation/aws-iam.mdx
@@ -0,0 +1,143 @@
+---
+title: "AWS IAM User"
+description: "Rotated access key id and secret key of AWS IAM Users"
+---
+
+Infisical's AWS IAM User secret rotation capability lets you update the **Access key** and **Secret access key** credentials of a target IAM user from within Infisical
+at a specified interval or on-demand.
+
+## Workflow
+
+The typical workflow for using the AWS IAM User rotation strategy consists of four steps:
+
+1. Creating the target IAM user whose credentials you wish to rotate.
+2. Creating the managing IAM user used by Infisical to rotate the credentials of the target IAM user.
+3. Configuring the rotation strategy in Infisical with the credentials of the managing IAM user.
+4. Pressing the **Rotate** button in the Infisical dashboard to trigger the rotation of the target IAM user's credentials. The strategy can also be configured to rotate the credentials automatically at a specified interval.
+
+In the following steps, we explore the end-to-end workflow for setting up this strategy in Infisical.
+
+<Steps>
+	<Step title="Create the target IAM user">
+		To begin, create an IAM user whose credentials you wish to rotate. If you already have an IAM user,
+		then you can skip this step.
+	</Step>
+	<Step title="Create the managing IAM user">
+		Next, create another IAM user to be used by Infisical to rotate the credentials of the IAM user in the previous step.
+
+		2.1. In your AWS console, head to IAM > Access management > Users and press **Create user**.
+		
+		![iam user secret rotation create user](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-user.png)
+		
+		2.2. Next, give the user a username like **infisical-rotation-manager** and press **Next**.
+
+		![iam user secret rotation username](../../../images/platform/secret-rotation/aws-iam/rotation-manager-username.png)
+		
+		2.3. Next, in the **Set permissions** step, select **Attach policies directly** and then press **Create policy**.
+		
+		![iam user secret rotation create policy](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-policy.png)
+		
+		2.4. Next, in the **Policy editor**, paste the following JSON and press **Next**:
+
+		```json
+		{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+					"Sid": "VisualEditor0",
+					"Effect": "Allow",
+					"Action": [
+					"iam:DeleteAccessKey",
+					"iam:GetAccessKeyLastUsed",
+					"iam:CreateAccessKey"
+					],
+					"Resource": "*"
+				}
+			]
+		}
+		```
+
+		<Note>
+			The IAM policy above uses the wildcard option in Resource: "*".
+			
+			You may want to restrict the policy to a specific path, and make any adjustments as necessary, to control access for the managing user in production.
+			
+			Read more about this [here](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/).
+		</Note>
+		
+		In the **Review and create** step, give the policy a name like **infisical-rotation-manager**, press **Create policy** to finish creating the policy.
+		
+		![iam user secret rotation policy review](../../../images/platform/secret-rotation/aws-iam/rotation-manager-policy-review.png)
+
+		2.5. Back in the **Set permissions** step from step 2.3, refresh the policy list and search for the policy you just created from step 2.4.
+		
+		Select the policy and press **Next**.
+		
+		![iam user secret rotation attach policy](../../../images/platform/secret-rotation/aws-iam/rotation-manager-attach-policy.png)
+		
+		In the **Review and create** step, press **Create user** to finish creating the IAM user.
+		
+		![iam user secret rotation manager user review](../../../images/platform/secret-rotation/aws-iam/rotation-manager-user-review.png)
+		
+		2.5. Having created the user, head to its Security credentials > Access keys and press **Create access key**.
+
+		Follow the subsequent steps to create the **access key** and **secret access key** credential pair for the user.
+
+		![iam user secret rotation manager create access key](../../../images/platform/secret-rotation/aws-iam/rotation-manager-create-access-key.png)
+		
+		At the end of the flow, copy the **Access key** and **Secret access key** to use when configuring the AWS IAM User rotation strategy back in Infisical next.
+	
+		![iam user secret rotation manager access keys](../../../images/platform/secret-rotation/aws-iam/rotation-manager-access-keys.png)
+	</Step>
+	<Step title="Configure the AWS IAM User secret rotation strategy in Infisical">
+		3.1. Back in Infisical, head to the Project > Secrets > Environment and path where you want the rotated AWS IAM credentials to appear and create two placeholder secrets.
+		
+		In this example, we'll create two secrets called `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`.
+		
+		![iam user secret rotation secrets](../../../images/platform/secret-rotation/aws-iam/rotation-config-secrets.png)
+		
+		3.2. Next, in the **Secret Rotation** tab, press on the **AWS IAM** tile to configure the AWS IAM User rotation strategy.
+		
+		![iam user secret rotation select aws iam user method](../../../images/platform/secret-rotation/aws-iam/rotations-select-aws-iam-user.png)
+		
+		3.3. Input the configuration details for the AWS IAM User rotation strategy obtained from steps 1 and 2:
+		
+		![iam user secret rotation config 1](../../../images/platform/secret-rotation/aws-iam/rotation-config-1.png)
+		
+		Here's some guidance on each field:
+		
+		- Manager User Access Key: The managing IAM user's access key from step 2.5.
+		- Manager User Secret Key: The managing IAM user's secret access key from step 2.5.
+		- Manager User AWS Region: The [AWS region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) for Infisical to make requests to such as `us-east-1`.
+		- IAM Username: The IAM username of the user from step 1.
+		
+		Next, specify the output secret mappings configuration for the rotated AWS IAM credentials; this is the secrets whose values will be replaced with new credentials after each rotation.
+		Here, you can also specify a rotation interval for the credentials to be automatically rotated periodically.
+
+		In this example, we want to map the output of the rotated AWS IAM credentials to the secrets that we created in step 3.1 (i.e. `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`).
+		
+		![iam user secret rotation config 2](../../../images/platform/secret-rotation/aws-iam/rotation-config-2.png)
+		
+		Finally, press **Submit** to create the secret rotation strategy.
+	</Step>
+	<Step title="Rotate secrets in Infisical">
+		You should now see the AWS IAM User rotation strategy listed in the **Secret Rotation** tab.
+		
+		To manually trigger a rotation, you can press the **Rotate** button on the strategy.
+		Once triggered, the secrets in step 3.1 should be updated with new rotated credential values.
+		
+		![iam user secret rotations aws iam user](../../../images/platform/secret-rotation/aws-iam/rotations-aws-iam-user.png)
+	</Step>
+</Steps>
+
+**FAQ**
+
+<AccordionGroup>
+<Accordion title="Why are my AWS IAM credentials not rotating?">
+  There are a few reasons for why this might happen:
+  
+  - The strategy configuration is invalid (e.g. the managing IAM user's credentials are incorrect, the target IAM username is incorrect, etc.).
+  - The managing IAM user is insufficently permissioned to rotate the credentials of the target IAM user. For instance, you may have setup [paths](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) for the managing IAM user and the policy does not have the necessary permissions to rotate the credentials.
+  - The target IAM user already has 2 access keys configured in AWS; you should delete one of the access keys to allow for rotation.
+</Accordion>
+</AccordionGroup>
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-config-1.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-config-1.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-config-2.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-config-2.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-config-secrets.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-config-secrets.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-access-key-third-party.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-access-key-third-party.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-access-keys.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-access-keys.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-attach-policy.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-attach-policy.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-access-key.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-access-key.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-policy.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-policy.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-user.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-create-user.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-policy-review.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-policy-review.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-user-review.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-user-review.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotation-manager-username.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotation-manager-username.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotations-aws-iam-user.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotations-aws-iam-user.png
--- a/docs/images/platform/secret-rotation/aws-iam/rotations-select-aws-iam-user.png
+++ b/docs/images/platform/secret-rotation/aws-iam/rotations-select-aws-iam-user.png
--- a/docs/infisical-agent/overview.mdx
+++ b/docs/infisical-agent/overview.mdx
@@ -1,5 +1,6 @@
 ---
 title: "Overview"
+description: "This page describes how to manage secrets using Infisical Agent."
 ---

 Infisical Agent is a client daemon that simplifies the adoption of Infisical by providing a more scalable and user-friendly approach for applications to interact with Infisical.
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -39,32 +39,32 @@
    "name": "Start for Free",
    "url": "https://app.infisical.com/signup"
  },
-  "anchors": [
+  "tabs": [
    {
-      "name": "Internals",
-      "icon": "sitemap",
-      "url": "internals"
-    },
-    {
-      "name": "SDKs",
-      "icon": "puzzle-piece",
-      "url": "sdks"
+      "name": "Changelog",
+      "url": "changelog"
    },
    {
      "name": "API Reference",
-      "icon": "cloud",
      "url": "api-reference"
    },
    {
-      "name": "Changelog",
-      "icon": "timer",
-      "url": "changelog"
+      "name": "SDKs",
+      "url": "sdks"
    },
+    {
+      "name": "Contributing",
+      "url": "contributing"
+    }
+  ],
+  "anchors": [
+   
    {
      "name": "Contributing",
      "icon": "code",
      "url": "contributing"
    },
+    
    {
      "name": "Blog",
      "icon": "newspaper",
@@ -79,6 +79,11 @@
      "name": "GitHub",
      "icon": "github",
      "url": "https://github.com/Infisical/infisical"
+    },
+    {
+      "name": "Internals",
+      "icon": "sitemap",
+      "url": "internals"
    }
  ],
  "navigation": [
@@ -134,7 +139,8 @@
            "documentation/platform/secret-rotation/overview",
            "documentation/platform/secret-rotation/sendgrid",
            "documentation/platform/secret-rotation/postgres",
-            "documentation/platform/secret-rotation/mysql"
+            "documentation/platform/secret-rotation/mysql",
+            "documentation/platform/secret-rotation/aws-iam"
          ]
        },
        {
@@ -158,14 +164,6 @@
            "documentation/platform/ldap/general"
          ]
        },
-        {
-          "group": "LDAP",
-          "pages": [
-            "documentation/platform/ldap/overview",
-            "documentation/platform/ldap/jumpcloud",
-            "documentation/platform/ldap/general"
-          ]
-        },
        {
          "group": "SCIM",
          "pages": [
@@ -363,7 +361,18 @@
    },
    {
      "group": "Overview",
-      "pages": ["sdks/overview"]
+      "pages": [
+        "sdks/overview"
+      ]
+    }, 
+    {
+      "group": "SDK's",
+      "pages": [
+        "sdks/languages/node",
+        "sdks/languages/python",
+        "sdks/languages/java",
+        "sdks/languages/csharp"
+      ]
    },
    {
      "group": "Overview",
--- a/docs/sdks/languages/csharp.mdx
+++ b/docs/sdks/languages/csharp.mdx
@@ -1,6 +1,7 @@
 ---
 title: "Infisical .NET SDK"
-icon: "C#"
+sidebarTitle: ".NET"
+icon: "bars"
 ---

