small nits

Chore: Use standard lib
Update export.go
2025-07-28 02:53:22 +00:00 · 2024-04-22 14:36:33 -04:00 · 2024-04-22 19:50:24 +02:00 · 2024-04-22 19:50:15 +02:00 · 2024-04-22 16:02:16 +02:00 · 2024-04-22 15:59:54 +02:00
220 changed files with 7308 additions and 2179 deletions
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@@ -1,60 +1,64 @@
 name: Build and release CLI

 on:
-  push:
-    # run only against tags
-    tags:
-      - "infisical-cli/v*.*.*"
+    push:
+        # run only against tags
+        tags:
+            - "infisical-cli/v*.*.*"

 permissions:
-  contents: write
-  # packages: write
-  # issues: write
-
+    contents: write
+    # packages: write
+    # issues: write
 jobs:
-  goreleaser:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ">=1.19.3"
-          cache: true
-          cache-dependency-path: cli/go.sum
-      - name: libssl1.1 => libssl1.0-dev for OSXCross
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt update && apt-cache policy libssl1.0-dev
-          sudo apt-get install libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - uses: actions/setup-python@v4
-      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith
-        run: sh cli/upload_to_cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+    cli-integration-tests:
+        name: Run tests before deployment
+        uses: ./.github/workflows/run-cli-tests.yml
+
+    goreleaser:
+        runs-on: ubuntu-20.04
+        needs: [cli-integration-tests]
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - run: git fetch --force --tags
+            - run: echo "Ref name ${{github.ref_name}}"
+            - uses: actions/setup-go@v3
+              with:
+                  go-version: ">=1.19.3"
+                  cache: true
+                  cache-dependency-path: cli/go.sum
+            - name: libssl1.1 => libssl1.0-dev for OSXCross
+              run: |
+                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+                  sudo apt update && apt-cache policy libssl1.0-dev
+                  sudo apt-get install libssl1.0-dev
+            - name: OSXCross for CGO Support
+              run: |
+                  mkdir ../../osxcross
+                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+            - uses: goreleaser/goreleaser-action@v4
+              with:
+                  distribution: goreleaser-pro
+                  version: latest
+                  args: release --clean
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+                  AUR_KEY: ${{ secrets.AUR_KEY }}
+                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+            - uses: actions/setup-python@v4
+            - run: pip install --upgrade cloudsmith-cli
+            - name: Publish to CloudSmith
+              run: sh cli/upload_to_cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/run-cli-tests.yml
+++ b/.github/workflows/run-cli-tests.yml
@@ -0,0 +1,34 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_call:
+
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+
+              run: go test -v -count=1 ./test
--- a/.gitignore
+++ b/.gitignore
@@ -59,9 +59,13 @@ yarn-error.log*
 # Infisical init
 .infisical.json

+.infisicalignore
+
 # Editor specific
 .vscode/*

 frontend-build

 *.tgz
+cli/infisical-merge
+cli/test/infisical-merge
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -1 +1,5 @@
 .github/resources/docker-compose.be-test.yml:generic-api-key:16
+frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
+frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -1,6 +1,7 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
+ARG SAML_ORG_SLUG=saml-org-slug-default

 FROM  node:20-alpine AS base

@@ -35,6 +36,8 @@ ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG 

 # Build
 RUN npm run build
@@ -100,6 +103,9 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID=intercom-id
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG SAML_ORG_SLUG
+ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG \
+  BAKED_NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG

 WORKDIR / 

--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@@ -23,16 +23,17 @@ module.exports = {
  root: true,
  overrides: [
    {
-      files: ["./e2e-test/**/*"],
+      files: ["./e2e-test/**/*", "./src/db/migrations/**/*"],
      rules: {
        "@typescript-eslint/no-unsafe-member-access": "off",
        "@typescript-eslint/no-unsafe-assignment": "off",
        "@typescript-eslint/no-unsafe-argument": "off",
        "@typescript-eslint/no-unsafe-return": "off",
-        "@typescript-eslint/no-unsafe-call": "off",
+        "@typescript-eslint/no-unsafe-call": "off"
      }
    }
  ],
+
  rules: {
    "@typescript-eslint/no-empty-function": "off",
    "@typescript-eslint/no-unsafe-enum-comparison": "off",
--- a/backend/e2e-test/routes/v1/secret-import.spec.ts
+++ b/backend/e2e-test/routes/v1/secret-import.spec.ts
@@ -46,7 +46,7 @@ const deleteSecretImport = async (id: string) => {

 describe("Secret Import Router", async () => {
  test.each([
-    { importEnv: "dev", importPath: "/" }, // one in root
+    { importEnv: "prod", importPath: "/" }, // one in root
    { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
  ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
    // check for default environments
@@ -66,7 +66,7 @@ describe("Secret Import Router", async () => {
  });

  test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const res = await testServer.inject({
      method: "GET",
@@ -103,10 +103,10 @@ describe("Secret Import Router", async () => {
  });

  test("Update secret import position", async () => {
-    const devImportDetails = { path: "/", envSlug: "dev" };
+    const prodImportDetails = { path: "/", envSlug: "prod" };
    const stagingImportDetails = { path: "/", envSlug: "staging" };

-    const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
+    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
    const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);

    const updateImportRes = await testServer.inject({
@@ -136,7 +136,7 @@ describe("Secret Import Router", async () => {
        position: 2,
        importEnv: expect.objectContaining({
          name: expect.any(String),
-          slug: expect.stringMatching(devImportDetails.envSlug),
+          slug: expect.stringMatching(prodImportDetails.envSlug),
          id: expect.any(String)
        })
      })
@@ -166,7 +166,7 @@ describe("Secret Import Router", async () => {
  });

  test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
    const createdImport2 = await createSecretImport("/", "staging");
    const deletedImport = await deleteSecretImport(createdImport1.id);
    // check for default environments
--- a/backend/package.json
+++ b/backend/package.json
@@ -108,7 +108,7 @@
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
    "ms": "^2.1.3",
-    "mysql2": "^3.9.1",
+    "mysql2": "^3.9.4",
    "nanoid": "^5.0.4",
    "nodemailer": "^6.9.9",
    "ora": "^7.0.1",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -5,6 +5,7 @@ import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-se
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -25,6 +26,7 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -89,6 +91,8 @@ declare module "fastify" {
      orgRole: TOrgRoleServiceFactory;
      superAdmin: TSuperAdminServiceFactory;
      user: TUserServiceFactory;
+      group: TGroupServiceFactory;
+      groupProject: TGroupProjectServiceFactory;
      apiKey: TApiKeyServiceFactory;
      project: TProjectServiceFactory;
      projectMembership: TProjectMembershipServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -29,6 +29,15 @@ import {
  TGitAppOrg,
  TGitAppOrgInsert,
  TGitAppOrgUpdate,
+  TGroupProjectMembershipRoles,
+  TGroupProjectMembershipRolesInsert,
+  TGroupProjectMembershipRolesUpdate,
+  TGroupProjectMemberships,
+  TGroupProjectMembershipsInsert,
+  TGroupProjectMembershipsUpdate,
+  TGroups,
+  TGroupsInsert,
+  TGroupsUpdate,
  TIdentities,
  TIdentitiesInsert,
  TIdentitiesUpdate,
@@ -188,6 +197,9 @@ import {
  TUserEncryptionKeys,
  TUserEncryptionKeysInsert,
  TUserEncryptionKeysUpdate,
+  TUserGroupMembership,
+  TUserGroupMembershipInsert,
+  TUserGroupMembershipUpdate,
  TUsers,
  TUsersInsert,
  TUsersUpdate,
@@ -199,6 +211,22 @@ import {
 declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
+    [TableName.Groups]: Knex.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.UserGroupMembership]: Knex.CompositeTableType<
+      TUserGroupMembership,
+      TUserGroupMembershipInsert,
+      TUserGroupMembershipUpdate
+    >;
+    [TableName.GroupProjectMembership]: Knex.CompositeTableType<
+      TGroupProjectMemberships,
+      TGroupProjectMembershipsInsert,
+      TGroupProjectMembershipsUpdate
+    >;
+    [TableName.GroupProjectMembershipRole]: Knex.CompositeTableType<
+      TGroupProjectMembershipRoles,
+      TGroupProjectMembershipRolesInsert,
+      TGroupProjectMembershipRolesUpdate
+    >;
    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
      TUserEncryptionKeys,
--- a/backend/src/db/migrations/20240412174842_group.ts
+++ b/backend/src/db/migrations/20240412174842_group.ts
@@ -0,0 +1,82 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Groups))) {
+    await knex.schema.createTable(TableName.Groups, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("name").notNullable();
+      t.string("slug").notNullable();
+      t.unique(["orgId", "slug"]);
+      t.string("role").notNullable();
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.Groups);
+
+  if (!(await knex.schema.hasTable(TableName.UserGroupMembership))) {
+    await knex.schema.createTable(TableName.UserGroupMembership, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); // link to user and link to groups cascade on groups
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.UserGroupMembership);
+
+  if (!(await knex.schema.hasTable(TableName.GroupProjectMembership))) {
+    await knex.schema.createTable(TableName.GroupProjectMembership, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.GroupProjectMembership);
+
+  if (!(await knex.schema.hasTable(TableName.GroupProjectMembershipRole))) {
+    await knex.schema.createTable(TableName.GroupProjectMembershipRole, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("role").notNullable();
+      t.uuid("projectMembershipId").notNullable();
+      t.foreign("projectMembershipId").references("id").inTable(TableName.GroupProjectMembership).onDelete("CASCADE");
+      // until role is changed/removed the role should not deleted
+      t.uuid("customRoleId");
+      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
+      t.boolean("isTemporary").notNullable().defaultTo(false);
+      t.string("temporaryMode");
+      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
+      t.datetime("temporaryAccessStartTime");
+      t.datetime("temporaryAccessEndTime");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.GroupProjectMembershipRole);
+  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
+
+  await knex.schema.dropTableIfExists(TableName.UserGroupMembership);
+  await dropOnUpdateTrigger(knex, TableName.UserGroupMembership);
+
+  await knex.schema.dropTableIfExists(TableName.GroupProjectMembership);
+  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembership);
+
+  await knex.schema.dropTableIfExists(TableName.Groups);
+  await dropOnUpdateTrigger(knex, TableName.Groups);
+}
--- a/backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts
+++ b/backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts
@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { ProjectMembershipRole, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
+  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
+  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+    if (doesProjectRoleFieldExist) t.dropColumn("roleId");
+    if (doesProjectRoleIdFieldExist) t.dropColumn("role");
+  });
+
+  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
+  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
+    TableName.IdentityProjectMembership,
+    "roleId"
+  );
+  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+    if (doesIdentityProjectRoleFieldExist) t.dropColumn("roleId");
+    if (doesIdentityProjectRoleIdFieldExist) t.dropColumn("role");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
+  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
+  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
+    if (!doesProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
+    if (!doesProjectRoleIdFieldExist) {
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
+    }
+  });
+
+  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
+  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
+    TableName.IdentityProjectMembership,
+    "roleId"
+  );
+  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
+    if (!doesIdentityProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
+    if (!doesIdentityProjectRoleIdFieldExist) {
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
+    }
+  });
+}
--- a/backend/src/db/schemas/group-project-membership-roles.ts
+++ b/backend/src/db/schemas/group-project-membership-roles.ts
@@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupProjectMembershipRolesSchema = z.object({
+  id: z.string().uuid(),
+  role: z.string(),
+  projectMembershipId: z.string().uuid(),
+  customRoleId: z.string().uuid().nullable().optional(),
+  isTemporary: z.boolean().default(false),
+  temporaryMode: z.string().nullable().optional(),
+  temporaryRange: z.string().nullable().optional(),
+  temporaryAccessStartTime: z.date().nullable().optional(),
+  temporaryAccessEndTime: z.date().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroupProjectMembershipRoles = z.infer<typeof GroupProjectMembershipRolesSchema>;
+export type TGroupProjectMembershipRolesInsert = Omit<
+  z.input<typeof GroupProjectMembershipRolesSchema>,
+  TImmutableDBKeys
+>;
+export type TGroupProjectMembershipRolesUpdate = Partial<
+  Omit<z.input<typeof GroupProjectMembershipRolesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/group-project-memberships.ts
+++ b/backend/src/db/schemas/group-project-memberships.ts
@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupProjectMembershipsSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  groupId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroupProjectMemberships = z.infer<typeof GroupProjectMembershipsSchema>;
+export type TGroupProjectMembershipsInsert = Omit<z.input<typeof GroupProjectMembershipsSchema>, TImmutableDBKeys>;
+export type TGroupProjectMembershipsUpdate = Partial<
+  Omit<z.input<typeof GroupProjectMembershipsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/groups.ts
+++ b/backend/src/db/schemas/groups.ts
@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GroupsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  name: z.string(),
+  slug: z.string(),
+  role: z.string(),
+  roleId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGroups = z.infer<typeof GroupsSchema>;
+export type TGroupsInsert = Omit<z.input<typeof GroupsSchema>, TImmutableDBKeys>;
+export type TGroupsUpdate = Partial<Omit<z.input<typeof GroupsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-project-memberships.ts
+++ b/backend/src/db/schemas/identity-project-memberships.ts
@@ -9,8 +9,6 @@ import { TImmutableDBKeys } from "./models";

 export const IdentityProjectMembershipsSchema = z.object({
  id: z.string().uuid(),
-  role: z.string(),
-  roleId: z.string().uuid().nullable().optional(),
  projectId: z.string(),
  identityId: z.string().uuid(),
  createdAt: z.date(),
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -7,6 +7,9 @@ export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
+export * from "./group-project-membership-roles";
+export * from "./group-project-memberships";
+export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-org-memberships";
@@ -61,5 +64,6 @@ export * from "./trusted-ips";
 export * from "./user-actions";
 export * from "./user-aliases";
 export * from "./user-encryption-keys";
+export * from "./user-group-membership";
 export * from "./users";
 export * from "./webhooks";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -2,6 +2,10 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
+  Groups = "groups",
+  GroupProjectMembership = "group_project_memberships",
+  GroupProjectMembershipRole = "group_project_membership_roles",
+  UserGroupMembership = "user_group_membership",
  UserAliases = "user_aliases",
  UserEncryptionKey = "user_encryption_keys",
  AuthTokens = "auth_tokens",
--- a/backend/src/db/schemas/project-memberships.ts
+++ b/backend/src/db/schemas/project-memberships.ts
@@ -9,12 +9,10 @@ import { TImmutableDBKeys } from "./models";

 export const ProjectMembershipsSchema = z.object({
  id: z.string().uuid(),
-  role: z.string(),
  createdAt: z.date(),
  updatedAt: z.date(),
  userId: z.string().uuid(),
-  projectId: z.string(),
-  roleId: z.string().uuid().nullable().optional()
+  projectId: z.string()
 });

 export type TProjectMemberships = z.infer<typeof ProjectMembershipsSchema>;
--- a/backend/src/db/schemas/user-group-membership.ts
+++ b/backend/src/db/schemas/user-group-membership.ts
@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const UserGroupMembershipSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  groupId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TUserGroupMembership = z.infer<typeof UserGroupMembershipSchema>;
+export type TUserGroupMembershipInsert = Omit<z.input<typeof UserGroupMembershipSchema>, TImmutableDBKeys>;
+export type TUserGroupMembershipUpdate = Partial<Omit<z.input<typeof UserGroupMembershipSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@@ -33,8 +33,7 @@ export async function seed(knex: Knex): Promise<void> {
  const projectMembership = await knex(TableName.ProjectMembership)
    .insert({
      projectId: project.id,
-      userId: seedData1.id,
-      role: ProjectMembershipRole.Admin
+      userId: seedData1.id
    })
    .returning("*");
  await knex(TableName.ProjectUserMembershipRole).insert({
--- a/backend/src/db/seeds/4-machine-identity.ts
+++ b/backend/src/db/seeds/4-machine-identity.ts
@@ -78,8 +78,7 @@ export async function seed(knex: Knex): Promise<void> {
  const identityProjectMembership = await knex(TableName.IdentityProjectMembership)
    .insert({
      identityId: seedData1.machineIdentity.id,
-      projectId: seedData1.project.id,
-      role: ProjectMembershipRole.Admin
+      projectId: seedData1.project.id
    })
    .returning("*");

--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@@ -0,0 +1,220 @@
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
+import { GROUPS } from "@app/lib/api-docs";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerGroupRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z.object({
+        name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
+        slug: z
+          .string()
+          .min(5)
+          .max(36)
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(GROUPS.CREATE.slug),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(GROUPS.CREATE.role)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.createGroup({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/:currentSlug",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+      }),
+      body: z
+        .object({
+          name: z.string().trim().min(1).describe(GROUPS.UPDATE.name),
+          slug: z
+            .string()
+            .min(5)
+            .max(36)
+            .refine((v) => slugify(v) === v, {
+              message: "Slug must be a valid slug"
+            })
+            .describe(GROUPS.UPDATE.slug),
+          role: z.string().trim().min(1).describe(GROUPS.UPDATE.role)
+        })
+        .partial(),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.updateGroup({
+        currentSlug: req.params.currentSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/:slug",
+    method: "DELETE",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.deleteGroup({
+        groupSlug: req.params.slug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:slug/users",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+      }),
+      querystring: z.object({
+        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
+        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
+        username: z.string().optional().describe(GROUPS.LIST_USERS.username)
+      }),
+      response: {
+        200: z.object({
+          users: UsersSchema.pick({
+            email: true,
+            username: true,
+            firstName: true,
+            lastName: true,
+            id: true
+          })
+            .merge(
+              z.object({
+                isPartOfGroup: z.boolean()
+              })
+            )
+            .array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { users, totalCount } = await server.services.group.listGroupUsers({
+        groupSlug: req.params.slug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+      return { users, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        username: z.string().trim().describe(GROUPS.ADD_USER.username)
+      }),
+      response: {
+        200: UsersSchema.pick({
+          email: true,
+          username: true,
+          firstName: true,
+          lastName: true,
+          id: true
+        })
+      }
+    },
+    handler: async (req) => {
+      const user = await server.services.group.addUserToGroup({
+        groupSlug: req.params.slug,
+        username: req.params.username,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return user;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:slug/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        username: z.string().trim().describe(GROUPS.DELETE_USER.username)
+      }),
+      response: {
+        200: UsersSchema.pick({
+          email: true,
+          username: true,
+          firstName: true,
+          lastName: true,
+          id: true
+        })
+      }
+    },
+    handler: async (req) => {
+      const user = await server.services.group.removeUserFromGroup({
+        groupSlug: req.params.slug,
+        username: req.params.username,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return user;
+    }
+  });
+};
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@@ -1,5 +1,6 @@
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
+import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
@@ -53,6 +54,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
+  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(
    async (privilegeRouter) => {
      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@@ -171,6 +171,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        req.permission.authMethod,
        req.permission.orgId
      );
+
      return { data: { permissions, membership } };
    }
  });
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -3,7 +3,7 @@ import { z } from "zod";
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
+import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -145,6 +145,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        actorAuthMethod: req.permission.authMethod,
        projectId: req.params.workspaceId,
        ...req.query,
+        startDate: req.query.endDate || getLastMidnightDateISO(),
        auditLogActor: req.query.actor,
        actor: req.permission.type
      });
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -206,7 +206,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
    schema: {
      body: z.object({
        schemas: z.array(z.string()),
-        userName: z.string().trim().email(),
+        userName: z.string().trim(),
        name: z.object({
          familyName: z.string().trim(),
          givenName: z.string().trim()
@@ -227,7 +227,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          schemas: z.array(z.string()),
          id: z.string().trim(),
-          userName: z.string().trim().email(),
+          userName: z.string().trim(),
          name: z.object({
            familyName: z.string().trim(),
            givenName: z.string().trim()
@@ -262,38 +262,257 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {

  server.route({
    url: "/Users/:userId",
-    method: "PATCH",
+    method: "DELETE",
    schema: {
      params: z.object({
        userId: z.string().trim()
      }),
-      body: z.object({
-        schemas: z.array(z.string()),
-        Operations: z.array(
-          z.object({
-            op: z.string().trim(),
-            path: z.string().trim().optional(),
-            value: z.union([
-              z.object({
-                active: z.boolean()
-              }),
-              z.string().trim()
-            ])
-          })
-        )
-      }),
      response: {
        200: z.object({})
      }
    },
    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
    handler: async (req) => {
-      const user = await req.server.services.scim.updateScimUser({
+      const user = await req.server.services.scim.deleteScimUser({
        userId: req.params.userId,
+        orgId: req.permission.orgId
+      });
+
+      return user;
+    }
+  });
+
+  server.route({
+    url: "/Groups",
+    method: "POST",
+    schema: {
+      body: z.object({
+        schemas: z.array(z.string()),
+        displayName: z.string().trim(),
+        members: z.array(z.any()).length(0).optional() // okta-specific
+      }),
+      response: {
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(z.any()).length(0),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const group = await req.server.services.scim.createScimGroup({
+        displayName: req.body.displayName,
+        orgId: req.permission.orgId
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/Groups",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        startIndex: z.coerce.number().default(1),
+        count: z.coerce.number().default(20),
+        filter: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          Resources: z.array(
+            z.object({
+              schemas: z.array(z.string()),
+              id: z.string().trim(),
+              displayName: z.string().trim(),
+              members: z.array(z.any()).length(0),
+              meta: z.object({
+                resourceType: z.string().trim()
+              })
+            })
+          ),
+          itemsPerPage: z.number(),
+          schemas: z.array(z.string()),
+          startIndex: z.number(),
+          totalResults: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const groups = await req.server.services.scim.listScimGroups({
+        orgId: req.permission.orgId,
+        offset: req.query.startIndex,
+        limit: req.query.count
+      });
+
+      return groups;
+    }
+  });
+
+  server.route({
+    url: "/Groups/:groupId",
+    method: "GET",
+    schema: {
+      params: z.object({
+        groupId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const group = await req.server.services.scim.getScimGroup({
+        groupId: req.params.groupId,
+        orgId: req.permission.orgId
+      });
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/Groups/:groupId",
+    method: "PUT",
+    schema: {
+      params: z.object({
+        groupId: z.string().trim()
+      }),
+      body: z.object({
+        schemas: z.array(z.string()),
+        id: z.string().trim(),
+        displayName: z.string().trim(),
+        members: z.array(z.any()).length(0)
+      }),
+      response: {
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const group = await req.server.services.scim.updateScimGroupNamePut({
+        groupId: req.params.groupId,
+        orgId: req.permission.orgId,
+        displayName: req.body.displayName
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/Groups/:groupId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        groupId: z.string().trim()
+      }),
+      body: z.object({
+        schemas: z.array(z.string()),
+        Operations: z.array(
+          z.union([
+            z.object({
+              op: z.literal("replace"),
+              value: z.object({
+                id: z.string().trim(),
+                displayName: z.string().trim()
+              })
+            }),
+            z.object({
+              op: z.literal("remove"),
+              path: z.string().trim()
+            }),
+            z.object({
+              op: z.literal("add"),
+              value: z.object({
+                value: z.string().trim(),
+                display: z.string().trim().optional()
+              })
+            })
+          ])
+        )
+      }),
+      response: {
+        200: z.object({
+          schemas: z.array(z.string()),
+          id: z.string().trim(),
+          displayName: z.string().trim(),
+          members: z.array(
+            z.object({
+              value: z.string(),
+              display: z.string()
+            })
+          ),
+          meta: z.object({
+            resourceType: z.string().trim()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      // console.log("PATCH /Groups/:groupId req.body: ", req.body);
+      // console.log("PATCH /Groups/:groupId req.body: ", req.body.Operations[0]);
+      const group = await req.server.services.scim.updateScimGroupNamePatch({
+        groupId: req.params.groupId,
        orgId: req.permission.orgId,
        operations: req.body.Operations
      });
-      return user;
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/Groups/:groupId",
+    method: "DELETE",
+    schema: {
+      params: z.object({
+        groupId: z.string().trim()
+      }),
+      response: {
+        200: z.object({})
+      }
+    },
+    onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
+    handler: async (req) => {
+      const group = await req.server.services.scim.deleteScimGroup({
+        groupId: req.params.groupId,
+        orgId: req.permission.orgId
+      });
+
+      return group;
    }
  });

--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -249,7 +249,7 @@ export const dynamicSecretLeaseServiceFactory = ({

    if ((revokeResponse as { error?: Error })?.error) {
      const { error } = revokeResponse as { error?: Error };
-      logger.error("Failed to revoke lease", { error: error?.message });
+      logger.error(error?.message, "Failed to revoke lease");
      const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
        status: DynamicSecretLeaseStatus.FailedDeletion,
        statusDetails: error?.message?.slice(0, 255)
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -1,7 +1,8 @@
 import { z } from "zod";

 export enum SqlProviders {
-  Postgres = "postgres"
+  Postgres = "postgres",
+  MySQL = "mysql2"
 }

 export const DynamicSecretSqlDBSchema = z.object({
@@ -13,7 +14,7 @@ export const DynamicSecretSqlDBSchema = z.object({
  password: z.string(),
  creationStatement: z.string(),
  revocationStatement: z.string(),
-  renewStatement: z.string(),
+  renewStatement: z.string().optional(),
  ca: z.string().optional()
 });

--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -48,10 +48,10 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
        host: providerInputs.host,
        user: providerInputs.username,
        password: providerInputs.password,
-        connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
        ssl,
        pool: { min: 0, max: 1 }
-      }
+      },
+      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
    });
    return db;
  };
@@ -73,15 +73,25 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {

    const username = alphaNumericNanoId(32);
    const password = generatePassword();
+    const { database } = providerInputs;
    const expiration = new Date(expireAt).toISOString();

    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
      username,
      password,
-      expiration
+      expiration,
+      database
    });

-    await db.raw(creationStatement.toString());
+    await db.transaction(async (tx) =>
+      Promise.all(
+        creationStatement
+          .toString()
+          .split(";")
+          .filter(Boolean)
+          .map((query) => tx.raw(query))
+      )
+    );
    await db.destroy();
    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
  };
@@ -91,9 +101,18 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
    const db = await getClient(providerInputs);

    const username = entityId;
+    const { database } = providerInputs;

-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
-    await db.raw(revokeStatement);
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
+    await db.transaction(async (tx) =>
+      Promise.all(
+        revokeStatement
+          .toString()
+          .split(";")
+          .filter(Boolean)
+          .map((query) => tx.raw(query))
+      )
+    );

    await db.destroy();
    return { entityId: username };
@@ -105,9 +124,19 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {

    const username = entityId;
    const expiration = new Date(expireAt).toISOString();
+    const { database } = providerInputs;

-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
-    await db.raw(renewStatement);
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration, database });
+    if (renewStatement)
+      await db.transaction(async (tx) =>
+        Promise.all(
+          renewStatement
+            .toString()
+            .split(";")
+            .filter(Boolean)
+            .map((query) => tx.raw(query))
+        )
+      );

    await db.destroy();
    return { entityId: username };
--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@@ -0,0 +1,157 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TGroups } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";
+
+export type TGroupDALFactory = ReturnType<typeof groupDALFactory>;
+
+export const groupDALFactory = (db: TDbClient) => {
+  const groupOrm = ormify(db, TableName.Groups);
+
+  const findGroups = async (filter: TFindFilter<TGroups>, { offset, limit, sort, tx }: TFindOpt<TGroups> = {}) => {
+    try {
+      const query = (tx || db)(TableName.Groups)
+        // eslint-disable-next-line
+        .where(buildFindFilter(filter))
+        .select(selectAllTableCols(TableName.Groups));
+
+      if (limit) void query.limit(limit);
+      if (offset) void query.limit(offset);
+      if (sort) {
+        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
+      }
+
+      const res = await query;
+      return res;
+    } catch (err) {
+      throw new DatabaseError({ error: err, name: "Find groups" });
+    }
+  };
+
+  const findByOrgId = async (orgId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.Groups)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .leftJoin(TableName.OrgRoles, `${TableName.Groups}.roleId`, `${TableName.OrgRoles}.id`)
+        .select(selectAllTableCols(TableName.Groups))
+        // cr stands for custom role
+        .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
+        .select(db.ref("name").as("crName").withSchema(TableName.OrgRoles))
+        .select(db.ref("slug").as("crSlug").withSchema(TableName.OrgRoles))
+        .select(db.ref("description").as("crDescription").withSchema(TableName.OrgRoles))
+        .select(db.ref("permissions").as("crPermission").withSchema(TableName.OrgRoles));
+      return docs.map(({ crId, crDescription, crSlug, crPermission, crName, ...el }) => ({
+        ...el,
+        customRole: el.roleId
+          ? {
+              id: crId,
+              name: crName,
+              slug: crSlug,
+              permissions: crPermission,
+              description: crDescription
+            }
+          : undefined
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindByOrgId" });
+    }
+  };
+
+  const countAllGroupMembers = async ({ orgId, groupId }: { orgId: string; groupId: string }) => {
+    try {
+      interface CountResult {
+        count: string;
+      }
+
+      const doc = await db<CountResult>(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.UserGroupMembership, function () {
+          this.on(`${TableName.UserGroupMembership}.userId`, "=", `${TableName.Users}.id`).andOn(
+            `${TableName.UserGroupMembership}.groupId`,
+            "=",
+            db.raw("?", [groupId])
+          );
+        })
+        .where({ isGhost: false })
+        .count(`${TableName.Users}.id`)
+        .first();
+
+      return parseInt((doc?.count as string) || "0", 10);
+    } catch (err) {
+      throw new DatabaseError({ error: err, name: "Count all group members" });
+    }
+  };
+
+  // special query
+  const findAllGroupMembers = async ({
+    orgId,
+    groupId,
+    offset = 0,
+    limit,
+    username
+  }: {
+    orgId: string;
+    groupId: string;
+    offset?: number;
+    limit?: number;
+    username?: string;
+  }) => {
+    try {
+      let query = db(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.UserGroupMembership, function () {
+          this.on(`${TableName.UserGroupMembership}.userId`, "=", `${TableName.Users}.id`).andOn(
+            `${TableName.UserGroupMembership}.groupId`,
+            "=",
+            db.raw("?", [groupId])
+          );
+        })
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId")
+        )
+        .where({ isGhost: false })
+        .offset(offset);
+
+      if (limit) {
+        query = query.limit(limit);
+      }
+
+      if (username) {
+        query = query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
+      }
+
+      const members = await query;
+
+      return members.map(
+        ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({
+          id: userId,
+          email,
+          username: memberUsername,
+          firstName,
+          lastName,
+          isPartOfGroup: !!memberGroupId
+        })
+      );
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find all org members" });
+    }
+  };
+
+  return {
+    findGroups,
+    findByOrgId,
+    countAllGroupMembers,
+    findAllGroupMembers,
+    ...groupOrm
+  };
+};
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -0,0 +1,474 @@
+import { ForbiddenError } from "@casl/ability";
+import slugify from "@sindresorhus/slugify";
+
+import { OrgMembershipRole, SecretKeyEncoding, TOrgRoles } from "@app/db/schemas";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TGroupProjectDALFactory } from "../../../services/group-project/group-project-dal";
+import { TOrgDALFactory } from "../../../services/org/org-dal";
+import { TProjectDALFactory } from "../../../services/project/project-dal";
+import { TProjectBotDALFactory } from "../../../services/project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "../../../services/project-key/project-key-dal";
+import { TUserDALFactory } from "../../../services/user/user-dal";
+import { TLicenseServiceFactory } from "../license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TGroupDALFactory } from "./group-dal";
+import {
+  TAddUserToGroupDTO,
+  TCreateGroupDTO,
+  TDeleteGroupDTO,
+  TListGroupUsersDTO,
+  TRemoveUserFromGroupDTO,
+  TUpdateGroupDTO
+} from "./group-types";
+import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
+
+type TGroupServiceFactoryDep = {
+  userDAL: Pick<TUserDALFactory, "findOne" | "findUserEncKeyByUsername">;
+  groupDAL: Pick<
+    TGroupDALFactory,
+    "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "countAllGroupMembers"
+  >;
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
+  orgDAL: Pick<TOrgDALFactory, "findMembership">;
+  userGroupMembershipDAL: Pick<
+    TUserGroupMembershipDALFactory,
+    "findOne" | "create" | "delete" | "filterProjectsByUserMembership"
+  >;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "create" | "delete" | "findLatestProjectKey">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
+
+export const groupServiceFactory = ({
+  userDAL,
+  groupDAL,
+  groupProjectDAL,
+  orgDAL,
+  userGroupMembershipDAL,
+  projectDAL,
+  projectBotDAL,
+  projectKeyDAL,
+  permissionService,
+  licenseService
+}: TGroupServiceFactoryDep) => {
+  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.groups)
+      throw new BadRequestError({
+        message: "Failed to create group due to plan restriction. Upgrade plan to create group."
+      });
+
+    const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
+      role,
+      actorOrgId
+    );
+    const isCustomRole = Boolean(customRole);
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged group" });
+
+    const group = await groupDAL.create({
+      name,
+      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      orgId: actorOrgId,
+      role: isCustomRole ? OrgMembershipRole.Custom : role,
+      roleId: customRole?.id
+    });
+
+    return group;
+  };
+
+  const updateGroup = async ({
+    currentSlug,
+    name,
+    slug,
+    role,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TUpdateGroupDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+
+    const plan = await licenseService.getPlan(actorOrgId);
+    if (!plan.groups)
+      throw new BadRequestError({
+        message: "Failed to update group due to plan restrictio Upgrade plan to update group."
+      });
+
+    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: currentSlug });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${currentSlug}` });
+
+    let customRole: TOrgRoles | undefined;
+    if (role) {
+      const { permission: rolePermission, role: customOrgRole } = await permissionService.getOrgPermissionByRole(
+        role,
+        group.orgId
+      );
+
+      const isCustomRole = Boolean(customOrgRole);
+      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
+      if (!hasRequiredNewRolePermission)
+        throw new BadRequestError({ message: "Failed to create a more privileged group" });
+      if (isCustomRole) customRole = customOrgRole;
+    }
+
+    const [updatedGroup] = await groupDAL.update(
+      {
+        orgId: actorOrgId,
+        slug: currentSlug
+      },
+      {
+        name,
+        slug: slug ? slugify(slug) : undefined,
+        ...(role
+          ? {
+              role: customRole ? OrgMembershipRole.Custom : role,
+              roleId: customRole?.id ?? null
+            }
+          : {})
+      }
+    );
+
+    return updatedGroup;
+  };
+
+  const deleteGroup = async ({ groupSlug, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
+
+    const plan = await licenseService.getPlan(actorOrgId);
+
+    if (!plan.groups)
+      throw new BadRequestError({
+        message: "Failed to delete group due to plan restriction. Upgrade plan to delete group."
+      });
+
+    const [group] = await groupDAL.delete({
+      orgId: actorOrgId,
+      slug: groupSlug
+    });
+
+    return group;
+  };
+
+  const listGroupUsers = async ({
+    groupSlug,
+    offset,
+    limit,
+    username,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TListGroupUsersDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+
+    const group = await groupDAL.findOne({
+      orgId: actorOrgId,
+      slug: groupSlug
+    });
+
+    if (!group)
+      throw new BadRequestError({
+        message: `Failed to find group with slug ${groupSlug}`
+      });
+
+    const users = await groupDAL.findAllGroupMembers({
+      orgId: group.orgId,
+      groupId: group.id,
+      offset,
+      limit,
+      username
+    });
+
+    const totalCount = await groupDAL.countAllGroupMembers({
+      orgId: group.orgId,
+      groupId: group.id
+    });
+
+    return { users, totalCount };
+  };
+
+  const addUserToGroup = async ({
+    groupSlug,
+    username,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TAddUserToGroupDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+
+    // check if group with slug exists
+    const group = await groupDAL.findOne({
+      orgId: actorOrgId,
+      slug: groupSlug
+    });
+
+    if (!group)
+      throw new BadRequestError({
+        message: `Failed to find group with slug ${groupSlug}`
+      });
+
+    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
+
+    // check if user has broader or equal to privileges than group
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
+
+    // get user with username
+    const user = await userDAL.findUserEncKeyByUsername({
+      username
+    });
+
+    if (!user)
+      throw new BadRequestError({
+        message: `Failed to find user with username ${username}`
+      });
+
+    // check if user group membership already exists
+    const existingUserGroupMembership = await userGroupMembershipDAL.findOne({
+      groupId: group.id,
+      userId: user.userId
+    });
+
+    if (existingUserGroupMembership)
+      throw new BadRequestError({
+        message: `User ${username} is already part of the group ${groupSlug}`
+      });
+
+    // check if user is even part of the organization
+    const existingUserOrgMembership = await orgDAL.findMembership({
+      userId: user.userId,
+      orgId: actorOrgId
+    });
+
+    if (!existingUserOrgMembership)
+      throw new BadRequestError({
+        message: `User ${username} is not part of the organization`
+      });
+
+    await userGroupMembershipDAL.create({
+      userId: user.userId,
+      groupId: group.id
+    });
+
+    // check which projects the group is part of
+    const projectIds = (
+      await groupProjectDAL.find({
+        groupId: group.id
+      })
+    ).map((gp) => gp.projectId);
+
+    const keys = await projectKeyDAL.find({
+      receiverId: user.userId,
+      $in: {
+        projectId: projectIds
+      }
+    });
+
+    const keysSet = new Set(keys.map((k) => k.projectId));
+    const projectsToAddKeyFor = projectIds.filter((p) => !keysSet.has(p));
+
+    for await (const projectId of projectsToAddKeyFor) {
+      const ghostUser = await projectDAL.findProjectGhostUser(projectId);
+
+      if (!ghostUser) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user"
+        });
+      }
+
+      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId);
+
+      if (!ghostUserLatestKey) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user latest key"
+        });
+      }
+
+      const bot = await projectBotDAL.findOne({ projectId });
+
+      if (!bot) {
+        throw new BadRequestError({
+          message: "Failed to find bot"
+        });
+      }
+
+      const botPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        iv: bot.iv,
+        tag: bot.tag,
+        ciphertext: bot.encryptedPrivateKey
+      });
+
+      const plaintextProjectKey = decryptAsymmetric({
+        ciphertext: ghostUserLatestKey.encryptedKey,
+        nonce: ghostUserLatestKey.nonce,
+        publicKey: ghostUserLatestKey.sender.publicKey,
+        privateKey: botPrivateKey
+      });
+
+      const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, user.publicKey, botPrivateKey);
+
+      await projectKeyDAL.create({
+        encryptedKey,
+        nonce,
+        senderId: ghostUser.id,
+        receiverId: user.userId,
+        projectId
+      });
+    }
+
+    return user;
+  };
+
+  const removeUserFromGroup = async ({
+    groupSlug,
+    username,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TRemoveUserFromGroupDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+
+    // check if group with slug exists
+    const group = await groupDAL.findOne({
+      orgId: actorOrgId,
+      slug: groupSlug
+    });
+
+    if (!group)
+      throw new BadRequestError({
+        message: `Failed to find group with slug ${groupSlug}`
+      });
+
+    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
+
+    // check if user has broader or equal to privileges than group
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
+
+    const user = await userDAL.findOne({
+      username
+    });
+
+    if (!user)
+      throw new BadRequestError({
+        message: `Failed to find user with username ${username}`
+      });
+
+    // check if user group membership already exists
+    const existingUserGroupMembership = await userGroupMembershipDAL.findOne({
+      groupId: group.id,
+      userId: user.id
+    });
+
+    if (!existingUserGroupMembership)
+      throw new BadRequestError({
+        message: `User ${username} is not part of the group ${groupSlug}`
+      });
+
+    const projectIds = (
+      await groupProjectDAL.find({
+        groupId: group.id
+      })
+    ).map((gp) => gp.projectId);
+
+    const t = await userGroupMembershipDAL.filterProjectsByUserMembership(user.id, group.id, projectIds);
+
+    const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
+
+    if (projectsToDeleteKeyFor.length) {
+      await projectKeyDAL.delete({
+        receiverId: user.id,
+        $in: {
+          projectId: projectsToDeleteKeyFor
+        }
+      });
+    }
+
+    await userGroupMembershipDAL.delete({
+      groupId: group.id,
+      userId: user.id
+    });
+
+    return user;
+  };
+
+  return {
+    createGroup,
+    updateGroup,
+    deleteGroup,
+    listGroupUsers,
+    addUserToGroup,
+    removeUserFromGroup
+  };
+};
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@@ -0,0 +1,37 @@
+import { TGenericPermission } from "@app/lib/types";
+
+export type TCreateGroupDTO = {
+  name: string;
+  slug?: string;
+  role: string;
+} & TGenericPermission;
+
+export type TUpdateGroupDTO = {
+  currentSlug: string;
+} & Partial<{
+  name: string;
+  slug: string;
+  role: string;
+}> &
+  TGenericPermission;
+
+export type TDeleteGroupDTO = {
+  groupSlug: string;
+} & TGenericPermission;
+
+export type TListGroupUsersDTO = {
+  groupSlug: string;
+  offset: number;
+  limit: number;
+  username?: string;
+} & TGenericPermission;
+
+export type TAddUserToGroupDTO = {
+  groupSlug: string;
+  username: string;
+} & TGenericPermission;
+
+export type TRemoveUserFromGroupDTO = {
+  groupSlug: string;
+  username: string;
+} & TGenericPermission;
--- a/backend/src/ee/services/group/user-group-membership-dal.ts
+++ b/backend/src/ee/services/group/user-group-membership-dal.ts
@@ -0,0 +1,125 @@
+import { TDbClient } from "@app/db";
+import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify } from "@app/lib/knex";
+
+export type TUserGroupMembershipDALFactory = ReturnType<typeof userGroupMembershipDALFactory>;
+
+export const userGroupMembershipDALFactory = (db: TDbClient) => {
+  const userGroupMembershipOrm = ormify(db, TableName.UserGroupMembership);
+
+  /**
+   * Returns a sub-set of projectIds fed into this function corresponding to projects where either:
+   * - The user is a direct member of the project.
+   * - The user is a member of a group that is a member of the project, excluding projects that they are part of
+   * through the group with id [groupId].
+   */
+  const filterProjectsByUserMembership = async (userId: string, groupId: string, projectIds: string[]) => {
+    const userProjectMemberships: string[] = await db(TableName.ProjectMembership)
+      .where(`${TableName.ProjectMembership}.userId`, userId)
+      .whereIn(`${TableName.ProjectMembership}.projectId`, projectIds)
+      .pluck(`${TableName.ProjectMembership}.projectId`);
+
+    const userGroupMemberships: string[] = await db(TableName.UserGroupMembership)
+      .where(`${TableName.UserGroupMembership}.userId`, userId)
+      .whereNot(`${TableName.UserGroupMembership}.groupId`, groupId)
+      .join(
+        TableName.GroupProjectMembership,
+        `${TableName.UserGroupMembership}.groupId`,
+        `${TableName.GroupProjectMembership}.groupId`
+      )
+      .whereIn(`${TableName.GroupProjectMembership}.projectId`, projectIds)
+      .pluck(`${TableName.GroupProjectMembership}.projectId`);
+
+    return new Set(userProjectMemberships.concat(userGroupMemberships));
+  };
+
+  // special query
+  const findUserGroupMembershipsInProject = async (usernames: string[], projectId: string) => {
+    try {
+      const usernameDocs: string[] = await db(TableName.UserGroupMembership)
+        .join(
+          TableName.GroupProjectMembership,
+          `${TableName.UserGroupMembership}.groupId`,
+          `${TableName.GroupProjectMembership}.groupId`
+        )
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .whereIn(`${TableName.Users}.username`, usernames) // TODO: pluck usernames
+        .pluck(`${TableName.Users}.id`);
+
+      return usernameDocs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find user group members in project" });
+    }
+  };
+
+  /**
+   * Return list of users that are part of the group with id [groupId]
+   * that have not yet been added individually to project with id [projectId].
+   *
+   * Note: Filters out users that are part of other groups in the project.
+   * @param groupId
+   * @param projectId
+   * @returns
+   */
+  const findGroupMembersNotInProject = async (groupId: string, projectId: string) => {
+    try {
+      // get list of groups in the project with id [projectId]
+      // that that are not the group with id [groupId]
+      const groups: string[] = await db(TableName.GroupProjectMembership)
+        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .whereNot(`${TableName.GroupProjectMembership}.groupId`, groupId)
+        .pluck(`${TableName.GroupProjectMembership}.groupId`);
+
+      // main query
+      const members = await db(TableName.UserGroupMembership)
+        .where(`${TableName.UserGroupMembership}.groupId`, groupId)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.ProjectMembership, function () {
+          this.on(`${TableName.Users}.id`, "=", `${TableName.ProjectMembership}.userId`).andOn(
+            `${TableName.ProjectMembership}.projectId`,
+            "=",
+            db.raw("?", [projectId])
+          );
+        })
+        .whereNull(`${TableName.ProjectMembership}.userId`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
+        .whereNotIn(`${TableName.UserGroupMembership}.userId`, function () {
+          // eslint-disable-next-line @typescript-eslint/no-floating-promises
+          this.select(`${TableName.UserGroupMembership}.userId`)
+            .from(TableName.UserGroupMembership)
+            .whereIn(`${TableName.UserGroupMembership}.groupId`, groups);
+        });
+
+      return members.map(({ email, username, firstName, lastName, userId, publicKey, ...data }) => ({
+        ...data,
+        user: { email, username, firstName, lastName, id: userId, publicKey }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find group members not in project" });
+    }
+  };
+
+  return {
+    ...userGroupMembershipOrm,
+    filterProjectsByUserMembership,
+    findUserGroupMembershipsInProject,
+    findGroupMembersNotInProject
+  };
+};
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -12,7 +12,6 @@ import {
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
-import { TOrgPermission } from "@app/lib/types";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -24,7 +23,7 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TLdapConfigDALFactory } from "./ldap-config-dal";
-import { TCreateLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";
+import { TCreateLdapCfgDTO, TGetLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";

 type TLdapConfigServiceFactoryDep = {
  ldapConfigDAL: TLdapConfigDALFactory;
@@ -282,7 +281,7 @@ export const ldapConfigServiceFactory = ({
    orgId,
    actorAuthMethod,
    actorOrgId
-  }: TOrgPermission) => {
+  }: TGetLdapCfgDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
    return getLdapCfg({
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@@ -1,6 +1,7 @@
 import { TOrgPermission } from "@app/lib/types";

 export type TCreateLdapCfgDTO = {
+  orgId: string;
  isActive: boolean;
  url: string;
  bindDN: string;
@@ -9,7 +10,9 @@ export type TCreateLdapCfgDTO = {
  caCert: string;
 } & TOrgPermission;

-export type TUpdateLdapCfgDTO = Partial<{
+export type TUpdateLdapCfgDTO = {
+  orgId: string;
+} & Partial<{
  isActive: boolean;
  url: string;
  bindDN: string;
@@ -19,6 +22,10 @@ export type TUpdateLdapCfgDTO = Partial<{
 }> &
  TOrgPermission;