 If you're working with C#, the official [Infisical C# SDK](https://github.com/Infisical/sdk/tree/main/languages/csharp) package is the easiest way to fetch and work with secrets for your application.
--- a/docs/sdks/languages/java.mdx
+++ b/docs/sdks/languages/java.mdx
@@ -1,5 +1,6 @@
 ---
 title: "Infisical Java SDK"
+sidebarTitle: "Java"
 icon: "java"
 ---

--- a/docs/sdks/languages/node.mdx
+++ b/docs/sdks/languages/node.mdx
@@ -1,5 +1,6 @@
 ---
 title: "Infisical Node.js SDK"
+sidebarTitle: "Node.js"
 icon: "node"
 ---

--- a/docs/sdks/languages/python.mdx
+++ b/docs/sdks/languages/python.mdx
@@ -1,5 +1,6 @@
 ---
 title: "Infisical Python SDK"
+sidebarTitle: "Python"
 icon: "python"
 ---

--- a/frontend/public/images/secretRotation/aws-iam.svg
+++ b/frontend/public/images/secretRotation/aws-iam.svg
@@ -0,0 +1 @@
+<svg width="1306" height="2500" viewBox="0 0 256 490" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M21 165.75l-21 6.856 21.75 2.519-.75-9.375M19.955 206.806L128 213.714l108.045-6.908L128 185.75 19.955 206.806M234.5 175.125l21.5-2.519-21.5-5.731v8.25" fill="#3C4929"/><path d="M157.387 352.929l56.606 13.396-56.756 17.116.15-30.512" fill="#B7CA9D"/><path d="M19.955 92.221V54.019L128 0l.482.405-.248 48.496-.234.102-.405 1.117-59.098 23.856-.542 84.037 31.452-5.29L128 147.002V490.03l-32.369-16.177v-45.771l-28.354-11.338V202.069l-47.322 4.737v-38.195L0 172.606v-72.408l19.955-7.977" fill="#4B612C"/><path d="M99.408 152.727l-32.131 6.424V73.28l32.131 10.018v69.429M183.925 27.959l52.106 26.06v38.202L256 100.198V172.6l-19.969-3.989v38.195l-25.441-2.538-21.881-2.199v42.939h47.336v39.284l-21.997 1.974v39.611l-53.692 10.672v45.77l53.57-15.899.122 40.38-53.692 21.282v45.771L128 490.03V147.002l28.572 5.71 30.583 4.038V73.966l-58.338-22.498-.817-2.465V0l55.925 27.959" fill="#759C3E"/><path d="M160.356 61.941L128 49.01 67.277 73.28l32.131 10.018 60.948-21.357" fill="#3C4929"/><path d="M67.277 73.28L128 49.01l12.775 5.104 19.581 7.827 28.353 11.353-1.515 1.541-28.876 8.991-1.74-.528L128 73.28 99.408 83.298 67.277 73.28" fill="#3C4929"/><path d="M156.578 83.298l32.131-10.004v85.864l-32.131-6.446V83.298" fill="#4B612C"/></svg>
--- a/frontend/src/components/navigation/NavHeader.tsx
+++ b/frontend/src/components/navigation/NavHeader.tsx
@@ -56,18 +56,20 @@ export default function NavHeader({

  return (
    <div className="flex flex-row items-center pt-6">
-      <div className="mr-2 flex h-5 w-5 items-center justify-center rounded-md bg-primary text-sm text-black">
+      <div className="mr-2 flex h-5 w-5 items-center justify-center rounded-md bg-primary text-sm text-black min-w-[1.25rem]">
        {currentOrg?.name?.charAt(0)}
      </div>
      <Link passHref legacyBehavior href={`/org/${currentOrg?.id}/overview`}>
-        <a className="pl-0.5 text-sm font-semibold text-primary/80 hover:text-primary">
+        <a className="truncate pl-0.5 text-sm font-semibold text-primary/80 hover:text-primary">
          {currentOrg?.name}
        </a>
      </Link>
      {isProjectRelated && (
        <>
          <FontAwesomeIcon icon={faAngleRight} className="ml-3 mr-3 text-xs text-gray-400" />
-          <div className="text-sm font-semibold text-bunker-300">{currentWorkspace?.name}</div>
+          <div className="truncate text-sm font-semibold text-bunker-300">
+            {currentWorkspace?.name}
+          </div>
        </>
      )}
      {isOrganizationRelated && (
--- a/frontend/src/components/signup/UserInfoStep.tsx
+++ b/frontend/src/components/signup/UserInfoStep.tsx
@@ -245,6 +245,7 @@ export default function UserInfoStep({
            placeholder="Infisical"
            onChange={(e) => setOrganizationName(e.target.value)}
            value={organizationName}
+            maxLength={64}
            isRequired
            className="h-12"
          />
--- a/frontend/src/components/v2/Popoverv2/Popoverv2.tsx
+++ b/frontend/src/components/v2/Popoverv2/Popoverv2.tsx
@@ -12,6 +12,7 @@ export const Popover = PopoverPrimitive.Root;

 export type PopoverContentProps = {
  children?: ReactNode;
+  arrowClassName?: string;
  hideCloseBtn?: boolean;
 } & PopoverPrimitive.PopoverContentProps;

@@ -19,6 +20,7 @@ export const PopoverContent = ({
  children,
  className,
  hideCloseBtn,
+  arrowClassName,
  ...props
 }: PopoverContentProps) => (
  <PopoverPrimitive.Portal>
@@ -48,7 +50,7 @@ export const PopoverContent = ({
          </IconButton>
        </PopoverPrimitive.Close>
      )}
-      <PopoverPrimitive.Arrow className="fill-inherit" />
+      <PopoverPrimitive.Arrow className={twMerge("fill-inherit", arrowClassName)} />
    </PopoverPrimitive.Content>
  </PopoverPrimitive.Portal>
 );
--- a/frontend/src/hooks/api/identities/types.ts
+++ b/frontend/src/hooks/api/identities/types.ts
@@ -1,4 +1,4 @@
-import { TOrgRole, TProjectRole } from "../roles/types";
+import { TOrgRole } from "../roles/types";
 import { IdentityAuthMethod } from "./enums";

 export type IdentityTrustedIp = {
@@ -29,9 +29,18 @@ export type IdentityMembershipOrg = {
 export type IdentityMembership = {
  id: string;
  identity: Identity;
-  organization: string;
-  role: "admin" | "member" | "viewer" | "no-access" | "custom";
-  customRole?: TProjectRole;
+  roles: {
+    id: string;
+    role: "owner" | "admin" | "member" | "no-access" | "custom";
+    customRoleId: string;
+    customRoleName: string;
+    customRoleSlug: string;
+    isTemporary: boolean;
+    temporaryMode: string | null;
+    temporaryRange: string | null;
+    temporaryAccessStartTime: string | null;
+    temporaryAccessEndTime: string | null;
+  }[];
  createdAt: string;
  updatedAt: string;
 };
--- a/frontend/src/hooks/api/users/types.ts
+++ b/frontend/src/hooks/api/users/types.ts
@@ -64,7 +64,33 @@ export type TProjectMembership = {
  roleId: string;
 };

-export type TWorkspaceUser = OrgUser;
+export type TWorkspaceUser = {
+  id: string;
+  user: {
+    email: string;
+    username: string;
+    firstName: string;
+    lastName: string;
+    id: string;
+    publicKey: string;
+  };
+  inviteEmail: string;
+  organization: string;
+  roles: {
+    id: string;
+    role: "owner" | "admin" | "member" | "no-access" | "custom";
+    customRoleId: string;
+    customRoleName: string;
+    customRoleSlug: string;
+    isTemporary: boolean;
+    temporaryMode: string | null;
+    temporaryRange: string | null;
+    temporaryAccessStartTime: string | null;
+    temporaryAccessEndTime: string | null;
+  }[];
+  status: "invited" | "accepted" | "verified" | "completed";
+  deniedPermissions: any[];
+};

 export type AddUserToWsDTOE2EE = {
  workspaceId: string;
--- a/frontend/src/hooks/api/workspace/queries.tsx
+++ b/frontend/src/hooks/api/workspace/queries.tsx
@@ -16,6 +16,8 @@ import {
  RenameWorkspaceDTO,
  TGetUpgradeProjectStatusDTO,
  ToggleAutoCapitalizationDTO,
+  TUpdateWorkspaceIdentityRoleDTO,
+  TUpdateWorkspaceUserRoleDTO,
  UpdateEnvironmentDTO,
  Workspace
 } from "./types";
@@ -340,27 +342,19 @@ export const useDeleteUserFromWorkspace = () => {
 export const useUpdateUserWorkspaceRole = () => {
  const queryClient = useQueryClient();
  return useMutation({
-    mutationFn: async ({
-      membershipId,
-      role,
-      workspaceId
-    }: {
-      membershipId: string;
-      role: string;
-      workspaceId: string;
-    }) => {
+    mutationFn: async ({ membershipId, roles, workspaceId }: TUpdateWorkspaceUserRoleDTO) => {
      const {
        data: { membership }
      } = await apiRequest.patch<{ membership: { projectId: string } }>(
        `/api/v1/workspace/${workspaceId}/memberships/${membershipId}`,
        {
-          role
+          roles
        }
      );
      return membership;
    },
-    onSuccess: (res) => {
-      queryClient.invalidateQueries(workspaceKeys.getWorkspaceUsers(res.projectId));
+    onSuccess: (_, { workspaceId }) => {
+      queryClient.invalidateQueries(workspaceKeys.getWorkspaceUsers(workspaceId));
    }
  });
 };
@@ -400,18 +394,14 @@ export const useUpdateIdentityWorkspaceRole = () => {
    mutationFn: async ({
      identityId,
      workspaceId,
-      role
-    }: {
-      identityId: string;
-      workspaceId: string;
-      role?: string;
-    }) => {
+      roles
+    }:TUpdateWorkspaceIdentityRoleDTO)=> {
      const {
        data: { identityMembership }
      } = await apiRequest.patch(
        `/api/v2/workspace/${workspaceId}/identity-memberships/${identityId}`,
        {
-          role
+          roles
        }
      );