+export type TGetLdapCfgDTO = {
+  orgId: string;
+} & TOrgPermission;
+
 export type TLdapLoginDTO = {
  externalId: string;
  username: string;
--- a/backend/src/ee/services/license/mocks/licence-fns.ts
+++ b/backend/src/ee/services/license/mocks/licence-fns.ts
@@ -20,6 +20,7 @@ export const getDefaultOnPremFeatures = () => {
    samlSSO: false,
    scim: false,
    ldap: false,
+    groups: false,
    status: null,
    trial_end: null,
    has_used_trial: true,
--- a/backend/src/ee/services/license/licence-fns.ts
+++ b/backend/src/ee/services/license/licence-fns.ts
@@ -27,6 +27,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  samlSSO: false,
  scim: false,
  ldap: false,
+  groups: false,
  status: null,
  trial_end: null,
  has_used_trial: true,
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -43,6 +43,7 @@ export type TFeatureSet = {
  samlSSO: false;
  scim: false;
  ldap: false;
+  groups: false;
  status: null;
  trial_end: null;
  has_used_trial: true;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -18,6 +18,7 @@ export enum OrgPermissionSubjects {
  Sso = "sso",
  Scim = "scim",
  Ldap = "ldap",
+  Groups = "groups",
  Billing = "billing",
  SecretScanning = "secret-scanning",
  Identity = "identity"
@@ -33,6 +34,7 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.Scim]
  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
+  | [OrgPermissionActions, OrgPermissionSubjects.Groups]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionActions, OrgPermissionSubjects.Identity];
@@ -83,6 +85,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
+
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
@@ -105,6 +112,7 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Member);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -45,6 +45,42 @@ export const permissionDALFactory = (db: TDbClient) => {

  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
+      const groups: string[] = await db(TableName.GroupProjectMembership)
+        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .pluck(`${TableName.GroupProjectMembership}.groupId`);
+
+      const groupDocs = await db(TableName.UserGroupMembership)
+        .where(`${TableName.UserGroupMembership}.userId`, userId)
+        .whereIn(`${TableName.UserGroupMembership}.groupId`, groups)
+        .join(
+          TableName.GroupProjectMembership,
+          `${TableName.GroupProjectMembership}.groupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
+        .join(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .select(selectAllTableCols(TableName.GroupProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("membershipUpdatedAt"),
+          db.ref("projectId").withSchema(TableName.GroupProjectMembership),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
+        )
+        .select("permissions");
+
      const docs = await db(TableName.ProjectMembership)
        .join(
          TableName.ProjectUserMembershipRole,
@@ -68,10 +104,9 @@ export const permissionDALFactory = (db: TDbClient) => {
        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
        .select(
          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          // TODO(roll-forward-migration): remove this field when we drop this in next migration after a week
-          db.ref("role").withSchema(TableName.ProjectMembership).as("oldRoleField"),
          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
+          db.ref("projectId").withSchema(TableName.ProjectMembership),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
@@ -93,19 +128,11 @@ export const permissionDALFactory = (db: TDbClient) => {

      const permission = sqlNestRelationships({
        data: docs,
-        key: "membershipId",
-        parentMapper: ({
-          orgId,
-          orgAuthEnforced,
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          oldRoleField
-        }) => ({
+        key: "projectId",
+        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
          orgId,
          orgAuthEnforced,
          userId,
-          role: oldRoleField,
          id: membershipId,
          projectId,
          createdAt: membershipCreatedAt,
@@ -145,19 +172,58 @@ export const permissionDALFactory = (db: TDbClient) => {
        ]
      });

-      if (!permission?.[0]) return undefined;
+      const groupPermission = groupDocs.length
+        ? sqlNestRelationships({
+            data: groupDocs,
+            key: "projectId",
+            parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
+              orgId,
+              orgAuthEnforced,
+              userId,
+              id: membershipId,
+              projectId,
+              createdAt: membershipCreatedAt,
+              updatedAt: membershipUpdatedAt
+            }),
+            childrenMapper: [
+              {
+                key: "id",
+                label: "roles" as const,
+                mapper: (data) =>
+                  ProjectUserMembershipRolesSchema.extend({
+                    permissions: z.unknown(),
+                    customRoleSlug: z.string().optional().nullable()
+                  }).parse(data)
+              }
+            ]
+          })
+        : [];
+
+      if (!permission?.[0] && !groupPermission[0]) return undefined;
+
      // when introducting cron mode change it here
-      const activeRoles = permission?.[0]?.roles?.filter(
-        ({ isTemporary, temporaryAccessEndTime }) =>
-          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-      );
+      const activeRoles =
+        permission?.[0]?.roles?.filter(
+          ({ isTemporary, temporaryAccessEndTime }) =>
+            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+        ) ?? [];
+
+      const activeGroupRoles =
+        groupPermission?.[0]?.roles?.filter(
+          ({ isTemporary, temporaryAccessEndTime }) =>
+            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+        ) ?? [];

      const activeAdditionalPrivileges = permission?.[0]?.additionalPrivileges?.filter(
        ({ isTemporary, temporaryAccessEndTime }) =>
          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
      );

-      return { ...permission[0], roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
+      return {
+        ...(permission[0] || groupPermission[0]),
+        roles: [...activeRoles, ...activeGroupRoles],
+        additionalPrivileges: activeAdditionalPrivileges
+      };
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectPermission" });
    }
@@ -193,7 +259,6 @@ export const permissionDALFactory = (db: TDbClient) => {
        .select(
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("role").withSchema(TableName.IdentityProjectMembership).as("oldRoleField"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
@@ -222,11 +287,10 @@ export const permissionDALFactory = (db: TDbClient) => {
      const permission = sqlNestRelationships({
        data: docs,
        key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, oldRoleField, orgId }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId }) => ({
          id: membershipId,
          identityId,
          projectId,
-          role: oldRoleField,
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
          orgId,
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -12,6 +12,7 @@ export enum ProjectPermissionActions {
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
+  Groups = "groups",
  Settings = "settings",
  Integrations = "integrations",
  Webhooks = "webhooks",
@@ -41,6 +42,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.Role]
  | [ProjectPermissionActions, ProjectPermissionSub.Tags]
  | [ProjectPermissionActions, ProjectPermissionSub.Member]
+  | [ProjectPermissionActions, ProjectPermissionSub.Groups]
  | [ProjectPermissionActions, ProjectPermissionSub.Integrations]
  | [ProjectPermissionActions, ProjectPermissionSub.Webhooks]
  | [ProjectPermissionActions, ProjectPermissionSub.AuditLogs]
@@ -82,6 +84,11 @@ const buildAdminPermissionRules = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
@@ -157,6 +164,8 @@ const buildMemberPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Member);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
@@ -209,6 +218,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
--- a/backend/src/ee/services/scim/scim-fns.ts
+++ b/backend/src/ee/services/scim/scim-fns.ts
@@ -1,4 +1,4 @@
-import { TListScimUsers, TScimUser } from "./scim-types";
+import { TListScimGroups, TListScimUsers, TScimGroup, TScimUser } from "./scim-types";

 export const buildScimUserList = ({
  scimUsers,
@@ -62,3 +62,47 @@ export const buildScimUser = ({

  return scimUser;
 };
+
+export const buildScimGroupList = ({
+  scimGroups,
+  offset,
+  limit
+}: {
+  scimGroups: TScimGroup[];
+  offset: number;
+  limit: number;
+}): TListScimGroups => {
+  return {
+    Resources: scimGroups,
+    itemsPerPage: limit,
+    schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+    startIndex: offset,
+    totalResults: scimGroups.length
+  };
+};
+
+export const buildScimGroup = ({
+  groupId,
+  name,
+  members
+}: {
+  groupId: string;
+  name: string;
+  members: {
+    value: string;
+    display: string;
+  }[];
+}): TScimGroup => {
+  const scimGroup = {
+    schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+    id: groupId,
+    displayName: name,
+    members,
+    meta: {
+      resourceType: "Group",
+      location: null
+    }
+  };
+
+  return scimGroup;
+};
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -1,10 +1,13 @@
 import { ForbiddenError } from "@casl/ability";
+import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";

-import { OrgMembershipRole, OrgMembershipStatus, TableName } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas";
+import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -17,16 +20,23 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { buildScimUser, buildScimUserList } from "./scim-fns";
+import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList } from "./scim-fns";
 import {
+  TCreateScimGroupDTO,
  TCreateScimTokenDTO,
  TCreateScimUserDTO,
+  TDeleteScimGroupDTO,
  TDeleteScimTokenDTO,
+  TDeleteScimUserDTO,
+  TGetScimGroupDTO,
  TGetScimUserDTO,
+  TListScimGroupsDTO,
  TListScimUsers,
  TListScimUsersDTO,
  TReplaceScimUserDTO,
  TScimTokenJwtPayload,
+  TUpdateScimGroupNamePatchDTO,
+  TUpdateScimGroupNamePutDTO,
  TUpdateScimUserDTO
 } from "./scim-types";

@@ -39,6 +49,7 @@ type TScimServiceFactoryDep = {
  >;
  projectDAL: Pick<TProjectDALFactory, "find">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
+  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  smtpService: TSmtpService;
@@ -53,6 +64,7 @@ export const scimServiceFactory = ({
  orgDAL,
  projectDAL,
  projectMembershipDAL,
+  groupDAL,
  permissionService,
  smtpService
 }: TScimServiceFactoryDep) => {
@@ -423,6 +435,221 @@ export const scimServiceFactory = ({
    });
  };

+  const deleteScimUser = async ({ userId, orgId }: TDeleteScimUserDTO) => {
+    const [membership] = await orgDAL
+      .findMembership({
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+      })
+      .catch(() => {
+        throw new ScimRequestError({
+          detail: "User not found",
+          status: 404
+        });
+      });
+
+    if (!membership)
+      throw new ScimRequestError({
+        detail: "User not found",
+        status: 404
+      });
+
+    if (!membership.scimEnabled) {
+      throw new ScimRequestError({
+        detail: "SCIM is disabled for the organization",
+        status: 403
+      });
+    }
+
+    await deleteOrgMembership({
+      orgMembershipId: membership.id,
+      orgId: membership.orgId,
+      orgDAL,
+      projectDAL,
+      projectMembershipDAL
+    });
+
+    return {}; // intentionally return empty object upon success
+  };
+
+  const listScimGroups = async ({ orgId, offset, limit }: TListScimGroupsDTO) => {
+    const org = await orgDAL.findById(orgId);
+
+    if (!org.scimEnabled)
+      throw new ScimRequestError({
+        detail: "SCIM is disabled for the organization",
+        status: 403
+      });
+
+    const groups = await groupDAL.findGroups({
+      orgId
+    });
+
+    const scimGroups = groups.map((group) =>
+      buildScimGroup({
+        groupId: group.id,
+        name: group.name,
+        members: []
+      })
+    );
+
+    return buildScimGroupList({
+      scimGroups,
+      offset,
+      limit
+    });
+  };
+
+  const createScimGroup = async ({ displayName, orgId }: TCreateScimGroupDTO) => {
+    const org = await orgDAL.findById(orgId);
+
+    if (!org.scimEnabled)
+      throw new ScimRequestError({
+        detail: "SCIM is disabled for the organization",
+        status: 403
+      });
+
+    const group = await groupDAL.create({
+      name: displayName,
+      slug: slugify(`${displayName}-${alphaNumericNanoId(4)}`),
+      orgId,
+      role: OrgMembershipRole.NoAccess
+    });
+
+    return buildScimGroup({
+      groupId: group.id,
+      name: group.name,
+      members: []
+    });
+  };
+
+  const getScimGroup = async ({ groupId, orgId }: TGetScimGroupDTO) => {
+    const group = await groupDAL.findOne({
+      id: groupId,
+      orgId
+    });
+
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
+    const users = await groupDAL.findAllGroupMembers({
+      orgId: group.orgId,
+      groupId: group.id
+    });
+
+    return buildScimGroup({
+      groupId: group.id,
+      name: group.name,
+      members: users
+        .filter((user) => user.isPartOfGroup)
+        .map((user) => ({
+          value: user.id,
+          display: `${user.firstName} ${user.lastName}`
+        }))
+    });
+  };
+
+  const updateScimGroupNamePut = async ({ groupId, orgId, displayName }: TUpdateScimGroupNamePutDTO) => {
+    const [group] = await groupDAL.update(
+      {
+        id: groupId,
+        orgId
+      },
+      {
+        name: displayName
+      }
+    );
+
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
+    return buildScimGroup({
+      groupId: group.id,
+      name: group.name,
+      members: []
+    });
+  };
+
+  // TODO: add support for add/remove op
+  const updateScimGroupNamePatch = async ({ groupId, orgId, operations }: TUpdateScimGroupNamePatchDTO) => {
+    const org = await orgDAL.findById(orgId);
+
+    if (!org.scimEnabled)
+      throw new ScimRequestError({
+        detail: "SCIM is disabled for the organization",
+        status: 403
+      });
+
+    let group: TGroups | undefined;
+    for await (const operation of operations) {
+      switch (operation.op) {
+        case "replace": {
+          await groupDAL.update(
+            {
+              id: groupId,
+              orgId
+            },
+            {
+              name: operation.value.displayName
+            }
+          );
+          break;
+        }
+        case "add": {
+          // TODO
+          break;
+        }
+        case "remove": {
+          // TODO
+          break;
+        }
+        default: {
+          throw new ScimRequestError({
+            detail: "Invalid Operation",
+            status: 400
+          });
+        }
+      }
+    }
+
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
+    return buildScimGroup({
+      groupId: group.id,
+      name: group.name,
+      members: []
+    });
+  };
+
+  const deleteScimGroup = async ({ groupId, orgId }: TDeleteScimGroupDTO) => {
+    const [group] = await groupDAL.delete({
+      id: groupId,
+      orgId
+    });
+
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
+    return {}; // intentionally return empty object upon success
+  };
+
  const fnValidateScimToken = async (token: TScimTokenJwtPayload) => {
    const scimToken = await scimDAL.findById(token.scimTokenId);
    if (!scimToken) throw new UnauthorizedError();
@@ -455,6 +682,13 @@ export const scimServiceFactory = ({
    createScimUser,
    updateScimUser,
    replaceScimUser,
+    deleteScimUser,
+    listScimGroups,
+    createScimGroup,
+    getScimGroup,
+    deleteScimGroup,
+    updateScimGroupNamePut,
+    updateScimGroupNamePatch,
    fnValidateScimToken
  };
 };
--- a/backend/src/ee/services/scim/scim-types.ts
+++ b/backend/src/ee/services/scim/scim-types.ts
@@ -59,6 +59,73 @@ export type TReplaceScimUserDTO = {
  orgId: string;
 };

+export type TDeleteScimUserDTO = {
+  userId: string;
+  orgId: string;
+};
+
+export type TListScimGroupsDTO = {
+  offset: number;
+  limit: number;
+  orgId: string;
+};
+
+export type TListScimGroups = {
+  schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"];
+  totalResults: number;
+  Resources: TScimGroup[];
+  itemsPerPage: number;
+  startIndex: number;
+};
+
+export type TCreateScimGroupDTO = {
+  displayName: string;
+  orgId: string;
+};
+
+export type TGetScimGroupDTO = {
+  groupId: string;
+  orgId: string;
+};
+
+export type TUpdateScimGroupNamePutDTO = {
+  groupId: string;
+  orgId: string;
+  displayName: string;
+};
+
+export type TUpdateScimGroupNamePatchDTO = {
+  groupId: string;
+  orgId: string;
+  operations: (TRemoveOp | TReplaceOp | TAddOp)[];
+};
+
+type TReplaceOp = {
+  op: "replace";
+  value: {
+    id: string;
+    displayName: string;
+  };
+};
+
+type TRemoveOp = {
+  op: "remove";
+  path: string;
+};
+
+type TAddOp = {
+  op: "add";
+  value: {
+    value: string;
+    display?: string;
+  };
+};
+
+export type TDeleteScimGroupDTO = {
+  groupId: string;
+  orgId: string;
+};
+
 export type TScimTokenJwtPayload = {
  scimTokenId: string;
  authTokenType: string;
@@ -86,3 +153,17 @@ export type TScimUser = {
    location: null;
  };
 };
+
+export type TScimGroup = {
+  schemas: string[];
+  id: string;
+  displayName: string;
+  members: {
+    value: string;
+    display: string;
+  }[];
+  meta: {
+    resourceType: string;
+    location: null;
+  };
+};
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -1,3 +1,34 @@
+export const GROUPS = {
+  CREATE: {
+    name: "The name of the group to create.",
+    slug: "The slug of the group to create.",
+    role: "The role of the group to create."
+  },
+  UPDATE: {
+    currentSlug: "The current slug of the group to update.",
+    name: "The new name of the group to update to.",
+    slug: "The new slug of the group to update to.",
+    role: "The new role of the group to update to."
+  },
+  DELETE: {
+    slug: "The slug of the group to delete"
+  },
+  LIST_USERS: {
+    slug: "The slug of the group to list users for",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th user.",
+    limit: "The number of users to return.",
+    username: "The username to search for."
+  },
+  ADD_USER: {
+    slug: "The slug of the group to add the user to.",
+    username: "The username of the user to add to the group."
+  },
+  DELETE_USER: {
+    slug: "The slug of the group to remove the user from.",
+    username: "The username of the user to remove from the group."
+  }
+} as const;
+
 export const IDENTITIES = {
  CREATE: {
    name: "The name of the identity to create.",
@@ -79,6 +110,9 @@ export const ORGANIZATIONS = {
  },
  GET_PROJECTS: {
    organizationId: "The ID of the organization to get projects from."
+  },
+  LIST_GROUPS: {
+    organizationId: "The ID of the organization to list groups for."
  }
 } as const;

@@ -141,6 +175,29 @@ export const PROJECTS = {
  },
  ROLLBACK_TO_SNAPSHOT: {
    secretSnapshotId: "The ID of the snapshot to rollback to."
+  },
+  ADD_GROUP_TO_PROJECT: {
+    projectSlug: "The slug of the project to add the group to.",
+    groupSlug: "The slug of the group to add to the project.",
+    role: "The role for the group to assume in the project."
+  },
+  UPDATE_GROUP_IN_PROJECT: {
+    projectSlug: "The slug of the project to update the group in.",
+    groupSlug: "The slug of the group to update in the project.",
+    roles: "A list of roles to update the group to."
+  },
+  REMOVE_GROUP_FROM_PROJECT: {
+    projectSlug: "The slug of the project to delete the group from.",
+    groupSlug: "The slug of the group to delete from the project."
+  },
+  LIST_GROUPS_IN_PROJECT: {
+    projectSlug: "The slug of the project to list groups for."
+  },
+  LIST_INTEGRATION: {
+    workspaceId: "The ID of the project to list integrations for."
+  },
+  LIST_INTEGRATION_AUTHORIZATION: {
+    workspaceId: "The ID of the project to list integration auths for."
  }
 } as const;

@@ -215,7 +272,8 @@ export const SECRETS = {

 export const RAW_SECRETS = {
  LIST: {
-    recursive: "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories.",
+    recursive:
+      "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
    workspaceId: "The ID of the project to list secrets from.",
    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
@@ -502,11 +560,8 @@ export const INTEGRATION_AUTH = {
    url: "",
    namespace: "",
    refreshToken: "The refresh token for integration authorization."
-  },
-  LIST_AUTHORIZATION: {
-    workspaceId: "The ID of the project to list integration auths for."
  }
-};
+} as const;

 export const INTEGRATION = {
  CREATE: {
--- a/backend/src/lib/fn/dates.ts
+++ b/backend/src/lib/fn/dates.ts
@@ -0,0 +1,2 @@
+export const getLastMidnightDateISO = (last = 1) =>
+  `${new Date(new Date().setDate(new Date().getDate() - last)).toISOString().slice(0, 10)}T00:00:00Z`;
--- a/backend/src/lib/fn/index.ts
+++ b/backend/src/lib/fn/index.ts
@@ -2,5 +2,6 @@
 // Full credits goes to https://github.com/rayapps to those functions
 // Code taken to keep in in house and to adjust somethings for our needs
 export * from "./array";
+export * from "./dates";
 export * from "./object";
 export * from "./string";
--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@@ -1,5 +1,17 @@
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

+export type TGenericPermission = {
+  actor: ActorType;
+  actorId: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string | undefined;
+};
+
+/**
+ * TODO(dangtony98): ideally move service fns to use TGenericPermission
+ * because TOrgPermission [orgId] is not as relevant anymore with the
+ * introduction of organizationIds bound to all user tokens
+ */
 export type TOrgPermission = {
  actor: ActorType;
  actorId: string;
@@ -16,6 +28,15 @@ export type TProjectPermission = {
  actorOrgId: string;
 };

+// same as TProjectPermission but with projectSlug requirement instead of projectId
+export type TProjectSlugPermission = {
+  actor: ActorType;
+  actorId: string;
+  projectSlug: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId: string;
+};
+
 export type RequiredKeys<T> = {
  [K in keyof T]-?: undefined extends T[K] ? never : K;
 }[keyof T];
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -61,11 +61,11 @@ export type TQueueJobTypes = {
  };
  [QueueName.SecretWebhook]: {
    name: QueueJobs.SecWebhook;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
  [QueueName.IntegrationSync]: {
    name: QueueJobs.IntegrationSync;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };
  [QueueName.SecretFullRepoScan]: {
    name: QueueJobs.SecretScan;
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -11,6 +11,9 @@ import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/pro
 import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
 import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
 import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { groupDALFactory } from "@app/ee/services/group/group-dal";
+import { groupServiceFactory } from "@app/ee/services/group/group-service";
+import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
@@ -58,6 +61,9 @@ import { authPaswordServiceFactory } from "@app/services/auth/auth-password-serv
 import { authSignupServiceFactory } from "@app/services/auth/auth-signup-service";
 import { tokenDALFactory } from "@app/services/auth-token/auth-token-dal";
 import { tokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
+import { groupProjectMembershipRoleDALFactory } from "@app/services/group-project/group-project-membership-role-dal";
+import { groupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
@@ -207,6 +213,10 @@ export const registerRoutes = async (

  const gitAppInstallSessionDAL = gitAppInstallSessionDALFactory(db);
  const gitAppOrgDAL = gitAppDALFactory(db);
+  const groupDAL = groupDALFactory(db);
+  const groupProjectDAL = groupProjectDALFactory(db);
+  const groupProjectMembershipRoleDAL = groupProjectMembershipRoleDALFactory(db);
+  const userGroupMembershipDAL = userGroupMembershipDALFactory(db);
  const secretScanningDAL = secretScanningDALFactory(db);
  const licenseDAL = licenseDALFactory(db);
  const dynamicSecretDAL = dynamicSecretDALFactory(db);
@@ -249,6 +259,29 @@ export const registerRoutes = async (
    samlConfigDAL,
    licenseService
  });
+  const groupService = groupServiceFactory({
+    userDAL,
+    groupDAL,
+    groupProjectDAL,
+    orgDAL,
+    userGroupMembershipDAL,
+    projectDAL,
+    projectBotDAL,
+    projectKeyDAL,
+    permissionService,
+    licenseService
+  });
+  const groupProjectService = groupProjectServiceFactory({
+    groupDAL,
+    groupProjectDAL,
+    groupProjectMembershipRoleDAL,
+    userGroupMembershipDAL,
+    projectDAL,
+    projectKeyDAL,
+    projectBotDAL,
+    projectRoleDAL,
+    permissionService
+  });
  const scimService = scimServiceFactory({
    licenseService,
    scimDAL,
@@ -256,6 +289,7 @@ export const registerRoutes = async (
    orgDAL,
    projectDAL,
    projectMembershipDAL,
+    groupDAL,
    permissionService,
    smtpService
  });
@@ -302,6 +336,7 @@ export const registerRoutes = async (
    projectKeyDAL,
    smtpService,
    userDAL,
+    groupDAL,
    orgBotDAL
  });
  const signupService = authSignupServiceFactory({
@@ -347,6 +382,7 @@ export const registerRoutes = async (
    projectBotDAL,
    orgDAL,
    userDAL,
+    userGroupMembershipDAL,
    smtpService,
    projectKeyDAL,
    projectRoleDAL,
@@ -445,14 +481,6 @@ export const registerRoutes = async (
    projectEnvDAL,
    snapshotService
  });
-  const secretImportService = secretImportServiceFactory({
-    projectEnvDAL,
-    folderDAL,
-    permissionService,
-    secretImportDAL,
-    projectDAL,
-    secretDAL
-  });
  const integrationAuthService = integrationAuthServiceFactory({
    integrationAuthDAL,
    integrationDAL,
@@ -480,6 +508,15 @@ export const registerRoutes = async (
    secretTagDAL,
    secretVersionTagDAL
  });
+  const secretImportService = secretImportServiceFactory({
+    projectEnvDAL,
+    folderDAL,
+    permissionService,
+    secretImportDAL,
+    projectDAL,
+    secretDAL,
+    secretQueueService
+  });
  const secretBlindIndexService = secretBlindIndexServiceFactory({
    permissionService,
    secretDAL,
@@ -625,6 +662,8 @@ export const registerRoutes = async (
    password: passwordService,
    signup: signupService,
    user: userService,
+    group: groupService,
+    groupProject: groupProjectService,
    permission: permissionService,
    org: orgService,
    orgRole: orgRoleService,
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -1,6 +1,14 @@
 import { z } from "zod";

-import { IncidentContactsSchema, OrganizationsSchema, OrgMembershipsSchema, UsersSchema } from "@app/db/schemas";
+import {
+  GroupsSchema,
+  IncidentContactsSchema,
+  OrganizationsSchema,
+  OrgMembershipsSchema,
+  OrgRolesSchema,
+  UsersSchema
+} from "@app/db/schemas";
+import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -218,4 +226,41 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      return { incidentContactsOrg };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:organizationId/groups",
+    schema: {
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_GROUPS.organizationId)
+      }),
+      response: {
+        200: z.object({
+          groups: GroupsSchema.merge(
+            z.object({
+              customRole: OrgRolesSchema.pick({
+                id: true,
+                name: true,
+                slug: true,
+                permissions: true,
+                description: true
+              }).optional()
+            })
+          ).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const groups = await server.services.org.getOrgGroups({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return { groups };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/project-membership-router.ts
+++ b/backend/src/server/routes/v1/project-membership-router.ts
@@ -35,31 +35,28 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      }),
      response: {
        200: z.object({
-          memberships: ProjectMembershipsSchema.omit({ role: true })
-            .merge(
+          memberships: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            roles: z.array(
              z.object({
-                user: UsersSchema.pick({
-                  email: true,
-                  firstName: true,
-                  lastName: true,
-                  id: true
-                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-                roles: z.array(
-                  z.object({
-                    id: z.string(),
-                    role: z.string(),
-                    customRoleId: z.string().optional().nullable(),
-                    customRoleName: z.string().optional().nullable(),
-                    customRoleSlug: z.string().optional().nullable(),
-                    isTemporary: z.boolean(),
-                    temporaryMode: z.string().optional().nullable(),
-                    temporaryRange: z.string().nullable().optional(),
-                    temporaryAccessStartTime: z.date().nullable().optional(),
-                    temporaryAccessEndTime: z.date().nullable().optional()
-                  })
-                )
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
              })
            )
+          })
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -7,7 +7,7 @@ import {
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
-import { INTEGRATION_AUTH, PROJECTS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -70,32 +70,29 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          users: ProjectMembershipsSchema.omit({ role: true })
-            .merge(
+          users: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              username: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            roles: z.array(
              z.object({
-                user: UsersSchema.pick({
-                  username: true,
-                  email: true,
-                  firstName: true,
-                  lastName: true,
-                  id: true
-                }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-                roles: z.array(
-                  z.object({
-                    id: z.string(),
-                    role: z.string(),
-                    customRoleId: z.string().optional().nullable(),
-                    customRoleName: z.string().optional().nullable(),
-                    customRoleSlug: z.string().optional().nullable(),
-                    isTemporary: z.boolean(),
-                    temporaryMode: z.string().optional().nullable(),
-                    temporaryRange: z.string().nullable().optional(),
-                    temporaryAccessStartTime: z.date().nullable().optional(),
-                    temporaryAccessEndTime: z.date().nullable().optional()
-                  })
-                )
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
              })
            )
+          })
            .omit({ createdAt: true, updatedAt: true })
            .array()
        })
@@ -326,8 +323,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      description: "List integrations for a project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION.workspaceId)
      }),
      response: {
        200: z.object({
@@ -343,7 +346,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const integrations = await server.services.integration.listIntegrationByProject({
        actorId: req.permission.id,
@@ -370,7 +373,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        }
      ],
      params: z.object({
-        workspaceId: z.string().trim().describe(INTEGRATION_AUTH.LIST_AUTHORIZATION.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION_AUTHORIZATION.workspaceId)
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/group-project-router.ts
+++ b/backend/src/server/routes/v2/group-project-router.ts
@@ -0,0 +1,201 @@
+import ms from "ms";
+import { z } from "zod";
+
+import {
+  GroupProjectMembershipsSchema,
+  GroupsSchema,
+  ProjectMembershipRole,
+  ProjectUserMembershipRolesSchema
+} from "@app/db/schemas";
+import { PROJECTS } from "@app/lib/api-docs";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
+
+export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/:projectSlug/groups/:groupSlug",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Add group to project",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectSlug),
+        groupSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupSlug)
+      }),
+      body: z.object({
+        role: z
+          .string()
+          .trim()
+          .min(1)
+          .default(ProjectMembershipRole.NoAccess)
+          .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role)
+      }),
+      response: {
+        200: z.object({
+          groupMembership: GroupProjectMembershipsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMembership = await server.services.groupProject.addGroupToProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        groupSlug: req.params.groupSlug,
+        projectSlug: req.params.projectSlug,
+        role: req.body.role
+      });
+      return { groupMembership };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:projectSlug/groups/:groupSlug",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update group in project",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectSlug),
+        groupSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupSlug)
+      }),
+      body: z.object({
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(false).default(false)
+              }),
+              z.object({
+                role: z.string(),
+                isTemporary: z.literal(true),
+                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                temporaryAccessStartTime: z.string().datetime()
+              })
+            ])
+          )
+          .min(1)
+          .describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.roles)
+      }),
+      response: {
+        200: z.object({
+          roles: ProjectUserMembershipRolesSchema.array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const roles = await server.services.groupProject.updateGroupInProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        groupSlug: req.params.groupSlug,
+        projectSlug: req.params.projectSlug,
+        roles: req.body.roles
+      });
+      return { roles };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:projectSlug/groups/:groupSlug",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Remove group from project",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectSlug),
+        groupSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupSlug)
+      }),
+      response: {
+        200: z.object({
+          groupMembership: GroupProjectMembershipsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMembership = await server.services.groupProject.removeGroupFromProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        groupSlug: req.params.groupSlug,
+        projectSlug: req.params.projectSlug
+      });
+      return { groupMembership };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:projectSlug/groups",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Return list of groups in project",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectSlug: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectSlug)
+      }),
+      response: {
+        200: z.object({
+          groupMemberships: z
+            .object({
+              id: z.string(),
+              groupId: z.string(),
+              createdAt: z.date(),
+              updatedAt: z.date(),
+              roles: z.array(
+                z.object({
+                  id: z.string(),
+                  role: z.string(),
+                  customRoleId: z.string().optional().nullable(),
+                  customRoleName: z.string().optional().nullable(),
+                  customRoleSlug: z.string().optional().nullable(),
+                  isTemporary: z.boolean(),
+                  temporaryMode: z.string().optional().nullable(),
+                  temporaryRange: z.string().nullable().optional(),
+                  temporaryAccessStartTime: z.date().nullable().optional(),
+                  temporaryAccessEndTime: z.date().nullable().optional()
+                })
+              ),
+              group: GroupsSchema.pick({ name: true, id: true, slug: true })
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMemberships = await server.services.groupProject.listGroupsInProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectSlug: req.params.projectSlug
+      });
+      return { groupMemberships };
+    }
+  });
+};
--- a/backend/src/server/routes/v2/identity-org-router.ts
+++ b/backend/src/server/routes/v2/identity-org-router.ts
@@ -50,6 +50,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
        actorOrgId: req.permission.orgId,
        orgId: req.params.orgId
      });
+
      return { identityMemberships };
    }
  });
--- a/backend/src/server/routes/v2/index.ts
+++ b/backend/src/server/routes/v2/index.ts
@@ -1,3 +1,4 @@
+import { registerGroupProjectRouter } from "./group-project-router";
 import { registerIdentityOrgRouter } from "./identity-org-router";
 import { registerIdentityProjectRouter } from "./identity-project-router";
 import { registerMfaRouter } from "./mfa-router";
@@ -22,6 +23,7 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
    async (projectServer) => {
      await projectServer.register(registerProjectRouter);
      await projectServer.register(registerIdentityProjectRouter);
+      await projectServer.register(registerGroupProjectRouter);
      await projectServer.register(registerProjectMembershipRouter);
    },
    { prefix: "/workspace" }
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -153,7 +153,7 @@ export const authLoginServiceFactory = ({
      username: email
    });
    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }
    if (!userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
      validateProviderAuthToken(providerAuthToken as string, email);
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -192,7 +192,7 @@ export const authPaswordServiceFactory = ({
  }: TCreateBackupPrivateKeyDTO) => {
    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }

    if (!userEnc.clientPublicKey || !userEnc.serverPrivateKey) throw new Error("failed to create backup key");
@@ -239,7 +239,7 @@ export const authPaswordServiceFactory = ({
  const getBackupPrivateKeyOfUser = async (userId: string) => {
    const user = await userDAL.findUserEncKeyByUserId(userId);
    if (!user || (user && !user.isAccepted)) {
-      throw new Error("Failed to find  user");
+      throw new Error("Failed to find user");
    }
    const backupKey = await authDAL.getBackupPrivateKeyByUserId(userId);
    if (!backupKey) throw new Error("Failed to find user backup key");
--- a/backend/src/services/group-project/group-project-dal.ts
+++ b/backend/src/services/group-project/group-project-dal.ts
@@ -0,0 +1,99 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, sqlNestRelationships } from "@app/lib/knex";
+
+export type TGroupProjectDALFactory = ReturnType<typeof groupProjectDALFactory>;
+
+export const groupProjectDALFactory = (db: TDbClient) => {
+  const groupProjectOrm = ormify(db, TableName.GroupProjectMembership);
+
+  const findByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.GroupProjectMembership)
+        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
+        .join(TableName.Groups, `${TableName.GroupProjectMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.GroupProjectMembership),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership),
+          db.ref("id").as("groupId").withSchema(TableName.Groups),
+          db.ref("name").as("groupName").withSchema(TableName.Groups),
+          db.ref("slug").as("groupSlug").withSchema(TableName.Groups),
+          db.ref("id").withSchema(TableName.GroupProjectMembership),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("membershipRoleId"),
+          db.ref("customRoleId").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("temporaryMode").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("isTemporary").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("temporaryRange").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("temporaryAccessStartTime").withSchema(TableName.GroupProjectMembershipRole),
+          db.ref("temporaryAccessEndTime").withSchema(TableName.GroupProjectMembershipRole)
+        );
+
+      const members = sqlNestRelationships({
+        data: docs,
+        parentMapper: ({ groupId, groupName, groupSlug, id, createdAt, updatedAt }) => ({
+          id,
+          groupId,
+          createdAt,
+          updatedAt,
+          group: {
+            id: groupId,
+            name: groupName,
+            slug: groupSlug
+          }
+        }),
+        key: "id",
+        childrenMapper: [
+          {
+            label: "roles" as const,
+            key: "membershipRoleId",
+            mapper: ({
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              membershipRoleId,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            }) => ({
+              id: membershipRoleId,
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            })
+          }
+        ]
+      });
+      return members;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindByProjectId" });
+    }
+  };
+
+  return { ...groupProjectOrm, findByProjectId };
+};
--- a/backend/src/services/group-project/group-project-membership-role-dal.ts
+++ b/backend/src/services/group-project/group-project-membership-role-dal.ts
@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TGroupProjectMembershipRoleDALFactory = ReturnType<typeof groupProjectMembershipRoleDALFactory>;
+
+export const groupProjectMembershipRoleDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.GroupProjectMembershipRole);
+  return orm;
+};
--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@@ -0,0 +1,338 @@
+import { ForbiddenError } from "@casl/ability";
+import ms from "ms";
+
+import { ProjectMembershipRole, SecretKeyEncoding } from "@app/db/schemas";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { groupBy } from "@app/lib/fn";
+
+import { TGroupDALFactory } from "../../ee/services/group/group-dal";
+import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
+import { TProjectDALFactory } from "../project/project-dal";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
+import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
+import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
+import { TGroupProjectDALFactory } from "./group-project-dal";
+import { TGroupProjectMembershipRoleDALFactory } from "./group-project-membership-role-dal";
+import {
+  TCreateProjectGroupDTO,
+  TDeleteProjectGroupDTO,
+  TListProjectGroupDTO,
+  TUpdateProjectGroupDTO
+} from "./group-project-types";
+
+type TGroupProjectServiceFactoryDep = {
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "findOne" | "transaction" | "create" | "delete" | "findByProjectId">;
+  groupProjectMembershipRoleDAL: Pick<
+    TGroupProjectMembershipRoleDALFactory,
+    "create" | "transaction" | "insertMany" | "delete"
+  >;
+  userGroupMembershipDAL: TUserGroupMembershipDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findOne" | "findProjectGhostUser">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany" | "transaction">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
+  projectBotDAL: TProjectBotDALFactory;
+  groupDAL: Pick<TGroupDALFactory, "findOne">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
+};
+
+export type TGroupProjectServiceFactory = ReturnType<typeof groupProjectServiceFactory>;
+
+export const groupProjectServiceFactory = ({
+  groupDAL,
+  groupProjectDAL,
+  groupProjectMembershipRoleDAL,
+  userGroupMembershipDAL,
+  projectDAL,
+  projectKeyDAL,
+  projectBotDAL,
+  projectRoleDAL,
+  permissionService
+}: TGroupProjectServiceFactoryDep) => {
+  const addGroupToProject = async ({
+    groupSlug,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug,
+    role
+  }: TCreateProjectGroupDTO) => {
+    const project = await projectDAL.findOne({
+      slug: projectSlug
+    });
+
+    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+    if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);
+
+    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+
+    const existingGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
+    if (existingGroup)
+      throw new BadRequestError({
+        message: `Group with slug ${groupSlug} already exists in project with id ${project.id}`
+      });
+
+    const { permission: rolePermission, role: customRole } = await permissionService.getProjectPermissionByRole(
+      role,
+      project.id
+    );
+    const hasPrivilege = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPrivilege)
+      throw new ForbiddenRequestError({
+        message: "Failed to add group to project with more privileged role"
+      });
+    const isCustomRole = Boolean(customRole);
+
+    const projectGroup = await groupProjectDAL.transaction(async (tx) => {
+      const groupProjectMembership = await groupProjectDAL.create(
+        {
+          groupId: group.id,
+          projectId: project.id
+        },
+        tx
+      );
+
+      await groupProjectMembershipRoleDAL.create(
+        {
+          projectMembershipId: groupProjectMembership.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : role,
+          customRoleId: customRole?.id
+        },
+        tx
+      );
+      return groupProjectMembership;
+    });
+
+    // share project key with users in group that have not
+    // individually been added to the project and that are not part of
+    // other groups that are in the project
+    const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id);
+
+    if (groupMembers.length) {
+      const ghostUser = await projectDAL.findProjectGhostUser(project.id);
+
+      if (!ghostUser) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user"
+        });
+      }
+
+      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, project.id);
+
+      if (!ghostUserLatestKey) {
+        throw new BadRequestError({
+          message: "Failed to find sudo user latest key"
+        });
+      }
+
+      const bot = await projectBotDAL.findOne({ projectId: project.id });
+
+      if (!bot) {
+        throw new BadRequestError({
+          message: "Failed to find bot"
+        });
+      }
+
+      const botPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        iv: bot.iv,
+        tag: bot.tag,
+        ciphertext: bot.encryptedPrivateKey
+      });
+
+      const plaintextProjectKey = decryptAsymmetric({
+        ciphertext: ghostUserLatestKey.encryptedKey,
+        nonce: ghostUserLatestKey.nonce,
+        publicKey: ghostUserLatestKey.sender.publicKey,
+        privateKey: botPrivateKey
+      });
+
+      const projectKeyData = groupMembers.map(({ user: { publicKey, id } }) => {
+        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(plaintextProjectKey, publicKey, botPrivateKey);
+
+        return {
+          encryptedKey,
+          nonce,
+          senderId: ghostUser.id,
+          receiverId: id,
+          projectId: project.id
+        };
+      });
+
+      await projectKeyDAL.insertMany(projectKeyData);
+    }
+
+    return projectGroup;
+  };
+
+  const updateGroupInProject = async ({
+    projectSlug,
+    groupSlug,
+    roles,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TUpdateProjectGroupDTO) => {
+    const project = await projectDAL.findOne({
+      slug: projectSlug
+    });
+
+    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);
+
+    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+
+    const projectGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
+    if (!projectGroup) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+    );
+    const hasCustomRole = Boolean(customInputRoles.length);
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId: project.id,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
+
+    const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
+      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+      if (!inputRole.isTemporary) {
+        return {
+          projectMembershipId: projectGroup.id,
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+        };
+      }
+
+      // check cron or relative here later for now its just relative
+      const relativeTimeInMs = ms(inputRole.temporaryRange);
+      return {
+        projectMembershipId: projectGroup.id,
+        role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+        customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+        isTemporary: true,
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+        temporaryRange: inputRole.temporaryRange,
+        temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+        temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+      };
+    });
+
+    const updatedRoles = await groupProjectMembershipRoleDAL.transaction(async (tx) => {
+      await groupProjectMembershipRoleDAL.delete({ projectMembershipId: projectGroup.id }, tx);
+      return groupProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
+    });
+
+    return updatedRoles;
+  };
+
+  const removeGroupFromProject = async ({
+    projectSlug,
+    groupSlug,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TDeleteProjectGroupDTO) => {
+    const project = await projectDAL.findOne({
+      slug: projectSlug
+    });
+
+    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+
+    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: groupSlug });
+    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+
+    const groupProjectMembership = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
+    if (!groupProjectMembership) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
+
+    const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id);
+
+    if (groupMembers.length) {
+      await projectKeyDAL.delete({
+        projectId: project.id,
+        $in: {
+          receiverId: groupMembers.map(({ user: { id } }) => id)
+        }
+      });
+    }
+
+    const [deletedGroup] = await groupProjectDAL.delete({ groupId: group.id, projectId: project.id });
+
+    return deletedGroup;
+  };
+
+  const listGroupsInProject = async ({
+    projectSlug,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TListProjectGroupDTO) => {
+    const project = await projectDAL.findOne({
+      slug: projectSlug
+    });
+
+    if (!project) throw new BadRequestError({ message: `Failed to find project with slug ${projectSlug}` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+
+    const groupMemberships = await groupProjectDAL.findByProjectId(project.id);
+    return groupMemberships;
+  };
+
+  return {
+    addGroupToProject,
+    updateGroupInProject,
+    removeGroupFromProject,
+    listGroupsInProject
+  };
+};
--- a/backend/src/services/group-project/group-project-types.ts
+++ b/backend/src/services/group-project/group-project-types.ts
@@ -0,0 +1,31 @@
+import { TProjectSlugPermission } from "@app/lib/types";
+
+import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
+
+export type TCreateProjectGroupDTO = {
+  groupSlug: string;
+  role: string;
+} & TProjectSlugPermission;
+
+export type TUpdateProjectGroupDTO = {
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
+  groupSlug: string;
+} & TProjectSlugPermission;
+
+export type TDeleteProjectGroupDTO = {
+  groupSlug: string;
+} & TProjectSlugPermission;
+
+export type TListProjectGroupDTO = TProjectSlugPermission;
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@@ -93,9 +93,7 @@ export const identityProjectServiceFactory = ({
      const identityProjectMembership = await identityProjectDAL.create(
        {
          identityId,
-          projectId: project.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          roleId: customRole?.id
+          projectId: project.id
        },
        tx
      );
@@ -163,7 +161,7 @@ export const identityProjectServiceFactory = ({

    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);

-    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
+    const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
      if (!inputRole.isTemporary) {
        return {
@@ -189,7 +187,7 @@ export const identityProjectServiceFactory = ({

    const updatedRoles = await identityProjectMembershipRoleDAL.transaction(async (tx) => {
      await identityProjectMembershipRoleDAL.delete({ projectMembershipId: projectIdentity.id }, tx);
-      return identityProjectMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
+      return identityProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
    });

    return updatedRoles;
@@ -246,8 +244,8 @@ export const identityProjectServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

-    const identityMemberhips = await identityProjectDAL.findByProjectId(projectId);
-    return identityMemberhips;
+    const identityMemberships = await identityProjectDAL.findByProjectId(projectId);
+    return identityMemberships;
  };

  return {
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@@ -157,8 +157,8 @@ export const identityServiceFactory = ({
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);

-    const identityMemberhips = await identityOrgMembershipDAL.findByOrgId(orgId);
-    return identityMemberhips;
+    const identityMemberships = await identityOrgMembershipDAL.findByOrgId(orgId);
+    return identityMemberships;
  };

  return {
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@@ -146,7 +146,27 @@ export const integrationServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);

-    const deletedIntegration = await integrationDAL.deleteById(id);
+    const deletedIntegration = await integrationDAL.transaction(async (tx) => {
+      // delete integration
+      const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);
+
+      // check if there are other integrations that share the same integration auth
+      const integrations = await integrationDAL.find(
+        {
+          integrationAuthId: integration.integrationAuthId
+        },
+        tx
+      );
+
+      if (integrations.length === 0) {
+        // no other integration shares the same integration auth
+        // -> delete the integration auth
+        await integrationAuthDAL.deleteById(integration.integrationAuthId, tx);
+      }
+
+      return deletedIntegrationResult;
+    });
+
    return { ...integration, ...deletedIntegration };
  };

--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -6,6 +6,7 @@ import { Knex } from "knex";

 import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
 import { TProjects } from "@app/db/schemas/projects";
+import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -34,6 +35,7 @@ import {
  TDeleteOrgMembershipDTO,
  TFindAllWorkspacesDTO,
  TFindOrgMembersByEmailDTO,
+  TGetOrgGroupsDTO,
  TInviteUserToOrgDTO,
  TUpdateOrgDTO,
  TUpdateOrgMembershipDTO,
@@ -45,6 +47,7 @@ type TOrgServiceFactoryDep = {
  orgBotDAL: TOrgBotDALFactory;
  orgRoleDAL: TOrgRoleDALFactory;
  userDAL: TUserDALFactory;
+  groupDAL: TGroupDALFactory;
  projectDAL: TProjectDALFactory;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findProjectMembershipsByUserId" | "delete">;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete">;
@@ -64,6 +67,7 @@ export type TOrgServiceFactory = ReturnType<typeof orgServiceFactory>;
 export const orgServiceFactory = ({
  orgDAL,
  userDAL,
+  groupDAL,
  orgRoleDAL,
  incidentContactDAL,
  permissionService,
@@ -113,6 +117,13 @@ export const orgServiceFactory = ({
    return members;
  };