--- a/frontend/src/hooks/api/workspace/types.ts
+++ b/frontend/src/hooks/api/workspace/types.ts
@@ -3,6 +3,10 @@ export enum ProjectVersion {
  V2 = 2
 }

+export enum ProjectUserMembershipTemporaryMode {
+  Relative = "relative"
+}
+
 export type Workspace = {
  __v: number;
  id: string;
@@ -72,3 +76,39 @@ export type UpdateEnvironmentDTO = {
 };

 export type DeleteEnvironmentDTO = { workspaceId: string; id: string };
+
+export type TUpdateWorkspaceUserRoleDTO = {
+  membershipId: string;
+  workspaceId: string;
+  roles: (
+    | {
+      role: string;
+      isTemporary?: false;
+    }
+    | {
+      role: string;
+      isTemporary: true;
+      temporaryMode: ProjectUserMembershipTemporaryMode;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }
+  )[];
+};
+
+export type TUpdateWorkspaceIdentityRoleDTO = {
+  identityId: string;
+  workspaceId: string;
+  roles: (
+    | {
+      role: string;
+      isTemporary?: false;
+    }
+    | {
+      role: string;
+      isTemporary: true;
+      temporaryMode: ProjectUserMembershipTemporaryMode;
+      temporaryRange: string;
+      temporaryAccessStartTime: string;
+    }
+  )[];
+};
--- a/frontend/src/layouts/AppLayout/AppLayout.tsx
+++ b/frontend/src/layouts/AppLayout/AppLayout.tsx
@@ -28,6 +28,7 @@ import {
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { yupResolver } from "@hookform/resolvers/yup";
 import { DropdownMenuTrigger } from "@radix-ui/react-dropdown-menu";
+import { twMerge } from "tailwind-merge";
 import * as yup from "yup";

 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
@@ -99,7 +100,7 @@ const supportOptions = [
 ];

 const formSchema = yup.object({
-  name: yup.string().required().label("Project Name").trim(),
+  name: yup.string().required().label("Project Name").trim().max(64, "Too long, maximum length is 64 characters"),
  addMembers: yup.bool().required().label("Add Members")
 });

@@ -273,13 +274,16 @@ export const AppLayout = ({ children }: LayoutProps) => {
                      </Link>
                    )}
                    <DropdownMenu>
-                      <DropdownMenuTrigger asChild className="data-[state=open]:bg-mineshaft-600">
+                      <DropdownMenuTrigger
+                        asChild
+                        className="max-w-[160px] data-[state=open]:bg-mineshaft-600"
+                      >
                        <div className="mr-auto flex items-center rounded-md py-1.5 pl-1.5 pr-2 hover:bg-mineshaft-600">
-                          <div className="flex h-5 w-5 items-center justify-center rounded-md bg-primary text-sm">
+                          <div className="flex h-5 w-5 min-w-[20px] items-center justify-center rounded-md bg-primary text-sm">
                            {currentOrg?.name.charAt(0)}
                          </div>
                          <div
-                            className="overflow-hidden text-ellipsis pl-2 text-sm text-mineshaft-100"
+                            className="overflow-hidden truncate text-ellipsis pl-2 text-sm text-mineshaft-100"
                            style={{ maxWidth: "140px" }}
                          >
                            {currentOrg?.name}
@@ -323,7 +327,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                                  )
                                }
                              >
-                                <div className="flex w-full items-center justify-between">
+                                <div className="flex w-full max-w-[150px] items-center justify-between truncate">
                                  {org.name}
                                </div>
                              </Button>
@@ -422,7 +426,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                      <Select
                        defaultValue={currentWorkspace?.id}
                        value={currentWorkspace?.id}
-                        className="w-full truncate bg-mineshaft-600 py-2.5 font-medium"
+                        className="w-full [&>*:first-child]:truncate bg-mineshaft-600 py-2.5 font-medium"
                        onValueChange={(value) => {
                          router.push(`/project/${value}/secrets/overview`);
                          localStorage.setItem("projectData.id", value);
@@ -437,7 +441,10 @@ export const AppLayout = ({ children }: LayoutProps) => {
                              <SelectItem
                                key={`ws-layout-list-${id}`}
                                value={id}
-                                className={`${currentWorkspace?.id === id && "bg-mineshaft-600"}`}
+                                className={twMerge(
+                                  currentWorkspace?.id === id && "bg-mineshaft-600",
+                                  "truncate"
+                                )}
                              >
                                {name}
                              </SelectItem>
--- a/frontend/src/lib/fn/array.ts
+++ b/frontend/src/lib/fn/array.ts
@@ -0,0 +1,15 @@
+/**
+ * Sorts an array of items into groups. The return value is a map where the keys are
+ * the group ids the given getGroupId function produced and the value is an array of
+ * each item in that group.
+ */
+export const groupBy = <T, Key extends string | number | symbol>(
+	array: readonly T[],
+	getGroupId: (item: T) => Key
+): Record<Key, T[]> =>
+	array.reduce((acc, item) => {
+		const groupId = getGroupId(item);
+		if (!acc[groupId]) acc[groupId] = [];
+		acc[groupId].push(item);
+		return acc;
+	}, {} as Record<Key, T[]>);
--- a/frontend/src/pages/org/[id]/overview/index.tsx
+++ b/frontend/src/pages/org/[id]/overview/index.tsx
@@ -453,7 +453,7 @@ const LearningItemSquare = ({
 };

 const formSchema = yup.object({
-  name: yup.string().required().label("Project Name").trim(),
+  name: yup.string().required().label("Project Name").trim().max(64, "Too long, maximum length is 64 characters"),
  addMembers: yup.bool().required().label("Add Members")
 });

@@ -633,7 +633,7 @@ const OrganizationPage = withPermission(
                  key={workspace.id}
                  className="min-w-72 flex h-40 flex-col justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-4"
                >
-                  <div className="mt-0 text-lg text-mineshaft-100">{workspace.name}</div>
+                  <div className="mt-0 truncate text-lg text-mineshaft-100">{workspace.name}</div>
                  <div className="mt-0 pb-6 text-sm text-mineshaft-300">
                    {workspace.environments?.length || 0} environments
                  </div>
--- a/frontend/src/views/Project/MembersPage/MembersPage.tsx
+++ b/frontend/src/views/Project/MembersPage/MembersPage.tsx
@@ -5,12 +5,7 @@ import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { withProjectPermission } from "@app/hoc";

-import {
-  IdentityTab,
-  MemberListTab,
-  ProjectRoleListTab,
-  ServiceTokenTab
-} from "./components";
+import { IdentityTab, MemberListTab, ProjectRoleListTab, ServiceTokenTab } from "./components";

 enum TabSections {
  Member = "members",
@@ -23,19 +18,14 @@ export const MembersPage = withProjectPermission(
  () => {
    return (
      <div className="container mx-auto flex flex-col justify-between bg-bunker-800 text-white">
-        <div className="mb-6 w-full py-6 px-6 max-w-7xl mx-auto">
-          <p className="mr-4 mb-4 text-3xl font-semibold text-white">
-            Project Access Control
-          </p>
+        <div className="mx-auto mb-6 w-full max-w-7xl py-6 px-6">
+          <p className="mr-4 mb-4 text-3xl font-semibold text-white">Project Access Control</p>
          <Tabs defaultValue={TabSections.Member}>
            <TabList>
              <Tab value={TabSections.Member}>People</Tab>
              <Tab value={TabSections.Identities}>
                <div className="flex items-center">
                  <p>Machine Identities</p>
-                  <div className="ml-2 rounded-md text-yellow text-sm inline-block bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] opacity-80 hover:opacity-100 cursor-default">
-                    New
-                  </div>
                </div>
              </Tab>
              <Tab value={TabSections.ServiceTokens}>Service Tokens</Tab>
--- a/frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentitySection/IdentityRoles.tsx
+++ b/frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentitySection/IdentityRoles.tsx
@@ -0,0 +1,459 @@
+import { useState } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { faCheck, faClock, faEdit, faSearch } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { twMerge } from "tailwind-merge";
+import { z } from "zod";
+
+import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import {
+  Button,
+  Checkbox,
+  FormControl,
+  HoverCard,
+  HoverCardContent,
+  HoverCardTrigger,
+  IconButton,
+  Input,
+  Popover,
+  PopoverContent,
+  PopoverTrigger,
+  Spinner,
+  Tag,
+  Tooltip
+} from "@app/components/v2";
+import { useWorkspace } from "@app/context";
+import { usePopUp } from "@app/hooks";
+import { useGetProjectRoles, useUpdateIdentityWorkspaceRole } from "@app/hooks/api";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { TWorkspaceUser } from "@app/hooks/api/types";
+import { ProjectUserMembershipTemporaryMode } from "@app/hooks/api/workspace/types";
+import { groupBy } from "@app/lib/fn/array";
+
+const temporaryRoleFormSchema = z.object({
+  temporaryRange: z.string().min(1, "Required")
+});
+
+type TTemporaryRoleFormSchema = z.infer<typeof temporaryRoleFormSchema>;
+
+type TTemporaryRoleFormProps = {
+  temporaryConfig?: {
+    isTemporary?: boolean;
+    temporaryAccessEndTime?: string | null;
+    temporaryAccessStartTime?: string | null;
+    temporaryRange?: string | null;
+  };
+  onSetTemporary: (data: { temporaryRange: string; temporaryAccessStartTime?: string }) => void;
+  onRemoveTemporary: () => void;
+};
+
+const IdentityTemporaryRoleForm = ({
+  temporaryConfig: defaultValues = {},
+  onSetTemporary,
+  onRemoveTemporary
+}: TTemporaryRoleFormProps) => {
+  const { popUp, handlePopUpToggle } = usePopUp(["setTempRole"] as const);
+  const { control, handleSubmit } = useForm<TTemporaryRoleFormSchema>({
+    resolver: zodResolver(temporaryRoleFormSchema),
+    values: {
+      temporaryRange: defaultValues.temporaryRange || "1h"
+    }
+  });
+  const isTemporaryFieldValue = defaultValues.isTemporary;
+  const isExpired =
+    isTemporaryFieldValue && new Date() > new Date(defaultValues.temporaryAccessEndTime || "");
+
+  return (
+    <Popover
+      open={popUp.setTempRole.isOpen}
+      onOpenChange={(isOpen) => {
+        handlePopUpToggle("setTempRole", isOpen);
+      }}
+    >
+      <PopoverTrigger>
+        <IconButton ariaLabel="role-temp" variant="plain" size="md">
+          <Tooltip content={isExpired ? "Access Expired" : "Grant Temporary Access"}>
+            <FontAwesomeIcon
+              icon={faClock}
+              className={twMerge(
+                isTemporaryFieldValue && "text-primary",
+                isExpired && "text-red-600"
+              )}
+            />
+          </Tooltip>
+        </IconButton>
+      </PopoverTrigger>
+      <PopoverContent
+        arrowClassName="fill-gray-600"
+        side="right"
+        sideOffset={12}
+        hideCloseBtn
+        className="border border-gray-600 pt-4"
+      >
+        <div className="flex flex-col space-y-4">
+          <div className="border-b border-b-gray-700 pb-2 text-sm text-mineshaft-300">
+            Set Role Temporarily
+          </div>
+          {isExpired && <Tag colorSchema="red">Expired</Tag>}
+          <Controller
+            control={control}
+            name="temporaryRange"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Validity"
+                isError={Boolean(error?.message)}
+                errorText={error?.message}
+                helperText={
+                  <span>
+                    1m, 2h, 3d.{" "}
+                    <a
+                      href="https://github.com/vercel/ms?tab=readme-ov-file#examples"
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="text-primary-700"
+                    >
+                      More
+                    </a>
+                  </span>
+                }
+              >
+                <Input {...field} />
+              </FormControl>
+            )}
+          />
+          <div className="flex items-center space-x-2">
+            {isTemporaryFieldValue && (
+              <Button
+                size="xs"
+                type="submit"
+                onClick={() => {
+                  handleSubmit(({ temporaryRange }) => {
+                    onSetTemporary({
+                      temporaryRange,
+                      temporaryAccessStartTime: new Date().toISOString()
+                    });
+                    handlePopUpToggle("setTempRole");
+                  })();
+                }}
+              >
+                Restart
+              </Button>
+            )}
+            {!isTemporaryFieldValue ? (
+              <Button
+                size="xs"
+                type="submit"
+                onClick={() =>
+                  handleSubmit(({ temporaryRange }) => {
+                    onSetTemporary({
+                      temporaryRange,
+                      temporaryAccessStartTime:
+                        defaultValues.temporaryAccessStartTime || new Date().toISOString()
+                    });
+                    handlePopUpToggle("setTempRole");
+                  })()
+                }
+              >
+                Grant access
+              </Button>
+            ) : (
+              <Button
+                size="xs"
+                variant="outline_bg"
+                colorSchema="danger"
+                onClick={() => {
+                  onRemoveTemporary();
+                  handlePopUpToggle("setTempRole");
+                }}
+              >
+                Revoke Access
+              </Button>
+            )}
+          </div>
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+};
+
+const formSchema = z.record(
+  z.object({
+    isChecked: z.boolean().optional(),
+    temporaryAccess: z.union([
+      z.object({
+        isTemporary: z.literal(true),
+        temporaryRange: z.string().min(1),
+        temporaryAccessStartTime: z.string().datetime(),
+        temporaryAccessEndTime: z.string().datetime().nullable().optional()
+      }),
+      z.boolean()
+    ])
+  })
+);
+type TForm = z.infer<typeof formSchema>;
+
+export type TMemberRolesProp = {
+  disableEdit?: boolean;
+  identityId: string;
+  roles: TWorkspaceUser["roles"];
+};
+
+const MAX_ROLES_TO_BE_SHOWN_IN_TABLE = 2;
+
+export const IdentityRoles = ({
+  roles = [],
+  disableEdit = false,
+  identityId
+}: TMemberRolesProp) => {
+  const { currentWorkspace } = useWorkspace();
+  const { createNotification } = useNotificationContext();
+  const { popUp, handlePopUpToggle } = usePopUp(["editRole"] as const);
+  const [searchRoles, setSearchRoles] = useState("");
+
+  const {
+    handleSubmit,
+    control,
+    reset,
+    setValue,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema)
+  });
+
+  const workspaceId = currentWorkspace?.id || "";
+
+  const { data: projectRoles, isLoading: isRolesLoading } = useGetProjectRoles(workspaceId);
+  const userRolesGroupBySlug = groupBy(roles, ({ customRoleSlug, role }) => customRoleSlug || role);
+
+  const updateIdentityWorkspaceRole = useUpdateIdentityWorkspaceRole();
+
+  const handleRoleUpdate = async (data: TForm) => {
+    const selectedRoles = Object.keys(data)
+      .filter((el) => Boolean(data[el].isChecked))
+      .map((el) => {
+        const isTemporary = Boolean(data[el].temporaryAccess);
+        if (!isTemporary) {
+          return { role: el, isTemporary: false as const };
+        }
+
+        const tempCfg = data[el].temporaryAccess as {
+          temporaryRange: string;
+          temporaryAccessStartTime: string;
+        };
+
+        return {
+          role: el,
+          isTemporary: true as const,
+          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+          temporaryRange: tempCfg.temporaryRange,
+          temporaryAccessStartTime: tempCfg.temporaryAccessStartTime
+        };
+      });
+
+    try {
+      await updateIdentityWorkspaceRole.mutateAsync({
+        workspaceId,
+        identityId,
+        roles: selectedRoles
+      });
+      createNotification({ text: "Successfully updated identity role", type: "success" });
+      handlePopUpToggle("editRole");
+      setSearchRoles("");
+    } catch (err) {
+      createNotification({ text: "Failed to update identity role", type: "error" });
+    }
+  };
+
+  const formatRoleName = (role: string, customRoleName?: string) => {
+    if (role === ProjectMembershipRole.Custom) return customRoleName;
+    if (role === ProjectMembershipRole.Member) return "Developer";
+    return role;
+  };
+
+  return (
+    <div className="flex items-center space-x-2">
+      {roles
+        .slice(0, MAX_ROLES_TO_BE_SHOWN_IN_TABLE)
+        .map(({ role, customRoleName, id, isTemporary, temporaryAccessEndTime }) => {
+          const isExpired = new Date() > new Date(temporaryAccessEndTime || ("" as string));
+          return (
+            <Tag key={id} className="capitalize">
+              <div className="flex items-center space-x-2">
+                <div>{formatRoleName(role, customRoleName)}</div>
+                {isTemporary && (
+                  <div>
+                    <Tooltip content={isExpired ? "Expired Temporary Access" : "Temporary Access"}>
+                      <FontAwesomeIcon
+                        icon={faClock}
+                        className={twMerge(isExpired && "text-red-600")}
+                      />
+                    </Tooltip>
+                  </div>
+                )}
+              </div>
+            </Tag>
+          );
+        })}
+      {roles.length > MAX_ROLES_TO_BE_SHOWN_IN_TABLE && (
+        <HoverCard>
+          <HoverCardTrigger>
+            <Tag>+{roles.length - MAX_ROLES_TO_BE_SHOWN_IN_TABLE}</Tag>
+          </HoverCardTrigger>
+          <HoverCardContent className="border border-gray-700 bg-mineshaft-800 p-4">
+            {roles
+              .slice(MAX_ROLES_TO_BE_SHOWN_IN_TABLE)
+              .map(({ role, customRoleName, id, isTemporary, temporaryAccessEndTime }) => {
+                const isExpired = new Date() > new Date(temporaryAccessEndTime || ("" as string));
+                return (
+                  <Tag key={id} className="capitalize">
+                    <div className="flex items-center space-x-2">
+                      <div>{formatRoleName(role, customRoleName)}</div>
+                      {isTemporary && (
+                        <div>
+                          <Tooltip
+                            content={isExpired ? "Expired Temporary Access" : "Temporary Access"}
+                          >
+                            <FontAwesomeIcon
+                              icon={faClock}
+                              className={twMerge(
+                                new Date() > new Date(temporaryAccessEndTime as string) &&
+                                "text-red-600"
+                              )}
+                            />
+                          </Tooltip>
+                        </div>
+                      )}
+                    </div>
+                  </Tag>
+                );
+              })}{" "}
+          </HoverCardContent>
+        </HoverCard>
+      )}
+      <div>
+        <Popover
+          open={popUp.editRole.isOpen}
+          onOpenChange={(isOpen) => {
+            handlePopUpToggle("editRole", isOpen);
+            reset();
+          }}
+        >
+          {!disableEdit && (
+            <PopoverTrigger>
+              <IconButton size="sm" variant="plain" ariaLabel="update">
+                <FontAwesomeIcon icon={faEdit} />
+              </IconButton>
+            </PopoverTrigger>
+          )}
+          <PopoverContent hideCloseBtn className="pt-4">
+            {isRolesLoading ? (
+              <div className="flex h-8 w-full items-center justify-center">
+                <Spinner />
+              </div>
+            ) : (
+              <form onSubmit={handleSubmit(handleRoleUpdate)} id="role-update-form">
+                <div className="thin-scrollbar max-h-80 space-y-4 overflow-y-auto">
+                  {projectRoles
+                    ?.filter(
+                      ({ name, slug }) =>
+                        name.toLowerCase().includes(searchRoles.toLowerCase()) ||
+                        slug.toLowerCase().includes(searchRoles.toLowerCase())
+                    )
+                    ?.map(({ id, name, slug }) => {
+                      const userProjectRoleDetails = userRolesGroupBySlug?.[slug]?.[0];
+
+                      return (
+                        <div key={id} className="flex items-center space-x-4">
+                          <div className="flex-grow">
+                            <Controller
+                              control={control}
+                              defaultValue={Boolean(userProjectRoleDetails?.id)}
+                              name={`${slug}.isChecked`}
+                              render={({ field }) => (
+                                <Checkbox
+                                  id={slug}
+                                  isChecked={field.value}
+                                  onCheckedChange={(isChecked) => {
+                                    field.onChange(isChecked);
+                                    setValue(`${slug}.temporaryAccess`, false);
+                                  }}
+                                >
+                                  {name}
+                                </Checkbox>
+                              )}
+                            />
+                          </div>
+                          <div>
+                            <Controller
+                              control={control}
+                              name={`${slug}.temporaryAccess`}
+                              defaultValue={
+                                userProjectRoleDetails?.isTemporary
+                                  ? {
+                                    isTemporary: true,
+                                    temporaryAccessStartTime:
+                                      userProjectRoleDetails.temporaryAccessStartTime as string,
+                                    temporaryRange:
+                                      userProjectRoleDetails.temporaryRange as string,
+                                    temporaryAccessEndTime:
+                                      userProjectRoleDetails.temporaryAccessEndTime
+                                  }
+                                  : false
+                              }
+                              render={({ field }) => (
+                                <IdentityTemporaryRoleForm
+                                  temporaryConfig={
+                                    typeof field.value === "boolean"
+                                      ? { isTemporary: field.value }
+                                      : field.value
+                                  }
+                                  onSetTemporary={(data) => {
+                                    setValue(`${slug}.isChecked`, true, { shouldDirty: true });
+                                    console.log(data);
+                                    field.onChange({ isTemporary: true, ...data });
+                                  }}
+                                  onRemoveTemporary={() => {
+                                    setValue(`${slug}.isChecked`, false, { shouldDirty: true });
+                                    field.onChange(false);
+                                  }}
+                                />
+                              )}
+                            />
+                          </div>
+                        </div>
+                      );
+                    })}
+                </div>
+                <div className="mt-3 flex items-center space-x-2 border-t border-t-gray-700 pt-3">
+                  <div>
+                    <Input
+                      className="w-full p-1.5 pl-8"
+                      size="xs"
+                      value={searchRoles}
+                      onChange={(el) => setSearchRoles(el.target.value)}
+                      leftIcon={<FontAwesomeIcon icon={faSearch} />}
+                      placeholder="Search roles.."
+                    />
+                  </div>
+                  <div>
+                    <Button
+                      size="xs"
+                      type="submit"
+                      form="role-update-form"
+                      leftIcon={<FontAwesomeIcon icon={faCheck} />}
+                      isDisabled={!isDirty || isSubmitting}
+                      isLoading={isSubmitting}
+                    >
+                      Save
+                    </Button>
+                  </div>
+                </div>
+              </form>
+            )}
+          </PopoverContent>
+        </Popover>
+      </div>
+    </div>
+  );
+};
--- a/frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentitySection/IdentityTable.tsx
+++ b/frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentitySection/IdentityTable.tsx
@@ -2,13 +2,10 @@ import { faServer, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { format } from "date-fns";