+  const getOrgGroups = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TGetOrgGroupsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+    const groups = await groupDAL.findByOrgId(orgId);
+    return groups;
+  };
+
  const findOrgMembersByUsername = async ({
    actor,
    actorId,
@@ -674,6 +685,7 @@ export const orgServiceFactory = ({
    // incident contacts
    findIncidentContacts,
    createIncidentContact,
-    deleteIncidentContact
+    deleteIncidentContact,
+    getOrgGroups
  };
 };
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@@ -53,3 +53,5 @@ export type TFindAllWorkspacesDTO = {
 export type TUpdateOrgDTO = {
  data: Partial<{ name: string; slug: string; authEnforced: boolean; scimEnabled: boolean }>;
 } & TOrgPermission;
+
+export type TGetOrgGroupsDTO = TOrgPermission;
--- a/backend/src/services/project-membership/project-membership-service.ts
+++ b/backend/src/services/project-membership/project-membership-service.ts
@@ -17,6 +17,7 @@ import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";

+import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
 import { ActorType } from "../auth/auth-type";
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -45,6 +46,7 @@ type TProjectMembershipServiceFactoryDep = {
  projectMembershipDAL: TProjectMembershipDALFactory;
  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany" | "find" | "delete">;
  userDAL: Pick<TUserDALFactory, "findById" | "findOne" | "findUserByProjectMembershipId" | "find">;
+  userGroupMembershipDAL: TUserGroupMembershipDALFactory;
  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "findOrgMembersByUsername">;
  projectDAL: Pick<TProjectDALFactory, "findById" | "findProjectGhostUser" | "transaction">;
@@ -63,6 +65,7 @@ export const projectMembershipServiceFactory = ({
  projectBotDAL,
  orgDAL,
  userDAL,
+  userGroupMembershipDAL,
  projectDAL,
  projectKeyDAL,
  licenseService
@@ -120,6 +123,13 @@ export const projectMembershipServiceFactory = ({
    });
    if (existingMembers.length) throw new BadRequestError({ message: "Some users are already part of project" });

+    const userIdsToExcludeForProjectKeyAddition = new Set(
+      await userGroupMembershipDAL.findUserGroupMembershipsInProject(
+        orgMembers.map(({ username }) => username),
+        projectId
+      )
+    );
+
    await projectMembershipDAL.transaction(async (tx) => {
      const projectMemberships = await projectMembershipDAL.insertMany(
        orgMembers.map(({ userId }) => ({
@@ -135,13 +145,15 @@ export const projectMembershipServiceFactory = ({
      );
      const encKeyGroupByOrgMembId = groupBy(members, (i) => i.orgMembershipId);
      await projectKeyDAL.insertMany(
-        orgMembers.map(({ userId, id }) => ({
-          encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
-          nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
-          senderId: actorId,
-          receiverId: userId as string,
-          projectId
-        })),
+        orgMembers
+          .filter(({ userId }) => !userIdsToExcludeForProjectKeyAddition.has(userId as string))
+          .map(({ userId, id }) => ({
+            encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
+            nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
+            senderId: actorId,
+            receiverId: userId as string,
+            projectId
+          })),
        tx
      );
    });
@@ -247,6 +259,10 @@ export const projectMembershipServiceFactory = ({

    const members: TProjectMemberships[] = [];

+    const userIdsToExcludeForProjectKeyAddition = new Set(
+      await userGroupMembershipDAL.findUserGroupMembershipsInProject(usernamesAndEmails, projectId)
+    );
+
    await projectMembershipDAL.transaction(async (tx) => {
      const projectMemberships = await projectMembershipDAL.insertMany(
        orgMembers.map(({ user }) => ({
@@ -265,13 +281,15 @@ export const projectMembershipServiceFactory = ({

      const encKeyGroupByOrgMembId = groupBy(newWsMembers, (i) => i.orgMembershipId);
      await projectKeyDAL.insertMany(
-        orgMembers.map(({ user, id }) => ({
-          encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
-          nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
-          senderId: ghostUser.id,
-          receiverId: user.id,
-          projectId
-        })),
+        orgMembers
+          .filter(({ user }) => !userIdsToExcludeForProjectKeyAddition.has(user.id))
+          .map(({ user, id }) => ({
+            encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
+            nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
+            senderId: ghostUser.id,
+            receiverId: user.id,
+            projectId
+          })),
        tx
      );
    });
@@ -344,7 +362,7 @@ export const projectMembershipServiceFactory = ({
    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);

-    const santiziedProjectMembershipRoles = roles.map((inputRole) => {
+    const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
      const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
      if (!inputRole.isTemporary) {
        return {
@@ -370,7 +388,7 @@ export const projectMembershipServiceFactory = ({

    const updatedRoles = await projectMembershipDAL.transaction(async (tx) => {
      await projectUserMembershipRoleDAL.delete({ projectMembershipId: membershipId }, tx);
-      return projectUserMembershipRoleDAL.insertMany(santiziedProjectMembershipRoles, tx);
+      return projectUserMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
    });

    return updatedRoles;
@@ -458,6 +476,10 @@ export const projectMembershipServiceFactory = ({
      });
    }

+    const userIdsToExcludeFromProjectKeyRemoval = new Set(
+      await userGroupMembershipDAL.findUserGroupMembershipsInProject(usernamesAndEmails, projectId)
+    );
+
    const memberships = await projectMembershipDAL.transaction(async (tx) => {
      const deletedMemberships = await projectMembershipDAL.delete(
        {
@@ -469,11 +491,15 @@ export const projectMembershipServiceFactory = ({
        tx
      );

+      // delete project keys belonging to users that are not part of any other groups in the project
      await projectKeyDAL.delete(
        {
          projectId,
          $in: {
-            receiverId: projectMembers.map(({ user }) => user.id).filter(Boolean)
+            receiverId: projectMembers
+              .filter(({ user }) => !userIdsToExcludeFromProjectKeyRemoval.has(user.id))
+              .map(({ user }) => user.id)
+              .filter(Boolean)
          }
        },
        tx
--- a/backend/src/services/project/project-dal.ts
+++ b/backend/src/services/project/project-dal.ts
@@ -30,8 +30,33 @@ export const projectDALFactory = (db: TDbClient) => {
          { column: `${TableName.Environment}.position`, order: "asc" }
        ]);

+      const groups: string[] = await db(TableName.UserGroupMembership)
+        .where({ userId })
+        .select(selectAllTableCols(TableName.UserGroupMembership))
+        .pluck("groupId");
+
+      const groupWorkspaces = await db(TableName.GroupProjectMembership)
+        .whereIn("groupId", groups)
+        .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .whereNotIn(
+          `${TableName.Project}.id`,
+          workspaces.map(({ id }) => id)
+        )
+        .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .select(
+          selectAllTableCols(TableName.Project),
+          db.ref("id").withSchema(TableName.Project).as("_id"),
+          db.ref("id").withSchema(TableName.Environment).as("envId"),
+          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+          db.ref("name").withSchema(TableName.Environment).as("envName")
+        )
+        .orderBy([
+          { column: `${TableName.Project}.name`, order: "asc" },
+          { column: `${TableName.Environment}.position`, order: "asc" }
+        ]);
+
      const nestedWorkspaces = sqlNestRelationships({
-        data: workspaces,
+        data: workspaces.concat(groupWorkspaces),
        key: "id",
        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
        childrenMapper: [
@@ -126,13 +151,11 @@ export const projectDALFactory = (db: TDbClient) => {

  const findProjectById = async (id: string) => {
    try {
-      const workspaces = await db(TableName.ProjectMembership)
+      const workspaces = await db(TableName.Project)
        .where(`${TableName.Project}.id`, id)
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
        .select(
          selectAllTableCols(TableName.Project),
-          db.ref("id").withSchema(TableName.Project).as("_id"),
          db.ref("id").withSchema(TableName.Environment).as("envId"),
          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
          db.ref("name").withSchema(TableName.Environment).as("envName")
@@ -141,10 +164,11 @@ export const projectDALFactory = (db: TDbClient) => {
          { column: `${TableName.Project}.name`, order: "asc" },
          { column: `${TableName.Environment}.position`, order: "asc" }
        ]);
+
      const project = sqlNestRelationships({
        data: workspaces,
        key: "id",
-        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
+        parentMapper: ({ ...el }) => ({ _id: el.id, ...ProjectsSchema.parse(el) }),
        childrenMapper: [
          {
            key: "envId",
@@ -174,14 +198,12 @@ export const projectDALFactory = (db: TDbClient) => {
        throw new BadRequestError({ message: "Organization ID is required when querying with slugs" });
      }

-      const projects = await db(TableName.ProjectMembership)
+      const projects = await db(TableName.Project)
        .where(`${TableName.Project}.slug`, slug)
        .where(`${TableName.Project}.orgId`, orgId)
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
        .select(
          selectAllTableCols(TableName.Project),
-          db.ref("id").withSchema(TableName.Project).as("_id"),
          db.ref("id").withSchema(TableName.Environment).as("envId"),
          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
          db.ref("name").withSchema(TableName.Environment).as("envName")
@@ -194,7 +216,7 @@ export const projectDALFactory = (db: TDbClient) => {
      const project = sqlNestRelationships({
        data: projects,
        key: "id",
-        parentMapper: ({ _id, ...el }) => ({ _id, ...ProjectsSchema.parse(el) }),
+        parentMapper: ({ ...el }) => ({ _id: el.id, ...ProjectsSchema.parse(el) }),
        childrenMapper: [
          {
            key: "envId",
--- a/backend/src/services/project/project-queue.ts
+++ b/backend/src/services/project/project-queue.ts
@@ -232,8 +232,7 @@ export const projectQueueFactory = ({
        const projectMembership = await projectMembershipDAL.create(
          {
            projectId: project.id,
-            userId: ghostUser.user.id,
-            role: ProjectMembershipRole.Admin
+            userId: ghostUser.user.id
          },
          tx
        );
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -141,8 +141,7 @@ export const projectServiceFactory = ({
      const projectMembership = await projectMembershipDAL.create(
        {
          userId: ghostUser.user.id,
-          projectId: project.id,
-          role: ProjectMembershipRole.Admin
+          projectId: project.id
        },
        tx
      );
@@ -244,8 +243,7 @@ export const projectServiceFactory = ({
        const userProjectMembership = await projectMembershipDAL.create(
          {
            projectId: project.id,
-            userId: user.id,
-            role: projectAdmin.projectRole
+            userId: user.id
          },
          tx
        );
@@ -302,9 +300,7 @@ export const projectServiceFactory = ({
        const identityProjectMembership = await identityProjectDAL.create(
          {
            identityId: actorId,
-            projectId: project.id,
-            role: isCustomRole ? ProjectMembershipRole.Custom : ProjectMembershipRole.Admin,
-            roleId: customRole?.id
+            projectId: project.id
          },
          tx
        );
--- a/backend/src/services/secret-folder/secret-folder-dal.ts
+++ b/backend/src/services/secret-folder/secret-folder-dal.ts
@@ -170,7 +170,8 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
          //  if the given folder id is root folder id then intial path is set as / instead of /root
          //  if not root folder the path here will be /<folder name>
          path: db.raw(`CONCAT('/', (CASE WHEN "parentId" is NULL THEN '' ELSE ${TableName.SecretFolder}.name END))`),
-          child: db.raw("NULL::uuid")
+          child: db.raw("NULL::uuid"),
+          environmentSlug: `${TableName.Environment}.slug`
        })
        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .where({ projectId })
@@ -190,14 +191,15 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
                  ELSE  CONCAT('/', secret_folders.name) 
                END, parent.path )`
                ),
-                child: db.raw("COALESCE(parent.child, parent.id)")
+                child: db.raw("COALESCE(parent.child, parent.id)"),
+                environmentSlug: "parent.environmentSlug"
              })
              .from(TableName.SecretFolder)
              .join("parent", "parent.parentId", `${TableName.SecretFolder}.id`)
        );
    })
    .select("*")
-    .from<TSecretFolders & { child: string | null; path: string }>("parent");
+    .from<TSecretFolders & { child: string | null; path: string; environmentSlug: string }>("parent");

 export type TSecretFolderDALFactory = ReturnType<typeof secretFolderDALFactory>;
 // never change this. If u do write a migration for it
@@ -257,10 +259,12 @@ export const secretFolderDALFactory = (db: TDbClient) => {
  const findSecretPathByFolderIds = async (projectId: string, folderIds: string[], tx?: Knex) => {
    try {
      const folders = await sqlFindSecretPathByFolderId(tx || db, projectId, folderIds);
+
      const rootFolders = groupBy(
        folders.filter(({ parentId }) => parentId === null),
        (i) => i.child || i.id // root condition then child and parent will null
      );
+
      return folderIds.map((folderId) => rootFolders[folderId]?.[0]);
    } catch (error) {
      throw new DatabaseError({ error, name: "Find by secret path" });
--- a/backend/src/services/secret-import/secret-import-dal.ts
+++ b/backend/src/services/secret-import/secret-import-dal.ts
@@ -49,7 +49,7 @@ export const secretImportDALFactory = (db: TDbClient) => {
    }
  };

-  const find = async (filter: Partial<TSecretImports>, tx?: Knex) => {
+  const find = async (filter: Partial<TSecretImports & { projectId: string }>, tx?: Knex) => {
    try {
      const docs = await (tx || db)(TableName.SecretImport)
        .where(filter)
--- a/backend/src/services/secret-import/secret-import-service.ts
+++ b/backend/src/services/secret-import/secret-import-service.ts
@@ -7,6 +7,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "./secret-import-dal";
 import { fnSecretsFromImports } from "./secret-import-fns";
@@ -25,6 +26,7 @@ type TSecretImportServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
  projectEnvDAL: TProjectEnvDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets">;
 };

 const ERR_SEC_IMP_NOT_FOUND = new BadRequestError({ message: "Secret import not found" });
@@ -37,7 +39,8 @@ export const secretImportServiceFactory = ({
  permissionService,
  folderDAL,
  projectDAL,
-  secretDAL
+  secretDAL,
+  secretQueueService
 }: TSecretImportServiceFactoryDep) => {
  const createImport = async ({
    environment,
@@ -77,10 +80,19 @@ export const secretImportServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
    if (!folder) throw new BadRequestError({ message: "Folder not found", name: "Create import" });

-    // TODO(akhilmhdh-pg): updated permission check add here
    const [importEnv] = await projectEnvDAL.findBySlugs(projectId, [data.environment]);
    if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });

+    const sourceFolder = await folderDAL.findBySecretPath(projectId, data.environment, data.path);
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
    const secImport = await secretImportDAL.transaction(async (tx) => {
      const lastPos = await secretImportDAL.findLastImportPosition(folder.id, tx);
      return secretImportDAL.create(
@@ -94,6 +106,12 @@ export const secretImportServiceFactory = ({
      );
    });

+    await secretQueueService.syncSecrets({
+      secretPath: secImport.importPath,
+      projectId,
+      environment: importEnv.slug
+    });
+
    return { ...secImport, importEnv };
  };

@@ -131,6 +149,20 @@ export const secretImportServiceFactory = ({
      : await projectEnvDAL.findById(secImpDoc.importEnv);
    if (!importedEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });

+    const sourceFolder = await folderDAL.findBySecretPath(
+      projectId,
+      importedEnv.slug,
+      data.path || secImpDoc.importPath
+    );
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
    const updatedSecImport = await secretImportDAL.transaction(async (tx) => {
      const secImp = await secretImportDAL.findOne({ folderId: folder.id, id });
      if (!secImp) throw ERR_SEC_IMP_NOT_FOUND;
@@ -185,6 +217,13 @@ export const secretImportServiceFactory = ({
      if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });
      return { ...doc, importEnv };
    });
+
+    await secretQueueService.syncSecrets({
+      secretPath: path,
+      projectId,
+      environment
+    });
+
    return secImport;
  };

--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@@ -21,6 +21,7 @@ import {
 } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";

 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 import { getBotKeyFnFactory } from "../project-bot/project-bot-fns";
@@ -92,7 +93,8 @@ const buildHierarchy = (folders: TSecretFolders[]): FolderMap => {
 const generatePaths = (
  map: FolderMap,
  parentId: string = "null",
-  basePath: string = ""
+  basePath: string = "",
+  currentDepth: number = 0
 ): { path: string; folderId: string }[] => {
  const children = map[parentId || "null"] || [];
  let paths: { path: string; folderId: string }[] = [];
@@ -105,13 +107,20 @@ const generatePaths = (
    // eslint-disable-next-line no-nested-ternary
    const currPath = basePath === "" ? (isRootFolder ? "/" : `/${child.name}`) : `${basePath}/${child.name}`;

+    // Add the current path
    paths.push({
      path: currPath,
      folderId: child.id
-    }); // Add the current path
+    });

-    // Recursively generate paths for children, passing down the formatted pathh
-    const childPaths = generatePaths(map, child.id, currPath);
+    // We make sure that the recursion depth doesn't exceed 20.
+    // We do this to create "circuit break", basically to ensure that we can't encounter any potential memory leaks.
+    if (currentDepth >= 20) {
+      logger.info(`generatePaths: Recursion depth exceeded 20, breaking out of recursion [map=${JSON.stringify(map)}]`);
+      return;
+    }
+    // Recursively generate paths for children, passing down the formatted path
+    const childPaths = generatePaths(map, child.id, currPath, currentDepth + 1);
    paths = paths.concat(
      childPaths.map((p) => ({
        path: p.path,
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@@ -3,7 +3,7 @@ import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError } from "@app/lib/errors";
-import { isSamePath } from "@app/lib/fn";
+import { groupBy, isSamePath, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -23,7 +23,6 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
-import { fnSecretsFromImports } from "../secret-import/secret-import-fns";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TWebhookDALFactory } from "../webhook/webhook-dal";
 import { fnTriggerWebhook } from "../webhook/webhook-fns";
@@ -32,7 +31,6 @@ import { interpolateSecrets } from "./secret-fns";
 import { TCreateSecretReminderDTO, THandleReminderDTO, TRemoveSecretReminderDTO } from "./secret-types";

 export type TSecretQueueFactory = ReturnType<typeof secretQueueFactory>;
-
 type TSecretQueueFactoryDep = {
  queueService: TQueueServiceFactory;
  integrationDAL: Pick<TIntegrationDALFactory, "findByProjectIdV2" | "updateById">;
@@ -60,6 +58,8 @@ export type TGetSecrets = {
  environment: string;
 };

+const MAX_SYNC_SECRET_DEPTH = 5;
+
 export const secretQueueFactory = ({
  queueService,
  integrationDAL,
@@ -117,7 +117,10 @@ export const secretQueueFactory = ({
    });
  };

-  const syncSecrets = async (dto: TGetSecrets) => {
+  const syncSecrets = async (dto: TGetSecrets & { depth?: number }) => {
+    logger.info(
+      `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environment}] [path=${dto.secretPath}]`
+    );
    await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, dto, {
      jobId: `secret-webhook-${dto.environment}-${dto.projectId}-${dto.secretPath}`,
      removeOnFail: { count: 5 },
@@ -227,62 +230,42 @@ export const secretQueueFactory = ({
    }
  };

-  const getIntegrationSecrets = async (dto: TGetSecrets & { folderId: string }, key: string) => {
+  type Content = Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>;
+
+  /**
+   * Return the secrets in a given [folderId] including secrets from
+   * nested imported folders recursively.
+   */
+  const getIntegrationSecrets = async (dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    key: string;
+    depth: number;
+  }) => {
+    let content: Content = {};
+    if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+      logger.info(
+        `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+      );
+      return content;
+    }
+
+    // process secrets in current folder
    const secrets = await secretDAL.findByFolderId(dto.folderId);
-
-    // get imported secrets
-    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
-    const importedSecrets = await fnSecretsFromImports({
-      allowedImports: secretImport,
-      secretDAL,
-      folderDAL
-    });
-
-    if (!secrets.length && !importedSecrets.length) return {};
-
-    const content: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
-
-    importedSecrets.forEach(({ secrets: secs }) => {
-      secs.forEach((secret) => {
-        const secretKey = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretKeyCiphertext,
-          iv: secret.secretKeyIV,
-          tag: secret.secretKeyTag,
-          key
-        });
-        const secretValue = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretValueCiphertext,
-          iv: secret.secretValueIV,
-          tag: secret.secretValueTag,
-          key
-        });
-        content[secretKey] = { value: secretValue };
-        content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-
-        if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
-          const commentValue = decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: secret.secretCommentCiphertext,
-            iv: secret.secretCommentIV,
-            tag: secret.secretCommentTag,
-            key
-          });
-          content[secretKey].comment = commentValue;
-        }
-      });
-    });
    secrets.forEach((secret) => {
      const secretKey = decryptSymmetric128BitHexKeyUTF8({
        ciphertext: secret.secretKeyCiphertext,
        iv: secret.secretKeyIV,
        tag: secret.secretKeyTag,
-        key
+        key: dto.key
      });

      const secretValue = decryptSymmetric128BitHexKeyUTF8({
        ciphertext: secret.secretValueCiphertext,
        iv: secret.secretValueIV,
        tag: secret.secretValueTag,
-        key
+        key: dto.key
      });

      content[secretKey] = { value: secretValue };
@@ -292,38 +275,111 @@ export const secretQueueFactory = ({
          ciphertext: secret.secretCommentCiphertext,
          iv: secret.secretCommentIV,
          tag: secret.secretCommentTag,
-          key
+          key: dto.key
        });
        content[secretKey].comment = commentValue;
      }

      content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
    });
+
    const expandSecrets = interpolateSecrets({
      projectId: dto.projectId,
-      secretEncKey: key,
+      secretEncKey: dto.key,
      folderDAL,
      secretDAL
    });
+
    await expandSecrets(content);
+
+    // check if current folder has any imports from other folders
+    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
+
+    // if no imports then return secrets in the current folder
+    if (!secretImport) return content;
+
+    const importedFolders = await folderDAL.findByManySecretPath(
+      secretImport.map(({ importEnv, importPath }) => ({
+        envId: importEnv.id,
+        secretPath: importPath
+      }))
+    );
+
+    for await (const folder of importedFolders) {
+      if (folder) {
+        // get secrets contained in each imported folder by recursively calling
+        // this function against the imported folder
+        const importedSecrets = await getIntegrationSecrets({
+          environment: dto.environment,
+          projectId: dto.projectId,
+          folderId: folder.id,
+          key: dto.key,
+          depth: dto.depth + 1
+        });
+
+        // add the imported secrets to the current folder secrets
+        content = { ...content, ...importedSecrets };
+      }
+    }
+
    return content;
  };

  queueService.start(QueueName.IntegrationSync, async (job) => {
-    const { environment, projectId, secretPath } = job.data;
+    const { environment, projectId, secretPath, depth = 1 } = job.data;
+
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder) {
-      logger.error("Secret path not found");
+      logger.error(new Error("Secret path not found"));
      return;
    }