-import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
  EmptyState,
  IconButton,
-  Select,
-  SelectItem,
  Table,
  TableContainer,
  TableSkeleton,
@@ -19,13 +16,11 @@ import {
  Tr
 } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
-import {
-  useGetProjectRoles,
-  useGetWorkspaceIdentityMemberships,
-  useUpdateIdentityWorkspaceRole
-} from "@app/hooks/api";
+import { useGetWorkspaceIdentityMemberships } from "@app/hooks/api";
 import { UsePopUpState } from "@app/hooks/usePopUp";

+import { IdentityRoles } from "./IdentityRoles";
+
 type Props = {
  handlePopUpOpen: (
    popUpName: keyof UsePopUpState<["deleteIdentity", "identity"]>,
@@ -37,39 +32,9 @@ type Props = {
 };

 export const IdentityTable = ({ handlePopUpOpen }: Props) => {
-  const { createNotification } = useNotificationContext();
  const { currentWorkspace } = useWorkspace();
-  const workspaceId = currentWorkspace?.id || "";
  const { data, isLoading } = useGetWorkspaceIdentityMemberships(currentWorkspace?.id || "");

-  const { data: roles } = useGetProjectRoles(workspaceId);
-
-  const { mutateAsync: updateMutateAsync } = useUpdateIdentityWorkspaceRole();
-
-  const handleChangeRole = async ({ identityId, role }: { identityId: string; role: string }) => {
-    try {
-      await updateMutateAsync({
-        identityId,
-        workspaceId,
-        role
-      });
-
-      createNotification({
-        text: "Successfully updated identity role",
-        type: "success"
-      });
-    } catch (err) {
-      console.error(err);
-      const error = err as any;
-      const text = error?.response?.data?.message ?? "Failed to update identity role";
-
-      createNotification({
-        text,
-        type: "error"
-      });
-    }
-  };
-
  return (
    <TableContainer>
      <Table>
@@ -86,7 +51,7 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
          {!isLoading &&
            data &&
            data.length > 0 &&
-            data.map(({ identity: { id, name }, role, customRole, createdAt }) => {
+            data.map(({ identity: { id, name }, roles, createdAt }) => {
              return (
                <Tr className="h-10" key={`st-v3-${id}`}>
                  <Td>{name}</Td>
@@ -95,28 +60,9 @@ export const IdentityTable = ({ handlePopUpOpen }: Props) => {
                      I={ProjectPermissionActions.Edit}
                      a={ProjectPermissionSub.Identity}
                    >
-                      {(isAllowed) => {
-                        return (
-                          <Select
-                            value={role === "custom" ? (customRole?.slug as string) : role}
-                            isDisabled={!isAllowed}
-                            className="w-40 bg-mineshaft-600"
-                            dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
-                            onValueChange={(selectedRole) =>
-                              handleChangeRole({
-                                identityId: id,
-                                role: selectedRole
-                              })
-                            }
-                          >
-                            {(roles || []).map(({ slug, name: roleName }) => (
-                              <SelectItem value={slug} key={`owner-option-${slug}`}>
-                                {roleName}
-                              </SelectItem>
-                            ))}
-                          </Select>
-                        );
-                      }}
+                      {(isAllowed) => (
+                        <IdentityRoles roles={roles} disableEdit={!isAllowed} identityId={id} />
+                      )}
                    </ProjectPermissionCan>
                  </Td>
                  <Td>{format(new Date(createdAt), "yyyy-MM-dd")}</Td>
--- a/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberListTab.tsx
+++ b/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberListTab.tsx
@@ -1,4 +1,4 @@
-import { useCallback, useMemo, useState } from "react";
+import { useMemo, useState } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { useTranslation } from "react-i18next";
 import Link from "next/link";
@@ -34,7 +34,6 @@ import {
  ProjectPermissionActions,
  ProjectPermissionSub,
  useOrganization,
-  useSubscription,
  useUser,
  useWorkspace
 } from "@app/context";
@@ -44,14 +43,13 @@ import {
  useAddUserToWsNonE2EE,
  useDeleteUserFromWorkspace,
  useGetOrgUsers,
-  useGetProjectRoles,
  useGetUserWsKey,
-  useGetWorkspaceUsers,
-  useUpdateUserWorkspaceRole
+  useGetWorkspaceUsers
 } from "@app/hooks/api";
-import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
 import { ProjectVersion } from "@app/hooks/api/workspace/types";

+import { MemberRoles } from "./MemberRoles";
+
 const addMemberFormSchema = z.object({
  orgMembershipId: z.string().trim()
 });
@@ -60,7 +58,6 @@ type TAddMemberForm = z.infer<typeof addMemberFormSchema>;

 export const MemberListTab = () => {
  const { createNotification } = useNotificationContext();
-  const { subscription } = useSubscription();
  const { t } = useTranslation();

  const { currentOrg } = useOrganization();
@@ -71,8 +68,6 @@ export const MemberListTab = () => {
  const orgId = currentOrg?.id || "";
  const workspaceId = currentWorkspace?.id || "";

-  const { data: roles, isLoading: isRolesLoading } = useGetProjectRoles(workspaceId);
-
  const { data: wsKey } = useGetUserWsKey(workspaceId);
  const { data: members, isLoading: isMembersLoading } = useGetWorkspaceUsers(workspaceId);
  const { data: orgUsers } = useGetOrgUsers(orgId);
@@ -95,7 +90,6 @@ export const MemberListTab = () => {
  const { mutateAsync: addUserToWorkspace } = useAddUserToWsE2EE();
  const { mutateAsync: addUserToWorkspaceNonE2EE } = useAddUserToWsNonE2EE();
  const { mutateAsync: removeUserFromWorkspace } = useDeleteUserFromWorkspace();
-  const { mutateAsync: updateUserWorkspaceRole } = useUpdateUserWorkspaceRole();

  const onAddMember = async ({ orgMembershipId }: TAddMemberForm) => {
    if (!currentWorkspace) return;
@@ -167,47 +161,6 @@ export const MemberListTab = () => {
    handlePopUpClose("removeMember");
  };

-  const isIamOwner = useMemo(
-    () => members?.find(({ user: u }) => userId === u?.id)?.role === "owner",
-    [userId, members]
-  );
-
-  const findRoleFromId = useCallback(
-    (roleId: string) => {
-      return (roles || []).find(({ id }) => id === roleId);
-    },
-    [roles]
-  );
-
-  const onRoleChange = async (membershipId: string, role: string) => {
-    if (!currentOrg?.id) return;
-
-    try {
-      const isCustomRole = !Object.values(ProjectMembershipRole).includes(
-        role as ProjectMembershipRole
-      );
-
-      if (isCustomRole && subscription && !subscription?.rbac) {
-        handlePopUpOpen("upgradePlan", {
-          description: "You can assign custom roles to members if you upgrade your Infisical plan."
-        });
-        return;
-      }
-
-      await updateUserWorkspaceRole({ membershipId, role, workspaceId });
-      createNotification({
-        text: "Successfully updated user role",
-        type: "success"
-      });
-    } catch (error) {
-      console.error(error);
-      createNotification({
-        text: "Failed to update user role",
-        type: "error"
-      });
-    }
-  };
-
  const filterdUsers = useMemo(
    () =>
      members?.filter(
@@ -231,8 +184,6 @@ export const MemberListTab = () => {
    );
  }, [orgUsers, members]);