-    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment);
+    // start syncing all linked imports also
+    if (depth < MAX_SYNC_SECRET_DEPTH) {
+      // find all imports made with the given environment and secret path
+      const linkSourceDto = {
+        projectId,
+        importEnv: folder.environment.id,
+        importPath: secretPath
+      };
+      const imports = await secretImportDAL.find(linkSourceDto);
+
+      if (imports.length) {
+        // keep calling sync secret for all the imports made
+        const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
+        const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
+        const foldersGroupedById = groupBy(importedFolders, (i) => i.child || i.id);
+        await Promise.all(
+          imports
+            .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0].path))
+            .map(({ folderId }) => {
+              const syncDto = {
+                depth: depth + 1,
+                projectId,
+                secretPath: foldersGroupedById[folderId][0].path,
+                environment: foldersGroupedById[folderId][0].environmentSlug
+              };
+              logger.info(
+                `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+              );
+              return syncSecrets(syncDto);
+            })
+        );
+      }
+    } else {
+      logger.info(`getIntegrationSecrets: Secret depth exceeded for [projectId=${projectId}] [folderId=${folder.id}]`);
+    }
+
+    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
    const toBeSyncedIntegrations = integrations.filter(
+      // note: sync only the integrations sourced from secretPath
      ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
    );

    if (!integrations.length) return;
-    logger.info("Secret integration sync started", job.data, job.id);
+    logger.info(
+      `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${job.data.depth}]`
+    );
    for (const integration of toBeSyncedIntegrations) {
      const integrationAuth = {
        ...integration.integrationAuth,
@@ -334,7 +390,13 @@ export const secretQueueFactory = ({

      const botKey = await projectBotService.getBotKey(projectId);
      const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(integrationAuth, botKey);
-      const secrets = await getIntegrationSecrets({ environment, projectId, secretPath, folderId: folder.id }, botKey);
+      const secrets = await getIntegrationSecrets({
+        environment,
+        projectId,
+        folderId: folder.id,
+        key: botKey,
+        depth: 1
+      });
      const suffixedSecrets: typeof secrets = {};
      const metadata = integration.metadata as Record<string, string>;
      if (metadata) {
@@ -362,7 +424,7 @@ export const secretQueueFactory = ({
      });
    }

-    logger.info("Secret integration sync ended", job.id);
+    logger.info("Secret integration sync ended: %s", job.id);
  });

  queueService.start(QueueName.SecretReminder, async ({ data }) => {
@@ -403,7 +465,7 @@ export const secretQueueFactory = ({
  });

  queueService.listen(QueueName.IntegrationSync, "failed", (job, err) => {
-    logger.error("Failed to sync integration", job?.data, err);
+    logger.error(err, "Failed to sync integration %s", job?.id);
  });

  queueService.start(QueueName.SecretWebhook, async (job) => {
@@ -411,7 +473,8 @@ export const secretQueueFactory = ({
  });

  return {
-    syncSecrets,
+    // depth is internal only field thus no need to make it available outside
+    syncSecrets: (dto: TGetSecrets) => syncSecrets(dto),
    syncIntegrations,
    addSecretReminder,
    removeSecretReminder,
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -29,6 +29,7 @@ require (
 require (
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
+	github.com/bradleyjkemp/cupaloy/v2 v2.8.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -51,6 +51,8 @@ github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGL
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/charmbracelet/lipgloss v0.5.0 h1:lulQHuVeodSgDez+3rGiuxlPVXSnhth442DATR2/8t8=
 github.com/charmbracelet/lipgloss v0.5.0/go.mod h1:EZLha/HbzEt7cYqdFPovlqy5FZPj0xFhg5SaqxScmgs=
@@ -324,6 +326,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
--- a/cli/packages/api/api.go
+++ b/cli/packages/api/api.go
@@ -512,16 +512,23 @@ func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request Unive

 func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Request) (GetRawSecretsV3Response, error) {
 	var getRawSecretsV3Response GetRawSecretsV3Response
-	response, err := httpClient.
+	req := httpClient.
 		R().
 		SetResult(&getRawSecretsV3Response).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
 		SetQueryParam("workspaceId", request.WorkspaceId).
 		SetQueryParam("environment", request.Environment).
-		SetQueryParam("secretPath", request.SecretPath).
-		SetQueryParam("include_imports", "false").
-		Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
+		SetQueryParam("secretPath", request.SecretPath)
+
+	if request.IncludeImport {
+		req.SetQueryParam("include_imports", "true")
+	}
+	if request.Recursive {
+		req.SetQueryParam("recursive", "true")
+	}
+
+	response, err := req.Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))

 	if err != nil {
 		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unable to complete api request [err=%w]", err)
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@@ -371,6 +371,22 @@ type ImportedSecretV3 struct {
 	Secrets     []EncryptedSecretV3 `json:"secrets"`
 }

+type ImportedRawSecretV3 struct {
+	SecretPath  string `json:"secretPath"`
+	Environment string `json:"environment"`
+	FolderId    string `json:"folderId"`
+	Secrets     []struct {
+		ID            string `json:"id"`
+		Workspace     string `json:"workspace"`
+		Environment   string `json:"environment"`
+		Version       int    `json:"version"`
+		Type          string `json:"type"`
+		SecretKey     string `json:"secretKey"`
+		SecretValue   string `json:"secretValue"`
+		SecretComment string `json:"secretComment"`
+	} `json:"secrets"`
+}
+
 type GetEncryptedSecretsV3Response struct {
 	Secrets         []EncryptedSecretV3 `json:"secrets"`
 	ImportedSecrets []ImportedSecretV3  `json:"imports,omitempty"`
@@ -528,6 +544,7 @@ type GetRawSecretsV3Request struct {
 	WorkspaceId   string `json:"workspaceId"`
 	SecretPath    string `json:"secretPath"`
 	IncludeImport bool   `json:"include_imports"`
+	Recursive     bool   `json:"recursive"`
 }

 type GetRawSecretsV3Response struct {
@@ -541,6 +558,6 @@ type GetRawSecretsV3Response struct {
 		SecretValue   string `json:"secretValue"`
 		SecretComment string `json:"secretComment"`
 	} `json:"secrets"`
-	Imports []any `json:"imports"`
+	Imports []ImportedRawSecretV3 `json:"imports"`
 	ETag    string
 }
--- a/cli/packages/cmd/agent.go
+++ b/cli/packages/cmd/agent.go
@@ -479,7 +479,7 @@ func (tm *AgentManager) GetToken() string {

 // Fetches a new access token using client credentials
 func (tm *AgentManager) FetchNewAccessToken() error {
-	clientID := os.Getenv("INFISICAL_UNIVERSAL_AUTH_CLIENT_ID")
+	clientID := os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
 	if clientID == "" {
 		clientIDAsByte, err := ReadFile(tm.clientIdPath)
 		if err != nil {
@@ -509,7 +509,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 	// save as cache in memory
 	tm.cachedClientSecret = clientSecret

-	err, loginResponse := universalAuthLogin(clientID, clientSecret)
+	loginResponse, err := util.UniversalAuthLogin(clientID, clientSecret)
 	if err != nil {
 		return err
 	}
@@ -725,20 +725,6 @@ func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId
 	}
 }

-func universalAuthLogin(clientId string, clientSecret string) (error, api.UniversalAuthLoginResponse) {
-	httpClient := resty.New()
-	httpClient.SetRetryCount(10000).
-		SetRetryMaxWaitTime(20 * time.Second).
-		SetRetryWaitTime(5 * time.Second)
-
-	tokenResponse, err := api.CallUniversalAuthLogin(httpClient, api.UniversalAuthLoginRequest{ClientId: clientId, ClientSecret: clientSecret})
-	if err != nil {
-		return err, api.UniversalAuthLoginResponse{}
-	}
-
-	return nil, tokenResponse
-}
-
 // runCmd represents the run command
 var agentCmd = &cobra.Command{
 	Example: `
--- a/cli/packages/cmd/export.go
+++ b/cli/packages/cmd/export.go
@@ -44,6 +44,11 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err)
 		}

+		includeImports, err := cmd.Flags().GetBool("include-imports")
+		if err != nil {
+			util.HandleError(err)
+		}
+
 		projectId, err := cmd.Flags().GetString("projectId")
 		if err != nil {
 			util.HandleError(err)
@@ -59,8 +64,7 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
-
+		token, err := util.GetInfisicalToken(cmd)
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -75,7 +79,21 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, WorkspaceId: projectId, SecretsPath: secretsPath}, "")
+		request := models.GetAllSecretsParameters{
+			Environment:   environmentName,
+			TagSlugs:      tagSlugs,
+			WorkspaceId:   projectId,
+			SecretsPath:   secretsPath,
+			IncludeImport: includeImports,
+		}
+
+		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+			request.InfisicalToken = token.Token
+		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+			request.UniversalAuthAccessToken = token.Token
+		}
+
+		secrets, err := util.GetAllEnvironmentVariables(request, "")
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
@@ -88,11 +106,20 @@ var exportCmd = &cobra.Command{

 		var output string
 		if shouldExpandSecrets {
-			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
-				InfisicalToken: infisicalToken,
-			}, "")
+
+			authParams := models.ExpandSecretsAuthentication{}
+
+			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+				authParams.InfisicalToken = token.Token
+			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+				authParams.UniversalAuthAccessToken = token.Token
+			}
+
+			secrets = util.ExpandSecrets(secrets, authParams, "")
 		}
 		secrets = util.FilterSecretsByTag(secrets, tagSlugs)
+		secrets = util.SortSecretsByKeys(secrets)
+
 		output, err = formatEnvs(secrets, format)
 		if err != nil {
 			util.HandleError(err)
@@ -110,6 +137,7 @@ func init() {
 	exportCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	exportCmd.Flags().StringP("format", "f", "dotenv", "Set the format of the output file (dotenv, json, csv)")
 	exportCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
+	exportCmd.Flags().Bool("include-imports", true, "Imported linked secrets")
 	exportCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
 	exportCmd.Flags().StringP("tags", "t", "", "filter secrets by tag slugs")
 	exportCmd.Flags().String("projectId", "", "manually set the projectId to fetch secrets from")
--- a/cli/packages/cmd/folder.go
+++ b/cli/packages/cmd/folder.go
@@ -36,18 +36,33 @@ var getCmd = &cobra.Command{
 			}
 		}

-		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
-
+		projectId, err := cmd.Flags().GetString("projectId")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}

+		token, err := util.GetInfisicalToken(cmd)
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
 		foldersPath, err := cmd.Flags().GetString("path")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}

-		folders, err := util.GetAllFolders(models.GetAllFoldersParameters{Environment: environmentName, InfisicalToken: infisicalToken, FoldersPath: foldersPath})
+		request := models.GetAllFoldersParameters{
+			Environment: environmentName,
+			WorkspaceId: projectId,
+			FoldersPath: foldersPath,
+		}
+
+		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+			request.InfisicalToken = token.Token
+		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+			request.UniversalAuthAccessToken = token.Token
+		}
+
+		folders, err := util.GetAllFolders(request)
 		if err != nil {
 			util.HandleError(err, "Unable to get folders")
 		}
--- a/cli/packages/cmd/login.go
+++ b/cli/packages/cmd/login.go
@@ -55,95 +55,157 @@ var loginCmd = &cobra.Command{
 	Short:                 "Login into your Infisical account",
 	DisableFlagsInUseLine: true,
 	Run: func(cmd *cobra.Command, args []string) {
-		currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
-		// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
-		if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
-			log.Debug().Err(err)
-		} else if err != nil {
+
+		loginMethod, err := cmd.Flags().GetString("method")
+		if err != nil {
+			util.HandleError(err)
+		}
+		plainOutput, err := cmd.Flags().GetBool("plain")
+		if err != nil {
 			util.HandleError(err)
 		}

-		if currentLoggedInUserDetails.IsUserLoggedIn && !currentLoggedInUserDetails.LoginExpired && len(currentLoggedInUserDetails.UserCredentials.PrivateKey) != 0 {
-			shouldOverride, err := userLoginMenu(currentLoggedInUserDetails.UserCredentials.Email)
-			if err != nil {
+		if loginMethod != "user" && loginMethod != "universal-auth" {
+			util.PrintErrorMessageAndExit("Invalid login method. Please use either 'user' or 'universal-auth'")
+		}
+
+		if loginMethod == "user" {
+
+			currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+			// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
+			if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
+				log.Debug().Err(err)
+			} else if err != nil {
 				util.HandleError(err)
 			}

-			if !shouldOverride {
-				return
+			if currentLoggedInUserDetails.IsUserLoggedIn && !currentLoggedInUserDetails.LoginExpired && len(currentLoggedInUserDetails.UserCredentials.PrivateKey) != 0 {
+				shouldOverride, err := userLoginMenu(currentLoggedInUserDetails.UserCredentials.Email)
+				if err != nil {
+					util.HandleError(err)
+				}
+
+				if !shouldOverride {
+					return
+				}
 			}
-		}
-		//override domain
-		domainQuery := true
-		if config.INFISICAL_URL_MANUAL_OVERRIDE != "" && config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
-			overrideDomain, err := DomainOverridePrompt()
-			if err != nil {
-				util.HandleError(err)
+			//override domain
+			domainQuery := true
+			if config.INFISICAL_URL_MANUAL_OVERRIDE != "" && config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
+				overrideDomain, err := DomainOverridePrompt()
+				if err != nil {
+					util.HandleError(err)
+				}
+
+				//if not override set INFISICAL_URL to exported var
+				//set domainQuery to false
+				if !overrideDomain {
+					domainQuery = false
+					config.INFISICAL_URL = config.INFISICAL_URL_MANUAL_OVERRIDE
+				}
+
 			}

-			//if not override set INFISICAL_URL to exported var
-			//set domainQuery to false
-			if !overrideDomain {
-				domainQuery = false
-				config.INFISICAL_URL = config.INFISICAL_URL_MANUAL_OVERRIDE
+			//prompt user to select domain between Infisical cloud and self hosting
+			if domainQuery {
+				err = askForDomain()
+				if err != nil {
+					util.HandleError(err, "Unable to parse domain url")
+				}
 			}
+			var userCredentialsToBeStored models.UserCredentials

-		}
-
-		//prompt user to select domain between Infisical cloud and self hosting
-		if domainQuery {
-			err = askForDomain()
-			if err != nil {
-				util.HandleError(err, "Unable to parse domain url")
-			}
-		}
-		var userCredentialsToBeStored models.UserCredentials
-
-		interactiveLogin := false
-		if cmd.Flags().Changed("interactive") {
-			interactiveLogin = true
-			cliDefaultLogin(&userCredentialsToBeStored)
-		}
-
-		//call browser login function
-		if !interactiveLogin {
-			fmt.Println("Logging in via browser... To login via interactive mode run [infisical login -i]")
-			userCredentialsToBeStored, err = browserCliLogin()
-			if err != nil {
-				//default to cli login on error
+			interactiveLogin := false
+			if cmd.Flags().Changed("interactive") {
+				interactiveLogin = true
 				cliDefaultLogin(&userCredentialsToBeStored)
 			}
+
+			//call browser login function
+			if !interactiveLogin {
+				fmt.Println("Logging in via browser... To login via interactive mode run [infisical login -i]")
+				userCredentialsToBeStored, err = browserCliLogin()
+				if err != nil {
+					//default to cli login on error
+					cliDefaultLogin(&userCredentialsToBeStored)
+				}
+			}
+
+			err = util.StoreUserCredsInKeyRing(&userCredentialsToBeStored)
+			if err != nil {
+				log.Error().Msgf("Unable to store your credentials in system vault [%s]")
+				log.Error().Msgf("\nTo trouble shoot further, read https://infisical.com/docs/cli/faq")
+				log.Debug().Err(err)
+				//return here
+				util.HandleError(err)
+			}
+
+			err = util.WriteInitalConfig(&userCredentialsToBeStored)
+			if err != nil {
+				util.HandleError(err, "Unable to write write to Infisical Config file. Please try again")
+			}
+
+			// clear backed up secrets from prev account
+			util.DeleteBackupSecrets()
+
+			whilte := color.New(color.FgGreen)
+			boldWhite := whilte.Add(color.Bold)
+			time.Sleep(time.Second * 1)
+			boldWhite.Printf(">>>> Welcome to Infisical!")
+			boldWhite.Printf(" You are now logged in as %v <<<< \n", userCredentialsToBeStored.Email)
+
+			plainBold := color.New(color.Bold)
+
+			plainBold.Println("\nQuick links")
+			fmt.Println("- Learn to inject secrets into your application at https://infisical.com/docs/cli/usage")
+			fmt.Println("- Stuck? Join our slack for quick support https://infisical.com/slack")
+			Telemetry.CaptureEvent("cli-command:login", posthog.NewProperties().Set("infisical-backend", config.INFISICAL_URL).Set("version", util.CLI_VERSION))
+		} else if loginMethod == "universal-auth" {
+
+			clientId, err := cmd.Flags().GetString("client-id")
+			if err != nil {
+				util.HandleError(err)
+			}
+
+			clientSecret, err := cmd.Flags().GetString("client-secret")
+			if err != nil {
+				util.HandleError(err)
+			}
+
+			if clientId == "" {
+				clientId = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
+				if clientId == "" {
+					util.PrintErrorMessageAndExit("Please provide client-id")
+				}
+			}
+			if clientSecret == "" {
+				clientSecret = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
+				if clientSecret == "" {
+					util.PrintErrorMessageAndExit("Please provide client-secret")
+				}
+			}
+
+			res, err := util.UniversalAuthLogin(clientId, clientSecret)
+
+			if err != nil {
+				util.HandleError(err)
+			}
+
+			if plainOutput {
+				fmt.Println(res.AccessToken)
+				return
+			}
+
+			boldGreen := color.New(color.FgGreen).Add(color.Bold)
+			boldPlain := color.New(color.Bold)
+			time.Sleep(time.Second * 1)
+			boldGreen.Printf(">>>> Successfully authenticated with Universal Auth!\n\n")
+			boldPlain.Printf("Universal Auth Access Token:\n%v", res.AccessToken)
+
+			plainBold := color.New(color.Bold)
+			plainBold.Println("\n\nYou can use this access token to authenticate through other commands in the CLI.")
+
 		}
-
-		err = util.StoreUserCredsInKeyRing(&userCredentialsToBeStored)
-		if err != nil {
-			log.Error().Msgf("Unable to store your credentials in system vault [%s]")
-			log.Error().Msgf("\nTo trouble shoot further, read https://infisical.com/docs/cli/faq")
-			log.Debug().Err(err)
-			//return here
-			util.HandleError(err)
-		}
-
-		err = util.WriteInitalConfig(&userCredentialsToBeStored)
-		if err != nil {
-			util.HandleError(err, "Unable to write write to Infisical Config file. Please try again")
-		}
-
-		// clear backed up secrets from prev account
-		util.DeleteBackupSecrets()
-
-		whilte := color.New(color.FgGreen)
-		boldWhite := whilte.Add(color.Bold)
-		time.Sleep(time.Second * 1)
-		boldWhite.Printf(">>>> Welcome to Infisical!")
-		boldWhite.Printf(" You are now logged in as %v <<<< \n", userCredentialsToBeStored.Email)
-
-		plainBold := color.New(color.Bold)
-
-		plainBold.Println("\nQuick links")
-		fmt.Println("- Learn to inject secrets into your application at https://infisical.com/docs/cli/usage")
-		fmt.Println("- Stuck? Join our slack for quick support https://infisical.com/slack")
-		Telemetry.CaptureEvent("cli-command:login", posthog.NewProperties().Set("infisical-backend", config.INFISICAL_URL).Set("version", util.CLI_VERSION))
 	},
 }

@@ -313,6 +375,10 @@ func cliDefaultLogin(userCredentialsToBeStored *models.UserCredentials) {
 func init() {
 	rootCmd.AddCommand(loginCmd)
 	loginCmd.Flags().BoolP("interactive", "i", false, "login via the command line")
+	loginCmd.Flags().String("method", "user", "login method [user, universal-auth]")
+	loginCmd.Flags().String("client-id", "", "client id for universal auth")
+	loginCmd.Flags().Bool("plain", false, "only output the token without any formatting")
+	loginCmd.Flags().String("client-secret", "", "client secret for universal auth")
 }

 func DomainOverridePrompt() (bool, error) {
--- a/cli/packages/cmd/root.go
+++ b/cli/packages/cmd/root.go
@@ -40,8 +40,14 @@ func init() {
 	rootCmd.PersistentFlags().StringP("log-level", "l", "info", "log level (trace, debug, info, warn, error, fatal)")
 	rootCmd.PersistentFlags().Bool("telemetry", true, "Infisical collects non-sensitive telemetry data to enhance features and improve user experience. Participation is voluntary")
 	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", util.INFISICAL_DEFAULT_API_URL, "Point the CLI to your own backend [can also set via environment variable name: INFISICAL_API_URL]")
+	rootCmd.PersistentFlags().Bool("silent", false, "Disable output of tip/info messages. Useful when running in scripts or CI/CD pipelines.")
 	rootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-		if !util.IsRunningInDocker() {
+		silent, err := cmd.Flags().GetBool("silent")
+		if err != nil {
+			util.HandleError(err)
+		}
+
+		if !util.IsRunningInDocker() && !silent {
 			util.CheckForUpdate()
 		}
 	}
--- a/cli/packages/cmd/run.go
+++ b/cli/packages/cmd/run.go
@@ -62,8 +62,7 @@ var runCmd = &cobra.Command{
 			}
 		}

-		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
-
+		token, err := util.GetInfisicalToken(cmd)
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -73,6 +72,11 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

+		projectId, err := cmd.Flags().GetString("projectId")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@@ -103,7 +107,22 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports, Recursive: recursive}, projectConfigDir)
+		request := models.GetAllSecretsParameters{
+			Environment:   environmentName,
+			WorkspaceId:   projectId,
+			TagSlugs:      tagSlugs,
+			SecretsPath:   secretsPath,
+			IncludeImport: includeImports,
+			Recursive:     recursive,
+		}
+
+		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+			request.InfisicalToken = token.Token
+		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+			request.UniversalAuthAccessToken = token.Token
+		}
+
+		secrets, err := util.GetAllEnvironmentVariables(request, projectConfigDir)

 		if err != nil {
 			util.HandleError(err, "Could not fetch secrets", "If you are using a service token to fetch secrets, please ensure it is valid")
@@ -116,9 +135,16 @@ var runCmd = &cobra.Command{
 		}

 		if shouldExpandSecrets {
-			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
-				InfisicalToken: infisicalToken,
-			}, projectConfigDir)
+
+			authParams := models.ExpandSecretsAuthentication{}
+
+			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+				authParams.InfisicalToken = token.Token
+			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+				authParams.UniversalAuthAccessToken = token.Token
+			}
+
+			secrets = util.ExpandSecrets(secrets, authParams, projectConfigDir)
 		}

 		secretsByKey := getSecretsByKeys(secrets)
@@ -149,7 +175,15 @@ var runCmd = &cobra.Command{

 		log.Debug().Msgf("injecting the following environment variables into shell: %v", env)

-		Telemetry.CaptureEvent("cli-command:run", posthog.NewProperties().Set("secretsCount", len(secrets)).Set("environment", environmentName).Set("isUsingServiceToken", infisicalToken != "").Set("single-command", strings.Join(args, " ")).Set("multi-command", cmd.Flag("command").Value.String()).Set("version", util.CLI_VERSION))
+		Telemetry.CaptureEvent("cli-command:run",
+			posthog.NewProperties().
+				Set("secretsCount", len(secrets)).
+				Set("environment", environmentName).
+				Set("isUsingServiceToken", token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER).
+				Set("isUsingUniversalAuthToken", token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER).
+				Set("single-command", strings.Join(args, " ")).
+				Set("multi-command", cmd.Flag("command").Value.String()).
+				Set("version", util.CLI_VERSION))

 		if cmd.Flags().Changed("command") {
 			command := cmd.Flag("command").Value.String()
@@ -204,6 +238,7 @@ func filterReservedEnvVars(env map[string]models.SingleEnvironmentVariable) {
 func init() {
 	rootCmd.AddCommand(runCmd)
 	runCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	runCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	runCmd.Flags().StringP("env", "e", "dev", "Set the environment (dev, prod, etc.) from which your secrets should be pulled from")
 	runCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	runCmd.Flags().Bool("include-imports", true, "Import linked secrets ")
--- a/cli/packages/cmd/secrets.go
+++ b/cli/packages/cmd/secrets.go
@@ -38,12 +38,12 @@ var secretsCmd = &cobra.Command{
 			}
 		}

-		infisicalToken, err := util.GetInfisicalServiceToken(cmd)
-
+		token, err := util.GetInfisicalToken(cmd)
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}

+		projectId, err := cmd.Flags().GetString("projectId")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
 		}
@@ -78,7 +78,22 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: includeImports, Recursive: recursive}, "")
+		request := models.GetAllSecretsParameters{
+			Environment:   environmentName,
+			WorkspaceId:   projectId,
+			TagSlugs:      tagSlugs,
+			SecretsPath:   secretsPath,
+			IncludeImport: includeImports,
+			Recursive:     recursive,
+		}
+
+		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+			request.InfisicalToken = token.Token
+		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+			request.UniversalAuthAccessToken = token.Token
+		}
+
+		secrets, err := util.GetAllEnvironmentVariables(request, "")
 		if err != nil {
 			util.HandleError(err)
 		}
@@ -90,11 +105,20 @@ var secretsCmd = &cobra.Command{
 		}

 		if shouldExpandSecrets {
-			secrets = util.ExpandSecrets(secrets, models.ExpandSecretsAuthentication{
-				InfisicalToken: infisicalToken,
-			}, "")
+
+			authParams := models.ExpandSecretsAuthentication{}
+			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+				authParams.InfisicalToken = token.Token
+			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+				authParams.UniversalAuthAccessToken = token.Token
+			}
+
+			secrets = util.ExpandSecrets(secrets, authParams, "")
 		}

+		// Sort the secrets by key so we can create a consistent output
+		secrets = util.SortSecretsByKeys(secrets)
+
 		visualize.PrintAllSecretDetails(secrets)
 		Telemetry.CaptureEvent("cli-command:secrets", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
@@ -402,8 +426,12 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		}
 	}

-	infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}

+	shouldExpand, err := cmd.Flags().GetBool("expand")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
 	}
@@ -413,6 +441,11 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}

+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	secretsPath, err := cmd.Flags().GetString("path")
 	if err != nil {
 		util.HandleError(err, "Unable to parse path flag")
@@ -428,11 +461,37 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse path flag")
 	}

-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true, Recursive: recursive}, "")
+	request := models.GetAllSecretsParameters{
+		Environment:   environmentName,
+		WorkspaceId:   projectId,
+		TagSlugs:      tagSlugs,
+		SecretsPath:   secretsPath,
+		IncludeImport: true,
+		Recursive:     recursive,
+	}
+
+	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+		request.InfisicalToken = token.Token
+	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+		request.UniversalAuthAccessToken = token.Token
+	}
+
+	secrets, err := util.GetAllEnvironmentVariables(request, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}

+	if shouldExpand {
+		authParams := models.ExpandSecretsAuthentication{}
+		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+			authParams.InfisicalToken = token.Token
+		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+			authParams.UniversalAuthAccessToken = token.Token
+		}
+
+		secrets = util.ExpandSecrets(secrets, authParams, "")
+	}
+
 	requestedSecrets := []models.SingleEnvironmentVariable{}

 	secretsMap := getSecretsByKeys(secrets)
@@ -475,8 +534,12 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}

-	infisicalToken, err := util.GetInfisicalServiceToken(cmd)
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}

+	projectId, err := cmd.Flags().GetString("projectId")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
 	}
@@ -486,7 +549,21 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}

-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
+	request := models.GetAllSecretsParameters{
+		Environment:   environmentName,
+		WorkspaceId:   projectId,
+		TagSlugs:      tagSlugs,
+		SecretsPath:   secretsPath,
+		IncludeImport: true,
+	}
+
+	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
+		request.InfisicalToken = token.Token
+	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
+		request.UniversalAuthAccessToken = token.Token
+	}
+
+	secrets, err := util.GetAllEnvironmentVariables(request, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -686,19 +763,23 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod

 func init() {
 	secretsGenerateExampleEnvCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsGenerateExampleEnvCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	secretsGenerateExampleEnvCmd.Flags().String("path", "/", "Fetch secrets from within a folder path")
 	secretsCmd.AddCommand(secretsGenerateExampleEnvCmd)

 	secretsGetCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
-	secretsCmd.AddCommand(secretsGetCmd)
+	secretsGetCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	secretsGetCmd.Flags().String("path", "/", "get secrets within a folder path")
+	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	secretsGetCmd.Flags().Bool("raw-value", false, "Returns only the value of secret, only works with one secret")
 	secretsGetCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
+	secretsCmd.AddCommand(secretsGetCmd)

 	secretsCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsSetCmd)
 	secretsSetCmd.Flags().String("path", "/", "set secrets within a folder path")

+	// Only supports logged in users (JWT auth)
 	secretsSetCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 		util.RequireLogin()
 		util.RequireLocalWorkspaceFile()
@@ -707,6 +788,8 @@ func init() {
 	secretsDeleteCmd.Flags().String("type", "personal", "the type of secret to delete: personal or shared  (default: personal)")
 	secretsDeleteCmd.Flags().String("path", "/", "get secrets within a folder path")
 	secretsCmd.AddCommand(secretsDeleteCmd)
+
+	// Only supports logged in users (JWT auth)
 	secretsDeleteCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 		util.RequireLogin()
 		util.RequireLocalWorkspaceFile()
@@ -718,6 +801,7 @@ func init() {
 	// Add getCmd, createCmd and deleteCmd flags here
 	getCmd.Flags().StringP("path", "p", "/", "The path from where folders should be fetched from")
 	getCmd.Flags().String("token", "", "Fetch folders using the infisical token")
+	getCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	folderCmd.AddCommand(getCmd)

 	// Add createCmd flags here
@@ -735,6 +819,7 @@ func init() {
 	// ** End of folders sub command

 	secretsCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsCmd.Flags().String("projectId", "", "manually set the projectId to fetch folders from for machine identity")
 	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
 	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	secretsCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
--- a/cli/packages/cmd/token.go
+++ b/cli/packages/cmd/token.go
@@ -0,0 +1,63 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"strings"
+	"time"
+
+	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/fatih/color"
+	"github.com/spf13/cobra"
+)
+
+var tokenCmd = &cobra.Command{
+	Use:                   "token",
+	Short:                 "Manage your access tokens",
+	DisableFlagsInUseLine: true,
+	Example:               "infisical token",
+	Args:                  cobra.ExactArgs(0),
+	PreRun: func(cmd *cobra.Command, args []string) {
+		util.RequireLogin()
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+	},
+}
+
+var tokenRenewCmd = &cobra.Command{
+	Use:                   "renew [token]",
+	Short:                 "Used to renew your universal auth access token",
+	DisableFlagsInUseLine: true,
+	Example:               "infisical token renew <access-token>",
+	Args:                  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		// args[0] will be the <INSERT_TOKEN> from your command call
+		token := args[0]
+
+		if strings.HasPrefix(token, "st.") {
+			util.PrintErrorMessageAndExit("You are trying to renew a service token. You can only renew universal auth access tokens.")
+		}
+
+		renewedAccessToken, err := util.RenewUniversalAuthAccessToken(token)
+
+		if err != nil {
+			util.HandleError(err, "Unable to renew token")
+		}
+
+		boldGreen := color.New(color.FgGreen).Add(color.Bold)
+		time.Sleep(time.Second * 1)
+		boldGreen.Printf(">>>> Successfully renewed token!\n\n")
+		boldGreen.Printf("Renewed Access Token:\n%v", renewedAccessToken)
+
+		plainBold := color.New(color.Bold)
+		plainBold.Println("\n\nYou can use the new access token to authenticate through other commands in the CLI.")
+
+	},
+}
+
+func init() {
+	tokenCmd.AddCommand(tokenRenewCmd)
+
+	rootCmd.AddCommand(tokenCmd)
+}
--- a/cli/packages/models/cli.go
+++ b/cli/packages/models/cli.go
@@ -59,6 +59,11 @@ type DynamicSecretLease struct {
 	Data map[string]interface{} `json:"data"`
 }

+type TokenDetails struct {
+	Type  string
+	Token string
+}
+
 type SingleFolder struct {
 	ID   string `json:"_id"`
 	Name string `json:"name"`
@@ -97,10 +102,11 @@ type GetAllSecretsParameters struct {
 }

 type GetAllFoldersParameters struct {
-	WorkspaceId    string
-	Environment    string
-	FoldersPath    string
-	InfisicalToken string
+	WorkspaceId              string
+	Environment              string
+	FoldersPath              string
+	InfisicalToken           string
+	UniversalAuthAccessToken string
 }

 type CreateFolderParameters struct {
@@ -123,3 +129,8 @@ type ExpandSecretsAuthentication struct {
 	InfisicalToken           string
 	UniversalAuthAccessToken string
 }
+
+type MachineIdentityCredentials struct {
+	ClientId     string
+	ClientSecret string
+}
--- a/cli/packages/util/constants.go
+++ b/cli/packages/util/constants.go
@@ -1,17 +1,23 @@
 package util

 const (
-	CONFIG_FILE_NAME                     = "infisical-config.json"
-	CONFIG_FOLDER_NAME                   = ".infisical"
-	INFISICAL_DEFAULT_API_URL            = "https://app.infisical.com/api"
-	INFISICAL_DEFAULT_URL                = "https://app.infisical.com"
-	INFISICAL_WORKSPACE_CONFIG_FILE_NAME = ".infisical.json"
-	INFISICAL_TOKEN_NAME                 = "INFISICAL_TOKEN"
-	SECRET_TYPE_PERSONAL                 = "personal"
-	SECRET_TYPE_SHARED                   = "shared"
-	KEYRING_SERVICE_NAME                 = "infisical"
-	PERSONAL_SECRET_TYPE_NAME            = "personal"
-	SHARED_SECRET_TYPE_NAME              = "shared"
+	CONFIG_FILE_NAME                            = "infisical-config.json"
+	CONFIG_FOLDER_NAME                          = ".infisical"
+	INFISICAL_DEFAULT_API_URL                   = "https://app.infisical.com/api"
+	INFISICAL_DEFAULT_URL                       = "https://app.infisical.com"
+	INFISICAL_WORKSPACE_CONFIG_FILE_NAME        = ".infisical.json"
+	INFISICAL_TOKEN_NAME                        = "INFISICAL_TOKEN"
+	INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME     = "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
+	INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME = "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
+	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME  = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
+	SECRET_TYPE_PERSONAL                        = "personal"
+	SECRET_TYPE_SHARED                          = "shared"
+	KEYRING_SERVICE_NAME                        = "infisical"
+	PERSONAL_SECRET_TYPE_NAME                   = "personal"
+	SHARED_SECRET_TYPE_NAME                     = "shared"
+
+	SERVICE_TOKEN_IDENTIFIER        = "service-token"
+	UNIVERSAL_AUTH_TOKEN_IDENTIFIER = "universal-auth-token"
 )

 var (
--- a/cli/packages/util/folders.go
+++ b/cli/packages/util/folders.go
@@ -19,7 +19,7 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder

 	var foldersToReturn []models.SingleFolder
 	var folderErr error
-	if params.InfisicalToken == "" {
+	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {

 		log.Debug().Msg("GetAllFolders: Trying to fetch folders using logged in details")

@@ -44,11 +44,24 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder
 		folders, err := GetFoldersViaJTW(loggedInUserDetails.UserCredentials.JTWToken, workspaceFile.WorkspaceId, params.Environment, params.FoldersPath)
 		folderErr = err
 		foldersToReturn = folders
-	} else {
+	} else if params.InfisicalToken != "" {
+		log.Debug().Msg("GetAllFolders: Trying to fetch folders using service token")
+
 		// get folders via service token
 		folders, err := GetFoldersViaServiceToken(params.InfisicalToken, params.WorkspaceId, params.Environment, params.FoldersPath)
 		folderErr = err
 		foldersToReturn = folders
+	} else if params.UniversalAuthAccessToken != "" {
+		log.Debug().Msg("GetAllFolders: Trying to fetch folders using universal auth")
+
+		if params.WorkspaceId == "" {
+			PrintErrorMessageAndExit("Project ID is required when using machine identity")
+		}
+
+		// get folders via machine identity
+		folders, err := GetFoldersViaMachineIdentity(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.FoldersPath)
+		folderErr = err
+		foldersToReturn = folders
 	}
 	return foldersToReturn, folderErr
 }
@@ -132,6 +145,34 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 	return folders, nil
 }

+func GetFoldersViaMachineIdentity(accessToken string, workspaceId string, envSlug string, foldersPath string) ([]models.SingleFolder, error) {
+	httpClient := resty.New()
+	httpClient.SetAuthToken(accessToken).
+		SetHeader("Accept", "application/json")
+
+	getFoldersRequest := api.GetFoldersV1Request{
+		WorkspaceId: workspaceId,
+		Environment: envSlug,
+		FoldersPath: foldersPath,
+	}
+
+	apiResponse, err := api.CallGetFoldersV1(httpClient, getFoldersRequest)
+	if err != nil {
+		return nil, err
+	}
+
+	var folders []models.SingleFolder
+
+	for _, folder := range apiResponse.Folders {
+		folders = append(folders, models.SingleFolder{
+			Name: folder.Name,
+			ID:   folder.ID,
+		})
+	}
+
+	return folders, nil
+}
+
 // CreateFolder creates a folder in Infisical
 func CreateFolder(params models.CreateFolderParameters) (models.SingleFolder, error) {
 	loggedInUserDetails, err := GetCurrentLoggedInUserDetails()
--- a/cli/packages/util/helper.go
+++ b/cli/packages/util/helper.go
@@ -8,9 +8,13 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"sort"
 	"strings"
+	"time"

+	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
+	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )

@@ -50,6 +54,14 @@ func GetBase64DecodedSymmetricEncryptionDetails(key string, cipher string, IV st
 	}, nil
 }

+// Helper function to sort the secrets by key so we can create a consistent output
+func SortSecretsByKeys(secrets []models.SingleEnvironmentVariable) []models.SingleEnvironmentVariable {
+	sort.Slice(secrets, func(i, j int) bool {
+		return secrets[i].Key < secrets[j].Key
+	})
+	return secrets
+}
+
 func IsSecretEnvironmentValid(env string) bool {
 	if env == "prod" || env == "dev" || env == "test" || env == "staging" {
 		return true
@@ -64,18 +76,70 @@ func IsSecretTypeValid(s string) bool {
 	return false
 }

-func GetInfisicalServiceToken(cmd *cobra.Command) (serviceToken string, err error) {
+func GetInfisicalToken(cmd *cobra.Command) (token *models.TokenDetails, err error) {
 	infisicalToken, err := cmd.Flags().GetString("token")

-	if infisicalToken == "" {
-		infisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
+	if err != nil {
+		return nil, err
 	}

+	if infisicalToken == "" { // If no flag is passed, we first check for the universal auth access token env variable.
+		infisicalToken = os.Getenv(INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME)
+
+		if infisicalToken == "" { // If it's still empty after the first env check, we check for the service token env variable.
+			infisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
+		}
+	}
+
+	if infisicalToken == "" { // If it's empty, we return nothing at all.
+		return nil, nil
+	}
+
+	if strings.HasPrefix(infisicalToken, "st.") {
+		return &models.TokenDetails{
+			Type:  SERVICE_TOKEN_IDENTIFIER,
+			Token: infisicalToken,
+		}, nil
+	}
+
+	return &models.TokenDetails{
+		Type:  UNIVERSAL_AUTH_TOKEN_IDENTIFIER,
+		Token: infisicalToken,
+	}, nil
+
+}
+
+func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuthLoginResponse, error) {
+	httpClient := resty.New()
+	httpClient.SetRetryCount(10000).
+		SetRetryMaxWaitTime(20 * time.Second).
+		SetRetryWaitTime(5 * time.Second)
+
+	tokenResponse, err := api.CallUniversalAuthLogin(httpClient, api.UniversalAuthLoginRequest{ClientId: clientId, ClientSecret: clientSecret})
+	if err != nil {
+		return api.UniversalAuthLoginResponse{}, err
+	}
+
+	return tokenResponse, nil
+}
+
+func RenewUniversalAuthAccessToken(accessToken string) (string, error) {
+
+	httpClient := resty.New()
+	httpClient.SetRetryCount(10000).
+		SetRetryMaxWaitTime(20 * time.Second).
+		SetRetryWaitTime(5 * time.Second)
+
+	request := api.UniversalAuthRefreshRequest{
+		AccessToken: accessToken,
+	}
+
+	tokenResponse, err := api.CallUniversalAuthRefreshAccessToken(httpClient, request)
 	if err != nil {
 		return "", err
 	}

-	return infisicalToken, nil
+	return tokenResponse.AccessToken, nil
 }

 // Checks if the passed in email already exists in the users slice
--- a/cli/packages/util/secrets.go
+++ b/cli/packages/util/secrets.go
@@ -159,7 +159,7 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")

-	getSecretsRequest := api.GetEncryptedSecretsV3Request{
+	getSecretsRequest := api.GetRawSecretsV3Request{
 		WorkspaceId:   workspaceId,
 		Environment:   environmentName,
 		IncludeImport: includeImports,
@@ -171,7 +171,8 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 		getSecretsRequest.SecretPath = secretsPath
 	}

-	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{WorkspaceId: workspaceId, SecretPath: secretsPath, Environment: environmentName})
+	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, getSecretsRequest)
+
 	if err != nil {
 		return models.PlaintextSecretResult{}, err
 	}
@@ -182,15 +183,15 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 	}

 	for _, secret := range rawSecrets.Secrets {
-		plainTextSecrets = append(plainTextSecrets, models.SingleEnvironmentVariable{Key: secret.SecretKey, Value: secret.SecretValue, WorkspaceId: secret.Workspace})
+		plainTextSecrets = append(plainTextSecrets, models.SingleEnvironmentVariable{Key: secret.SecretKey, Value: secret.SecretValue, Type: secret.Type, WorkspaceId: secret.Workspace})
 	}

-	// if includeImports {
-	// 	plainTextSecrets, err = InjectImportedSecret(plainTextWorkspaceKey, plainTextSecrets, encryptedSecrets.ImportedSecrets)
-	// 	if err != nil {
-	// 		return nil, err
-	// 	}
-	// }
+	if includeImports {
+		plainTextSecrets, err = InjectRawImportedSecret(plainTextSecrets, rawSecrets.Imports)
+		if err != nil {
+			return models.PlaintextSecretResult{}, err
+		}
+	}

 	return models.PlaintextSecretResult{
 		Secrets: plainTextSecrets,
@@ -251,6 +252,36 @@ func InjectImportedSecret(plainTextWorkspaceKey []byte, secrets []models.SingleE
 	return secrets, nil
 }

+func InjectRawImportedSecret(secrets []models.SingleEnvironmentVariable, importedSecrets []api.ImportedRawSecretV3) ([]models.SingleEnvironmentVariable, error) {
+	if importedSecrets == nil {
+		return secrets, nil
+	}
+
+	hasOverriden := make(map[string]bool)
+	for _, sec := range secrets {
+		hasOverriden[sec.Key] = true
+	}
+
+	for i := len(importedSecrets) - 1; i >= 0; i-- {
+		importSec := importedSecrets[i]
+		plainTextImportedSecrets := importSec.Secrets
+
+		for _, sec := range plainTextImportedSecrets {
+			if _, ok := hasOverriden[sec.SecretKey]; !ok {
+				secrets = append(secrets, models.SingleEnvironmentVariable{
+					Key:         sec.SecretKey,
+					WorkspaceId: sec.Workspace,
+					Value:       sec.SecretValue,
+					Type:        sec.Type,
+					ID:          sec.ID,
+				})
+				hasOverriden[sec.SecretKey] = true
+			}
+		}
+	}
+	return secrets, nil
+}
+
 func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tagSlugs string) []models.SingleEnvironmentVariable {
 	if tagSlugs == "" {
 		return plainTextSecrets
@@ -355,6 +386,11 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 			log.Debug().Msg("Trying to fetch secrets using service token")
 			secretsToReturn, _, errorToReturn = GetPlainTextSecretsViaServiceToken(params.InfisicalToken, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive)
 		} else if params.UniversalAuthAccessToken != "" {
+
+			if params.WorkspaceId == "" {
+				PrintErrorMessageAndExit("Project ID is required when using machine identity")
+			}
+
 			log.Debug().Msg("Trying to fetch secrets using universal auth")
 			res, err := GetPlainTextSecretsViaMachineIdentity(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive)