-  const isLoading = isMembersLoading || isRolesLoading;
-
  return (
    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
      <div className="mb-4 flex items-center justify-between">
@@ -269,75 +220,63 @@ export const MemberListTab = () => {
              </Tr>
            </THead>
            <TBody>
-              {isLoading && <TableSkeleton columns={4} innerKey="project-members" />}
-              {!isLoading &&
-                filterdUsers?.map(
-                  ({ user: u, id: membershipId, roleId, role }) => {
-                    const name = u ? `${u.firstName} ${u.lastName}` : "-";
-                    const username = u?.username ?? "-";
-                    return (
-                      <Tr key={`membership-${membershipId}`} className="w-full">
-                        <Td>{name}</Td>
-                        <Td>{username}</Td>
-                        <Td>
+              {isMembersLoading && <TableSkeleton columns={4} innerKey="project-members" />}
+              {!isMembersLoading &&
+                filterdUsers?.map(({ user: u, inviteEmail, id: membershipId, roles }) => {
+                  const name = u ? `${u.firstName} ${u.lastName}` : "-";
+                  const email = u?.email || inviteEmail;
+
+                  return (
+                    <Tr key={`membership-${membershipId}`} className="w-full">
+                      <Td>{name}</Td>
+                      <Td>{email}</Td>
+                      <Td>
+                        <ProjectPermissionCan
+                          I={ProjectPermissionActions.Edit}
+                          a={ProjectPermissionSub.Member}
+                        >
+                          {(isAllowed) => (
+                              <MemberRoles
+                                roles={roles}
+                                disableEdit={u.id === user?.id || !isAllowed}
+                                onOpenUpgradeModal={(description) =>
+                                  handlePopUpOpen("upgradePlan", { description })
+                                }
+                                membershipId={membershipId}
+                              />
+                          )}
+                        </ProjectPermissionCan>
+                      </Td>
+                      <Td>
+                        {userId !== u?.id && (
                          <ProjectPermissionCan
-                            I={ProjectPermissionActions.Edit}
+                            I={ProjectPermissionActions.Delete}
                            a={ProjectPermissionSub.Member}
                          >
                            {(isAllowed) => (
-                              <Select
-                                  value={role === "custom" ? findRoleFromId(roleId)?.slug : role}
-                                  isDisabled={userId === u?.id || !isAllowed}
-                                  className="w-40 bg-mineshaft-600"
-                                  dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
-                                  onValueChange={(selectedRole) =>
-                                    onRoleChange(membershipId, selectedRole)
-                                  }
-                                >
-                                  {(roles || [])
-                                    .filter(({ slug }) =>
-                                      slug === "owner" ? isIamOwner || role === "owner" : true
-                                    )
-                                    .map(({ slug, name: roleName }) => (
-                                      <SelectItem value={slug} key={`owner-option-${slug}`}>
-                                        {roleName}
-                                      </SelectItem>
-                                    ))}
-                                </Select>
+                              <IconButton
+                                size="lg"
+                                colorSchema="danger"
+                                variant="plain"
+                                ariaLabel="update"
+                                className="ml-4"
+                                isDisabled={userId === u?.id || !isAllowed}
+                                onClick={() =>
+                                  handlePopUpOpen("removeMember", { username: u.username })
+                                }
+                              >
+                                <FontAwesomeIcon icon={faXmark} />
+                              </IconButton>
                            )}
                          </ProjectPermissionCan>
-                        </Td>
-                        <Td>
-                          {userId !== u?.id && (
-                            <ProjectPermissionCan
-                              I={ProjectPermissionActions.Delete}
-                              a={ProjectPermissionSub.Member}
-                            >
-                              {(isAllowed) => (
-                                <IconButton
-                                  size="lg"
-                                  colorSchema="danger"
-                                  variant="plain"
-                                  ariaLabel="update"
-                                  className="ml-4"
-                                  isDisabled={userId === u?.id || !isAllowed}
-                                  onClick={() =>
-                                    handlePopUpOpen("removeMember", { username: u.username })
-                                  }
-                                >
-                                  <FontAwesomeIcon icon={faXmark} />
-                                </IconButton>
-                              )}
-                            </ProjectPermissionCan>
-                          )}
-                        </Td>
-                      </Tr>
-                    );
-                  }
-                )}
+                        )}
+                      </Td>
+                    </Tr>
+                  );
+                })}
            </TBody>
          </Table>
-          {!isLoading && filterdUsers?.length === 0 && (
+          {!isMembersLoading && filterdUsers?.length === 0 && (
            <EmptyState title="No project members found" icon={faUsers} />
          )}
        </TableContainer>
--- a/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoles.tsx
+++ b/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoles.tsx
@@ -0,0 +1,473 @@
+import { useState } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { faCheck, faClock, faEdit, faSearch } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { twMerge } from "tailwind-merge";
+import { z } from "zod";
+
+import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
+import {
+  Button,
+  Checkbox,
+  FormControl,
+  HoverCard,
+  HoverCardContent,
+  HoverCardTrigger,
+  IconButton,
+  Input,
+  Popover,
+  PopoverContent,
+  PopoverTrigger,
+  Spinner,
+  Tag,
+  Tooltip
+} from "@app/components/v2";
+import { useSubscription, useWorkspace } from "@app/context";
+import { usePopUp } from "@app/hooks";
+import { useGetProjectRoles, useUpdateUserWorkspaceRole } from "@app/hooks/api";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { TWorkspaceUser } from "@app/hooks/api/types";
+import { ProjectUserMembershipTemporaryMode } from "@app/hooks/api/workspace/types";
+import { groupBy } from "@app/lib/fn/array";
+
+const temporaryRoleFormSchema = z.object({
+  temporaryRange: z.string().min(1, "Required")
+});
+
+type TTemporaryRoleFormSchema = z.infer<typeof temporaryRoleFormSchema>;
+
+type TTemporaryRoleFormProps = {
+  temporaryConfig?: {
+    isTemporary?: boolean;
+    temporaryAccessEndTime?: string | null;
+    temporaryAccessStartTime?: string | null;
+    temporaryRange?: string | null;
+  };
+  onSetTemporary: (data: { temporaryRange: string; temporaryAccessStartTime?: string }) => void;
+  onRemoveTemporary: () => void;
+};
+
+const TemporaryRoleForm = ({
+  temporaryConfig: defaultValues = {},
+  onSetTemporary,
+  onRemoveTemporary
+}: TTemporaryRoleFormProps) => {
+  const { popUp, handlePopUpToggle } = usePopUp(["setTempRole"] as const);
+  const { control, handleSubmit } = useForm<TTemporaryRoleFormSchema>({
+    resolver: zodResolver(temporaryRoleFormSchema),
+    values: {
+      temporaryRange: defaultValues.temporaryRange || "1h"
+    }
+  });
+  const isTemporaryFieldValue = defaultValues.isTemporary;
+  const isExpired =
+    isTemporaryFieldValue && new Date() > new Date(defaultValues.temporaryAccessEndTime || "");
+
+  return (
+    <Popover
+      open={popUp.setTempRole.isOpen}
+      onOpenChange={(isOpen) => {
+        handlePopUpToggle("setTempRole", isOpen);
+      }}
+    >
+      <PopoverTrigger>
+        <IconButton ariaLabel="role-temp" variant="plain" size="md">
+          <Tooltip content={isExpired ? "Timed access expired" : "Grant timed access"}>
+            <FontAwesomeIcon
+              icon={faClock}
+              className={twMerge(
+                isTemporaryFieldValue && "text-primary",
+                isExpired && "text-red-600"
+              )}
+            />
+          </Tooltip>
+        </IconButton>
+      </PopoverTrigger>
+      <PopoverContent
+        arrowClassName="fill-gray-600"
+        side="right"
+        sideOffset={12}
+        hideCloseBtn
+        className="border border-gray-600 pt-4"
+      >
+        <div className="flex flex-col space-y-4">
+          <div className="border-b border-b-gray-700 pb-2 text-sm text-mineshaft-300">
+            Configure timed access
+          </div>
+          {isExpired && <Tag colorSchema="red">Expired</Tag>}
+          <Controller
+            control={control}
+            name="temporaryRange"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Validity"
+                isError={Boolean(error?.message)}
+                errorText={error?.message}
+                helperText={
+                  <span>
+                    1m, 2h, 3d.{" "}
+                    <a
+                      href="https://github.com/vercel/ms?tab=readme-ov-file#examples"
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="text-primary-700"
+                    >
+                      More
+                    </a>
+                  </span>
+                }
+              >
+                <Input {...field} />
+              </FormControl>
+            )}
+          />
+          <div className="flex items-center space-x-2">