--- a/cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithImports
+++ b/cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithImports
@@ -0,0 +1,5 @@
+STAGING-SECRET-1='staging-value-1'
+STAGING-SECRET-2='staging-value-2'
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'
--- a/cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithoutImports
+++ b/cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithoutImports
@@ -0,0 +1,3 @@
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'
--- a/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameRecursive
+++ b/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameRecursive
@@ -0,0 +1,7 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+└─────────────────┴────────────────┴─────────────┘
--- a/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithImports
+++ b/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithImports
@@ -0,0 +1,7 @@
+┌──────────────────┬─────────────────┬─────────────┐
+│ SECRET NAME      │ SECRET VALUE    │ SECRET TYPE │
+├──────────────────┼─────────────────┼─────────────┤
+│ TEST-SECRET-1    │ test-value-1    │ shared      │
+│ STAGING-SECRET-2 │ staging-value-2 │ shared      │
+│ FOLDER-SECRET-1  │ folder-value-1  │ shared      │
+└──────────────────┴─────────────────┴─────────────┘
--- a/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithNotFoundSecret
+++ b/cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithNotFoundSecret
@@ -0,0 +1,8 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+│ DOES-NOT-EXIST  │ *not found*    │ *not found* │
+└─────────────────┴────────────────┴─────────────┘
--- a/cli/test/.snapshots/test-TestServiceToken_RunCmdRecursiveAndImports
+++ b/cli/test/.snapshots/test-TestServiceToken_RunCmdRecursiveAndImports
@@ -0,0 +1,2 @@
+[0m Injecting 6 Infisical secrets into your application process
+hello world
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Maidul Islam	de21b44486	small nits	2024-04-22 14:36:33 -04:00
Daniel Hougaard	519d6f98a2	Chore: Use standard lib	2024-04-22 19:50:24 +02:00
Daniel Hougaard	973ed37018	Update export.go	2024-04-22 19:50:15 +02:00
Daniel Hougaard	e008fb26a2	Cleanup	2024-04-22 16:02:16 +02:00
Daniel Hougaard	34543ef127	Fix: Removed old code	2024-04-22 15:59:54 +02:00
Daniel Hougaard	83107f56bb	Fix: Removed old test code	2024-04-22 15:59:16 +02:00
Daniel Hougaard	35071af478	Fix: Run cmd tests	2024-04-22 15:27:42 +02:00
Daniel Hougaard	eb5f71cb05	Chore: Disable build as the tests handle this automatically	2024-04-22 15:27:35 +02:00
Daniel Hougaard	9cf1dd38a6	Fix: Run CMD snapshot fix	2024-04-22 15:27:22 +02:00
Daniel Hougaard	144a563609	Fix: Fixed snapshots order	2024-04-22 15:21:19 +02:00
Daniel Hougaard	ca0062f049	Update run-cli-tests.yml	2024-04-22 15:18:32 +02:00
Daniel Hougaard	2ed9aa888e	Fix: Secrets order	2024-04-22 15:18:30 +02:00
Daniel Hougaard	8c7d329f8f	Fix: Snapshot output order	2024-04-22 15:18:23 +02:00
Daniel Hougaard	a0aa06e2f5	Fix: Refactor teests to use cupaloy	2024-04-22 15:12:21 +02:00
Daniel Hougaard	1dd0167ac8	Feat: CLI Integration Tests	2024-04-22 15:12:18 +02:00
Daniel Hougaard	55aea364da	Fix: Refactor teests to use cupaloy	2024-04-22 15:12:09 +02:00
Daniel Hougaard	afee47ab45	Delete root_test.go	2024-04-22 15:12:02 +02:00
Daniel Hougaard	9387d9aaac	Rename	2024-04-22 15:11:58 +02:00
Daniel Hougaard	2b215a510c	Fix: Integrated UA login test	2024-04-22 15:11:39 +02:00
Daniel Hougaard	89ff6a6c93	Update .gitignore	2024-04-22 15:11:25 +02:00
Daniel Hougaard	3bcf406688	Fix: Refactor	2024-04-22 15:11:20 +02:00
Daniel Hougaard	580b86cde8	Fix: Refactor teests to use cupaloy	2024-04-22 15:11:10 +02:00
Daniel Hougaard	7a20251261	Fix: Returning keys in a reproducible manner	2024-04-22 15:10:55 +02:00
Daniel Hougaard	ae63898d5e	Install cupaloy	2024-04-22 15:02:51 +02:00
Daniel Hougaard	d4d3c2b10f	Update .gitignore	2024-04-22 15:02:44 +02:00
Daniel Hougaard	0e3cc4fdeb	Correct snapshots	2024-04-22 15:02:40 +02:00
Daniel Hougaard	4050e56e60	Feat: CLI Integration tests	2024-04-18 23:29:11 +02:00
Daniel Hougaard	e453ddf937	Update secrets.go	2024-04-18 18:04:29 +02:00
Daniel Hougaard	3f68807179	Update run-cli-tests.yml	2024-04-18 17:07:37 +02:00
Daniel Hougaard	ba42aca069	Workflow	2024-04-18 15:13:58 +02:00
Daniel Hougaard	22c589e2cf	Update tests.go	2024-04-18 15:01:31 +02:00
Daniel Hougaard	943945f6d7	Feat: Make run testable	2024-04-18 15:01:28 +02:00
Daniel Hougaard	b598dd3d47	Feat: Cli integration tests -- exports	2024-04-18 14:59:41 +02:00
Daniel Hougaard	ad6d18a905	Feat: Cli integration tests -- run cmd	2024-04-18 14:59:26 +02:00
Daniel Hougaard	46a91515b1	Fix: Use login UA token	2024-04-18 14:59:21 +02:00
Daniel Hougaard	b79ce8a880	Feat: Cli integration tests -- login	2024-04-18 14:59:13 +02:00
Daniel Hougaard	d31d98b5e0	Feat: CLI Integration tests	2024-04-18 14:58:59 +02:00
Daniel Hougaard	cb6cbafcae	Fix: JSON error check	2024-04-17 19:33:51 +02:00
Daniel Hougaard	bcb3eaab74	Feat: Integration tests	2024-04-17 19:33:51 +02:00
Daniel Hougaard	12d5fb1043	Fix: Add support for imported secrets with raw fetching	2024-04-17 19:33:51 +02:00
Daniel Hougaard	8bf09789d6	Feat: Integration tests	2024-04-17 19:33:51 +02:00
Daniel Hougaard	7ab8db0471	Feat: Integration tests	2024-04-17 19:33:51 +02:00
Daniel Hougaard	6b473d2b36	Feat: Integration tests	2024-04-17 19:33:51 +02:00
Daniel Hougaard	7581b33b3b	Fix: Add import support for raw fetching	2024-04-17 19:33:51 +02:00
Daniel Hougaard	be74f4d34c	Fix: Add import & recursive support to raw fetching	2024-04-17 19:33:51 +02:00
Maidul Islam	e973a62753	Merge pull request #1684 from akhilmhdh/chore/drop-role-field chore: rolling migration removed role and roleId field from project membership and identity project membership	2024-04-17 11:41:59 -04:00
vmatsiiako	94fa294455	Update email-password.mdx	2024-04-17 08:13:05 -06:00
vmatsiiako	be63e538d7	Update email-password.mdx	2024-04-17 08:11:49 -06:00
Maidul Islam	02e423f52c	remove old deployment options	2024-04-17 01:16:47 -04:00
Maidul Islam	3cb226908b	Merge pull request #1693 from Infisical/on-premise-architecure on prem architecture	2024-04-17 00:56:59 -04:00
Maidul Islam	ba37b1c083	on prem reference	2024-04-17 00:55:37 -04:00
Maidul Islam	d23b39abba	Merge pull request #1692 from Infisical/daniel/cli-fix Hotfix: CLI run command null pointer reference crash	2024-04-16 14:33:24 -04:00
Daniel Hougaard	de92ba157a	Update run.go	2024-04-16 20:30:03 +02:00
Maidul Islam	dadea751e3	Merge pull request #1685 from Infisical/snyk-fix-f3ea1a09d48832703f1fbc7b1eb0a4a3 [Snyk] Security upgrade mysql2 from 3.9.1 to 3.9.4	2024-04-16 13:44:26 -04:00
Maidul Islam	0ff0357a7c	Merge pull request #1630 from Infisical/daniel/cli-ua-support Feat: Machine Identity support for CLI commands	2024-04-16 13:28:00 -04:00
Maidul Islam	85f257b4db	add tip to only print token	2024-04-16 13:24:39 -04:00
Maidul Islam	18d7a14e3f	add silent flag	2024-04-16 13:21:05 -04:00
vmatsiiako	ff4d932631	Update aws-amplify.mdx	2024-04-16 10:27:09 -06:00
Maidul Islam	519f0025c0	Update aws-amplify.mdx	2024-04-16 11:31:18 -04:00
Maidul Islam	d8d6d7dc1b	Merge pull request #1687 from akhilmhdh/docs/aws-amplify-integration docs: added aws amplify integration documentation	2024-04-16 11:21:38 -04:00
Daniel Hougaard	a975fbd8a4	Fix: Moved comments	2024-04-16 10:16:23 +02:00
Daniel Hougaard	3a6ec3717b	Fix: Use constant identifiers	2024-04-16 10:15:07 +02:00
Daniel Hougaard	a4a961996b	Fix: Formatting and plain token output	2024-04-16 10:14:41 +02:00
Akhil Mohan	5b4777c1a5	docs: updated cli build command and image on env console	2024-04-16 12:06:09 +05:30
Maidul Islam	2f526850d6	edits to aws amplify docs	2024-04-16 01:20:52 -04:00
Maidul Islam	4f5d31d06f	edit aws amplify docs	2024-04-16 00:56:39 -04:00
Maidul Islam	a8264b17e4	Merge pull request #1689 from akhilmhdh/dynamic-secret/mysql Dynamic secret mysql support	2024-04-15 15:51:17 -04:00
Maidul Islam	cb66733e6d	remove password expire	2024-04-15 15:47:56 -04:00
Akhil Mohan	40a0691ccb	feat(ui): added mysql dynamic secret	2024-04-15 19:35:29 +05:30
Akhil Mohan	6410d51033	feat(server): added mysql dynamic secret server logic	2024-04-15 19:34:47 +05:30
Akhil Mohan	bc30ba9ad1	docs: added aws amplify integration documentation	2024-04-15 14:59:44 +05:30
Maidul Islam	a0259712df	Update aws-ecs.mdx	2024-04-15 03:36:12 -04:00
Maidul Islam	1132d07dea	Merge pull request #1686 from Infisical/aws-reference-guide-ecs AWS ECS reference architecture	2024-04-15 03:24:26 -04:00
Maidul Islam	1f0b1964b9	ecs reference architecture	2024-04-15 03:23:58 -04:00
snyk-bot	690e72b44c	fix: backend/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MYSQL2-6591085	2024-04-14 23:08:40 +00:00
Akhil Mohan	e2967f5e61	chore: added volume mount to migration docker dev image	2024-04-15 02:24:14 +05:30
Akhil Mohan	97afc4ff51	feat: added back username field in response for project users	2024-04-15 02:23:36 +05:30
Akhil Mohan	c47a91715f	chore: rolling migration removed role and roleId field from project membership and identity project membership	2024-04-15 02:16:11 +05:30
Maidul Islam	fbc7b34786	Merge pull request #1683 from akhilmhdh/fix/audit-log-latency fix: resolved slow audit log list	2024-04-14 11:54:11 -04:00
Akhil Mohan	9e6641c058	fix: resolved slow audit log list	2024-04-14 18:38:42 +05:30
Maidul Islam	d035403af1	Update kubernetes.mdx	2024-04-12 14:07:31 -04:00
Tuan Dang	1af0d958dd	Update migration order for group	2024-04-12 10:50:06 -07:00
Maidul Islam	66a51658d7	Merge pull request #1682 from Infisical/k8s-owner-policy add docs for owner policy	2024-04-12 12:52:09 -04:00
Maidul Islam	28dc3a4b1c	add docs for owner policy	2024-04-12 12:49:45 -04:00
BlackMagiq	b27cadb651	Merge pull request #1638 from Infisical/groups User Groups	2024-04-12 08:28:10 -07:00
Maidul Islam	3dca82ad2f	Merge pull request #1680 from Infisical/daniel/recursive-max-depth Fix: Hard limit on recursive secret fetching	2024-04-12 10:38:38 -04:00
Maidul Islam	1c90df9dd4	add log for secrets depth breakout	2024-04-12 10:34:59 -04:00
Maidul Islam	e15c9e72c6	allow inetgrations list fetch via UA	2024-04-12 10:06:16 -04:00
Daniel Hougaard	71575b1d2e	Fix: Secret interpolation not working as intended for fetching secrets by name	2024-04-12 14:05:43 +02:00
Daniel Hougaard	51f164c399	Chore: Add debug logs	2024-04-12 13:42:42 +02:00
Daniel Hougaard	702cd0d403	Update secret-fns.ts	2024-04-12 13:31:48 +02:00
Daniel Hougaard	75267987fc	Fix: Add recursive search max depth (20)	2024-04-12 13:28:03 +02:00
Daniel Hougaard	d734a3f6f4	Fix: Add hard recursion limit to documentation	2024-04-12 13:15:42 +02:00
vmatsiiako	cbb749e34a	Update list-project-integrations.mdx	2024-04-11 23:52:25 -04:00
Tuan Dang	4535c1069a	Fix merge conflicts	2024-04-11 20:46:14 -07:00
Tuan Dang	747acfe070	Resolve PR review issues	2024-04-11 20:44:38 -07:00
Tuan Dang	fa1b236f26	Disallow adding groups to E2EE projects	2024-04-11 19:52:10 -07:00
Tuan Dang	c98ef0eca8	Add pagination for user assignment modal	2024-04-11 19:33:19 -07:00
Maidul Islam	9f23106c6c	Update list-project-integrations.mdx	2024-04-11 20:49:31 -04:00
Maidul Islam	1e7744b498	Merge pull request #1679 from Infisical/list-project-integrations-api Expose List integratiosn API	2024-04-11 20:20:22 -04:00
Daniel Hougaard	44c736facd	Fix: Updated descriptions	2024-04-12 02:15:23 +02:00
Daniel Hougaard	51928ddb47	Fix: OpenAPI doc descriptions structure	2024-04-12 02:15:11 +02:00
Daniel Hougaard	c7cded4af6	Merge pull request #1678 from Infisical/daniel/workspace-endpoint-fix FIx: Fetching workspaces with no environments	2024-04-12 01:54:06 +02:00
Daniel Hougaard	8b56e20b42	Fix: Removed icon	2024-04-12 01:49:59 +02:00
Daniel Hougaard	39c2c37cc0	Remove log	2024-04-12 01:49:28 +02:00
Daniel Hougaard	3131ae7dae	Feat: Disable integration creation when no environments are present on project	2024-04-12 01:46:19 +02:00
Daniel Hougaard	5315a67d74	Feat: Disable integration creation when no environments are present on project	2024-04-12 01:46:11 +02:00
Maidul Islam	79de7f9f5b	expose list integrations api	2024-04-11 19:41:55 -04:00
Daniel Hougaard	71ffed026d	FIx: Fetching workspaces with no environments	2024-04-12 00:52:22 +02:00
Vladyslav Matsiiako	ee98b15e2b	fix typo	2024-04-11 17:43:13 -05:00
Maidul Islam	945d81ad4b	update aws SES docs	2024-04-11 16:28:02 -04:00
Tuan Dang	ff8354605c	Patch getProjectPermission	2024-04-11 13:00:50 -07:00
Tuan Dang	09b63eee90	Merge remote-tracking branch 'origin' into groups	2024-04-11 11:42:01 -07:00
Maidul Islam	d175256bb4	Merge pull request #1677 from Infisical/integration-auth-del-update Integration Auth deletion upon Integration deletion	2024-04-11 14:30:31 -04:00
Tuan Dang	ee0c79d018	Delete integration auth upon integration deletion if no other integrations share the same auth	2024-04-11 11:25:28 -07:00
Maidul Islam	d5d7564550	Merge pull request #1643 from akhilmhdh/feat/import-sync-secret fix(server): added sync secret for imports and added check for avoid cyclic import	2024-04-11 10:16:30 -04:00
Maidul Islam	0db682c5f0	remove depth from exceed message	2024-04-11 10:11:05 -04:00
Tuan Dang	a01a995585	Add comments to explain new getIntegrationSecrets	2024-04-11 10:11:05 -04:00
Tuan Dang	2ac785493a	Add comments to explain new getIntegrationSecrets	2024-04-10 21:52:33 -07:00
Tuan Dang	85489a81ff	Add resync on integration import creation/deletion and update forward/backward recursive logic for syncing dependent imports	2024-04-10 21:18:26 -07:00
Maidul Islam	7116c85f2c	remove note	2024-04-09 20:51:19 -04:00
Maidul Islam	31e4da0dd3	Merge pull request #1672 from JunedKhan101/main docs: fixed another broken link	2024-04-09 09:47:07 -07:00
Tuan Dang	f255d891ae	Merge remote-tracking branch 'origin' into feat/import-sync-secret	2024-04-09 08:40:10 -07:00
Juned Khan	4774469244	docs: fixed another broken link	2024-04-09 14:05:45 +05:30
Maidul Islam	e143a31e79	Merge pull request #1670 from JunedKhan101/main docs:fixed broken link	2024-04-08 17:45:51 -07:00
Daniel Hougaard	0baea4c5fd	Draft	2024-04-08 15:18:15 -07:00
Maidul Islam	f6cc20b08b	remove link from docs	2024-04-08 12:00:11 -07:00
Maidul Islam	90e125454e	remove docs for e2ee	2024-04-08 11:58:48 -07:00
Maidul Islam	fbdf3dc9ce	Merge pull request #1647 from akhilmhdh/doc/integration-api-guide docs: added guide to setup integration with api	2024-04-08 11:56:19 -07:00
Maidul Islam	f333c905d9	revise generic integration docs	2024-04-08 11:55:38 -07:00
Maidul Islam	71e60df39a	Merge pull request #1659 from agilesyndrome/fix_universalAuth_operatorinstall fix: Run make kubectl-install	2024-04-08 10:18:00 -07:00
Maidul Islam	8b4d050d05	updated original value in replace script	2024-04-08 10:15:09 -07:00
Maidul Islam	3b4bb591a3	set default for NEXT_PUBLIC_SAML_ORG_SLUG	2024-04-08 09:25:37 -07:00
Maidul Islam	54f1a4416b	add default value	2024-04-08 09:06:42 -07:00
Maidul Islam	47e3f1b510	Merge pull request #1661 from Infisical/saml-auto-redirect add automatic SAML redirect	2024-04-08 08:22:04 -07:00
Juned Khan	5810b76027	docs:fixed broken link	2024-04-08 16:55:11 +05:30
Daniel Hougaard	246e6c64d1	Merge pull request #1668 from JunedKhan101/main removed extra whitespace from error message	2024-04-07 16:05:31 -07:00
Juned Khan	4e836c5dca	removed extra whitespace from error message	2024-04-07 17:41:39 +05:30
Maidul Islam	63a289c3be	add saml org clug to standalone	2024-04-06 11:58:50 -07:00
Maidul Islam	0a52bbd55d	add render once to use effect	2024-04-06 11:40:13 -07:00
Maidul Islam	593bdf74b8	patch notice	2024-04-06 10:57:08 -07:00
Maidul Islam	1f3742e619	update april_2024_db_update_closed	2024-04-06 10:39:21 -07:00
vmatsiiako	dde24d4c71	Merge pull request #1663 from Infisical/daniel/cli-improvements Feat: CLI Improvements	2024-04-05 18:42:18 -07:00
Daniel Hougaard	8f1e662688	Feat: Added include imports to export command	2024-04-05 17:30:30 -07:00
Daniel Hougaard	dcbbb67f03	Feat: Added secret interpolation to get secret by name command	2024-04-05 17:30:19 -07:00
Vladyslav Matsiiako	055fd34c33	added baked env var	2024-04-05 17:25:25 -07:00
Tuan Dang	dc0d3b860e	Continue making progress on SCIM groups	2024-04-05 17:20:17 -07:00
Daniel Hougaard	c0fb3c905e	Docs: UA Auth Docs	2024-04-05 17:10:38 -07:00
Daniel Hougaard	18b0766d96	Update folders.go	2024-04-05 15:47:18 -07:00
Daniel Hougaard	b423696630	Feat: UA CLI Support	2024-04-05 15:22:48 -07:00
Daniel Hougaard	bf60489fde	Feat: Added UA support to export command	2024-04-05 15:20:03 -07:00
Daniel Hougaard	85ea6d2585	Fix: Cleanup	2024-04-05 15:19:52 -07:00
Daniel Hougaard	a97737ab90	Feat: Folder support for Machine Identities	2024-04-05 15:19:44 -07:00
Daniel Hougaard	3793858f0a	Feat: Export support for Machine Identities	2024-04-05 15:18:09 -07:00
Daniel Hougaard	66c48fbff8	Update model.go	2024-04-05 15:16:12 -07:00
Daniel Hougaard	b6b040375b	Feat: UA CLI Support	2024-04-05 15:13:47 -07:00
Daniel Hougaard	9ad5e082e2	Feat: UA CLI support	2024-04-05 15:13:47 -07:00
Daniel Hougaard	f1805811aa	Feat: Added token renew command	2024-04-05 15:13:47 -07:00
Daniel Hougaard	b135258cce	Feat: Added UA support to secret commands	2024-04-05 15:13:47 -07:00
Daniel Hougaard	a651de53d1	Feat: Added UA support to run command	2024-04-05 15:13:00 -07:00
Daniel Hougaard	7d0a535f46	Feat: Added UA login support (defaults to 'user')	2024-04-05 15:12:32 -07:00
Daniel Hougaard	c4e3dd84e3	Feat: Added UA support to folder command	2024-04-05 15:12:32 -07:00
Daniel Hougaard	9193f13970	Feat: Added UA support to export command	2024-04-05 15:12:32 -07:00
Daniel Hougaard	016f22c295	Fix: Cleanup	2024-04-05 15:12:32 -07:00
Daniel Hougaard	4d7182c9b1	Fix: Removed unused struct and included secret type on secret response	2024-04-05 15:12:32 -07:00
Daniel Hougaard	6ea7b04efa	Feat: Folder support for Machine Identities	2024-04-05 15:12:32 -07:00
Daniel Hougaard	3981d61853	Feat: Support for Machine Identities auth	2024-04-05 15:12:32 -07:00
Daniel Hougaard	3d391b4e2d	Feat: Secrets cmd support for Machine Identities	2024-04-05 15:12:32 -07:00
Daniel Hougaard	4123177133	Feat: Run cmd support for Machine Identities	2024-04-05 15:09:38 -07:00
Daniel Hougaard	4d61188d0f	Feat: Folder support for Machine Identities	2024-04-05 15:08:52 -07:00
Daniel Hougaard	fa33f35fcd	Feat: Export support for Machine Identities	2024-04-05 15:08:52 -07:00
Daniel Hougaard	13629223fb	Chore: Moved universalAuthLogin function to utils	2024-04-05 15:08:52 -07:00
Vladyslav Matsiiako	74fefa9879	add automatic SAML redirect	2024-04-05 14:39:31 -07:00
Vladyslav Matsiiako	ff2c8d017f	add automatic SAML redirect	2024-04-05 14:29:50 -07:00
Tuan Dang	f8ea421a0e	Add group deletion and (name) update support for SCIM integration	2024-04-05 10:13:47 -07:00
Tuan Dang	f7b8345da4	Fix merge conflicts	2024-04-05 09:04:30 -07:00
Drew Easley	f6d7ec52c2	fix: Run make kubectl-install	2024-04-05 08:10:38 -04:00
Tuan Dang	b3a9661755	Merge main	2024-04-04 12:24:28 -07:00
Tuan Dang	175ce865aa	Move group migration to top	2024-04-04 12:06:10 -07:00
Tuan Dang	51f220ba2c	Fix getProjectMembership to work with additional privileges	2024-04-04 11:20:39 -07:00
Tuan Dang	51819e57d1	Address merge conflicts	2024-04-04 10:01:19 -07:00
Tuan Dang	e1d9f779b2	Remove role and roleId from group project membership	2024-04-03 20:30:14 -07:00
Akhil Mohan	40bb9668fe	docs: added guide to setup integration with api	2024-04-03 01:12:30 +05:30
Akhil Mohan	abd62867eb	fix(server): resolved failing test in import	2024-04-02 13:55:26 +05:30
Akhil Mohan	179573a269	fix(server): added sync secret for imports and added check for avoiding cyclic import	2024-04-02 13:20:48 +05:30
Tuan Dang	457edef5fe	Merge remote-tracking branch 'origin/groups' into groups	2024-04-01 11:34:30 -07:00
Tuan Dang	f0b84d5bc9	Begin add push groups SCIM	2024-04-01 11:30:25 -07:00
Akhil Mohan	9fddcea3db	fix(ui): sending group users without orgid	2024-04-01 17:15:57 +05:30
Tuan Dang	0c2e566184	Add docs for groups	2024-03-29 17:49:20 -07:00
Tuan Dang	38adc83f2b	Rename group fns and add upgrade plan modal to project level groups tab	2024-03-28 20:54:25 -07:00
Tuan Dang	f2e5f1bb10	Fix lint issues	2024-03-28 20:22:58 -07:00
Tuan Dang	9460eafd91	Add API specs to groups endpoints, convert projectId groups endpoints to be slug-based	2024-03-28 18:21:12 -07:00
Tuan Dang	8afecac7d8	Rely on actorOrgId for group orgId refs	2024-03-28 17:00:33 -07:00
Tuan Dang	bf13b81c0f	Fix type issues	2024-03-28 12:55:18 -07:00
Tuan Dang	c753a91958	run linter	2024-03-28 12:44:44 -07:00
Tuan Dang	695a4a34b5	Fix merge conflicts	2024-03-28 12:41:34 -07:00
Tuan Dang	372f71f2b0	Add/remove bulk users to projects upon add/remove users to/from groups	2024-03-28 12:18:44 -07:00
Tuan Dang	0da6262ead	Complete logic for user provisioning/deprovisioning to projects with groups	2024-03-27 10:53:51 -07:00
Tuan Dang	8ffbaa2f6c	Minor group validation changes	2024-03-20 14:59:42 -07:00
Tuan Dang	796d5e3540	Complete preliminary list, update, create group in project	2024-03-20 14:47:12 -07:00
Tuan Dang	686b88fc97	Complete basic pre-cleaned group member assignment/unassignment	2024-03-19 18:23:52 -07:00
Tuan Dang	2a134b9dc2	Weave roles into groups	2024-03-19 11:34:28 -07:00
Tuan Dang	d8d63ecaec	Merge remote-tracking branch 'origin' into groups	2024-03-19 10:25:03 -07:00
Tuan Dang	efc186ae6c	Finish basic CRUD groups	2024-03-19 10:20:51 -07:00