+            {isTemporaryFieldValue && (
+              <Button
+                size="xs"
+                type="submit"
+                onClick={() => {
+                  handleSubmit(({ temporaryRange }) => {
+                    onSetTemporary({
+                      temporaryRange,
+                      temporaryAccessStartTime: new Date().toISOString()
+                    });
+                    handlePopUpToggle("setTempRole");
+                  })();
+                }}
+              >
+                Restart
+              </Button>
+            )}
+            {!isTemporaryFieldValue ? (
+              <Button
+                size="xs"
+                type="submit"
+                onClick={() =>
+                  handleSubmit(({ temporaryRange }) => {
+                    onSetTemporary({
+                      temporaryRange,
+                      temporaryAccessStartTime:
+                        defaultValues.temporaryAccessStartTime || new Date().toISOString()
+                    });
+                    handlePopUpToggle("setTempRole");
+                  })()
+                }
+              >
+                Grant access
+              </Button>
+            ) : (
+              <Button
+                size="xs"
+                variant="outline_bg"
+                colorSchema="danger"
+                onClick={() => {
+                  onRemoveTemporary();
+                  handlePopUpToggle("setTempRole");
+                }}
+              >
+                Revoke Access
+              </Button>
+            )}
+          </div>
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+};
+
+const formSchema = z.record(
+  z.object({
+    isChecked: z.boolean().optional(),
+    temporaryAccess: z.union([
+      z.object({
+        isTemporary: z.literal(true),
+        temporaryRange: z.string().min(1),
+        temporaryAccessStartTime: z.string().datetime(),
+        temporaryAccessEndTime: z.string().datetime().nullable().optional()
+      }),
+      z.boolean()
+    ])
+  })
+);
+type TForm = z.infer<typeof formSchema>;
+
+export type TMemberRolesProp = {
+  disableEdit?: boolean;
+  membershipId: string;
+  onOpenUpgradeModal: (description: string) => void;
+  roles: TWorkspaceUser["roles"];
+};
+
+const MAX_ROLES_TO_BE_SHOWN_IN_TABLE = 2;
+
+export const MemberRoles = ({
+  roles = [],
+  disableEdit = false,
+  membershipId,
+  onOpenUpgradeModal
+}: TMemberRolesProp) => {
+  const { currentWorkspace } = useWorkspace();
+  const { createNotification } = useNotificationContext();
+  const { popUp, handlePopUpToggle } = usePopUp(["editRole"] as const);
+  const [searchRoles, setSearchRoles] = useState("");
+  const { subscription } = useSubscription();
+
+  const {
+    handleSubmit,
+    control,
+    reset,
+    setValue,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema)
+  });
+
+  const workspaceId = currentWorkspace?.id || "";
+
+  const { data: projectRoles, isLoading: isRolesLoading } = useGetProjectRoles(workspaceId);
+  const userRolesGroupBySlug = groupBy(roles, ({ customRoleSlug, role }) => customRoleSlug || role);
+
+  const updateMembershipRole = useUpdateUserWorkspaceRole();
+
+  const handleRoleUpdate = async (data: TForm) => {
+    const selectedRoles = Object.keys(data)
+      .filter((el) => Boolean(data[el].isChecked))
+      .map((el) => {
+        const isTemporary = Boolean(data[el].temporaryAccess);
+        if (!isTemporary) {
+          return { role: el, isTemporary: false as const };
+        }
+
+        const tempCfg = data[el].temporaryAccess as {
+          temporaryRange: string;
+          temporaryAccessStartTime: string;
+        };
+
+        return {
+          role: el,
+          isTemporary: true as const,
+          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+          temporaryRange: tempCfg.temporaryRange,
+          temporaryAccessStartTime: tempCfg.temporaryAccessStartTime
+        };
+      });
+
+    const hasCustomRoleSelected = selectedRoles.some(
+      (el) => !Object.values(ProjectMembershipRole).includes(el.role as ProjectMembershipRole)
+    );
+
+    if (hasCustomRoleSelected && subscription && !subscription?.rbac) {
+      onOpenUpgradeModal(
+        "You can assign custom roles to members if you upgrade your Infisical plan."
+      );
+      return;
+    }
+
+    try {
+      await updateMembershipRole.mutateAsync({
+        workspaceId,
+        membershipId,
+        roles: selectedRoles
+      });
+      createNotification({ text: "Successfully updated role", type: "success" });
+      handlePopUpToggle("editRole");
+      setSearchRoles("");
+    } catch (err) {
+      createNotification({ text: "Failed to update role", type: "error" });
+    }
+  };
+
+  const formatRoleName = (role: string, customRoleName?: string) => {
+    if (role === ProjectMembershipRole.Custom) return customRoleName;
+    if (role === ProjectMembershipRole.Member) return "Developer";
+    return role;
+  };
+
+  return (
+    <div className="flex items-center space-x-2">
+      {roles
+        .slice(0, MAX_ROLES_TO_BE_SHOWN_IN_TABLE)
+        .map(({ role, customRoleName, id, isTemporary, temporaryAccessEndTime }) => {
+          const isExpired = new Date() > new Date(temporaryAccessEndTime || ("" as string));
+          return (
+            <Tag key={id}>
+              <div className="flex items-center space-x-2">
+                <div>{formatRoleName(role, customRoleName)}</div>
+                {isTemporary && (
+                  <div>
+                    <Tooltip content={isExpired ? "Timed role expired" : "Timed role access"}>
+                      <FontAwesomeIcon
+                        icon={faClock}
+                        className={twMerge(isExpired && "text-red-600")}
+                      />
+                    </Tooltip>
+                  </div>
+                )}
+              </div>
+            </Tag>
+          );
+        })}
+      {roles.length > MAX_ROLES_TO_BE_SHOWN_IN_TABLE && (
+        <HoverCard>
+          <HoverCardTrigger>
+            <Tag>+{roles.length - MAX_ROLES_TO_BE_SHOWN_IN_TABLE}</Tag>
+          </HoverCardTrigger>
+          <HoverCardContent className="border border-gray-700 bg-mineshaft-800 p-4">
+            {roles
+              .slice(MAX_ROLES_TO_BE_SHOWN_IN_TABLE)
+              .map(({ role, customRoleName, id, isTemporary, temporaryAccessEndTime }) => {
+                const isExpired = new Date() > new Date(temporaryAccessEndTime || ("" as string));
+                return (
+                  <Tag key={id} className="capitalize">
+                    <div className="flex items-center space-x-2">
+                      <div>{formatRoleName(role, customRoleName)}</div>
+                      {isTemporary && (
+                        <div>
+                          <Tooltip
+                            content={isExpired ? "Access expired" : "Temporary access"}
+                          >
+                            <FontAwesomeIcon
+                              icon={faClock}
+                              className={twMerge(
+                                new Date() > new Date(temporaryAccessEndTime as string) &&
+                                "text-red-600"
+                              )}
+                            />
+                          </Tooltip>
+                        </div>
+                      )}
+                    </div>
+                  </Tag>
+                );
+              })}{" "}
+          </HoverCardContent>
+        </HoverCard>
+      )}
+      <div>
+        <Popover
+          open={popUp.editRole.isOpen}
+          onOpenChange={(isOpen) => {
+            handlePopUpToggle("editRole", isOpen);
+            reset();
+          }}
+        >
+          {!disableEdit && (
+            <PopoverTrigger>
+              <IconButton size="sm" variant="plain" ariaLabel="update">
+                <FontAwesomeIcon icon={faEdit} />
+              </IconButton>
+            </PopoverTrigger>
+          )}
+          <PopoverContent hideCloseBtn className="pt-4">
+            {isRolesLoading ? (
+              <div className="flex h-8 w-full items-center justify-center">
+                <Spinner />
+              </div>
+            ) : (
+              <form onSubmit={handleSubmit(handleRoleUpdate)} id="role-update-form">
+                <div className="thin-scrollbar max-h-80 space-y-4 overflow-y-auto">
+                  {projectRoles
+                    ?.filter(
+                      ({ name, slug }) =>
+                        name.toLowerCase().includes(searchRoles.toLowerCase()) ||
+                        slug.toLowerCase().includes(searchRoles.toLowerCase())
+                    )
+                    ?.map(({ id, name, slug }) => {
+                      const userProjectRoleDetails = userRolesGroupBySlug?.[slug]?.[0];
+
+                      return (
+                        <div key={id} className="flex items-center space-x-4">
+                          <div className="flex-grow">
+                            <Controller
+                              control={control}
+                              defaultValue={Boolean(userProjectRoleDetails?.id)}
+                              name={`${slug}.isChecked`}
+                              render={({ field }) => (
+                                <Checkbox
+                                  id={slug}
+                                  isChecked={field.value}
+                                  onCheckedChange={(isChecked) => {
+                                    field.onChange(isChecked);
+                                    setValue(`${slug}.temporaryAccess`, false);
+                                  }}
+                                >
+                                  {name}
+                                </Checkbox>
+                              )}
+                            />
+                          </div>
+                          <div>
+                            <Controller
+                              control={control}
+                              name={`${slug}.temporaryAccess`}
+                              defaultValue={
+                                userProjectRoleDetails?.isTemporary
+                                  ? {
+                                    isTemporary: true,
+                                    temporaryAccessStartTime:
+                                      userProjectRoleDetails.temporaryAccessStartTime as string,
+                                    temporaryRange:
+                                      userProjectRoleDetails.temporaryRange as string,
+                                    temporaryAccessEndTime:
+                                      userProjectRoleDetails.temporaryAccessEndTime
+                                  }
+                                  : false
+                              }
+                              render={({ field }) => (
+                                <TemporaryRoleForm
+                                  temporaryConfig={
+                                    typeof field.value === "boolean"
+                                      ? { isTemporary: field.value }
+                                      : field.value
+                                  }
+                                  onSetTemporary={(data) => {
+                                    setValue(`${slug}.isChecked`, true, { shouldDirty: true });
+                                    console.log(data);
+                                    field.onChange({ isTemporary: true, ...data });
+                                  }}
+                                  onRemoveTemporary={() => {
+                                    setValue(`${slug}.isChecked`, false, { shouldDirty: true });
+                                    field.onChange(false);
+                                  }}
+                                />
+                              )}
+                            />
+                          </div>
+                        </div>
+                      );
+                    })}
+                </div>
+                <div className="mt-3 flex items-center space-x-2 border-t border-t-gray-700 pt-3">
+                  <div>
+                    <Input
+                      className="w-full p-1.5 pl-8"
+                      size="xs"
+                      value={searchRoles}
+                      onChange={(el) => setSearchRoles(el.target.value)}
+                      leftIcon={<FontAwesomeIcon icon={faSearch} />}
+                      placeholder="Search roles.."
+                    />
+                  </div>
+                  <div>
+                    <Button
+                      size="xs"
+                      type="submit"
+                      form="role-update-form"
+                      leftIcon={<FontAwesomeIcon icon={faCheck} />}
+                      isDisabled={!isDirty || isSubmitting}
+                      isLoading={isSubmitting}
+                    >
+                      Save
+                    </Button>
+                  </div>
+                </div>
+              </form>
+            )}
+          </PopoverContent>
+        </Popover>
+      </div>
+    </div>
+  );
+};
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	519b92d592	Update mint.json	2024-03-14 19:05:34 +01:00
Daniel Hougaard	97eff2b480	Fix: Moved categories and renamed Libs -> SDKs	2024-03-14 18:04:27 +01:00
Daniel Hougaard	11dfeda501	Fix: No nested groups	2024-03-14 17:13:18 +01:00
Daniel Hougaard	70bd64d54b	Fix: Shorter sidebar titles	2024-03-14 17:09:45 +01:00
Daniel Hougaard	0c88a5466c	Feat: Documentation improvements	2024-03-14 17:09:37 +01:00
Daniel Hougaard	36266b30d5	Fix: Shorter sidebar title	2024-03-14 17:09:21 +01:00
Daniel Hougaard	288577b455	Fix: OpenAPI specification URL	2024-03-14 15:41:32 +01:00
Daniel Hougaard	5194be14fd	Update mint.json	2024-03-14 15:40:53 +01:00
Daniel Hougaard	bab8f95fde	Feat: Added descriptions to all public API endpoints	2024-03-14 15:40:38 +01:00
Daniel Hougaard	b4f372f883	Fix: Delete folder docs page not rendering	2024-03-14 15:40:08 +01:00
Daniel Hougaard	b13365ecf5	Feat: Written API explanations	2024-03-14 15:39:29 +01:00
Daniel Hougaard	70618420d7	Merge pull request #1565 from Infisical/daniel/deprecate-service-tokens-and-api-keys Feat: Deprecate API keys	2024-03-13 17:58:05 +01:00
Daniel Hougaard	7feb7ef9c6	Fix: Change title	2024-03-13 17:52:24 +01:00
Daniel Hougaard	ab1b9fb164	Feat: Deprecate API keys	2024-03-13 17:46:48 +01:00
Daniel Hougaard	8c028889a6	Chore: Remove unused frontend V2 API key code	2024-03-13 17:45:19 +01:00
Akhil Mohan	7dc366baf0	Merge pull request #1562 from rhythmbhiwani/fix-typo Fix typo on Copy button tooltip	2024-03-13 16:28:42 +05:30
Akhil Mohan	2124d2669f	Merge pull request #1564 from myapos/bugfix_1563_remove_member fix issue on removing member from project	2024-03-13 16:24:18 +05:30
myapos	af83fbea14	fix issue on removing member from project	2024-03-13 12:32:11 +02:00
Rhythm Bhiwani	9657b64ab2	Fix typo on Copy button tooltip	2024-03-13 15:54:42 +05:30
Maidul Islam	90b55a94e1	Merge pull request #1561 from Infisical/pg-new-connection add individual pg connection properties	2024-03-13 00:43:45 -04:00
Maidul Islam	d83d249f29	add individual pg connection properties	2024-03-13 00:40:37 -04:00
BlackMagiq	151787c60a	Merge pull request #1560 from Infisical/toggle-invite-org Update UI for Org Settings Page	2024-03-12 16:26:39 -07:00
Tuan Dang	ce443b114c	Fix merge conflicts	2024-03-12 16:20:17 -07:00
Tuan Dang	2ca03abec2	Update org settings > general tab ui	2024-03-12 16:18:17 -07:00
Maidul Islam	c8bb690736	Merge pull request #1539 from akhilmhdh/feat/secret-rotation-aws-iam Secret rotation for AWS IAM User	2024-03-12 15:36:49 -04:00
Tuan Dang	6efbdaef9c	Update docs for AWS IAM rotation strategy	2024-03-12 12:06:42 -07:00
Maidul Islam	7e90493cce	Merge pull request #1557 from akhilmhdh/feat/temp-roles feat(server): removed stream in project multi role migration	2024-03-12 13:37:09 -04:00
Akhil Mohan	1330c0455a	feat(server): removed stream in project multi role migration	2024-03-12 23:06:06 +05:30
Maidul Islam	407248c616	Merge pull request #1552 from akhilmhdh/feat/temp-roles feat: multiple project role and temporary role support	2024-03-12 12:57:00 -04:00
Tuan Dang	a6d7d32156	Draft revamp org auth tab	2024-03-12 09:37:28 -07:00
Akhil Mohan	0f0e2b360c	feat(server): rebased migration files and resolved commits	2024-03-12 21:57:45 +05:30
Akhil Mohan	47906c4dd4	feat(server): removed role and roleid field dropping from project membership table for rolling forward migration	2024-03-12 21:50:39 +05:30
Maidul Islam	fc57884035	renamed from temp access to timed access	2024-03-12 21:49:33 +05:30
Akhil Mohan	4152b3a524	feat: minor bug fixes and text changes	2024-03-12 21:49:33 +05:30
Akhil Mohan	f1f18e81cd	feat(ui): added identity multi project role and temporary in ui	2024-03-12 21:49:33 +05:30
Akhil Mohan	929f91a738	feat(server): multi role with temporary support for identity	2024-03-12 21:49:33 +05:30
Akhil Mohan	fa41b8bb47	feat(ui): completed ui user multi role with temporary access	2024-03-12 21:49:33 +05:30
Akhil Mohan	edbb7e2b1e	feat(server): completed user multi role with temporary access	2024-03-12 21:39:37 +05:30
Maidul Islam	1d53e0f21b	Merge pull request #1548 from rhythmbhiwani/overview-page-enchanced Overview Page Bug Fixes and Enhancement	2024-03-12 11:58:42 -04:00
Rhythm Bhiwani	a232450f20	Resolved Comments	2024-03-12 21:21:29 +05:30
Akhil Mohan	6f65f2a63d	Merge pull request #1379 from Grraahaam/doc/cli-history doc(cli): HISTIGNORE recommendation	2024-03-12 19:03:46 +05:30
Akhil Mohan	9545960e6f	Merge pull request #1555 from Infisical/daniel/cli-expand-secrets-fix Fix: CLI user authentication	2024-03-12 15:32:00 +05:30
Daniel Hougaard	cfa42017b1	Fix: CLI expanding secrets	2024-03-12 10:55:36 +01:00
Daniel Hougaard	1b74fdb232	Fix: CLI expanding secrets	2024-03-12 10:55:30 +01:00
Daniel Hougaard	ad1cae6aac	Merge pull request #1483 from Salman2301/fix-org-long-name fix: truncate too long proj or org name	2024-03-12 10:22:06 +01:00
Rhythm Bhiwani	e5d4328e2a	Merge branch 'heads/main' into overview-page-enchanced	2024-03-12 11:11:20 +05:30
vmatsiiako	635948c4f4	Update overview.mdx	2024-03-11 19:19:04 -07:00
vmatsiiako	d6231d4649	Update overview.mdx	2024-03-11 19:16:57 -07:00
Salman	3f0c4f0ca9	fix: lowercase and remove truncate for button	2024-03-12 03:42:38 +05:30
Rhythm Bhiwani	624fb3d46a	Fixed issue when visible environments not updating on project change	2024-03-11 10:04:47 +05:30
Rhythm Bhiwani	8a27b1b5e6	Fixed overflow of environment name in SecretOverviewTableRow	2024-03-11 09:43:00 +05:30
Rhythm Bhiwani	972b80e790	updated message if search results not found	2024-03-11 06:11:26 +05:30
Rhythm Bhiwani	6cc0d79d8a	Fixed environment filter button height Polished the interface more	2024-03-11 06:01:31 +05:30
Akhil Mohan	f9b6f78e8d	fix(server): resolved broken required validation in aws iam template	2024-03-09 18:26:16 +05:30
Akhil Mohan	2852a495c8	docs: aws iam secret rotation	2024-03-09 18:24:22 +05:30
Akhil Mohan	6305300b12	feat(ui): image for aws iam secret rotation	2024-03-07 14:51:14 +05:30
Akhil Mohan	b4ae1e8f3b	feat(server): added aws iam secret rotation function	2024-03-07 14:50:42 +05:30
Salman	db9f21be87	fix: add input max length for org and project name	2024-02-28 15:59:23 +05:30
Salman	449617d271	fix: truncate too long proj or org name	2024-02-28 14:38:13 +05:30
Grraahaam	541fa10964	doc: HISTIGNORE recommendation	2024-02-04 21:18:10 +01:00
				`@@ -0,0 +1 @@`
				<svg width="1306" height="2500" viewBox="0 0 256 490" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M21 165.75l-21 6.856 21.75 2.519-.75-9.375M19.955 206.806L128 213.714l108.045-6.908L128 185.75 19.955 206.806M234.5 175.125l21.5-2.519-21.5-5.731v8.25" fill="#3C4929"/><path d="M157.387 352.929l56.606 13.396-56.756 17.116.15-30.512" fill="#B7CA9D"/><path d="M19.955 92.221V54.019L128 0l.482.405-.248 48.496-.234.102-.405 1.117-59.098 23.856-.542 84.037 31.452-5.29L128 147.002V490.03l-32.369-16.177v-45.771l-28.354-11.338V202.069l-47.322 4.737v-38.195L0 172.606v-72.408l19.955-7.977" fill="#4B612C"/><path d="M99.408 152.727l-32.131 6.424V73.28l32.131 10.018v69.429M183.925 27.959l52.106 26.06v38.202L256 100.198V172.6l-19.969-3.989v38.195l-25.441-2.538-21.881-2.199v42.939h47.336v39.284l-21.997 1.974v39.611l-53.692 10.672v45.77l53.57-15.899.122 40.38-53.692 21.282v45.771L128 490.03V147.002l28.572 5.71 30.583 4.038V73.966l-58.338-22.498-.817-2.465V0l55.925 27.959" fill="#759C3E"/><path d="M160.356 61.941L128 49.01 67.277 73.28l32.131 10.018 60.948-21.357" fill="#3C4929"/><path d="M67.277 73.28L128 49.01l12.775 5.104 19.581 7.827 28.353 11.353-1.515 1.541-28.876 8.991-1.74-.528L128 73.28 99.408 83.298 67.277 73.28" fill="#3C4929"/><path d="M156.578 83.298l32.131-10.004v85.864l-32.131-6.446V83.298" fill="#4B612C"/></svg>